Practical nginx: The Mercari Case (実践nginx〜メルカリの場合〜)
Tatsuhiko Kubo
April 22, 2015
Transcript
Practical nginx: The Mercari Case. Tatsuhiko Kubo@cubicdaiya, ALM@2015/04/21
About me • Tatsuhiko Kubo • bokko@cubicdaiya • Software Engineer in Infrastructure Engineering • Mercari, Inc. • Favorites: Go, C, nginx • Writes and contributes to OSS
Agenda: how nginx is used at Mercari
nginx • The second most widely used open-source HTTP server in the world • An architecture that copes with C10K • Event-driven • Non-blocking I/O • Asynchronous I/O • Lightweight and fast
A common sight at Mercari (diagram; in practice these are consolidated to some extent)
Agenda • Reverse proxy • SSL termination • SPDY gateway • L7 load balancer
nginx as a reverse proxy • Request logging • Access control • Content compression and caching • Buffering • etc.
Example nginx.conf

    server {
        listen 443 ssl spdy;
        server_name xxx.yyy;
        # ssl_certificate / ssl_certificate_key are not shown on the slide;
        # nginx requires both for a "listen ... ssl" server
        # proxy settings
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Connection "";   # with HTTP/1.1 below, lets upstream connections be reused
        proxy_http_version 1.1;
        proxy_buffers 50 8k;
        # static content is served by nginx itself
        # (the regex is unanchored; "^/(styles|js|images)/" would match only at the start of the URI)
        location ~ /(styles|js|images)/ {
            root /usr/share/zabbix;
            expires 30d;
        }
        # everything else is proxied to the google_auth_proxy in front of Zabbix
        # (the "google_auth_proxy_for_zabbix" upstream block is not shown on the slide)
        location / {
            proxy_pass http://google_auth_proxy_for_zabbix;
        }
    }
Benefits of putting nginx in front • Handles the whole set of tasks an HTTP or HTTPS server needs • Supplies features the application server (e.g. Unicorn) lacks • Improves network latency • KeepAlive • gzip compression • TLS Session (Cache | Tickets), OCSP Stapling • SPDY • etc.
Agenda • Reverse proxy • SSL termination • SPDY gateway • L7 load balancer
Speeding up HTTPS • In general HTTPS is slower than plain HTTP because a TLS 3-way handshake happens on top of the TCP 3-way handshake • The three sacred treasures for speeding up HTTPS: • TLS Session Cache • TLS Session Tickets • OCSP Stapling
TLS Session Cache • The server caches the session state from the TLS handshake • In nginx it is cached in shared memory • The next TLS handshake can be skipped (session resumption) • Cuts CPU usage and removes handshake latency
TLS Session Cache with nginx
TLS Session Tickets • The server hands the client an encrypted copy of the session state (a ticket) • The TLS session is resumed from that ticket • Session state can be shared across several HTTPS servers • Few smartphone clients support it, though…
TLS Session Tickets with nginx
OCSP Stapling • The server performs the OCSP revocation check for the SSL certificate itself and caches the response • Done on the client side, the check adds latency to the TLS handshake • Again, smartphone support is limited • Google Chrome for iOS did support it
OCSP Stapling with nginx

    ssl_stapling on;
    ssl_stapling_verify on;                                   # verify the stapled response against the chain below
    ssl_trusted_certificate /etc/nginx/ssl/xxx.yyy.ocsp.crt;  # issuer chain used for that verification
    resolver xxx.xxx.xxx.xxx valid=30s;                       # DNS resolver nginx uses to reach the OCSP responder
    resolver_timeout 5s;
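An added check, not from the deck, for the three speed-ups above as seen from the client: it classifies `openssl s_client` output for session resumption (cache or tickets) and a stapled OCSP response. The parse functions read that output on stdin so they run offline on the constructed samples; `probe_host` and the hostname it takes are the only parts that need a network.

```shell
#!/bin/sh
# Added example, not part of the original deck: check from outside whether a TLS
# endpoint resumes sessions (session cache / tickets) and staples OCSP, by
# classifying `openssl s_client` output read from stdin.

# "New, TLSv1.2, ..." is a full handshake; "Reused, ..." means the session was
# resumed from the server-side cache or from a ticket.
parse_resumption() {
    out=$(cat)
    case "$out" in
        *"Reused, "*) echo resumed ;;
        *"New, "*)    echo full ;;
        *)            echo unknown ;;
    esac
}

# The server issued a session ticket during the handshake.
parse_ticket_issued() {
    if grep -q 'TLS session ticket:'; then echo yes; else echo no; fi
}

# With `s_client -status`, a stapled response prints as
# "OCSP Response Status: successful (0x0)"; otherwise "no response sent".
parse_ocsp_stapled() {
    if grep -q 'OCSP Response Status: successful'; then echo yes; else echo no; fi
}

# Live probe (needs network): full handshake saving the session, a second
# handshake offering it back, and a third asking for a stapled OCSP response.
probe_host() {
    host=$1; port=${2:-443}; sess=$(mktemp)
    openssl s_client -connect "$host:$port" -servername "$host" -sess_out "$sess" \
        </dev/null 2>/dev/null | parse_ticket_issued | sed 's/^/ticket issued: /'
    openssl s_client -connect "$host:$port" -servername "$host" -sess_in "$sess" \
        </dev/null 2>/dev/null | parse_resumption | sed 's/^/second handshake: /'
    openssl s_client -connect "$host:$port" -servername "$host" -status \
        </dev/null 2>/dev/null | parse_ocsp_stapled | sed 's/^/ocsp stapled: /'
    rm -f "$sess"
}

# Constructed, abridged fragments of s_client output for offline use.
SAMPLE_FULL='New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 5c 3f 9a 00 11 22 33 44
OCSP response: no response sent'
SAMPLE_RESUMED='Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
OCSP Response Status: successful (0x0)'

echo "first : $(printf '%s\n' "$SAMPLE_FULL" | parse_resumption), ticket=$(printf '%s\n' "$SAMPLE_FULL" | parse_ticket_issued), ocsp=$(printf '%s\n' "$SAMPLE_FULL" | parse_ocsp_stapled)"
echo "second: $(printf '%s\n' "$SAMPLE_RESUMED" | parse_resumption), ocsp=$(printf '%s\n' "$SAMPLE_RESUMED" | parse_ocsp_stapled)"
# probe_host your.host.example   # uncomment to run against a live endpoint
```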
Agenda • Reverse proxy • SSL termination • SPDY gateway • L7 load balancer
SPDY with nginx
So, what was the actual effect?
TLS Session (Cache|Tickets): point of introduction (graph)
SPDY 41%: peak after introduction (graph)
A more concrete example: accessing an overseas Zabbix dashboard from Japan
Client • MacBook Pro • Google Chrome • HTTP/2 enabled • Browser cache always disabled
Server (initial state) • Apache (prefork) + mod_php • Zabbix behind it • KeepAlive Off • gzip compression disabled • TLS Session Cache & Tickets enabled
Server (initial state), diagram: Apache as the HTTPS server (SSL termination) → GoogleAuthProxy (user authentication) → Apache → Zabbix
Performance (initial state), table: rows Received requests, Data transfer (KB), Load time (sec), DOMContentLoaded time (sec); columns measured value, change vs. previous step, change vs. initial state (values missing)
Tuning #1: KeepAlive On (enable KeepAlive)
Performance after tuning #1, table: same rows and columns as above (values missing)
Tuning #2: enable gzip compression (Apache mod_deflate)

    <IfModule mod_deflate.c>
        AddOutputFilterByType DEFLATE text/html
        AddOutputFilterByType DEFLATE text/css
        AddOutputFilterByType DEFLATE text/js
        AddOutputFilterByType DEFLATE text/javascript
        AddOutputFilterByType DEFLATE application/javascript
        AddOutputFilterByType DEFLATE application/json-rpc
    </IfModule>
Performance after tuning #2, table: same rows and columns as above (values missing)
Tuning #3: terminate SSL in nginx. Diagram: nginx as the HTTPS server (SSL termination) → GoogleAuthProxy (user authentication) → Apache → Zabbix
Tuning #3

    # nginx.conf
    # main context
    worker_processes auto;
    # http context (the directives below are not valid in the main context)
    tcp_nopush on;
    keepalive_timeout 65s;
    open_file_cache max=1000 inactive=20s;
    ssl_session_cache shared:SSL:30m;   # TLS session cache in shared memory, 30 MB
    gzip on;
    gzip_comp_level 9;
    gzip_types text/css text/plain text/js text/javascript application/javascript application/json-rpc;
    # events context
    accept_mutex_delay 100ms;

All static files are served by nginx.
Performance after tuning #3, table: same rows and columns as above (values missing)
Tuning #4: listen 443 ssl spdy; (enable SPDY/3.1)
Performance after tuning #4, table: same rows and columns as above (values missing). In the end, the web page's load time went from 4 seconds to 1 second.
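An added measurement script, not from the deck, that reproduces the before/after comparison of the tuning steps from the command line with curl's timing variables. Two requests to the same URL in one curl invocation share the connection, so the second line shows what KeepAlive saves and the first shows the TCP plus TLS handshake cost; the hostname in the commented-out call is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the original deck: measure the effect of the tuning
# steps with curl's timing variables instead of the browser. curl reports
# time_connect and time_appconnect as 0 when it reuses a connection.

# One timing line per request: "connect appconnect starttransfer total" (seconds).
FORMAT='%{time_connect} %{time_appconnect} %{time_starttransfer} %{time_total}\n'

# TLS handshake cost of one request: TLS completion time minus TCP connect time.
tls_cost() {
    awk '{ printf "%.3f\n", $2 - $1 }'
}

# Was the connection reused (KeepAlive)? Zero connect and TLS time means yes.
connection_state() {
    awk '{ print ($1 == 0 && $2 == 0) ? "reused" : "new" }'
}

# Time from request to first response byte (server work plus any handshakes).
time_to_first_byte() {
    awk '{ printf "%.3f\n", $3 }'
}

# Fetch URL twice over one connection and summarise each request (needs network).
measure_url() {
    curl -s -o /dev/null -w "$FORMAT" "$1" "$1" | while read -r line; do
        printf '%s connection, tls=%ss, ttfb=%ss\n' \
            "$(printf '%s\n' "$line" | connection_state)" \
            "$(printf '%s\n' "$line" | tls_cost)" \
            "$(printf '%s\n' "$line" | time_to_first_byte)"
    done
}

# Constructed sample lines (seconds) standing in for real curl output:
# a fresh connection with a full handshake, then a reused one.
SAMPLE_FIRST='0.120 0.310 0.650 0.700'
SAMPLE_SECOND='0.000 0.000 0.180 0.230'
printf 'first : %s, tls=%ss\n' "$(printf '%s\n' "$SAMPLE_FIRST" | connection_state)" \
    "$(printf '%s\n' "$SAMPLE_FIRST" | tls_cost)"
printf 'second: %s, tls=%ss\n' "$(printf '%s\n' "$SAMPLE_SECOND" | connection_state)" \
    "$(printf '%s\n' "$SAMPLE_SECOND" | tls_cost)"
# measure_url https://your.host.example/   # uncomment to run against a live endpoint
```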
Agenda • Reverse proxy • SSL termination • SPDY gateway • L7 load balancer
Diagram: nginx in front of the general-purpose push notification system or batch servers
Summary • nginx • At Mercari it is slotted in at many points of both the service and internal systems • Excellent as an L7 load balancer, reverse proxy and SSL termination server • We plan to use it in more places going forward