࣮ફnginxʙϝϧΧϦͷ߹ʙTatsuhiko [email protected][email protected]/04/21
View Slide
ࣗݾհ• ٱอୡ(Tatsuhiko Kubo)• [email protected]• Software Engineer in Infrastructure Engineering• Mercari, Inc.• Favorites: Go, C, nginx
OSS࡞ͬͨΓίϯτϦϏϡʔτͨ͠Γ
AgendaϝϧΧϦͰͷnginxͷ׆༻ࣄྫʹ͍ͭͯ
nginx• ੈքͰೋ൪ʹར༻͞Ε͍ͯΔOSSͷHTTPαʔό• C10Kʹ͑ΒΕΔΞʔΩςΫνϟ• Πϕϯτۦಈ• ϊϯϒϩοΩϯάI/O• ඇಉظI/O• ܰྔͰߴ
ϝϧΧϦͰΑ͋͘Δޫܠ࣮ࡍʹ͋Δఔू͍ͯ͠·͢
Agenda• Reverse proxy• SSL termination• SPDY gateway• L7 load balancer
ϦόʔεϓϩΩγͱͯ͠ͷnginx• ϦΫΤετͷϩΪϯά• ΞΫηε੍ޚ• ίϯςϯπͷѹॖɾΩϟογϡ• όοϑΝϦϯά• etc…
nginx.confͷઃఆྫserver {listen 443 ssl spdy;server_name xxx.yyy;# ϓϩΩγઃఆproxy_set_header X-Forwarded-Proto $scheme;proxy_set_header Host $http_host;proxy_set_header X-Real-IP $remote_addr;proxy_set_header Connection "";proxy_http_version 1.1;proxy_buffers 50 8k;# ੩తίϯςϯπnginxͰฦ͢location ~ /(styles|js|images)/ {root /usr/share/zabbix;expires 30d;}# Zabbix(༻ͷgoogle_auth_proxy)ϓϩΩγlocation / {proxy_pass http://google_auth_proxy_for_zabbix;}}
લஈʹnginxΛஔ͘ϝϦοτ• HTTP or HTTPSαʔόʹඞཁͳλεΫΛҰ௨Γ͜ͳͤΔ• ΞϓϦέʔγϣϯαʔό(e.g. Unicorn)ʹΓͳ͍ػೳΛิ• ωοτϫʔΫϨΠςϯγͷվળ• KeepAlive• gzipѹॖ• TLS Session (Cache | Tickets)ɺOCSP Stapling• SPDY• etc…
HTTPS௨৴ͷߴԽ• ҰൠʹHTTPS௨৴ͰTCP 3-way handshakeʹՃ͑ͯTLS 3-way handshake͕ൃੜ͢ΔͷͰHTTP௨৴ΑΓ͘ͳΔ• HTTPS௨৴ߴԽͷͨΊͷࡾछͷਆث• TLS Session Cache• TLS Session Tickets• OCSP Stapling
TLS Session Cache• TLSϋϯυγΣΠΫͷηογϣϯใΛαʔόʹΩϟογϡ• nginxͰڞ༗ϝϞϦ্ʹΩϟογϡ͞ΕΔ• ࣍ճͷTLSϋϯυγΣΠΫΛলུ• CPUͷϦιʔεͷݮϨΠςϯγͷղফʹޮՌ͕͋Δ
TLS Session Cache with nginx
TLS Session Tickets• ҉߸Խͨ͠ηογϣϯใ(νέοτ)ΛΫϥΠΞϯτʹ͢• νέοτΛݩʹTLSηογϣϯΛ࠶։• HTTPSαʔόෳͰηογϣϯใΛڞ༗Ͱ͖Δ• εϚϗͩͱαϙʔτ͍ͯ͠Δ͕গͳ͍…
TLS Session Tickets with nginx
OCSP Stapling• OCSPʹΑΔSSLূ໌ॻͷࣦޮ֬ೝΛαʔόଆͰߦͬͯΩϟογϡ• ΫϥΠΞϯτଆͰΔͱTLSϋϯυγΣΠΫ࣌ʹϨΠςϯγ͕ൃੜ͢Δ• ͬͺΓεϚϗͩͱ͋Μ·ΓରԠͯ͠ͳ͍• Google Chrome for iOSͩͱରԠͯͨ͠
OCSP Stapling with nginxssl_stapling on;ssl_stapling_verify on;ssl_trusted_certificate /etc/nginx/ssl/xxx.yyy.ocsp.crt;resolver xxx.xxx.xxx.xxx valid=30s;resolver_timeout 5s;
SPDY with nginx
Ͱɺ࣮ࡍͷޮՌͱݴ͏ͱ
