20150314_社内勉強会資料_イマサラでもいいぢゃない！Webアプリケーションとは？ / 20150314-growgent-corpstudyevents

Transcript

1. ΠϚαϥͰ΋͍͍ͫΌͳ͍ʂ WEBΞϓϦέʔγϣϯͱ͸ʁ 2015/03/14 גࣜձࣾάϩʔδΣϯτࣾ಺ษڧձࢿྉ

2. ࣗݾ঺հ ϋϜελʔͱϖϖϩϯνʔϊΛ͜Αͳ ͘Ѫ͢ΔࣗশGNU/LinuxˍPHP࢖͍ͷΤ ϯδχΞʢ౜༲͛͹͔ͬ৯ͬͯΔΘ͚ Ͱ͸ͳ͍ʣ גࣜձࣾάϩʔδΣϯτͱ͍͏ձࣾͰ ͓࢓ࣄͯ͠·͢ɻ PHP޲͚ϑϨʔϜϫʔΫʮRisolutoʯͷ ࣗশϓϩϚω΍ͬͯ·͢ ৄ͘͠͸ͪ͜Βʂ


   http://about.me/yuta.hayakawa

3. ·ͣ࠷ॳʹ……

4. ͜ͷษڧձͷͶΒ͍ ΈΜͳେ޷͖ͳWebΞϓϦʹ͍ͭͯཧղΛਂΊΑ͏ ԿؾʹͪΌΜͱֶͿػձͷগͳ͍෦෼Λֶ΅͏ ͱʹ͔͘جૅΛԡ͑͞Α͏

5. ஫ҙࣄ߲ ͜ͷࢿྉதʹ͸nݸͷؒҧؚ͍͕·Ε͍ͯΔΑʂ ͸Ό͔Η͞ΜɺكʹΑ͘ӕ͔ͭ͘ΒͶʂ ࣗ෼Ͱௐ΂Δͱ͔ͯ͠ɺຊ౰ʹਖ਼͍͠ͷ͔͸ݟۃΊͯͶʂ ؒҧͬͯΔͱ͜ΖΛݟ͚ͭͨΒڭ͑ͯͶʂ

6. WEBΞϓϦͷొ৔ਓ෺ ΫϥΠΞϯτɿWebϒϥ΢β αʔόɿWebαʔό ଞʹ΋͍Ζ͍Ζ͋Δ͚ΕͲɺओ໾͸͜ͷ2ਓ

7. ͦ΋ͦ΋WEBΞϓϦͬͯ ͳΜ͚ͩͬʁ

8. Webϒϥ΢βΛΫϥΠΞϯτͱͯ͠࢖༻͠ɺHTTP/HTTPS Λ࢖༻ͨ͠ΞϓϦέʔγϣϯ ΫϥΠΞϯτ͔ΒͷΞΫγϣϯʢ௨৴ʣ͋Γ͖Ͱਐߦ͢Δ ΫϥΠΞϯτˠαʔόɿϦΫΤετʢRequestʣ αʔόˠΫϥΠΞϯτɿϨεϙϯεʢResponseʣ

9. ϦΫΤετͱϨεϙϯεͷϖΞҰ૊ɿτϥϯβΫγϣϯ ʢTransactionʣ ௨৴ͦͷ΋ͷɿτϥϑΟοΫʢTraficʣ ͋Δج४ͱͳΔҰํ͔Βݟͯ…… ֎෦ˠج४ɿΠϯό΢ϯυʢInboundʣ ج४ˠ֎෦ɿΞ΢τό΢ϯυʢOutboundʣ

