knockrd / kichijojipm23
FUJIWARA Shunichiro
July 21, 2020
Technology
Transcript
knockrd @fujiwara 2020.07.21 Kichijoji.pm #23
About me: @fujiwara github.com/fujiwara
"Looking back at what I have been up to"
Telework: is it a non-starter without a VPN?
Beefing up the VPN
Why is a VPN needed?
1. To reach servers on the company network
• Fair enough
• But at our company those almost don't exist (AWS, G Suite...)
2. External servers restrict access by source IP address
• Understandable
• But it's painful. I'd stop doing it if I could
What is painful about IP address restrictions
• There are lots of sites (one IP address per office)
• They come and go (and each time someone has to add or delete entries)
• Old addresses never get removed (nobody even remembers they exist)
• "It's restricted by IP address anyway" tends to make things sloppy (other authentication gets skipped)
So remote work needs a VPN!!!
If you put authentication other than IP address restriction in front…
• github.com/oauth2-proxy/oauth2-proxy
• github.com/sorah/nginx_omniauth_adapter
• github.com/shogo82148/go-nginx-oauth2-adapter
• AWS ALB
These add OAuth (OIDC) authentication without touching the existing application. Extremely convenient.
Cases where you have no choice but to restrict by IP address
• There are use cases for access from something other than a browser: a CLI, a game client that is not a browser, and so on
• Since it is not a browser, OAuth (OIDC) authentication is not possible
Examples at our company
• The debug API of a game under development
• Checking that things work during server maintenance
So I built one: knockrd github.com/fujiwara/knockrd
github.com/fujiwara/knockrd
Software that allows connections from the IP address a browser accessed it from, for a fixed period of time (the name is inspired by port knocking)
1. Protect /allow by some means (OAuth, for example)
2. POST /allow → record the IP address in DynamoDB
From here on there are several ways to…
Combining with nginx auth_request
1. Protect /allow by some means (OAuth, for example)
2. POST /allow → record the IP address in DynamoDB
3. On access to any other URL, nginx auth_request sends GET /auth
4. If the IP address is in DynamoDB: 200 OK
5. If it is not there, or has expired: 401 Unauthorized
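The allow/auth flow from the steps above, as an added example written for this page rather than knockrd's own code. It keeps an in-memory map of expiry times in place of DynamoDB and its TTL attribute, takes the client address from an X-Real-IP header that nginx is assumed to set (the service is assumed to be reachable only through nginx), and the listen port and TTL are example values. In nginx, the protected locations would carry `auth_request /auth;` and an internal `location = /auth` proxying to this service, and POST /allow would be proxied to it behind oauth2-proxy or ALB OIDC; that wiring is left to the proxy.

```go
package main

// Added example, not knockrd's code. An in-memory map with expiry stands in for
// DynamoDB; nginx is assumed to set X-Real-IP and to be the only path to this
// service; port and TTL are example values.

import (
	"fmt"
	"log"
	"net"
	"net/http"
	"sync"
	"time"
)

// Store maps an allowed IP address to the time its allowance expires.
type Store struct {
	mu      sync.Mutex
	expires map[string]time.Time
	ttl     time.Duration
}

func NewStore(ttl time.Duration) *Store {
	return &Store{expires: make(map[string]time.Time), ttl: ttl}
}

// Allow records ip for one TTL window starting at now and returns the expiry.
// Allowing the same address again simply extends the window.
func (s *Store) Allow(ip string, now time.Time) time.Time {
	s.mu.Lock()
	defer s.mu.Unlock()
	exp := now.Add(s.ttl)
	s.expires[ip] = exp
	return exp
}

// IsAllowed reports whether ip has an unexpired entry. Expired entries are
// deleted on read, so an address nobody disallowed still stops working by itself.
func (s *Store) IsAllowed(ip string, now time.Time) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	exp, ok := s.expires[ip]
	if !ok {
		return false
	}
	if !now.Before(exp) {
		delete(s.expires, ip)
		return false
	}
	return true
}

// clientIP returns the address to record or check. X-Real-IP is trusted only
// because nginx overwrites it; a client-supplied value reaching here directly
// would let anyone allow-list an arbitrary address.
func clientIP(r *http.Request) (string, error) {
	if v := r.Header.Get("X-Real-IP"); v != "" {
		ip := net.ParseIP(v)
		if ip == nil {
			return "", fmt.Errorf("invalid X-Real-IP %q", v)
		}
		return ip.String(), nil
	}
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return "", err
	}
	return host, nil
}

// NewHandler wires /allow and /auth. Protecting /allow with OAuth happens at
// the proxy, outside this code. now is injectable so expiry can be tested.
func NewHandler(s *Store, now func() time.Time) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/allow", func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost { // POST only, as on the slides
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		ip, err := clientIP(r)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		exp := s.Allow(ip, now())
		fmt.Fprintf(w, "allowed %s until %s\n", ip, exp.UTC().Format(time.RFC3339))
	})
	// nginx's auth_request subrequest lands here: 200 lets the original request
	// through; 401 makes nginx reject it.
	mux.HandleFunc("/auth", func(w http.ResponseWriter, r *http.Request) {
		ip, err := clientIP(r)
		if err != nil || !s.IsAllowed(ip, now()) {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		w.WriteHeader(http.StatusOK)
	})
	return mux
}

func main() {
	h := NewHandler(NewStore(10*time.Minute), time.Now)
	log.Fatal(http.ListenAndServe("127.0.0.1:9876", h)) // example port
}
```

Two details carry the safety of this design: /allow accepts only POST, so a link or image tag on a third-party page cannot allow-list a visitor's address as a side effect, and the address comes from a header only the proxy controls. The expiry check on every /auth is what makes a forgotten entry harmless, the property the last slide relies on.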
Combining with AWS WAFv2 / Security Groups
1. Protect /allow by some means (OAuth, for example)
2. POST /allow → record the IP address in DynamoDB
3. The DynamoDB Stream triggers a Lambda function
4. It registers the IP address in a WAF IP Set / Security Group
5. Disallow / Expire triggers a Lambda function
6. It removes the IP address from the WAF IP Set / Security Group
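For the Lambda in steps 3 to 6, the part worth getting right is the IP set update: WAFv2 UpdateIPSet replaces the whole address list and requires the LockToken returned by GetIPSet, single hosts must be written as /32 (IPv4) or /128 (IPv6), and a TTL deletion arrives on the stream as a REMOVE record whose userIdentity is the dynamodb.amazonaws.com service principal rather than the caller. Below is that reconciliation logic as an added example, not knockrd's code and not the AWS SDK calls themselves. It assumes the table's partition key is a string attribute named IPAddress (an assumption made for this example), and the stream event is a constructed sample.

```go
package main

// Added example, not knockrd's or AWS's code. Computes the complete address
// list for a WAFv2 UpdateIPSet call from the current list plus a DynamoDB
// Streams event. Assumption: the key attribute is a string named "IPAddress".

import (
	"encoding/json"
	"fmt"
	"net"
	"sort"
)

// AttrValue is the string form of a DynamoDB attribute value.
type AttrValue struct {
	S string `json:"S"`
}

// StreamEvent and StreamRecord cover the subset of the DynamoDB Streams
// event shape this logic needs.
type StreamEvent struct {
	Records []StreamRecord `json:"Records"`
}

type StreamRecord struct {
	EventName string `json:"eventName"` // INSERT, MODIFY or REMOVE
	DynamoDB  struct {
		Keys map[string]AttrValue `json:"Keys"`
	} `json:"dynamodb"`
	// Present on TTL deletions: type "Service", principalId
	// "dynamodb.amazonaws.com". An explicit Disallow carries no userIdentity.
	UserIdentity *struct {
		Type        string `json:"type"`
		PrincipalID string `json:"principalId"`
	} `json:"userIdentity"`
}

const KeyAttr = "IPAddress" // assumed key attribute name

// toCIDR converts a single address into the host CIDR a WAF IP set requires.
func toCIDR(s string) (string, error) {
	ip := net.ParseIP(s)
	if ip == nil {
		return "", fmt.Errorf("not an IP address: %q", s)
	}
	if ip.To4() != nil {
		return ip.String() + "/32", nil
	}
	return ip.String() + "/128", nil
}

// Reconcile applies the stream records to the current IP set contents and
// returns the new sorted list, whether it differs from the current one, and
// how many of the removals were TTL expiries rather than explicit disallows.
func Reconcile(current []string, ev StreamEvent) ([]string, bool, int, error) {
	set := make(map[string]bool, len(current))
	for _, a := range current {
		set[a] = true
	}
	expired := 0
	for _, rec := range ev.Records {
		cidr, err := toCIDR(rec.DynamoDB.Keys[KeyAttr].S)
		if err != nil {
			return nil, false, 0, err // a bad key must not silently become a rule
		}
		switch rec.EventName {
		case "INSERT", "MODIFY":
			set[cidr] = true
		case "REMOVE":
			delete(set, cidr)
			if u := rec.UserIdentity; u != nil && u.PrincipalID == "dynamodb.amazonaws.com" {
				expired++
			}
		default:
			return nil, false, 0, fmt.Errorf("unknown eventName %q", rec.EventName)
		}
	}
	addrs := make([]string, 0, len(set))
	for a := range set {
		addrs = append(addrs, a)
	}
	sort.Strings(addrs)
	before := append([]string(nil), current...)
	sort.Strings(before)
	return addrs, !equalStrings(addrs, before), expired, nil
}

func equalStrings(a, b []string) bool {
	if len(a) != len(b) {
		return false
	}
	for i := range a {
		if a[i] != b[i] {
			return false
		}
	}
	return true
}

// SampleEvent is constructed for this example: one allow, one TTL expiry
// (note the service userIdentity), and one IPv6 allow.
const SampleEvent = `{"Records":[
 {"eventName":"INSERT","dynamodb":{"Keys":{"IPAddress":{"S":"203.0.113.5"}}}},
 {"eventName":"REMOVE","userIdentity":{"type":"Service","principalId":"dynamodb.amazonaws.com"},
  "dynamodb":{"Keys":{"IPAddress":{"S":"198.51.100.9"}}}},
 {"eventName":"INSERT","dynamodb":{"Keys":{"IPAddress":{"S":"2001:db8::1"}}}}
]}`

func main() {
	var ev StreamEvent
	if err := json.Unmarshal([]byte(SampleEvent), &ev); err != nil {
		panic(err)
	}
	current := []string{"198.51.100.9/32", "192.0.2.1/32"} // as read via GetIPSet
	addrs, changed, expired, err := Reconcile(current, ev)
	fmt.Println(addrs, changed, expired, err)
}
```

The returned list is what UpdateIPSet (or, for the security-group path, a diff against the group's ingress rules driving AuthorizeSecurityGroupIngress and RevokeSecurityGroupIngress) would be fed; when changed is false the call can be skipped, which also makes a replayed stream batch harmless.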
Use as directed
• Allows a specific IP address only for a fixed (configurable) period
• Removed automatically when the time is up, so a forgotten entry is unlikely to turn into a permanent risk
• If your provider puts you behind NAT, you may not be the only one using that IP address, so take care (this is for engineers with a certain level of knowledge)
• If access only ever comes from a browser, just use oauth2-proxy or similar
github.com/fujiwara/knockrd