$30 off During Our Annual Pro Sale. View Details »

knockrd / kichijojipm23

FUJIWARA Shunichiro
July 21, 2020
Technology
1
220

knockrd / kichijojipm23

FUJIWARA Shunichiro

July 21, 2020
Tweet

More Decks by FUJIWARA Shunichiro

See All by FUJIWARA Shunichiro
隙間家具OSS開発で『自分の庭』をつくる / kayac-andpad-event
fujiwara3
0
360
ISUCON作問入門/ ISUCON Summer Fes 2023
fujiwara3
1
1.4k
隙間家具職人が考えること/ecspresso meetup
fujiwara3
4
3.2k
MackerelとGrafana OnCallを連携してみた
fujiwara3
0
1.1k
Amazon ECS デプロイツール ecspresso 開発5年の歩み
fujiwara3
15
3.5k
k6による負荷試験 入門から実践まで
fujiwara3
8
4.2k
SRE不在のチームに入って2ヶ月でやったこと - 負荷試験ツールからはじめるSREプラクティスの導入
fujiwara3
12
4.2k
ISUCON運営を支えるAmazon ECSとAurora Serverless v2 / AWS Dev Day 2022 Japan
fujiwara3
5
1.2k
1年間のポストモーテム運用とそこから生まれたツール sre-advisor / SRE NEXT 2022
fujiwara3
6
12k

Other Decks in Technology

See All in Technology
お客様、そこは秘孔です!突かないでください! HTTP/2 Rapid reset の概要と対策
murachiakira
0
170
Azure OpenAI Serviceの採用と挑戦 - Azure AI Hub meetup #1
cimadai
1
290
Generative A.I. + Law - A Year in Review
danielkatz
PRO
0
160
Exploring Postgres VACUUM with the VACUUM Simulator
keiko713
5
710
AWS re:Invent 2023の主要キーノート4つ全部を15分でおさらい
minorun365
PRO
1
260
Garoon 開発チーム / Garoon development team
cybozuinsideout
PRO
0
2.2k
開発組織の体制づくり、いつやるか問題
akiroom
0
1.9k
The Future of encoding/json
iamshunta
2
270
VRの世界でLTしていく (LT) - NIFTY Tech Day 2023
niftycorp
0
110
CTO of the year 2023ピッチ資料(オーディエンス賞)チューリングCTO青木
aoshun7
0
660
DMMプラットフォームにおける GKE を利用した プラットフォームエンジニアリングへの 取り組み
pospome
1
180
VS CodeとPostmanを活用した効率的なAPI開発 / Efficient API development using VS Code and Postman
yokawasa
3
330

Featured

See All Featured
Optimising Largest Contentful Paint
csswizardry
6
2k
What’s in a name? Adding method to the madness
productmarketing
PRO
14
2.3k
Art Directing for the Web. Five minutes with CSS Template Areas
malarkey
197
11k
How GitHub Uses GitHub to Build GitHub
holman
467
280k
YesSQL, Process and Tooling at Scale
rocio
160
13k
Mobile First: as difficult as doing things right
swwweet
214
8.3k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
39
4k
Designing for Performance
lara
601
66k
It's Worth the Effort
3n
180
27k
Debugging Ruby Performance
tmm1
68
11k
Creatively Recalculating Your Daily Design Routine
revolveconf
208
11k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
271
12k

Transcript

  1. knockrd
    @fujiwara
    2020.07.21 ٢঵ࣉ.pm23

    View Slide

  2. ࣗݾ঺հ
    @fujiwara
    github.com/fujiwara

    View Slide

  3. ʮࠓ೥ͷલ൒ͷ׆ಈΛৼΓฦΔʯ

    View Slide

  4. ςϨϫʔΫ
    VPN ͕
    ͳ͍ͱͩΊʁ

    View Slide

  5. VPN ૿ڧରԠ

    View Slide

  6. ͳͥ VPN ͕ඞཁ͔
    1. ࣾ಺ωοτϫʔΫͷαʔόʹΞΫηε͢ΔͨΊ
    • ࢓ํͳ͍
    • Ͱ΋ฐࣾʹ͸΋͏΄΅ଘࡏ͠ͳ͍ (AWS, G Suite...)
    2. ֎෦ͷαʔό͕઀ଓݩIPΞυϨεΛ੍ݶ͍ͯ͠Δ
    • Θ͔Δ
    • Ͱ΋ਏ͍ɻͰ͖Ε͹΍Ί͍ͨ

    View Slide

  7. IP ΞυϨε੍ݶͷͳʹ͕ਏ͍͔
    ڌ఺͕͍ͬͺ͍͋Δ (ΦϑΟε͝ͱʹIPΞυϨε)
    ૿͑ͨΓݮͬͨΓ͢Δ (ͦͷͨͼʹ௥Ճ࡟আ໘౗)
    ݹ͍ΞυϨεΛফ͠๨ΕΔ (ଘࡏࣗମ๨Ε͍ͯΔ)
    IPΞυϨεͰ੍ݶͯ͠Δ͔ΒͬͯϢϧϢϧʹ͕ͪ͠
    (ଞͷೝূΛαϘΔ)
    ϦϞʔτϫʔΫͰ͸ VPN ͕ඞཁ !!!