10. ௨৴ͷࡍͷ͓໿ଋࣄɿϓϩτίϧʢProtocolʣ RFCʢRequest For Commentsʣͱͯ͠ɺੈͷதʹग़ճΔ

11. HTTP/HTTPSͱ͸ʁ

12. ·ͣ͸HTTPͷ͓࿩

13. HTTPʢHyperText Transfer Protocolʣ HTTP/1.1͕޿͘࢖ΘΕ͍ͯΔ͕ɺ࠷ۙHTTP/2ͷؾ഑͕…… HTTP/2͸ٽ͘ࢠ΋໧ΔSPDYϕʔεͩΑʂ GoogleઌੜͷΞϨͶ

14. RFCͷ࿩Λ͠Α͏

15. HTTP/1.0ܥͳΒ RFC1945ʢ"Hypertext Transfer Protocol -- HTTP/1.0", May 1996ʣhttp://www.rfc-editor.org/info/rfc1945

16. HTTP/1.1ܥͳΒ RFC7230ʢ"Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing", June

    2014ʣhttp://www.rfc-editor.org/info/rfc7230 RFC7231ʢ"Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content", June 2014ʣ http://www.rfc-editor.org/info/rfc7231 RFC7232ʢ"Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests", June 2014ʣ http://www.rfc-editor.org/info/rfc7232 RFC7233ʢ"Hypertext Transfer Protocol (HTTP/1.1): Range Requests", June 2014ʣhttp:// www.rfc-editor.org/info/rfc7233 RFC7234ʢ"Hypertext Transfer Protocol (HTTP/1.1): Caching", June 2014ʣhttp://www.rfc- editor.org/info/rfc7234 RFC7235ʢ"Hypertext Transfer Protocol (HTTP/1.1): Authentication", June 2014ʣhttp:// www.rfc-editor.org/info/rfc7235

17. HTTP/2ܥͳΒ RFC͸·ͩͳ͍͕RFCͷDraftͳΒ͋Δ https://tools.ietf.org/html/draft-ietf-httpbis-http2-17

18. ͦͯ͠HTTPSͷ͓࿩

19. HTTPSʢHyperText Transfer Protocol Secureʣ ͔ͬͯɺHTTP over the SSL/TLS ͭ·ΓSSLʢSecure Sockets

    Layerʣ/TLSʢTransport Layer Securityʣϓϩτίϧ্ʹHTTPϓϩτίϧΛ৐ ͤͨ΋ͷ ݱ࣌఺Ͱ͸SSLܥͷ࢖༻͸ਪ঑͞Ε͓ͯΒͣɺTLSܥ͕ਪ ঑͞Ε͍ͯΔʢʁʣ SSL1.0/2.0/3.0ͱTLS1.0͸๨ΕΑ͏

20. RFCͷ࿩Λ͠Α͏

21. RFC2818ʢ"HTTP Over TLS", May 2000ʣhttp://www.rfc- editor.org/info/rfc2818 RFC4346ʢ"The Transport Layer Security

    (TLS) Protocol Version 1.1", April 2006ʣhttp://www.rfc-editor.org/info/rfc4346 RFC5246ʢ"The Transport Layer Security (TLS) Protocol Version 1.2", August 2008ʣhttp://www.rfc-editor.org/info/rfc5246

22. ͔͜͜Β͕ຊ൪

23. εςʔτϨεͱεςʔτϑϧͬ ͯͳ͊ʹʁ

24. ͦ΋ͦ΋HTTP͸εςʔτϨε ͨͱ͑͹ɺRFC7230ʢHTTP/1.1ͷجຊ࢓༷ʣͷAbstractʹ͸ ͜͏ॻ͍ͯ͋Δ The Hypertext Transfer Protocol (HTTP) is a

    stateless application-level protocol for distributed, collaborative, hypertext information systems. This document provides an overview of HTTP architecture and its associated terminology, defines the "http" and "https" Uniform Resource Identifier (URI) schemes, defines the HTTP/1.1 message syntax and parsing requirements, and describes related security concerns for implementations.

25. ෳ਺ͷτϥϯβΫγϣϯ͕ଘࡏͨ͠ͱ͖ɺؔ࿈͢Δτϥϯ βΫγϣϯͷඥ෇͚͕Ͱ͖ͳ͍ εςʔτϨεʢStatelessɺStateɿঢ়ଶɺLessɿʙͷͳ͍ʣ ෳ਺ͷτϥϯβΫγϣϯ͕ଘࡏͨ͠ͱ͖ɺؔ࿈͢Δτϥϯ βΫγϣϯͷඥ෇͚͕ߦ͑Δ εςʔτϑϧʢStatefulɺStateɿঢ়ଶɺfulɿʙͷੑ࣭Λ༗ ͢Δʣ

26. εςʔτϨεͳϓϩτίϧͰεςʔτϑϧͳڍಈΛ࣮ݱ͢ ΔͨΊͷखஈ͕ٻΊΒΕΔ ԿΒ͔ͷܗͰτϥϯβΫγϣϯͱτϥϯβΫγϣϯΛඥ ͚ͮΔ৘ใΛ෇༩͢Ε͹ΠέΔʂ ͦͷखஈͷͻͱ͕ͭSessionɺCookieʹΑΓ࣮ݱ͞ΕΔ

