Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
knockrd / kichijojipm23
Search
FUJIWARA Shunichiro
July 21, 2020
Technology
1
300
knockrd / kichijojipm23
FUJIWARA Shunichiro
July 21, 2020
Tweet
Share
More Decks by FUJIWARA Shunichiro
See All by FUJIWARA Shunichiro
パフォーマンスチューニングのために普段からできること/Performance Tuning: Daily Practices
fujiwara3
2
150
alecthomas/kong はいいぞ
fujiwara3
6
1.9k
ecspressoの設計思想に至る道 / sekkeinight2025
fujiwara3
12
2.9k
さくらのIaaS基盤のモニタリングとOpenTelemetry/OSC Hokkaido 2025
fujiwara3
3
1.3k
監視のこれまでとこれから/sakura monitoring seminar 2025
fujiwara3
11
5.4k
k6による負荷試験 入門から日常的な実践まで/Re:TechTalk #01
fujiwara3
2
170
困難を「一般解」で解く
fujiwara3
10
3.9k
「隙間家具OSS」に至る道/Fujiwara Tech Conference 2025
fujiwara3
7
13k
alecthomas/kong はいいぞ / kamakura.go#7
fujiwara3
1
1.2k
Other Decks in Technology
See All in Technology
SOTA競争から人間を超える画像認識へ
shinya7y
0
610
プロダクト開発と社内データ活用での、BI×AIの現在地 / Data_Findy
sansan_randd
1
620
ViteとTypeScriptのProject Referencesで 大規模モノレポのUIカタログのリリースサイクルを高速化する
shuta13
3
220
Okta Identity Governanceで実現する最小権限の原則
demaecan
0
190
IBC 2025 動画技術関連レポート / IBC 2025 Report
cyberagentdevelopers
PRO
2
220
20251027_マルチエージェントとは
almondo_event
1
470
アノテーション作業書作成のGood Practice
cierpa0905
PRO
0
260
serverless team topology
_kensh
3
240
生成AI時代のPythonセキュリティとガバナンス
abenben
0
150
Behind Postgres 18: The People, the Code, & the Invisible Work | Claire Giordano | PGConfEU 2025
clairegiordano
0
150
GPUをつかってベクトル検索を扱う手法のお話し~NVIDIA cuVSとCAGRA~
fshuhe
0
220
SRE × マネジメントレイヤーが挑戦した組織・会社のオブザーバビリティ改革 ― ビジネス価値と信頼性を両立するリアルな挑戦
coconala_engineer
0
290
Featured
See All Featured
Leading Effective Engineering Teams in the AI Era
addyosmani
7
660
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
140
34k
GraphQLとの向き合い方2022年版
quramy
49
14k
Building a Modern Day E-commerce SEO Strategy
aleyda
44
7.9k
Building an army of robots
kneath
305
46k
Scaling GitHub
holman
463
140k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
359
30k
Building Adaptive Systems
keathley
44
2.8k
Why You Should Never Use an ORM
jnunemaker
PRO
59
9.6k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
234
17k
How Fast Is Fast Enough? [PerfNow 2025]
tammyeverts
2
120
Dealing with People You Can't Stand - Big Design 2015
cassininazir
367
27k
Transcript
knockrd @fujiwara 2020.07.21 ٢ࣉ.pm23
ࣗݾհ @fujiwara github.com/fujiwara
ʮࠓͷલͷ׆ಈΛৼΓฦΔʯ
ςϨϫʔΫ VPN ͕ ͳ͍ͱͩΊʁ
VPN ૿ڧରԠ
ͳͥ VPN ͕ඞཁ͔ 1. ࣾωοτϫʔΫͷαʔόʹΞΫηε͢ΔͨΊ • ํͳ͍ • Ͱฐࣾʹ͏΄΅ଘࡏ͠ͳ͍ (AWS,
G Suite...) 2. ֎෦ͷαʔό͕ଓݩIPΞυϨεΛ੍ݶ͍ͯ͠Δ • Θ͔Δ • Ͱਏ͍ɻͰ͖ΕΊ͍ͨ
IP ΞυϨε੍ݶͷͳʹ͕ਏ͍͔ ڌ͕͍ͬͺ͍͋Δ (ΦϑΟε͝ͱʹIPΞυϨε) ૿͑ͨΓݮͬͨΓ͢Δ (ͦͷͨͼʹՃআ໘) ݹ͍ΞυϨεΛফ͠ΕΔ (ଘࡏࣗମΕ͍ͯΔ) IPΞυϨεͰ੍ݶͯ͠Δ͔ΒͬͯϢϧϢϧʹ͕ͪ͠ (ଞͷೝূΛαϘΔ)
ϦϞʔτϫʔΫͰ VPN ͕ඞཁ !!!