TLS Session (Cache|Tickets)ಋೖλΠϛϯά
SPDY41%:ಋೖͨ͠ͷϐʔΫ
͏ͪΐͬͱ۩ମతͳྫ
ຊ͔Βւ֎ͷZabbix dashboardʹΞΫηε
Client• MacBookPro• Google Chrome• HTTP/2༗ޮ• ϒϥβΩϟογϡৗʹແޮˣ
Server(ॳظঢ়ଶ)• Apache(prefork) + mod_php• தZabbix• KeepAlive Off• gzipѹॖແޮ• TLS Session Cache & Tickets༗ޮ
Server(ॳظঢ়ଶ)"QBDIF1PSUHTTPSServer(PPHMF"VUI1SPYZ"QBDIF1PSUSSLऴ Ϣʔβೝূ Zabbix
ύϑΥʔϚϯε(ॳظঢ়ଶ)໊߲ ܭଌલճͱͷൺֱॳظঢ়ଶͱͷൺֱ3FDFJWFESFRVFTUT %BUB5SBOTGFS ,# -PBE5JNF TFD %0.$POUFOU-PBEFE5JNFTFD
νϡʔχϯά ͦͷ1KeepAlive OnKeepAliveΛ༗ޮʹ͢Δ
ύϑΥʔϚϯε໊߲ ܭଌલճͱͷൺֱॳظঢ়ଶͱͷൺֱ3FDFJWFESFRVFTUT %BUB5SBOTGFS ,# ,# ,#-PBE5JNF TFD TFD TFD%0.$POUFOU-PBEFE5JNFTFD TFD TFD
νϡʔχϯά ͦͷ2AddOutputFilterByType DEFLATE text/htmlAddOutputFilterByType DEFLATE text/cssAddOutputFilterByType DEFLATE text/jsAddOutputFilterByType DEFLATE text/javascriptAddOutputFilterByType DEFLATE application/javascriptAddOutputFilterByType DEFLATE application/json-rpcgzipѹॖΛ༗ޮʹ͢Δ
νϡʔχϯάͦͷ3"QBDIF1PSUHTTPSServer(PPHMF"VUI1SPYZ"QBDIF1PSUSSLऴ Ϣʔβೝূ ZabbixOHJOY1PSUSSLऴΛnginxͰߦ͏
νϡʔχϯάͦͷ3# nginx.conf# in main contextworker_processes auto;tcp_nopush on;keepalive_timeout 65s;open_file_cache max=1000 inactive=20s;ssl_session_cache shared:SSL:30m;gzip on;gzip_comp_level 9;gzip_types text/css text/plain text/jstext/javascript application/javascriptapplication/json-rpc;# in event contextaccept_mutex_delay 100ms; # in event context੩తϑΝΠϧશ෦nginxͰ৴͢Δ
νϡʔχϯάͦͷ4listen 443 ssl spdy;SPDY/3.1Λ༗ޮʹ͢Δ
ύϑΥʔϚϯε໊߲ ܭଌલճͱͷൺֱॳظঢ়ଶͱͷൺֱ3FDFJWFESFRVFTUT %BUB5SBOTGFS ,# ,# ,#-PBE5JNF TFD TFD TFD%0.$POUFOU-PBEFE5JNFTFD TFD TFD࠷ऴతʹWebϖʔδͷϩʔυ͕࣌ؒ4ඵ͔Β1ඵʹ
OHJOY
൚༻ϓογϡ௨γεςϜPSCBUDIαʔό
·ͱΊ• nginx• ϝϧΧϦͰαʔϏεɺࣾγεςϜͰ͍ΖΜͳՕॴʹڬΜͰ׆༻͍ͯ͠·͢• L7ϩʔυόϥϯαʔɺϦόϓϩɺSSLऴαʔόͱͯ͠ͱͯ༏ल• ࠓޙར༻Օॴ͕૿͑Δ༧ఆ
cubicdaiya
superbrothers
shimashima35
kazumax55
kthrtty
you5805
renjikari
dena_tech
tsubakimoto_s
ikuyamada
stefafafan
sbtechnight
gen519
shpigford
jacobian
moore
eileencodes
lara
zakiyama
panda_program
eitanlees
searls
iamctodd
chriscoyier
shlominoach