Upgrade to Pro — share decks privately, control downloads, hide ads and more …

実践nginx〜メルカリの場合〜

Avatar for Tatsuhiko Kubo Tatsuhiko Kubo
April 22, 2015
Technology
53
33k

 実践nginx〜メルカリの場合〜

Avatar for Tatsuhiko Kubo

Tatsuhiko Kubo

April 22, 2015
Tweet

More Decks by Tatsuhiko Kubo

See All by Tatsuhiko Kubo
Handling a tremendous amount of images with Fastly / Yamagoya Traverse 2020
Avatar for Tatsuhiko Kubo cubicdaiya
2
1.5k
System Integration with Fastly
Avatar for Tatsuhiko Kubo cubicdaiya
0
620
実例で学ぶ画像最適化集 with ImageFlux / ImageFlux meetup#2
Avatar for Tatsuhiko Kubo cubicdaiya
4
19k
Software Engineer, Infrastructure
Avatar for Tatsuhiko Kubo cubicdaiya
4
3.2k
High Performance Count Up!
Avatar for Tatsuhiko Kubo cubicdaiya
0
370
ImageFluxを利用した画像配信の最適化 / ImageFlux meetup 201801
Avatar for Tatsuhiko Kubo cubicdaiya
0
3k
Building high performance push notification server in Go
Avatar for Tatsuhiko Kubo cubicdaiya
5
3.3k
メルカリのデータ分析基盤 / mercari data analysis infrastructure
Avatar for Tatsuhiko Kubo cubicdaiya
11
12k
On-call Engineering
Avatar for Tatsuhiko Kubo cubicdaiya
8
6.7k

Other Decks in Technology

See All in Technology
Connect 100+を支える技術
Avatar for Yamakan kanyamaguc
0
180
マネジメントって難しい、けどおもしろい / Management is tough, but fun! #em_findy
Avatar for ar_tama ar_tama
5
680
B2C&B2B&社内向けサービスを抱える開発組織におけるサービス価値を最大化するイニシアチブ管理
Avatar for Belong inc. belongadmin
1
5.6k
asken AI勉強会(Android)
Avatar for 佐藤忠 tadashi_sato
0
170
SmartNewsにおける 1000+ノード規模 K8s基盤 でのコスト最適化 – Spot・Gravitonの大規模導入への挑戦
Avatar for ishikawa ryu vsanna2
0
120
改めてAWS WAFを振り返る~業務で使うためのポイント~
Avatar for モブエンジニア masakiokuda
2
230
Witchcraft for Memory
Avatar for pocke pocke
1
740
OPENLOGI Company Profile for engineer
Avatar for OPENLOGI hr01
1
33k
生成AI時代 文字コードを学ぶ意義を見出せるか?
Avatar for hiroshi ueda hrsued
1
790
MobileActOsaka_250704.pdf
Avatar for AKAI Tadaaki akaitadaaki
0
110
品質と速度の両立:生成AI時代の品質保証アプローチ
Avatar for odasho odasho
1
190
Understanding_Thread_Tuning_for_Inference_Servers_of_Deep_Models.pdf
Avatar for LINEヤフーTech (LY Corporation Tech) lycorptech_jp
PRO
0
160

Featured

See All Featured
For a Future-Friendly Web
Avatar for Brad Frost brad_frost
179
9.8k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
Avatar for Sam Stephenson sstephenson
161
15k
Bootstrapping a Software Product
Avatar for Garrett Dimon garrettdimon
PRO
307
110k
Bash Introduction
Avatar for André Augusto Costa Santos 62gerente
614
210k
Stop Working from a Prison Cell
Avatar for Chris Michel hatefulcrawdad
270
21k
Product Roadmaps are Hard
Avatar for C. Todd Lombardo iamctodd
PRO
54
11k
The Language of Interfaces
Avatar for Des Traynor destraynor
158
25k
The Pragmatic Product Professional
Avatar for Laura Van Doore lauravandoore
35
6.7k
Writing Fast Ruby
Avatar for Erik Berlin sferik
628
62k
Making the Leap to Tech Lead
Avatar for Ryan Cromwell cromwellryan
134
9.4k
Building Better People: How to give real-time feedback that sticks.
Avatar for Will Jessup wjessup
367
19k
Building Adaptive Systems
Avatar for Chris Keathley keathley
43
2.6k

Transcript

  1. ࣮ફnginx ʙϝϧΧϦͷ৔߹ʙ Tatsuhiko Kubo@cubicdaiya ALM@2015/04/21

  2. ࣗݾ঺հ • ٱอୡ඙(Tatsuhiko Kubo) • bokko@cubicdaiya • Software Engineer in

    Infrastructure Engineering • Mercari, Inc. • Favorites: Go, C, nginx

  3. OSS࡞ͬͨΓίϯτϦϏϡʔτͨ͠Γ

  4. Agenda ϝϧΧϦͰͷnginxͷ׆༻ࣄྫʹ͍ͭͯ

  5. nginx • ੈքͰೋ൪໨ʹར༻͞Ε͍ͯΔOSSͷHTTPαʔό • C10Kʹ଱͑ΒΕΔΞʔΩςΫνϟ • Πϕϯτۦಈ • ϊϯϒϩοΩϯάI/O •

