$30 off During Our Annual Pro Sale. View Details »

実践nginx〜メルカリの場合〜

Tatsuhiko Kubo
April 22, 2015
Technology
53
32k

 実践nginx〜メルカリの場合〜

Tatsuhiko Kubo

April 22, 2015
Tweet

More Decks by Tatsuhiko Kubo

See All by Tatsuhiko Kubo
Handling a tremendous amount of images with Fastly / Yamagoya Traverse 2020
cubicdaiya
2
1.3k
System Integration with Fastly
cubicdaiya
0
480
実例で学ぶ画像最適化集 with ImageFlux / ImageFlux meetup#2
cubicdaiya
4
18k
Software Engineer, Infrastructure
cubicdaiya
4
2.9k
High Performance Count Up!
cubicdaiya
0
250
ImageFluxを利用した画像配信の最適化 / ImageFlux meetup 201801
cubicdaiya
0
2.6k
Building high performance push notification server in Go
cubicdaiya
5
3k
メルカリのデータ分析基盤 / mercari data analysis infrastructure
cubicdaiya
11
11k
On-call Engineering
cubicdaiya
8
6.1k

Other Decks in Technology

See All in Technology
つくばチャレンジ2023EX with PLATEAU@つくばセンター広場課題コース
tsukubachallenge
0
300
走馬灯のIaCは考えておいて
nwiizo
6
3.2k
エンタープライズSaaSへの挑戦〜顧客の事業を成長させるプロダクトマネジメントとは?〜 / pmconf2023
route06
2
320
リアルで価値を発揮するデジタルプロダクトを開発する
aki_iinuma
0
920
開発組織の体制づくり、いつやるか問題
akiroom
0
1.1k
SOLID Is Dead, Long Live SOLID
lemiorhan
2
180
実装がすべてではない、開発者の周りから考える Web プロダクトセキュリティ
oldbigbuddha
0
200
Making your Kubernetes-based log collection reliable & durable with Vector
palark
0
300
Autonomous Database - Dedicated 技術詳細 / adb-d_technical_detail_jp
oracle4engineer
PRO
2
3.9k
RDBを使う単体テストの前に 用意しておきたい環境を考え てみたの
bun913
0
390
負債と言わないことが負債と向き合うこと
kenchan
4
1.8k
Snowflake x Terraformに自動テストを導入した話
kddisnowvillage
0
160

Featured

See All Featured
Creatively Recalculating Your Daily Design Routine
revolveconf
208
11k
JazzCon 2018 Closing Keynote - Leadership for the Reluctant Leader
reverentgeek
177
10k
Building Flexible Design Systems
yeseniaperezcruz
317
36k
Building a Scalable Design System with Sketch
lauravandoore
453
32k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
10
1.2k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
15
1.7k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
16
1.5k
Designing Experiences People Love
moore
133
23k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
240
20k
A designer walks into a library…
pauljervisheath
199
20k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
656
120k
Into the Great Unknown - MozCon
thekraken
7
650

Transcript

  1. ࣮ફnginx
    ʙϝϧΧϦͷ৔߹ʙ
    Tatsuhiko Kubo@cubicdaiya
    ALM@2015/04/21

    View Slide

  2. ࣗݾ঺հ
    • ٱอୡ඙(Tatsuhiko Kubo)
    • bokko@cubicdaiya
    • Software Engineer in Infrastructure Engineering
    • Mercari, Inc.
    • Favorites: Go, C, nginx

    View Slide

  3. OSS࡞ͬͨΓίϯτϦϏϡʔτͨ͠Γ

    View Slide

  4. Agenda
    ϝϧΧϦͰͷnginxͷ׆༻ࣄྫʹ͍ͭͯ

    View Slide

  5. nginx
    • ੈքͰೋ൪໨ʹར༻͞Ε͍ͯΔOSSͷHTTPαʔό
    • C10Kʹ଱͑ΒΕΔΞʔΩςΫνϟ
    • Πϕϯτۦಈ
    • ϊϯϒϩοΩϯάI/O
    • ඇಉظI/O
    • ܰྔͰߴ଎

    View Slide

  6. ϝϧΧϦͰΑ͋͘Δޫܠ
    ࣮ࡍʹ͸͋Δఔ౓ू໿͍ͯ͠·͢

    View Slide

  7. Agenda
    • Reverse proxy
    • SSL termination
    • SPDY gateway
    • L7 load balancer

    View Slide

  8. Agenda
    • Reverse proxy
    • SSL termination
    • SPDY gateway
    • L7 load balancer

    View Slide

  9. ϦόʔεϓϩΩγͱͯ͠ͷnginx
    • ϦΫΤετͷϩΪϯά
    • ΞΫηε੍ޚ
    • ίϯςϯπͷѹॖɾΩϟογϡ
    • όοϑΝϦϯά
    • etc…

