Upgrade to Pro — share decks privately, control downloads, hide ads and more …

実践nginx〜メルカリの場合〜

5d74d743eabd2bf7d4d2f68b9d3c727d?s=47 Tatsuhiko Kubo
April 22, 2015
Technology
53
31k

 実践nginx〜メルカリの場合〜

5d74d743eabd2bf7d4d2f68b9d3c727d?s=128

Tatsuhiko Kubo

April 22, 2015
Tweet

More Decks by Tatsuhiko Kubo

See All by Tatsuhiko Kubo
5d74d743eabd2bf7d4d2f68b9d3c727d?s=48 cubicdaiya
2
670
5d74d743eabd2bf7d4d2f68b9d3c727d?s=48 cubicdaiya
0
330
5d74d743eabd2bf7d4d2f68b9d3c727d?s=48 cubicdaiya
4
16k
5d74d743eabd2bf7d4d2f68b9d3c727d?s=48 cubicdaiya
4
2.6k
5d74d743eabd2bf7d4d2f68b9d3c727d?s=48 cubicdaiya
0
190
5d74d743eabd2bf7d4d2f68b9d3c727d?s=48 cubicdaiya
0
2.1k
5d74d743eabd2bf7d4d2f68b9d3c727d?s=48 cubicdaiya
5
2.6k
5d74d743eabd2bf7d4d2f68b9d3c727d?s=48 cubicdaiya
11
11k
5d74d743eabd2bf7d4d2f68b9d3c727d?s=48 cubicdaiya
8
5.5k

Other Decks in Technology

See All in Technology
091dd27febe18fcb155ffbdb0dd63e02?s=48 hatumeika
0
4.3k
7cb78d6108cc74bec0f2f001127f662a?s=48 hiroki_hasegawa
0
160
A645e7c3a6635ead8fa323c583769591?s=48 hololab
0
630
6d161fe47f36ac295189c3b6a0db2a9a?s=48 masahirokawahara
0
290
46e8de7d6e95be6327e8c49bf3b0c028?s=48 chao2suke
0
320
45daf58c77e9dbbab5a1c8a5afc7ac5c?s=48 koba04
1
740
B4dde7c05044041075d7e55d705e9cc3?s=48 youmitsu
1
2.5k
00101a1274d1f92977f4e442ef73be86?s=48 ahana
0
110
58d2fa98345951d9a57fdd6cfd5d0f64?s=48 aszx87410
0
240
413a764e6df9d7f2adbddb0b278ebb7e?s=48 sosai
0
170
0ed10d1154c696886ca483fe827cb299?s=48 thatjeffsmith
0
430
D8d463da5ab4a99265ffc1d12e76cbc9?s=48 sagara
1
400

Featured

See All Featured
E76911cbe088e5b850d966de3fc7435b?s=48 robhawkes
56
3k
4394ceb8b277f35ee3da7030384efb5d?s=48 davidbonilla
75
3.8k
E195ae45320d9202eaa01c9f1d31a416?s=48 marktimemedia
15
720
433acaea1012b25d97ae66da9b998dad?s=48 malarkey
396
61k
E837d2996f52008ace055a08fbfff992?s=48 frogandcode
129
20k
88bc30284c6a424b63a92aad27d0ba36?s=48 jnunemaker
PRO
43
4.9k
C0390e8b11079f8761c0cd3274ed61cb?s=48 productmarketing
11
1.1k
053e75a5b48b44d6dd0612795dfb326d?s=48 notwaldorf
54
3.4k
78b475797a14c84799063c7cd073962f?s=48 holman
451
140k
C86443373fbfe92996aa882d0d7a59f8?s=48 imathis
484
150k
812e1705ff0f8bc1bcf18587bde687d5?s=48 62gerente
594
210k
64827b31aef81498662e8af4bd6d5157?s=48 jonrohan
1021
400k

Transcript

  1. ࣮ફnginx ʙϝϧΧϦͷ৔߹ʙ Tatsuhiko Kubo@cubicdaiya ALM@2015/04/21

  2. ࣗݾ঺հ • ٱอୡ඙(Tatsuhiko Kubo) • bokko@cubicdaiya • Software Engineer in

    Infrastructure Engineering • Mercari, Inc. • Favorites: Go, C, nginx

  3. OSS࡞ͬͨΓίϯτϦϏϡʔτͨ͠Γ

  4. Agenda ϝϧΧϦͰͷnginxͷ׆༻ࣄྫʹ͍ͭͯ

  5. nginx • ੈքͰೋ൪໨ʹར༻͞Ε͍ͯΔOSSͷHTTPαʔό • C10Kʹ଱͑ΒΕΔΞʔΩςΫνϟ • Πϕϯτۦಈ • ϊϯϒϩοΩϯάI/O •

