Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
knockrd / kichijojipm23
Search
FUJIWARA Shunichiro
July 21, 2020
Technology
1
290
knockrd / kichijojipm23
FUJIWARA Shunichiro
July 21, 2020
Tweet
Share
More Decks by FUJIWARA Shunichiro
See All by FUJIWARA Shunichiro
監視のこれまでとこれから/sakura monitoring seminar 2025
fujiwara3
11
3.9k
k6による負荷試験 入門から日常的な実践まで/Re:TechTalk #01
fujiwara3
2
81
困難を「一般解」で解く
fujiwara3
10
3.6k
「隙間家具OSS」に至る道/Fujiwara Tech Conference 2025
fujiwara3
7
12k
alecthomas/kong はいいぞ / kamakura.go#7
fujiwara3
1
1k
ISUCONに強くなるかもしれない日々の過ごしかた/Findy ISUCON 2024-11-14
fujiwara3
11
1.4k
「最高のチューニング」をしないために / hack@delta 24.10
fujiwara3
21
4.4k
AWS Lambdaで実現するスケーラブルで低コストなWebサービス構築/YAPC::Hakodate2024
fujiwara3
10
6.4k
CEL(Common Expression Language)で書いた条件にマッチしたIAM Policyを見つける / iam-policy-finder
fujiwara3
2
1.9k
Other Decks in Technology
See All in Technology
プロダクトエンジニアリング組織への歩み、その現在地 / Our journey to becoming a product engineering organization
hiro_torii
0
130
AIエージェント最前線! Amazon Bedrock、Amazon Q、そしてMCPを使いこなそう
minorun365
PRO
14
5.1k
Agentic Workflowという選択肢を考える
tkikuchi1002
1
500
生成AIでwebアプリケーションを作ってみた
tajimon
2
150
PHPでWebブラウザのレンダリングエンジンを実装する
dip_tech
PRO
0
200
AIのAIによるAIのための出力評価と改善
chocoyama
2
550
BrainPadプログラミングコンテスト記念LT会2025_社内イベント&問題解説
brainpadpr
1
160
250627 関西Ruby会議08 前夜祭 RejectKaigi「DJ on Ruby Ver.0.1」
msykd
PRO
2
270
製造業からパッケージ製品まで、あらゆる領域をカバー!生成AIを利用したテストシナリオ生成 / 20250627 Suguru Ishii
shift_evolve
PRO
1
140
Windows 11 で AWS Documentation MCP Server 接続実践/practical-aws-documentation-mcp-server-connection-on-windows-11
emiki
0
960
SalesforceArchitectGroupOsaka#20_CNX'25_Report
atomica7sei
0
170
Snowflake Summit 2025全体振り返り / Snowflake Summit 2025 Overall Review
mtpooh
2
400
Featured
See All Featured
Building Better People: How to give real-time feedback that sticks.
wjessup
367
19k
Designing Experiences People Love
moore
142
24k
Connecting the Dots Between Site Speed, User Experience & Your Business [WebExpo 2025]
tammyeverts
5
210
Fantastic passwords and where to find them - at NoRuKo
philnash
51
3.3k
How to Ace a Technical Interview
jacobian
277
23k
The Power of CSS Pseudo Elements
geoffreycrofte
77
5.8k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
48
2.8k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
124
52k
What's in a price? How to price your products and services
michaelherold
246
12k
Code Review Best Practice
trishagee
68
18k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
367
26k
How STYLIGHT went responsive
nonsquared
100
5.6k
Transcript
knockrd @fujiwara 2020.07.21 ٢ࣉ.pm23
ࣗݾհ @fujiwara github.com/fujiwara
ʮࠓͷલͷ׆ಈΛৼΓฦΔʯ
ςϨϫʔΫ VPN ͕ ͳ͍ͱͩΊʁ
VPN ૿ڧରԠ
ͳͥ VPN ͕ඞཁ͔ 1. ࣾωοτϫʔΫͷαʔόʹΞΫηε͢ΔͨΊ • ํͳ͍ • Ͱฐࣾʹ͏΄΅ଘࡏ͠ͳ͍ (AWS,
G Suite...) 2. ֎෦ͷαʔό͕ଓݩIPΞυϨεΛ੍ݶ͍ͯ͠Δ • Θ͔Δ • Ͱਏ͍ɻͰ͖ΕΊ͍ͨ
IP ΞυϨε੍ݶͷͳʹ͕ਏ͍͔ ڌ͕͍ͬͺ͍͋Δ (ΦϑΟε͝ͱʹIPΞυϨε) ૿͑ͨΓݮͬͨΓ͢Δ (ͦͷͨͼʹՃআ໘) ݹ͍ΞυϨεΛফ͠ΕΔ (ଘࡏࣗମΕ͍ͯΔ) IPΞυϨεͰ੍ݶͯ͠Δ͔ΒͬͯϢϧϢϧʹ͕ͪ͠ (ଞͷೝূΛαϘΔ)
ϦϞʔτϫʔΫͰ VPN ͕ඞཁ !!!
