System Integration with Fastly

System Integration with Fastly

5d74d743eabd2bf7d4d2f68b9d3c727d?s=128

Tatsuhiko Kubo

February 20, 2019
Tweet

Transcript

  1. 3.
  2. 4.

    ϝϧΧϦʹ͍ͭͯ • ೔ຊ࠷େͷϑϦϚΞϓϦ • 3෼Ͱ؆୯ʹग़඼ • 1) ࣸਅΛࡱΔ • 2)

    ঎඼৘ใΛهೖ • 3) ग़඼ϘλϯΛԡ͢ • ҆৺҆શͳܾࡁɾऔҾ • ΤεΫϩʔ • ಗ໊഑ૹ
  3. 6.

    Fastly products in Mercari • Full-Site Delivery • ImageOptimizer •

    Web Application Firewall • Enterprise Support • etc…
  4. 10.

    Datadog Integration with Fastly • FastlyͷϝτϦΫεΛDatadog্ͰදࣔɺΧελϚΠζͰ͖Δ • e.g. hit_ratio, requests,

    bandwidth, status_4xx, status_5xx, etc… • ෳ਺ͷϝτϦΫεΛ૊Έ߹ΘͤͯಠࣗͷϝτϦΫεΛ࡞੒͢Δ͜ͱ΋Մೳ • ᮢ஋Λઃఆͯ͠ΞϥʔτΛඈ͹͢͜ͱ΋Ͱ͖Δ • Historical Stats APIͷσʔλ͕ͦͷ··Datadog্Ͱѻ͑ΔΠϝʔδ
  5. 13.

    Ωϟογϡώοτ཰ͷܭࢉʢShielding͕༗ޮͳ৔߹ʣ Hit Ratio(True) = (1 − miss − shield requests

    − shield ) × 100 miss: Number of cache misses shield: number of requests from Shield to Origin requests: Number of Requests Processed The truth about cache hit ratios: https://www.fastly.com/blog/truth-about-cache-hit-ratios
  6. 15.

    Origin Shield • Edge POPͱOriginͷதؒʹ഑ஔ͢ΔPOP • Edge POPͷΩϟογϡʹώοτ͠ͳ͔ͬͨ෼ΛΧόʔ • Ωϟογϡώοτ཰ͷେ͖ͳ޲্͕ݟࠐΊΔ

    • Documents • https://docs.fastly.com/ja/guides/performance-tuning/shielding • hit_ratio͸Edge POPͷΈͷΩϟογϡώοτ཰
  7. 16.

    Shieldingͷon/offͰӨڹΛड͚ΔϝτϦΫεͷྫ • hit_ratio • only Edge POP • requests •

    involve shield • bandwidth • beresp_header_bytes + beresp_body_bytes + resp_header_bytes + resp_body_bytes • resp_header_bytes, resp_body_bytes • involve shield_header_bytes, shield_body_bytes
  8. 18.

    ϦϞʔτϩάετϦʔϛϯά • Amazon S3΍Google Cloud StorageɺGoogle BigQueryΛ͸͡Ίɺ ৭ʑͳαʔϏεʹϩάΛసૹՄೳ • Syslog΋Մೳ

    • Datadog IntegrationΑΓ΋खؒ͸ଟ͍͚Ͳɺॊೈੑ͸ߴ͍ • ϩάͷεΩʔϚʹVCLͷม਺͕ར༻Ͱ͖Δ
  9. 20.

    Fastly API • FastlyͷػೳΛRESTfulͳAPIӽ͠ʹར༻Ͱ͖Δ • e.g. PurgeɺStatsɺConfigurationɺWAFɺetc… • Documents •

    https://docs.fastly.com/api/ • ػೳʹΑͬͯ͸API͔Β͔͠ར༻Ͱ͖ͳ͍΋ͷ΋͋Δ • όʔδϣϯͷϩοΫɺWAF౳
  10. 22.

    curlͰFastly APIΛୟ͘ $ curl \ -X GET -H ‘Fastly-Key: xxx’

    \ -H ‘Accept: application/json’ \ https://api.fastly.com/…
  11. 24.

    mfc

  12. 25.

    mfc • In-house Fastly CLI at Mercari • GoͰ࣮૷ •

    ओʹACL΍WAFܥͷΦϖϨʔγϣϯͰͨ·ʹ࢖͏
  13. 26.

    mfc configuration $ cat ~/.fastly/conf.toml [target] service = “service-A” [[services]]

    service = “service-A” apikey = “…” waf = “…” [[services]] service = “service-B” apikey = “…”
  14. 27.

    Usage of mfc • $ mfc Usage of mfc: config

    the utility for mfc configuration service the utility for fastly service acl the utility for fastly ACL waf the utlity fro fastly WAF (etc…) • ػೳྖҬຖʹαϒίϚϯυΛఆٛ • ACL, Service, Version౳ • ౰ॳ͸ผʑͷϓϩάϥϜ͚ͩͬͨͲɺ૿͖͑ͯͨͷͰ౷߹ switch args[1] { case “config”: return config.NewCLI().Run(args) case “service”: return service.NewCLI().Run(args) case “acl”: return acl.NewCLI().Run(args) case “…” … } ಈ࡞Πϝʔδ
  15. 28.

    ACL operation $ mfc acl show | jq -r ‘.[].name’

    whitelist blacklist … $ mfc acl list -name whitelist $ mfc acl add -name whitelist \ -ip x.x.x.x/32 \ -comment “Added x to whitelist” ▪ACLͷҰཡΛྻڍ ▪ACLΤϯτϦͷҰཡΛྻڍ ▪ACLʹΤϯτϦΛ௥Ճ $ mfc acl del -name blacklist \ -entry-id xxx ▪ACL͔ΒΤϯτϦΛ࡟আ ▪ACLΛ࡞੒ $ mfc acl create -name whitelist -version 10 ▪ ACLʹσʔλΛಉظ $ mfc acl sync -name blacklist \ -provider blacklist.json
  16. 29.

    WAF operation $ mfc waf list … $ mfc acl

    -h Usage of waf: mfc waf list list all active waf objects mfc waf rule show show waf rule mfc waf rule status show and change waf rule status mfc waf rule vcl show waf rule vcl mfc waf ruleset show show waf ruleset mfc waf ruleset update update waf ruleset $ mfc waf rule show -id rule_id $ mfc waf rule status -id rule_id ▪ WAF ObjectͷҰཡΛྻڍ ▪ WAF Ruleͷ֓ཁΛ֬ೝ ▪ WAF RuleͷεςʔλεΛ֬ೝ ▪ Help $ mfc waf rule status -id rule_id -set disabled ▪ WAF RuleͷεςʔλεΛdisabledʹมߋ ▪ WAF Ruleͷ࣮૷(VCL)ΛಡΉ $ mfc waf rule vcl -id rule_id
  17. 32.

    ActiveͳόʔδϣϯΛநग़͢Δ • ConfigurationܥͷAPI͸όʔδϣϯͷࢦఆΛཁٻ͢Δ΋ͷ͕ଟ͍ • e.g. ACL • GET /service/service_id/version/version/acl •

    mfcʹΑΔૢ࡞͸activeͳόʔδϣϯʹରͯ͠ߦ͏΋ͷ͕ଟ͍ • ຖճactiveͳόʔδϣϯͲΕ͚ͩͬʁΈ͍ͨͳࣄଶ͸໘౗ͳͷͰආ͚͍ͨ • e.g. mfc acl show ͸activeͳόʔδϣϯΛࣗಈͰऔಘ࣮ͯ͠ߦ͞ΕΔ