    ඇಉظI/O • ܰྔͰߴ଎

  6. ϝϧΧϦͰΑ͋͘Δޫܠ ࣮ࡍʹ͸͋Δఔ౓ू໿͍ͯ͠·͢

  7. Agenda • Reverse proxy • SSL termination • SPDY gateway

    • L7 load balancer

  8. Agenda • Reverse proxy • SSL termination • SPDY gateway

    • L7 load balancer

  9. ϦόʔεϓϩΩγͱͯ͠ͷnginx • ϦΫΤετͷϩΪϯά • ΞΫηε੍ޚ • ίϯςϯπͷѹॖɾΩϟογϡ • όοϑΝϦϯά •

    etc…

  10. nginx.confͷઃఆྫ server { listen 443 ssl spdy; server_name xxx.yyy; #

    ϓϩΩγઃఆ proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Connection ""; proxy_http_version 1.1; proxy_buffers 50 8k; # ੩తίϯςϯπ͸nginxͰฦ͢ location ~ /(styles|js|images)/ { root /usr/share/zabbix; expires 30d; } # Zabbix(༻ͷgoogle_auth_proxy)΁ϓϩΩγ location / { proxy_pass http://google_auth_proxy_for_zabbix; } }

  11. લஈʹnginxΛஔ͘ϝϦοτ • HTTP or HTTPSαʔόʹඞཁͳλεΫΛҰ௨Γ͜ͳͤΔ • ΞϓϦέʔγϣϯαʔό(e.g. Unicorn)ʹ଍Γͳ͍ػೳΛิ׬ • ωοτϫʔΫϨΠςϯγͷվળ

    • KeepAlive • gzipѹॖ • TLS Session (Cache | Tickets)ɺOCSP Stapling • SPDY • etc…

  12. Agenda • Reverse proxy • SSL termination • SPDY gateway

    • L7 load balancer

  13. HTTPS௨৴ͷߴ଎Խ • ҰൠʹHTTPS௨৴Ͱ͸TCP 3-way handshakeʹՃ͑ͯ TLS 3-way handshake͕ൃੜ͢ΔͷͰHTTP௨৴ΑΓ஗͘ͳΔ • HTTPS௨৴ߴ଎ԽͷͨΊͷࡾछͷਆث

    • TLS Session Cache • TLS Session Tickets • OCSP Stapling

  14. TLS Session Cache • TLSϋϯυγΣΠΫͷηογϣϯ৘ใΛαʔόʹ Ωϟογϡ • nginxͰ͸ڞ༗ϝϞϦ্ʹΩϟογϡ͞ΕΔ • ࣍ճͷTLSϋϯυγΣΠΫΛলུ

    • CPUͷϦιʔεͷ࡟ݮ΍ϨΠςϯγͷղফʹޮՌ͕͋Δ

  15. TLS Session Cache with nginx

  16. TLS Session Tickets • ҉߸Խͨ͠ηογϣϯ৘ใ(νέοτ)ΛΫϥΠΞϯ τʹ౉͢ • νέοτΛݩʹTLSηογϣϯΛ࠶։ • HTTPSαʔόෳ਺୆Ͱηογϣϯ৘ใΛڞ༗Ͱ͖Δ

    • εϚϗͩͱαϙʔτ͍ͯ͠Δ୺຤͕গͳ͍…

  17. TLS Session Tickets with nginx

  18. OCSP Stapling • OCSPʹΑΔSSLূ໌ॻͷࣦޮ֬ೝΛαʔόଆͰߦͬ ͯΩϟογϡ • ΫϥΠΞϯτଆͰ΍ΔͱTLSϋϯυγΣΠΫ࣌ʹϨΠ ςϯγ͕ൃੜ͢Δ • ΍ͬͺΓεϚϗͩͱ͋Μ·ΓରԠͯ͠ͳ͍

    • Google Chrome for iOSͩͱରԠͯͨ͠

  19. OCSP Stapling with nginx ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate /etc/nginx/ssl/xxx.yyy.ocsp.crt;

    resolver xxx.xxx.xxx.xxx valid=30s; resolver_timeout 5s;