    View Slide

  10. nginx.confͷઃఆྫ
    server {
    listen 443 ssl spdy;
    server_name xxx.yyy;
    # ϓϩΩγઃఆ
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Connection "";
    proxy_http_version 1.1;
    proxy_buffers 50 8k;
    # ੩తίϯςϯπ͸nginxͰฦ͢
    location ~ /(styles|js|images)/ {
    root /usr/share/zabbix;
    expires 30d;
    }
    # Zabbix(༻ͷgoogle_auth_proxy)΁ϓϩΩγ
    location / {
    proxy_pass http://google_auth_proxy_for_zabbix;
    }
    }

    View Slide

  11. લஈʹnginxΛஔ͘ϝϦοτ
    • HTTP or HTTPSαʔόʹඞཁͳλεΫΛҰ௨Γ͜ͳͤΔ
    • ΞϓϦέʔγϣϯαʔό(e.g. Unicorn)ʹ଍Γͳ͍ػೳΛิ׬
    • ωοτϫʔΫϨΠςϯγͷվળ
    • KeepAlive
    • gzipѹॖ
    • TLS Session (Cache | Tickets)ɺOCSP Stapling
    • SPDY
    • etc…

    View Slide

  12. Agenda
    • Reverse proxy
    • SSL termination
    • SPDY gateway
    • L7 load balancer

    View Slide

  13. HTTPS௨৴ͷߴ଎Խ
    • ҰൠʹHTTPS௨৴Ͱ͸TCP 3-way handshakeʹՃ͑ͯ
    TLS 3-way handshake͕ൃੜ͢ΔͷͰHTTP௨৴ΑΓ஗͘ͳΔ
    • HTTPS௨৴ߴ଎ԽͷͨΊͷࡾछͷਆث
    • TLS Session Cache
    • TLS Session Tickets
    • OCSP Stapling

    View Slide

  14. TLS Session Cache
    • TLSϋϯυγΣΠΫͷηογϣϯ৘ใΛαʔόʹ
    Ωϟογϡ
    • nginxͰ͸ڞ༗ϝϞϦ্ʹΩϟογϡ͞ΕΔ
    • ࣍ճͷTLSϋϯυγΣΠΫΛলུ
    • CPUͷϦιʔεͷ࡟ݮ΍ϨΠςϯγͷղফʹޮՌ͕͋Δ

    View Slide

  15. TLS Session Cache with nginx

    View Slide

  16. TLS Session Tickets
    • ҉߸Խͨ͠ηογϣϯ৘ใ(νέοτ)ΛΫϥΠΞϯ
    τʹ౉͢
    • νέοτΛݩʹTLSηογϣϯΛ࠶։
    • HTTPSαʔόෳ਺୆Ͱηογϣϯ৘ใΛڞ༗Ͱ͖Δ
    • εϚϗͩͱαϙʔτ͍ͯ͠Δ୺຤͕গͳ͍…

    View Slide

  17. TLS Session Tickets with nginx

    View Slide

  18. OCSP Stapling
    • OCSPʹΑΔSSLূ໌ॻͷࣦޮ֬ೝΛαʔόଆͰߦͬ
    ͯΩϟογϡ
    • ΫϥΠΞϯτଆͰ΍ΔͱTLSϋϯυγΣΠΫ࣌ʹϨΠ
    ςϯγ͕ൃੜ͢Δ
    • ΍ͬͺΓεϚϗͩͱ͋Μ·ΓରԠͯ͠ͳ͍
    • Google Chrome for iOSͩͱରԠͯͨ͠

    View Slide

  19. OCSP Stapling with nginx
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/ssl/xxx.yyy.ocsp.crt;
    resolver xxx.xxx.xxx.xxx valid=30s;
    resolver_timeout 5s;

    View Slide

  20. Agenda
    • Reverse proxy
    • SSL termination
    • SPDY gateway
    • L7 load balancer

    View Slide

  21. SPDY with nginx

    View Slide

  22. Ͱɺ࣮ࡍͷޮՌ͸ͱݴ͏ͱ

    View Slide

  23. TLS Session (Cache|Tickets)
    ಋೖλΠϛϯά

    View Slide

  24. TLS Session (Cache|Tickets)
    ಋೖλΠϛϯά

    View Slide

  25. SPDY
    41%:ಋೖͨ͠೔ͷϐʔΫ

    View Slide

  26. ΋͏ͪΐͬͱ۩ମతͳྫ

    View Slide

  27. ೔ຊ͔Βւ֎ͷZabbix dashboardʹΞΫηε

    View Slide

  28. Client
    • MacBookPro
    • Google Chrome
    • HTTP/2༗ޮ
    • ϒϥ΢βΩϟογϡ͸ৗʹແޮˣ

    View Slide

  29. Server(ॳظঢ়ଶ)
    • Apache(prefork) + mod_php
    • த਎͸Zabbix
    • KeepAlive Off
    • gzipѹॖແޮ
    • TLS Session Cache & Tickets༗ޮ

    View Slide

  30. Server(ॳظঢ়ଶ)
    "QBDIF
    1PSU
    HTTPS
    Server
    (PPHMF"VUI1SPYZ
    "QBDIF
    1PSU
    SSLऴ୺ Ϣʔβೝূ Zabbix