IP ΞυϨε੍ݶҎ֎ͷೝূΛֻ͚Ε… • github.com/oauth2-proxy/oauth2-proxy • github.com/sorah/nginx_omniauth_adapter • github.com/shogo82148/go-nginx-oauth2-adapter • AWS
ALB طଘΞϓϦέʔγϣϯʹखΛೖΕͣʹ OAuth(OIDC)ೝূΛՃͰ͖Δɻ࠷ߴศར
ΉΛಘͣIPΞυϨε੍ݶΛ͍ͨ͠໘ ϒϥβҎ֎͔ΒΞΫηε͍ͨ͠Ϣʔεέʔε͕͋Δ CLI, ϒϥβͰͳ͍ήʔϜͷΫϥΠΞϯτͳͲ ϒϥβͰͳ͍ͨΊOAuth(OIDC)ೝূͰ͖ͳ͍ ฐࣾͰͷྫ • ։ൃதήʔϜͷσόοάAPI • αʔόϝϯςφϯεதʹಈ࡞֬ೝ
ͭ͘Γ·ͨ͠ knockrd github.com/fujiwara/knockrd
github.com/fujiwara/knockrd ϒϥβͰΞΫηεͨ͠IPΞυϨε͔ΒͷଓΛ ҰఆظؒڐՄ͢ΔͨΊͷιϑτΣΞ (໊લ port knocking ͔ΒΠϯεύΠΞ) 1. /allow ΛͳΜΒ͔ͷํ๏(OAuthͱ͔)Ͱอޢ
2. POST /allow → IPΞυϨεΛ DynamoDB ʹه ͜ͷઌ͍͔ͭ͘ͷํ๏Ͱ…
nginx auth_request ͱΈ߹ΘͤΔ 1. /allow ΛͳΜΒ͔ͷํ๏(OAuthͱ͔)Ͱอޢ 2. POST /allow →
IPΞυϨεΛ DynamoDB ʹه 3. ଞͷ URL ͷΞΫηεͰ nginx auth_request ͕ GET /auth 4. DynamoDB ʹ͋ΔIPΞυϨεͳΒ 200 OK 5. ͳ͔ͬͨΓ Expire ͢Δͱ 401 Unauthorized
None
AWS WAFv2 / SecurityGroupͱΈ߹ΘͤΔ 1. /allow ΛͳΜΒ͔ͷํ๏(OAuthͱ͔)Ͱอޢ 2. POST /allow
→ IPΞυϨεΛ DynamoDB ʹه 3. DynamoDB Stream ͔Β Lambda ͕ىಈ 4. WAF IP Set / Security Group ʹ IPΞυϨεΛొ 5. Disallow / Expire ͢Δͱ Lambda ͕ىಈ 6. WAF IP Set / Security Group ͔Β IPΞυϨεΛআ
None
༻๏ɾ༻ྔΛक͓͍͍ͬͯͩ͘͞ ಛఆͷIPΞυϨεΛҰఆ࣌ؒ(ઃఆՄೳ)͚ͩڐՄͰ͖Δ ࣌ݶͰࣗಈআɻ์ஔͯ͠ةݥ͕ӬଓԽͮ͠Β͍ ϓϩόΠμͰNAT͞Ε͍ͯΔͱͦͷIPΞυϨεΛ͍ͬͯΔͷ ͚ࣗͩ͡Όͳ͍Մೳੑ͕͋ΔͷͰҙ (͋Δఔͷ͕ࣝ͋ΔΤϯδχΞ͚) ϒϥβ͚ͩͰΞΫηε͢Δͷૉʹ oauth2-proxy ͱ͔Ͱ github.com/fujiwara/knockrd