  20. Agenda • Reverse proxy • SSL termination • SPDY gateway

    • L7 load balancer

  21. SPDY with nginx

  22. Ͱɺ࣮ࡍͷޮՌ͸ͱݴ͏ͱ

  23. TLS Session (Cache|Tickets) ಋೖλΠϛϯά

  24. TLS Session (Cache|Tickets) ಋೖλΠϛϯά

  25. SPDY 41%:ಋೖͨ͠೔ͷϐʔΫ

  26. ΋͏ͪΐͬͱ۩ମతͳྫ

  27. ೔ຊ͔Βւ֎ͷZabbix dashboardʹΞΫηε

  28. Client • MacBookPro • Google Chrome • HTTP/2༗ޮ • ϒϥ΢βΩϟογϡ͸ৗʹແޮˣ

  29. Server(ॳظঢ়ଶ) • Apache(prefork) + mod_php • த਎͸Zabbix • KeepAlive Off

    • gzipѹॖແޮ • TLS Session Cache & Tickets༗ޮ

  30. Server(ॳظঢ়ଶ) "QBDIF 1PSU HTTPS Server (PPHMF"VUI1SPYZ "QBDIF 1PSU SSLऴ୺ Ϣʔβೝূ

    Zabbix

  31. ύϑΥʔϚϯε(ॳظঢ়ଶ) ߲໨໊ ܭଌ஋ લճ ͱͷൺֱ ॳظঢ়ଶ ͱͷൺֱ 3FDFJWFESFRVFTUT  

     %BUB5SBOTGFS ,#   -PBE5JNF TFD   %0.$POUFOU-PBE FE5JNF TFD  

  32. νϡʔχϯά ͦͷ1 KeepAlive On KeepAliveΛ༗ޮʹ͢Δ

  33. ύϑΥʔϚϯε ߲໨໊ ܭଌ஋ લճ ͱͷൺֱ ॳظঢ়ଶ ͱͷൺֱ 3FDFJWFESFRVFTUT  

     %BUB5SBOTGFS ,# ,# ,# -PBE5JNF TFD TFD TFD %0.$POUFOU-PBE FE5JNF TFD TFD TFD

  34. νϡʔχϯά ͦͷ2 <IfModule mod_deflate.c> AddOutputFilterByType DEFLATE text/html AddOutputFilterByType DEFLATE text/css

    AddOutputFilterByType DEFLATE text/js AddOutputFilterByType DEFLATE text/javascript AddOutputFilterByType DEFLATE application/javascript AddOutputFilterByType DEFLATE application/json-rpc </IfModule> gzipѹॖΛ༗ޮʹ͢Δ

  35. ύϑΥʔϚϯε ߲໨໊ ܭଌ஋ લճ ͱͷൺֱ ॳظঢ়ଶ ͱͷൺֱ 3FDFJWFESFRVFTUT  

     %BUB5SBOTGFS ,# ,# ,# -PBE5JNF TFD TFD TFD %0.$POUFOU-PBEF E5JNF TFD TFD TFD

  36. νϡʔχϯάͦͷ3 "QBDIF 1PSU HTTPS Server (PPHMF"VUI1SPYZ "QBDIF 1PSU SSLऴ୺ Ϣʔβೝূ

    Zabbix OHJOY 1PSU SSLऴ୺ΛnginxͰߦ͏

  37. νϡʔχϯάͦͷ3 # nginx.conf # in main context worker_processes auto; tcp_nopush

    on; keepalive_timeout 65s; open_file_cache max=1000 inactive=20s; ssl_session_cache shared:SSL:30m; gzip on; gzip_comp_level 9; gzip_types text/css text/plain text/js text/javascript application/javascript application/json-rpc; # in event context accept_mutex_delay 100ms; # in event context ੩తϑΝΠϧ͸શ෦nginxͰ഑৴͢Δ

  38. ύϑΥʔϚϯε ߲໨໊ ܭଌ஋ લճ ͱͷൺֱ ॳظঢ়ଶ ͱͷൺֱ 3FDFJWFESFRVFTUT  

     %BUB5SBOTGFS ,# ,# ,# -PBE5JNF TFD TFD TFD %0.$POUFOU-PBEF E5JNF TFD TFD TFD

  39. νϡʔχϯάͦͷ4 listen 443 ssl spdy; SPDY/3.1Λ༗ޮʹ͢Δ

  40. ύϑΥʔϚϯε ߲໨໊ ܭଌ஋ લճ ͱͷൺֱ ॳظঢ়ଶ ͱͷൺֱ 3FDFJWFESFRVFTUT  

     %BUB5SBOTGFS ,# ,# ,# -PBE5JNF TFD TFD TFD %0.$POUFOU-PBEF E5JNF TFD TFD TFD ࠷ऴతʹWebϖʔδͷϩʔυ͕࣌ؒ4ඵ͔Β1ඵʹ

  41. Agenda • Reverse proxy • SSL termination • SPDY gateway

    • L7 load balancer

  42. OHJOY

  43. ൚༻ϓογϡ௨஌γεςϜ PS CBUDIαʔό

  44. ·ͱΊ • nginx͸ • ϝϧΧϦ಺ͰαʔϏεɺࣾ಺γεςϜͰ͍ΖΜ ͳՕॴʹڬΜͰ׆༻͍ͯ͠·͢ • L7ϩʔυόϥϯαʔɺϦόϓϩɺSSLऴ୺αʔ όͱͯ͠ͱͯ΋༏ल •

    ࠓޙ΋ར༻Օॴ͕૿͑Δ༧ఆ