    View Slide

  31. ύϑΥʔϚϯε(ॳظঢ়ଶ)
    ߲໨໊ ܭଌ஋
    લճ
    ͱͷൺֱ
    ॳظঢ়ଶ
    ͱͷൺֱ
    3FDFJWFESFRVFTUT
    %BUB5SBOTGFS ,#
    -PBE5JNF TFD
    %0.$POUFOU-PBE
    FE5JNF
    TFD

    View Slide

  32. νϡʔχϯά ͦͷ1
    KeepAlive On
    KeepAliveΛ༗ޮʹ͢Δ

    View Slide

  33. ύϑΥʔϚϯε
    ߲໨໊ ܭଌ஋
    લճ
    ͱͷൺֱ
    ॳظঢ়ଶ
    ͱͷൺֱ
    3FDFJWFESFRVFTUT
    %BUB5SBOTGFS ,# ,# ,#
    -PBE5JNF TFD TFD TFD
    %0.$POUFOU-PBE
    FE5JNF
    TFD TFD TFD

    View Slide

  34. νϡʔχϯά ͦͷ2

    AddOutputFilterByType DEFLATE text/html
    AddOutputFilterByType DEFLATE text/css
    AddOutputFilterByType DEFLATE text/js
    AddOutputFilterByType DEFLATE text/javascript
    AddOutputFilterByType DEFLATE application/javascript
    AddOutputFilterByType DEFLATE application/json-rpc

    gzipѹॖΛ༗ޮʹ͢Δ

    View Slide

  35. ύϑΥʔϚϯε
    ߲໨໊ ܭଌ஋
    લճ
    ͱͷൺֱ
    ॳظঢ়ଶ
    ͱͷൺֱ
    3FDFJWFESFRVFTUT
    %BUB5SBOTGFS ,# ,# ,#
    -PBE5JNF TFD TFD TFD
    %0.$POUFOU-PBEF
    E5JNF
    TFD TFD TFD

    View Slide

  36. νϡʔχϯάͦͷ3
    "QBDIF
    1PSU
    HTTPS
    Server
    (PPHMF"VUI1SPYZ
    "QBDIF
    1PSU
    SSLऴ୺ Ϣʔβೝূ Zabbix
    OHJOY
    1PSU
    SSLऴ୺ΛnginxͰߦ͏

    View Slide

  37. νϡʔχϯάͦͷ3
    # nginx.conf
    # in main context
    worker_processes auto;
    tcp_nopush on;
    keepalive_timeout 65s;
    open_file_cache max=1000 inactive=20s;
    ssl_session_cache shared:SSL:30m;
    gzip on;
    gzip_comp_level 9;
    gzip_types text/css text/plain text/js
    text/javascript application/javascript
    application/json-rpc;
    # in event context
    accept_mutex_delay 100ms; # in event context
    ੩తϑΝΠϧ͸શ෦nginxͰ഑৴͢Δ

    View Slide

  38. ύϑΥʔϚϯε
    ߲໨໊ ܭଌ஋
    લճ
    ͱͷൺֱ
    ॳظঢ়ଶ
    ͱͷൺֱ
    3FDFJWFESFRVFTUT
    %BUB5SBOTGFS ,# ,# ,#
    -PBE5JNF TFD TFD TFD
    %0.$POUFOU-PBEF
    E5JNF
    TFD TFD TFD

    View Slide

  39. νϡʔχϯάͦͷ4
    listen 443 ssl spdy;
    SPDY/3.1Λ༗ޮʹ͢Δ

    View Slide

  40. ύϑΥʔϚϯε
    ߲໨໊ ܭଌ஋
    લճ
    ͱͷൺֱ
    ॳظঢ়ଶ
    ͱͷൺֱ
    3FDFJWFESFRVFTUT
    %BUB5SBOTGFS ,# ,# ,#
    -PBE5JNF TFD TFD TFD
    %0.$POUFOU-PBEF
    E5JNF
    TFD TFD TFD
    ࠷ऴతʹWebϖʔδͷϩʔυ͕࣌ؒ4ඵ͔Β1ඵʹ

    View Slide

  41. Agenda
    • Reverse proxy
    • SSL termination
    • SPDY gateway
    • L7 load balancer

    View Slide

  42. OHJOY

    View Slide

  43. ൚༻ϓογϡ௨஌γεςϜ
    PS
    CBUDIαʔό

    View Slide

  44. ·ͱΊ
    • nginx͸
    • ϝϧΧϦ಺ͰαʔϏεɺࣾ಺γεςϜͰ͍ΖΜ
    ͳՕॴʹڬΜͰ׆༻͍ͯ͠·͢
    • L7ϩʔυόϥϯαʔɺϦόϓϩɺSSLऴ୺αʔ
    όͱͯ͠ͱͯ΋༏ल
    • ࠓޙ΋ར༻Օॴ͕૿͑Δ༧ఆ

    View Slide