Dynamic certificate internals with ngx_mruby #nagoyark03

Dynamic certiﬁcate internals with ngx_mruby OKUMURA Takahiro / GMO Pepabo,
Inc. 2017.2.11 Nagoya Ruby Kaigi 03

Senior web operation engineer at GMO Pepabo, Inc. A maintainer
of ngx_mruby. http://blog.hifumi.info hfm hfm OKUMURA  Takahiro (okkun)

Today’s Agenda Introduce mruby/ngx_mruby How to build ngx_mruby How hosting
too many domains & certiﬁcates Dynamic certiﬁcate with ngx_mruby

IUUQTTQFBLFSEFDLDPNIGNHNPIPTDPO EXTENDED

mruby •lightweight and embeddable implementation of the Ruby language •https://github.com/mruby/mruby

Pepabo mruby IUUQTTQFBLFSEFDLDPNIBSBTPVNPXFCTBJUPXP[IJFSVSPSJQPUVQVUPNSVCZ

Pepabo mruby

ngx_mruby

ngx_mruby •A fast and memory-efﬁcient web server extension mechanism using
mruby for nginx •Created by @matsumotory •An alternative to mod_mruby

ngx_mruby sample code location /hello_world { mruby_content_handler_code ‘ Nginx.rputs "Hello
ngx_mruby world!" '; } $ curl http://127.0.0.1/hello_world Hello ngx_mruby world!

ngx_mruby sample code v = Nginx::Var.new Nginx.rputs "Date: #{v.date_local}" #=>
Date: Friday, 14-Oct-2016 02:20:00 JST # Using ngx_http_geoip_module Nginx.rputs "Country: #{v.geoip_country_name}" #=> Country: Japan

ngx_mruby sample code v = Nginx::Var.new Nginx.rputs "Date: #{v.date_local}" #=>
Date: Friday, 14-Oct-2016 02:20:00 JST # Using ngx_http_geoip_module Nginx.rputs "Country: #{v.geoip_country_name}" #=> Country: Japan Do you want to know Nginx::Var internal? => ngx_mruby ͷ Nginx::Var Ϋϥεͷ࣮૷Λཧղ͢Δʙม਺औಘฤ http://blog.hifumi.info/2016/11/07/ngx_mruby-nginx-var-using-method-missing/

How to build ngx_mruby •build.sh •hsbt/ngx_mruby-package-builder •Dockerﬁle •nginx-build

build.sh •Generate binary •https://github.com/matsumotory/ngx_mruby/wiki/Install

hsbt/ngx_mruby-package-builder •Providing RPM and DEB packages •CentOS 6, 7 •Ubuntu
14.04, 16.04 •https://github.com/hsbt/ngx_mruby-package-builder

Dockerﬁle •https://hub.docker.com/r/hfmgarden/ngx_mruby •Alpine Linux •Ubuntu 16.04

nginx-build •Created by @cubicdaiya •Use case •https://github.com/girafﬁ/docker-nginx-mruby-base

We use ngx_mruby in production. IUUQTTQFBLFSEFDLDPNCVUZYJOHBUVUBNPESFXJSUFXPOHYNSVCZEFTIVLJIVBOFUBIVB

Preliminary remarks mruby is good ngx_mruby is good We use
ngx_mruby in production

How hosting too many domains and certiﬁcates Certificate Certificate Certificate

Website builder “Goope”

Custom domains with SSL certiﬁcates

Two problems •IP address per domain •Web server load too
many certiﬁcates

Two problems •IP address per domain ➡ TLS SNI extension
•Web server load too many certiﬁcates

TLS SNI extension TLS SNI sample-a.com Certificate IP Address Certificate
IP Address Certificate IP Address sample-b.com sample-c.com IP Address Certificate Certificate Certificate sample-a.com sample-b.com sample-c.com

Two problems •IP address per domain ✓ TLS SNI extension

Too many domains and certiﬁcates https://a.jp application N https://b.jp Certificate
Certificate c’mon

Too many domains and certiﬁcates https://a.jp application N https://b.jp https://z.jp
… Certificate Certificate Certificate Certificate Certificate Certificate oh… Certificate Certificate Certificate

https://aa.jp … … Certificate Certificate Certificate Certificate Certificate Certificate Certificate Certificate Certificate Certificate Oops… Certificate Certificate Certificate

https://aa.jp … … Certificate Certificate Certificate Certificate Certificate Certificate Certificate Certificate Certificate Certificate x 10,000 # ps axfo rss,cmd RSS CMD 2872 bash 256168 nginx (master) 258384 \_ nginx (worker) Certificate Certificate Certificate

https://aa.jp … … Certificate Certificate Certificate Certificate Certificate Certificate Certificate Certificate Certificate Certificate x 10,000 # ps axfo rss,cmd RSS CMD 2824 bash 512808 nginx (master) 511396 \_ nginx (worker) SIGHUP !? Certificate Certificate Certificate Certificate reproduce: https://gist.github.com/hfm/4a045a429f9303c90eac7c348d1a424a