27. ਖ਼֬ʹݴ͑͹ɺSessionͱ͍͏༻ޠͦͷ΋ͷ͸͋ΔҰ࿈ͷ௨ ৴Λࢦ͢ ͦͷηογϣϯதͰ༗ޮͱͳΔ৘ใΛ֨ೲͨ͠΋ͷɿ ηογϣϯม਺ ͳͲ

28. COOKIEͬͯͳ͊ʹʁ

29. ΫϥΠΞϯτͱαʔόؒͰঢ়ଶʢStateʣΛ؅ཧ͢Δϓϩτ ίϧɺ΢Σϒϒϥ΢βʹอଘ͞Εͨ৘ใ RFC6265ʢ"HTTP State Management Mechanism", April 2011ʣ http://www.rfc-editor.org/info/rfc6265

30. HTTPϔομʹؚ·ΕΔܗͰαʔόʹૹΒΕΔ ΫϥΠΞϯταΠυͰͷมߋ͕༰қɺେ͖ͳσʔλ͸֨ೲ͠ ʹ͍͘ ࠷௿Ͱ΋Լهͷൣғ·Ͱ͸ड͚ೖΕՄೳͳ͸ͣ 1 Cookie͋ͨΓগͳ͘ͱ΋4,096bytesʢCookie໊΍ͦͷ஋ɺ ଐੑ஋ΛؚΉʣ 1υϝΠϯ͋ͨΓগͳ͘ͱ΋50 Cookie গͳ͘ͱ΋߹ܭ3,000

    Cookie

31. SESSIONͬͯͳ͊ʹʁ

32. αʔό্ͰϢχʔΫʢҰҙʣͳIDΛੜ੒͠ɺͦΕΛΫϥΠΞϯτͷ Cookieʹ֨ೲʢ͍ΘΏΔʮηογϣϯIDʯʣ ࣮σʔλ͸αʔό্ʹอଘʢ͍ΘΏΔʮηογϣϯʯɺʮηογϣϯม ਺ʯʣ ΫϥΠΞϯτͱαʔό্ͷσʔλͷඥ෇͚͸ηογϣϯIDʹΑΓߦ͏ ঢ়ଶΛอ࣋Ͱ͖ΔΑ͏ʹͳΔͷͰɺεςʔτϑϧʹͳΔ ΫϥΠΞϯτଆʹ͸ηογϣϯIDͷ৘ใ͔͠౉Βͳ͍ɺଟ͘ͷσʔλΛ ஝ੵͰ͖Δ ϩάΠϯ৘ใͷอ࣋΍ը໘ؒͷ৘ใड͚౉͠ʢγϣοϐϯάΧʔτͳ Ͳʣͷ࣮ݱͳͲʹ޿͘༻͍ΒΕ͍ͯΔ

33. ηογϣϯID͕༰қʹਪଌ͞Εͳ͍Α͏ʹ͠ͳ͍ͱɺηο γϣϯϋΠδϟοΫʢSession Hijackʣͷ੬ऑੑͷڪΕ ηογϣϯIDΛ֎෦͔Β༰қʹηοτͰ͖ΔΑ͏ͩͱɺ ηογϣϯݻఆԽʢSession Fixationʣͷ੬ऑੑͷڪΕ େ఍͸ݴޠ΍ϑϨʔϜϫʔΫͳͲ͕͍͍ײ͡ʹ΍ͬͯ͘ ΕͯΔ͸͚ͣͩͲͶ