    ඇಉظI/O • ܰྔͰߴ଎

  6. ϝϧΧϦͰΑ͋͘Δޫܠ ࣮ࡍʹ͸͋Δఔ౓ू໿͍ͯ͠·͢

  7. Agenda • Reverse proxy • SSL termination • SPDY gateway

    • L7 load balancer

  8. Agenda • Reverse proxy • SSL termination • SPDY gateway

    • L7 load balancer

  9. ϦόʔεϓϩΩγͱͯ͠ͷnginx • ϦΫΤετͷϩΪϯά • ΞΫηε੍ޚ • ίϯςϯπͷѹॖɾΩϟογϡ • όοϑΝϦϯά •

    etc…

  10. nginx.confͷઃఆྫ server { listen 443 ssl spdy; server_name xxx.yyy; #

    ϓϩΩγઃఆ proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Connection ""; proxy_http_version 1.1; proxy_buffers 50 8k; # ੩తίϯςϯπ͸nginxͰฦ͢ location ~ /(styles|js|images)/ { root /usr/share/zabbix; expires 30d; } # Zabbix(༻ͷgoogle_auth_proxy)΁ϓϩΩγ location / { proxy_pass http://google_auth_proxy_for_zabbix; } }

  11. લஈʹnginxΛஔ͘ϝϦοτ • HTTP or HTTPSαʔόʹඞཁͳλεΫΛҰ௨Γ͜ͳͤΔ • ΞϓϦέʔγϣϯαʔό(e.g. Unicorn)ʹ଍Γͳ͍ػೳΛิ׬ • ωοτϫʔΫϨΠςϯγͷվળ

    • KeepAlive • gzipѹॖ • TLS Session (Cache | Tickets)ɺOCSP Stapling • SPDY • etc…

  12. Agenda • Reverse proxy • SSL termination • SPDY gateway

    • L7 load balancer

  13. HTTPS௨৴ͷߴ଎Խ • ҰൠʹHTTPS௨৴Ͱ͸TCP 3-way handshakeʹՃ͑ͯ TLS 3-way handshake͕ൃੜ͢ΔͷͰHTTP௨৴ΑΓ஗͘ͳΔ • HTTPS௨৴ߴ଎ԽͷͨΊͷࡾछͷਆث

    • TLS Session Cache • TLS Session Tickets • OCSP Stapling

  14. TLS Session Cache • TLSϋϯυγΣΠΫͷηογϣϯ৘ใΛαʔόʹ Ωϟογϡ • nginxͰ͸ڞ༗ϝϞϦ্ʹΩϟογϡ͞ΕΔ • ࣍ճͷTLSϋϯυγΣΠΫΛলུ

    • CPUͷϦιʔεͷ࡟ݮ΍ϨΠςϯγͷղফʹޮՌ͕͋Δ

  15. TLS Session Cache with nginx

  16. TLS Session Tickets • ҉߸Խͨ͠ηογϣϯ৘ใ(νέοτ)ΛΫϥΠΞϯ τʹ౉͢ • νέοτΛݩʹTLSηογϣϯΛ࠶։ • HTTPSαʔόෳ਺୆Ͱηογϣϯ৘ใΛڞ༗Ͱ͖Δ

    • εϚϗͩͱαϙʔτ͍ͯ͠Δ୺຤͕গͳ͍…

  17. TLS Session Tickets with nginx

  18. OCSP Stapling • OCSPʹΑΔSSLূ໌ॻͷࣦޮ֬ೝΛαʔόଆͰߦͬ ͯΩϟογϡ • ΫϥΠΞϯτଆͰ΍ΔͱTLSϋϯυγΣΠΫ࣌ʹϨΠ ςϯγ͕ൃੜ͢Δ • ΍ͬͺΓεϚϗͩͱ͋Μ·ΓରԠͯ͠ͳ͍

    • Google Chrome for iOSͩͱରԠͯͨ͠

  19. OCSP Stapling with nginx ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate /etc/nginx/ssl/xxx.yyy.ocsp.crt;

    resolver xxx.xxx.xxx.xxx valid=30s; resolver_timeout 5s;