Too many domains and certiﬁcates •Heavy load •Large amounts of
memory

•Web server load too many certiﬁcates ➡ Dynamic certiﬁcates

Dynamic certiﬁcate with ngx_mruby

SSL_CTX_set_cert_cb() •available in OpenSSL 1.0.2 and later •handle certiﬁcate callback
function •It’s called before certiﬁcate will be used by client/server •https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_cert_cb.html

SSL_CTX_set_cert_cb() Client Server ClientHello (server_name) ServerHello Certiﬁcate ɾ ɾ ɾ
awesome_ssl_cert_handler

IUUQTUXJUUFSDPNNBUTVNPUPSZTUBUVT IUUQTHJUIVCDPNNBUTVNPUPSZOHY@NSVCZQVMM ngx_mruby supports it

mruby_ssl_handshake_handler_code # simple pattern (inline) mruby_ssl_handshake_handler_code ' ssl = Nginx::SSL.new
ssl.certificate = "/path/to/#{ssl.servername}.crt" ssl.certificate_key = "/path/to/#{ssl.servername}.key" ’;

mruby_ssl_handshake_handler # simple pattern (file) mruby_ssl_handshake_handler /path/to/handler.rb cache; # /path/to/handler.rb
ssl = Nginx::SSL.new ssl.certificate = "/path/to/#{ssl.servername}.crt" ssl.certificate_key = "/path/to/#{ssl.servername}.key"

mruby_ssl_handshake_handler # simple pattern (file) mruby_ssl_handshake_handler /path/to/handler.rb cache; # /path/to/handler.rb
ssl = Nginx::SSL.new ssl.certificate = "/path/to/#{ssl.servername}.crt" ssl.certificate_key = "/path/to/#{ssl.servername}.key" => ngx_mruby ʹ mruby_ssl_handshake_handler Λ࣮૷ͨ͠ http://blog.hifumi.info/2016/10/03/ngx_mruby-mruby_ssl_handshake_handler/

Two problems •IP address per domain ✓ TLS SNI extention
•Web server load too many certiﬁcates ✓ Dynamic certiﬁcates with ngx_mruby

The service architecture for dynamic certiﬁcate

Dynamic certiﬁcates architecture client application cache db 1. sent server_name
2. fetch crt/key pair from cache or db 3. proxy 2-a. set cache if missing direct pattern

Dynamic certiﬁcates architecture client application cache db 1. sent server_name
2. fetch crt/key pair 3. proxy internal api api pattern

worker handlers mruby_init_worker /path/to/mruby_init_worker.rb cache; mruby_exit_worker /path/to/mruby_exit_worker.rb cache;

mruby_init_worker.rb conf = Ini.load_file('config.ini') redis = Redis.new(conf['redis']['server'], 6379) Userdata.new(“redis_#{Process.pid}").redis_conn =
redis mysql = MySQL::Database.new(conf[‘mysql’][‘host’], conf[‘mysql’][‘user’], conf[‘mysql’][‘pass’], conf[‘mysql’]['db']) Userdata.new(“mysql_#{Process.pid}").mysql_conn = mysql mruby_init_worker /path/to/mruby_init_worker.rb cache; mruby_exit_worker /path/to/mruby_exit_worker.rb cache;

Connecting with nginx workers nginx master worker worker redis mysql

mruby_exit_worker.rb # Close all connections redis = Userdata.new("redis_#{Process.pid}").redis_conn redis.close unless
redis.nil? mysql = Userdata.new("mysql_#{Process.pid}").mysql_conn mysql.close unless mysql.nil? mruby_init_worker /path/to/mruby_init_worker.rb cache; mruby_exit_worker /path/to/mruby_exit_worker.rb cache;

Disconnecting with nginx workers nginx master worker worker redis mysql

Reconnecting with nginx workers nginx master worker worker redis mysql

MySQL server has gone away × ×

Reconnection def mysql_reconnect ... mysql = MySQL::Database.new(host, user, pass, db) Userdata.new("mysql_#{Process.pid}").mysql_conn = mysql end

Testing

hfm/mruby-test-mysqld •mruby porting from Test::mysqld of perl •mysqld runner for
tests with mruby http://blog.hifumi.info/2016/09/06/mruby-test-mysqld/

Testing sample (1/2) if Object.const_defined?(:MTest) class DynCrtTest < MTest::Unit::TestCase def
setup @mysqld = TestMysqld.new(database: 'foo') @mysql = MySQL::Database.new '127.0.0.1', 'root', '', 'foo', 3306 end def teardown @mysql.close @mysqld.stop end ...

Testing sample (2/2) if Object.const_defined?(:MTest) ... def test_dyn_crt ... end
end MTest::Unit.new.run else ... end

IUUQXXXTMJEFTIBSFOFUITCUUFTUJOHDBTVBMUBMLT TFFBMTP

Summary We use ngx_mruby in production ngx_mruby supports dynamic certiﬁcates
using SNI and OpenSSL 1.0.2

Dynamic certificate internals with ngx_mruby #nagoyark03

Dynamic certificate internals with ngx_mruby #nagoyark03

More Decks by Okumura Takahiro

Other Decks in Programming

Featured

Transcript