34. URLͬͯͳ͊ʹʁ

35. URLʢUniform Resource LocatorɺURIʢUniform Resource IdentifierʣͷҰ෦ʣ ʮhttp://www.example.com/foobar.htmlʯΈ͍ͨͳ΍ͭ

36. ύʔπʹ෼ղͯ͠ΈΔͱ……

37. {Scheme}://{User}:{Password}@{Host}:{Port}/{Path}?{Query}#{Flagment} ʮSchemeʯɿεΩʔϜɺHTTP΍HTTPSͳͲ ʮUserʯɿϢʔβ໊ɺBASICೝূͳαΠτͰμΠΞϩάʹೖྗ͢Δ୅ΘΓʹ࢖͑Δ͜ͱ΋͋ Δ ʮPasswordʯɿύεϫʔυɺBASICೝূͳαΠτͰμΠΞϩάʹೖྗ͢Δ୅ΘΓʹ࢖͑Δ͜ ͱ΋͋Δ ʮHostʯɿϗετ໊ ʮPortʯɿϙʔτ൪߸ ʮPathʯɿϦιʔεΛಛఆ͢ΔͨΊͷύε ʮQueryʯɿΫΤϦจࣈྻɺΫΤϦετϦϯάɺGETύϥϝλͳͲͱ͍ΘΕΔͷ͸͜ͷ෦෼

    ʮFlagmentʯɿϑϥάϝϯτɺϖʔδ಺ϦϯΫͳͲͰϦϯΫઌΛࣝผ͢Δࣝผࢠ

38. GETͬͯͳ͊ʹʁ

39. HTTPϝιουͷͻͱͭ ΫϥΠΞϯτ͕αʔόͷϦιʔεΛཁٻ͢Δํ๏ͷͻͱͭ αʔόʹ৘ใΛ౉͍ͨ͠৔߹͸ɺΫΤϦจࣈྻͰࢦఆ͢Δ ෭࡞༻ͷͳ͍৔߹ɺৗʹಉҰͷ݁ՌΛಘ͍ͨͱ͖ͳͲʹ༻ ͍Δ

40. Webαʔό΍Webϒϥ΢βͳͲʹΑΓڐ༰Մೳͳจࣈྻ௕ ͕ҟͳΔ ͋·Γʹ΋௕͗͢ΔURL͸͸͔͡ΕΔڪΕ͕͋Δ ͋͘·Ͱ࠷খݶʹͱͲΊ͓ͯ͘ͷ͕٢

41. ϦϑΝϥʢRefererʣ΍ΞΫηεϩάʹه࿥͞ΕΔ ͦΕ͕޷·͘͠ͳ͍Α͏ͳ৘ใʹ͸ద༻͠ͳ͍ํ͕Α͞ ͛

42. POSTͬͯͳ͊ʹʁ

43. HTTPϝιουͷͻͱͭ ΫϥΠΞϯτ͕αʔόʹ৘ใΛ౉͢ํ๏ͷͻͱͭ େྔͷσʔλΛ౉͍ͨ͠ͱ͖ͳͲ͸͜ΕҰ୒ HTTP Bodyʹ৘ใؚ͕·ΕΔ

44. HTTPϝιουͬͯͳ͊ʹʁ

45. GET΍POSTͷ͜ͱΛHTTPϝιουʢHTTP MethodʣͳͲ ͱ͍͏ ͜ͷ΄͔ʹ΋PUT΍DELETEͳΜͯͷ͸REST ʢREpresentational State TransferʣfulͳAPIͳΜ͔ͰΑ͘࢖Θ Ε͍ͯΔ TwitterͷREST APIͳΜͯͷͰ৮ΕΔػձ͕ଟ͍͔΋

46. ͓·͚ TELNETͰHTTPϦΫΤετ ……ཁ͸ɺWEBϒϥ΢β͕΍ͬͯΔ͜ͱΛࣗ෼Ͱ΍ͬͯΈΑ͏ʂ

47. TELNETͰHTTPϦΫΤετ > telnet example.com 80 GET / HTTP/1.1ʢΤϯλʔʣ HOST: hyec.orgʢΤϯλʔʣʢΤϯλʔʣ

48. TELNETͰHTTPϦΫΤετ HTTP/1.1 301 Moved Permanently Date: {DAY OF THE WEEK},

    {DAY} {MONTH} {YEAR} {DATE} {TIMEZONE} Server: Apache/x.y.z (Unix) OpenSSL/x.y.z PHP/x.y.z mod_fcgid/x.y.z X-Powered-By: PHP/x.y.z Location: http://www.hyec.org/ Vary: User-Agent Content-Length: 0 Content-Type: text/html; charset=UTF-8

49. ؆୯ͩͶʢ͸͊ͱ

50. ͓͠ΐ͏͠ͳʂ ༁ɿ͋Γ͕ͱ͏ʊϊԵ(ɺϯɺ)ʊ