IP ΞυϨε੍ݶҎ֎ͷೝূΛֻ͚Ε… • github.com/oauth2-proxy/oauth2-proxy • github.com/sorah/nginx_omniauth_adapter • github.com/shogo82148/go-nginx-oauth2-adapter • AWS
ALB طଘΞϓϦέʔγϣϯʹखΛೖΕͣʹ OAuth(OIDC)ೝূΛՃͰ͖Δɻ࠷ߴศར
ΉΛಘͣIPΞυϨε੍ݶΛ͍ͨ͠໘ ϒϥβҎ֎͔ΒΞΫηε͍ͨ͠Ϣʔεέʔε͕͋Δ CLI, ϒϥβͰͳ͍ήʔϜͷΫϥΠΞϯτͳͲ ϒϥβͰͳ͍ͨΊOAuth(OIDC)ೝূͰ͖ͳ͍ ฐࣾͰͷྫ • ։ൃதήʔϜͷσόοάAPI • αʔόϝϯςφϯεதʹಈ࡞֬ೝ
ͭ͘Γ·ͨ͠ knockrd github.com/fujiwara/knockrd
github.com/fujiwara/knockrd ϒϥβͰΞΫηεͨ͠IPΞυϨε͔ΒͷଓΛ ҰఆظؒڐՄ͢ΔͨΊͷιϑτΣΞ (໊લ port knocking ͔ΒΠϯεύΠΞ) 1. /allow ΛͳΜΒ͔ͷํ๏(OAuthͱ͔)Ͱอޢ
2. POST /allow → IPΞυϨεΛ DynamoDB ʹه ͜ͷઌ͍͔ͭ͘ͷํ๏Ͱ…
nginx auth_request ͱΈ߹ΘͤΔ 1. /allow ΛͳΜΒ͔ͷํ๏(OAuthͱ͔)Ͱอޢ 2. POST /allow →
IPΞυϨεΛ DynamoDB ʹه 3. ଞͷ URL ͷΞΫηεͰ nginx auth_request ͕ GET /auth 4. DynamoDB ʹ͋ΔIPΞυϨεͳΒ 200 OK 5. ͳ͔ͬͨΓ Expire ͢Δͱ 401 Unauthorized
None
AWS WAFv2 / SecurityGroupͱΈ߹ΘͤΔ 1. /allow ΛͳΜΒ͔ͷํ๏(OAuthͱ͔)Ͱอޢ 2. POST /allow
→ IPΞυϨεΛ DynamoDB ʹه 3. DynamoDB Stream ͔Β Lambda ͕ىಈ 4. WAF IP Set / Security Group ʹ IPΞυϨεΛొ 5. Disallow / Expire ͢Δͱ Lambda ͕ىಈ 6. WAF IP Set / Security Group ͔Β IPΞυϨεΛআ
None
༻๏ɾ༻ྔΛक͓͍͍ͬͯͩ͘͞ ಛఆͷIPΞυϨεΛҰఆ࣌ؒ(ઃఆՄೳ)͚ͩڐՄͰ͖Δ ࣌ݶͰࣗಈআɻ์ஔͯ͠ةݥ͕ӬଓԽͮ͠Β͍ ϓϩόΠμͰNAT͞Ε͍ͯΔͱͦͷIPΞυϨεΛ͍ͬͯΔͷ ͚ࣗͩ͡Όͳ͍Մೳੑ͕͋ΔͷͰҙ (͋Δఔͷ͕ࣝ͋ΔΤϯδχΞ͚) ϒϥβ͚ͩͰΞΫηε͢Δͷૉʹ oauth2-proxy ͱ͔Ͱ github.com/fujiwara/knockrd