
Dynamic certificate loading, ngx_mruby edition #hoscon / GMO HosCon 2016

Slides for my talk at "HosCon - GMO Hosting Conference - @Shibuya" http://gmohoscon.connpass.com/event/41490/ . It is a 10-minute lightning talk, but I packed quite a lot into it.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

[URLs that appear in the slides]
Description of SSL_CTX_set_cert_cb():
https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_cert_cb.html

Tweet announcing that ngx_mruby supports dynamic certificate loading:
https://twitter.com/matsumotory/status/685341115814289408

Implemented mruby_ssl_handshake_handler in ngx_mruby:
http://blog.hifumi.info/2016/10/03/ngx_mruby-mruby_ssl_handshake_handler/

Wrote mruby-test-mysqld, which automatically builds a MySQL environment for mruby tests:
http://blog.hifumi.info/2016/09/06/mruby-test-mysqld/

How to test code with mruby:
http://www.slideshare.net/hsbt/20150525-testing-casualtalks

Okumura Takahiro

October 29, 2016


Transcript

  1. Dynamic certificate loading, ngx_mruby edition
    Okumura Takahiro, GMO Pepabo, Inc.
    GMO Hosting Conference @Shibuya

  2. Engineer, Infrastructure Group, Technology Division
    Okumura Takahiro @hfm
    http://blog.hifumi.info

  3. What I will talk about today
    - The difficulty of handling certificates for a large number of domains on a web server
    - Dynamic certificate loading with ngx_mruby
    - Infrastructure for dynamic certificate loading
    - Things I built in order to test it

  4. The difficulty of handling certificates for a large number of domains on a web server

  5. The difficulty of handling certificates for a large number of domains on a web server
    - The configuration needed to load all the certificates becomes enormous
    - Process memory also grows in proportion to the number of domains
    - With nginx, loading some tens of thousands of certificates balloons the process to roughly … MB (the figures were lost in extraction)

  6. SSL_CTX_set_cert_cb
    - A function added in OpenSSL 1.0.2
    - Lets you register a callback that is invoked at the moment a certificate is requested, i.e. during the handshake after the ClientHello has been received, so the SNI server name is already known when the callback runs
    - https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_cert_cb.html

  7. SSL_CTX_set_cert_cb (continued)
    The pieces needed to load certificates dynamically are now in place.

  8. https://twitter.com/matsumotory/status/685341115814289408

  9. https://twitter.com/matsumotory/status/685341115814289408 (continued)
    With ngx_mruby, certificates can be loaded dynamically.

  10. Dynamic certificate loading with ngx_mruby

  11. mruby_ssl_handshake_handler_code
    mruby_ssl_handshake_handler_code '
      ssl = Nginx::SSL.new
      ssl.certificate = "/path/to/#{ssl.servername}.crt"
      ssl.certificate_key = "/path/to/#{ssl.servername}.key"
    ';
    (ssl.servername is the host name the client sent in the TLS SNI extension; the handler picks the certificate and key files for that name at handshake time.)

  12. The problem with mruby_ssl_handshake_handler_code
    (same configuration as on slide 11)
    An inline directive becomes hard to read once the code grows, but at the time there was no directive that loads the handler code from a file.

  13. So I built one.

  14. Implemented mruby_ssl_handshake_handler in ngx_mruby
    http://blog.hifumi.info/2016/10/03/ngx_mruby-mruby_ssl_handshake_handler/

  15. mruby_ssl_handshake_handler
    mruby_ssl_handshake_handler /path/to/handler.rb cache;

    # /path/to/handler.rb
    ssl = Nginx::SSL.new
    ssl.certificate = "/path/to/#{ssl.servername}.crt"
    ssl.certificate_key = "/path/to/#{ssl.servername}.key"

    Same functionality as mruby_ssl_handshake_handler_code, but the handler can be loaded from an external file such as /path/to/handler.rb. The trailing cache keyword makes ngx_mruby compile the script once and reuse the compiled code instead of re-reading and re-compiling the file on every handshake.
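The handler on slides 11 and 15 interpolates ssl.servername straight into a file path. That value is whatever the client put in the SNI extension, before any authentication, so a handler should validate it and decide what to serve when no file exists for the name. The block below is an added example in plain Ruby, not the deck's or ngx_mruby's own code: Nginx::SSL is replaced by a Struct with the same attributes, the "does /path/to/<name>.crt exist?" check is answered by a constructed hash, and the default-certificate fallback is an assumption about policy. It uses Regexp, which in mruby itself would require an mgem such as mruby-onig-regexp.

```ruby
# Added example (plain Ruby, not ngx_mruby's own code): the certificate-selection
# logic a handler.rb might carry, runnable outside nginx.

# Stand-in for ngx_mruby's Nginx::SSL (assumption: only these attributes matter here).
FakeSSL = Struct.new(:servername, :certificate, :certificate_key)

CERT_DIR = '/path/to'
# Constructed: the names for which a .crt/.key pair "exists" on disk.
KNOWN_HOSTS = { 'example.com' => true, 'www.example.com' => true, 'shop.example.org' => true }

# The SNI server name arrives from the client before any authentication, so it is
# untrusted input. Only RFC 1123-style host names are accepted: labels of
# [a-z0-9-] separated by single dots, no leading/trailing hyphen, 1-63 chars per
# label. Anything else (path separators, "..", NUL, empty) is rejected before it
# can be interpolated into a path.
HOST_RE = /\A[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*\z/

# Returns [cert_path, key_path] for a usable SNI name, or nil.
def cert_paths_for(servername)
  host = servername.to_s.downcase.chomp('.')   # SNI is case-insensitive; drop a trailing dot
  return nil if host.length > 253 || (host =~ HOST_RE).nil?
  return nil unless KNOWN_HOSTS[host]           # stand-in for File.exist? on both files
  ["#{CERT_DIR}/#{host}.crt", "#{CERT_DIR}/#{host}.key"]
end

# What the handler body does on each handshake. A missing or malformed name falls
# back to a default pair (assumed policy) so the handshake still completes and the
# client sees a name mismatch, instead of nginx being pointed at a file that is
# not there.
def handshake_handler(ssl, default_cert:, default_key:)
  paths = cert_paths_for(ssl.servername)
  if paths
    ssl.certificate, ssl.certificate_key = paths
  else
    ssl.certificate, ssl.certificate_key = default_cert, default_key
  end
  ssl
end

if __FILE__ == $PROGRAM_NAME
  %w[example.com WWW.Example.COM. ../../etc/passwd nope.example.net].each do |sni|
    ssl = handshake_handler(FakeSSL.new(sni),
                            default_cert: "#{CERT_DIR}/default.crt",
                            default_key: "#{CERT_DIR}/default.key")
    puts "#{sni.inspect} -> #{ssl.certificate}"
  end
end
```

Inside a real handler the two assignments to ssl.certificate and ssl.certificate_key are the only lines nginx cares about; everything before them is the part that is easy to leave out when the handler is a two-line inline directive.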

  16. I also sent various other patches
    - seven pull requests to https://github.com/matsumoto-r/ngx_mruby/pull/… (the PR numbers were lost in extraction)
    Not that the count means much.

  17. While I was doing all this I was given push access and became a maintainer.

  18. Infrastructure for dynamic certificate loading

  19. Infrastructure for dynamic certificate loading
    - Thousands or tens of thousands of certificate files have to be managed
    - The web server running ngx_mruby is not necessarily a single machine

  20-26. Infrastructure for dynamic certificate loading (one diagram, built up over seven slides)
    lb
     |
    reverse proxy (ngx_mruby)
     |
    application
     |         \
    cache       db
    (redis)     (mysql)

    It ends up looking roughly like this:
    - The reverse proxy receives server_name via the TLS SNI extension
    - It needs the certificate and key for that name
      a. if it does not have them, fetch them from the DB
      b. cache them
    - then proxy the request on
    - I want tests for this
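The diagram describes a lookup that runs inside every TLS handshake: check the cache, fall back to the database, remember the answer. The block below is an added example in plain Ruby, not code from the deck or from ngx_mruby, of that path with the two details a practitioner needs and the slides do not draw: a TTL on positive entries so rotated certificates are picked up, and a short negative cache so a flood of handshakes for names you do not serve does not become a flood of MySQL queries. Redis and MySQL are replaced by in-memory hashes holding constructed sample rows (a real handler would use the mruby redis and mysql mrbgems); the clock is injectable so expiry can be exercised without sleeping.

```ruby
# Added example (plain Ruby, not from the deck or ngx_mruby): the cache-then-DB
# lookup drawn on the infrastructure slides.
class CertStore
  Entry = Struct.new(:cert, :key, :expires_at)

  # db:           stand-in for MySQL, servername => { cert: PEM, key: PEM }
  # ttl:          seconds a found certificate is served from cache
  # negative_ttl: seconds a "no such name" answer is remembered
  def initialize(db:, ttl: 300, negative_ttl: 30, clock: -> { Time.now.to_f })
    @db = db
    @cache = {}          # stand-in for Redis, servername => Entry
    @ttl = ttl
    @negative_ttl = negative_ttl
    @clock = clock
    @db_hits = 0         # counts the round-trips the cache did not save us from
  end
  attr_reader :db_hits

  # Returns [cert, key] or nil when no certificate exists for servername.
  def lookup(servername)
    now = @clock.call
    entry = @cache[servername]
    if entry && entry.expires_at > now
      return entry.cert.nil? ? nil : [entry.cert, entry.key]   # hit, positive or negative
    end
    @db_hits += 1
    row = @db[servername]
    if row
      @cache[servername] = Entry.new(row[:cert], row[:key], now + @ttl)
      [row[:cert], row[:key]]
    else
      # Negative cache: remember the miss briefly so repeated handshakes for names
      # we do not serve are answered from memory instead of hitting the DB each time.
      @cache[servername] = Entry.new(nil, nil, now + @negative_ttl)
      nil
    end
  end

  # Call this when a certificate is rotated in the DB so the next handshake
  # picks up the new one instead of waiting for the TTL to run out.
  def invalidate(servername)
    @cache.delete(servername)
  end
end

# Constructed sample rows standing in for MySQL (PEM bodies abbreviated).
SAMPLE_DB = {
  'example.com' => { cert: "-----BEGIN CERTIFICATE-----\n(example.com)",
                     key:  "-----BEGIN PRIVATE KEY-----\n(example.com)" },
}

# Walks through the flow once with a fake clock and returns what happened.
def demo
  t = 1000.0
  store = CertStore.new(db: SAMPLE_DB, ttl: 300, negative_ttl: 30, clock: -> { t })
  first  = store.lookup('example.com')    # DB query, cache filled
  second = store.lookup('example.com')    # served from cache
  store.lookup('nope.example')            # DB query, miss remembered
  store.lookup('nope.example')            # answered from the negative entry
  hits_warm = store.db_hits
  t += 301.0                              # positive entry has now expired
  store.lookup('example.com')             # DB query again
  store.invalidate('example.com')
  store.lookup('example.com')             # DB query after explicit invalidation
  { first: first, second: second, db_hits_warm: hits_warm, db_hits_end: store.db_hits }
end
```

One consequence of this layout that the diagram hides: the cache holds private keys, so the Redis instance becomes part of the key-handling boundary. Restrict it to the proxies (network ACL, AUTH) and treat its persistence and replication settings as you would the key files on disk.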

  27. Things I built in order to test it

  28. hfm/mruby-test-mysqld
    - An mruby port of Test::mysqld
    - I wrote mruby-test-mysqld, which automatically builds a MySQL environment for mruby tests
    http://blog.hifumi.info/2016/09/06/mruby-test-mysqld/

  29. hfm/mruby-ini
    - I wanted to separate the MySQL connection settings from the code
    - When you say "config file", I figured INI (?)
    - There is no specification for it the way there is for YAML (which I only learned after I had started writing it)
    - What it does today is "read INI-ish files"
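Because INI has no specification, "INI-ish" has to be pinned down by the parser itself. The block below is an added example in plain Ruby, not mruby-ini's code, of one such reading: sections, key = value pairs, full-line comments starting with ; or #, optional surrounding quotes, and deliberately no inline comments, so a password containing ; survives intact. The sample file is constructed; its mysql and redis sections are assumptions, not the deck's configuration. As with the other examples, mruby would need a Regexp mgem to run this.

```ruby
# Added example (plain Ruby, not mruby-ini's code): a parser for the INI-ish
# format described on the slide, used to keep MySQL settings out of handler code.
def parse_ini(text)
  result = {}
  section = nil
  text.each_line.with_index(1) do |raw, lineno|
    line = raw.strip
    next if line.empty? || line.start_with?(';', '#')   # full-line comments only
    if line =~ /\A\[([^\]]+)\]\z/
      section = $1.strip
      result[section] ||= {}
    elsif line =~ /\A([^=]+?)\s*=\s*(.*)\z/
      raise ArgumentError, "line #{lineno}: key outside any [section]" if section.nil?
      key, value = $1, $2
      # Strip one pair of matching surrounding quotes; everything else is kept
      # verbatim as a string, so values may contain ';' and '#'.
      if value.length >= 2 && value[0] == value[-1] && %w[" '].include?(value[0])
        value = value[1..-2]
      end
      result[section][key] = value
    else
      raise ArgumentError, "line #{lineno}: cannot parse #{line.inspect}"
    end
  end
  result
end

# Constructed sample config (not from the deck).
SAMPLE_INI = <<~INI
  ; connection settings kept out of the handler code
  [mysql]
  host = 127.0.0.1
  port = 3306
  user = certs_ro
  password = "s3cret; not a comment"
  database = certs

  [redis]
  host = 127.0.0.1
  port = 6379
INI

# Typed view of the [mysql] section; fetch raises on a missing key instead of
# silently connecting with nil credentials.
def mysql_settings(text = SAMPLE_INI)
  m = parse_ini(text).fetch('mysql')
  { host: m.fetch('host'), port: Integer(m.fetch('port')), user: m.fetch('user'),
    password: m.fetch('password'), database: m.fetch('database') }
end
```

Keeping the credentials in a file the handler reads at load time also means the file's permissions, not the nginx configuration, decide who can read the DB password; it should be owned by the user nginx runs as and not be world-readable.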

  30. http://www.slideshare.net/hsbt/20150525-testing-casualtalks
    How to write tests for products written in mruby

  31. What I talked about today
    - That ngx_mruby x OpenSSL makes dynamic certificate loading possible
    - The infrastructure layout for realizing dynamic certificate loading
    - The tools I wrote myself in order to test it

  32. OSS work is fun. Business matters too. Pepabo, where you can do both, is the best.
    Check the latest hiring information → @pb_recruit