  20. Agenda • Reverse proxy • SSL termination • SPDY gateway

    • L7 load balancer

  21. SPDY with nginx

  22. Ͱɺ࣮ࡍͷޮՌ͸ͱݴ͏ͱ

  23. TLS Session (Cache|Tickets) ಋೖλΠϛϯά

  24. TLS Session (Cache|Tickets) ಋೖλΠϛϯά

  25. SPDY 41%:ಋೖͨ͠೔ͷϐʔΫ

  26. ΋͏ͪΐͬͱ۩ମతͳྫ

  27. ೔ຊ͔Βւ֎ͷZabbix dashboardʹΞΫηε

  28. Client • MacBookPro • Google Chrome • HTTP/2༗ޮ • ϒϥ΢βΩϟογϡ͸ৗʹແޮˣ

  29. Server(ॳظঢ়ଶ) • Apache(prefork) + mod_php • த਎͸Zabbix • KeepAlive Off

    • gzipѹॖແޮ • TLS Session Cache & Tickets༗ޮ

  30. Server(ॳظঢ়ଶ) "QBDIF 1PSU HTTPS Server (PPHMF"VUI1SPYZ "QBDIF 1PSU SSLऴ୺ Ϣʔβೝূ

    Zabbix

  31. ύϑΥʔϚϯε(ॳظঢ়ଶ) ߲໨໊ ܭଌ஋ લճ ͱͷൺֱ ॳظঢ়ଶ ͱͷൺֱ 3FDFJWFESFRVFTUT  

     %BUB5SBOTGFS ,#   -PBE5JNF TFD   %0.$POUFOU-PBE FE5JNF TFD  

  32. νϡʔχϯά ͦͷ1 KeepAlive On KeepAliveΛ༗ޮʹ͢Δ

  33. ύϑΥʔϚϯε ߲໨໊ ܭଌ஋ લճ ͱͷൺֱ ॳظঢ়ଶ ͱͷൺֱ 3FDFJWFESFRVFTUT  

     %BUB5SBOTGFS ,# ,# ,# -PBE5JNF TFD TFD TFD %0.$POUFOU-PBE FE5JNF TFD TFD TFD

  34. νϡʔχϯά ͦͷ2 <IfModule mod_deflate.c> AddOutputFilterByType DEFLATE text/html AddOutputFilterByType DEFLATE text/css

    AddOutputFilterByType DEFLATE text/js AddOutputFilterByType DEFLATE text/javascript AddOutputFilterByType DEFLATE application/javascript AddOutputFilterByType DEFLATE application/json-rpc </IfModule> gzipѹॖΛ༗ޮʹ͢Δ

  35. ύϑΥʔϚϯε ߲໨໊ ܭଌ஋ લճ ͱͷൺֱ ॳظঢ়ଶ ͱͷൺֱ 3FDFJWFESFRVFTUT  

     %BUB5SBOTGFS ,# ,# ,# -PBE5JNF TFD TFD TFD %0.$POUFOU-PBEF E5JNF TFD TFD TFD

  36. νϡʔχϯάͦͷ3 "QBDIF 1PSU HTTPS Server (PPHMF"VUI1SPYZ "QBDIF 1PSU SSLऴ୺ Ϣʔβೝূ

    Zabbix OHJOY 1PSU SSLऴ୺ΛnginxͰߦ͏

  37. νϡʔχϯάͦͷ3 # nginx.conf # in main context worker_processes auto; tcp_nopush

    on; keepalive_timeout 65s; open_file_cache max=1000 inactive=20s; ssl_session_cache shared:SSL:30m; gzip on; gzip_comp_level 9; gzip_types text/css text/plain text/js text/javascript application/javascript application/json-rpc; # in event context accept_mutex_delay 100ms; # in event context ੩తϑΝΠϧ͸શ෦nginxͰ഑৴͢Δ

  38. ύϑΥʔϚϯε ߲໨໊ ܭଌ஋ લճ ͱͷൺֱ ॳظঢ়ଶ ͱͷൺֱ 3FDFJWFESFRVFTUT  

     %BUB5SBOTGFS ,# ,# ,# -PBE5JNF TFD TFD TFD %0.$POUFOU-PBEF E5JNF TFD TFD TFD

  39. νϡʔχϯάͦͷ4 listen 443 ssl spdy; SPDY/3.1Λ༗ޮʹ͢Δ

  40. ύϑΥʔϚϯε ߲໨໊ ܭଌ஋ લճ ͱͷൺֱ ॳظঢ়ଶ ͱͷൺֱ 3FDFJWFESFRVFTUT  

     %BUB5SBOTGFS ,# ,# ,# -PBE5JNF TFD TFD TFD %0.$POUFOU-PBEF E5JNF TFD TFD TFD ࠷ऴతʹWebϖʔδͷϩʔυ͕࣌ؒ4ඵ͔Β1ඵʹ

  41. Agenda • Reverse proxy • SSL termination • SPDY gateway

    • L7 load balancer

  42. OHJOY

  43. ൚༻ϓογϡ௨஌γεςϜ PS CBUDIαʔό

  44. ·ͱΊ • nginx͸ • ϝϧΧϦ಺ͰαʔϏεɺࣾ಺γεςϜͰ͍ΖΜ ͳՕॴʹڬΜͰ׆༻͍ͯ͠·͢ • L7ϩʔυόϥϯαʔɺϦόϓϩɺSSLऴ୺αʔ όͱͯ͠ͱͯ΋༏ल •

    ࠓޙ΋ར༻Օॴ͕૿͑Δ༧ఆ