    View Slide

  8. IP ΞυϨε੍ݶҎ֎ͷೝূΛֻ͚Ε͹…
    • github.com/oauth2-proxy/oauth2-proxy
    • github.com/sorah/nginx_omniauth_adapter
    • github.com/shogo82148/go-nginx-oauth2-adapter
    • AWS ALB
    طଘΞϓϦέʔγϣϯʹखΛೖΕͣʹ
    OAuth(OIDC)ೝূΛ௥ՃͰ͖Δɻ࠷ߴศར

    View Slide

  9. ΍ΉΛಘͣIPΞυϨε੍ݶΛ͍ͨ͠৔໘
    ϒϥ΢βҎ֎͔ΒΞΫηε͍ͨ͠Ϣʔεέʔε͕͋Δ
    CLI, ϒϥ΢βͰ͸ͳ͍ήʔϜͷΫϥΠΞϯτͳͲ
    ϒϥ΢βͰ͸ͳ͍ͨΊOAuth(OIDC)ೝূͰ͖ͳ͍
    ฐࣾͰͷྫ
    • ։ൃதήʔϜͷσόοάAPI
    • αʔόϝϯςφϯεதʹಈ࡞֬ೝ

    View Slide

  10. ͭ͘Γ·ͨ͠
    knockrd github.com/fujiwara/knockrd

    View Slide

  11. github.com/fujiwara/knockrd
    ϒϥ΢βͰΞΫηεͨ͠IPΞυϨε͔Βͷ઀ଓΛ
    ҰఆظؒڐՄ͢ΔͨΊͷιϑτ΢ΣΞ
    (໊લ͸ port knocking ͔ΒΠϯεύΠΞ)
    1. /allow ΛͳΜΒ͔ͷํ๏(OAuthͱ͔)Ͱอޢ
    2. POST /allow → IPΞυϨεΛ DynamoDB ʹه࿥
    ͜ͷઌ͸͍͔ͭ͘ͷํ๏Ͱ…

    View Slide

  12. nginx auth_request ͱ૊Έ߹ΘͤΔ
    1. /allow ΛͳΜΒ͔ͷํ๏(OAuthͱ͔)Ͱอޢ
    2. POST /allow → IPΞυϨεΛ DynamoDB ʹه࿥
    3. ଞͷ URL ͷΞΫηεͰ͸ nginx auth_request ͕ GET /auth
    4. DynamoDB ʹ͋ΔIPΞυϨεͳΒ 200 OK
    5. ͳ͔ͬͨΓ Expire ͢Δͱ 401 Unauthorized

    View Slide

  13. View Slide

  14. AWS WAFv2 / SecurityGroupͱ૊Έ߹ΘͤΔ
    1. /allow ΛͳΜΒ͔ͷํ๏(OAuthͱ͔)Ͱอޢ
    2. POST /allow → IPΞυϨεΛ DynamoDB ʹه࿥
    3. DynamoDB Stream ͔Β Lambda ͕ىಈ
    4. WAF IP Set / Security Group ʹ IPΞυϨεΛొ࿥
    5. Disallow / Expire ͢Δͱ Lambda ͕ىಈ
    6. WAF IP Set / Security Group ͔Β IPΞυϨεΛ࡟আ

    View Slide

  15. View Slide

  16. ༻๏ɾ༻ྔΛक͓ͬͯ࢖͍͍ͩ͘͞
    ಛఆͷIPΞυϨεΛҰఆ࣌ؒ(ઃఆՄೳ)͚ͩڐՄͰ͖Δ
    ࣌ݶͰࣗಈ࡟আɻ์ஔͯ͠΋ةݥ͕ӬଓԽͮ͠Β͍
    ϓϩόΠμͰNAT͞Ε͍ͯΔͱͦͷIPΞυϨεΛ࢖͍ͬͯΔͷ͸
    ࣗ෼͚ͩ͡Όͳ͍Մೳੑ͕͋ΔͷͰ஫ҙ
    (͋Δఔ౓ͷ஌͕ࣝ͋ΔΤϯδχΞ޲͚)
    ϒϥ΢β͚ͩͰΞΫηε͢Δ΋ͷ͸ૉ௚ʹ oauth2-proxy ͱ͔Ͱ
    github.com/fujiwara/knockrd

    View Slide