Dynamic certificate loading, the ngx_mruby edition #hoscon / GMO HosCon 2016

Slides from my talk at "HosCon - GMO Hosting Conference - @渋谷" http://gmohoscon.connpass.com/event/41490/. It is only a 10-minute lightning talk, but I crammed quite a lot into it.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

[URLs that appear in the slides]
Description of SSL_CTX_set_cert_cb():
https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_cert_cb.html

Tweet announcing that ngx_mruby now supports dynamic certificate loading:
https://twitter.com/matsumotory/status/685341115814289408

Implemented mruby_ssl_handshake_handler in ngx_mruby:
http://blog.hifumi.info/2016/10/03/ngx_mruby-mruby_ssl_handshake_handler/

Wrote mruby-test-mysqld, which automatically sets up a MySQL environment for mruby tests:
http://blog.hifumi.info/2016/09/06/mruby-test-mysqld/

How to test code with mruby:
http://www.slideshare.net/hsbt/20150525-testing-casualtalks


Takahiro Okumura

October 29, 2016
Transcript

  1. Dynamic certificate loading, the ngx_mruby edition / Takahiro Okumura, GMO Pepabo Inc. / GMO Hosting Conference @渋谷

  2. Engineer, Infrastructure Group, Technology Division / Takahiro Okumura @hfm / http://blog.hifumi.info/

  3. What I will talk about today
     - The difficulty of handling certificates for a large number of domains on a web server
     - Dynamic certificate loading with ngx_mruby
     - Infrastructure for dynamic certificate loading
     - Things I built in order to test it

  4. The difficulty of handling certificates for a large number of domains on a web server

  5. The difficulty of handling certificates for a large number of domains on a web server
     - The configuration needed to load the certificates grows enormous
     - Process memory also bloats in proportion to the number of domains
     - In nginx's case, loading […] × 10,000 certificates balloons the process to roughly […] MB

  6. SSL_CTX_set_cert_cb
     - A function added in OpenSSL 1.0.2
     - Lets you invoke a callback function at the moment the certificate is requested
     - https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_cert_cb.html

  7. SSL_CTX_set_cert_cb (same slide, with the takeaway): the pieces needed to load certificates dynamically have now come together.

  8. https://twitter.com/matsumotory/status/685341115814289408

  9. https://twitter.com/matsumotory/status/685341115814289408 (same slide, with the takeaway): with ngx_mruby you can load certificates dynamically.

  10. Dynamic certificate loading with ngx_mruby

  11. mruby_ssl_handshake_handler_code

      mruby_ssl_handshake_handler_code '
        ssl = Nginx::SSL.new
        ssl.certificate = "/path/to/#{ssl.servername}.crt"
        ssl.certificate_key = "/path/to/#{ssl.servername}.key"
      ';

  12. The problem with mruby_ssl_handshake_handler_code (same configuration as slide 11)
      An inline-style directive becomes hard to read once the code gets long, but at the time there was no directive that loaded the code from a file.

  13. So I made one.

  14. Implemented mruby_ssl_handshake_handler in ngx_mruby
      http://blog.hifumi.info/2016/10/03/ngx_mruby-mruby_ssl_handshake_handler/

  15. mruby_ssl_handshake_handler

      mruby_ssl_handshake_handler /path/to/handler.rb cache;

      # /path/to/handler.rb
      ssl = Nginx::SSL.new
      ssl.certificate = "/path/to/#{ssl.servername}.crt"
      ssl.certificate_key = "/path/to/#{ssl.servername}.key"

      Same functionality as mruby_ssl_handshake_handler_code, but it can load an external file such as /path/to/handler.rb.

  16. I sent various other patches as well: seven pull requests to https://github.com/matsumoto-r/ngx_mruby (not that the number means much).

  17. While I was doing all that I was given push rights and became a maintainer.

  18. Infrastructure for dynamic certificate loading

  19. Infrastructure for dynamic certificate loading
     - You have to manage thousands, even tens of thousands, of certificate files
     - The web server running ngx_mruby is not necessarily a single machine

  20. Infrastructure for dynamic certificate loading (diagram): lb (reverse proxy) / ngx_mruby / application / cache (redis) / db (mysql). It ends up looking roughly like this.

  21. Same diagram: the server_name is received via the TLS SNI extension.

  22. Same diagram: the certificate and key.

  23. Same diagram: (a) if they are not present, fetch them from the DB.

  24. Same diagram: (b) cache them.

  25. Same diagram: proxy.

  26. Same diagram: I want tests.
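The lookup flow of slides 21 to 25, as an added example in plain Ruby that is not part of the original deck: the in-memory Hashes stand in for redis and mysql, the Nginx::SSL calls follow slide 15 and are an assumption about the ngx_mruby API, and because the SNI server_name is supplied by the client it is validated as a hostname before being used as a key or path.

```ruby
# Added example, not from the slides: the lookup order of slides 21-25 in plain Ruby,
# SNI server_name -> (b) cache -> (a) DB, filling the cache on a DB hit. The Hashes are
# constructed stand-ins for redis/mysql; values are the file paths the slide-15 handler
# assigns (whether the real store holds paths or PEM bodies is an assumption).

# A plain DNS name: labels of letters, digits and inner hyphens, 253 chars at most.
HOSTNAME_RE = /\A(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\z/i

# The SNI server_name is chosen by the client, so validate it before it is used
# as a cache key, a DB key or part of a file path.
def valid_servername?(name)
  name.is_a?(String) && name.length <= 253 && !!(HOSTNAME_RE =~ name)
end

# Constructed sample data: what the DB would answer for two known domains.
DB = {
  "example.com" => { crt: "/path/to/example.com.crt", key: "/path/to/example.com.key" },
  "example.net" => { crt: "/path/to/example.net.crt", key: "/path/to/example.net.key" },
}

class CertStore
  attr_reader :db_hits
  def initialize(db, cache = {})
    @db, @cache, @db_hits = db, cache, 0
  end

  # Returns { crt:, key: } for a known domain, nil for unknown or invalid names.
  def lookup(servername)
    return nil unless valid_servername?(servername)
    key = servername.downcase
    return @cache[key] if @cache.key?(key)   # (b) served from the cache
    @db_hits += 1
    rec = @db[key]                            # (a) fall back to the DB
    @cache[key] = rec if rec                  # only positive answers are cached
    rec
  end
end

STORE = CertStore.new(DB)

# Handler body as it would run under mruby_ssl_handshake_handler (API as on slide 15,
# assumed; skipped under plain Ruby). An unknown name leaves nginx's static certificate.
if defined?(Nginx::SSL)
  ssl = Nginx::SSL.new
  if (rec = STORE.lookup(ssl.servername))
    ssl.certificate = rec[:crt]
    ssl.certificate_key = rec[:key]
  end
end
```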
  27. Things I built in order to test it

  28. hfm/mruby-test-mysqld
     - An mruby port of Test::mysqld
     - Wrote mruby-test-mysqld, which automatically sets up a MySQL environment for mruby tests
     - http://blog.hifumi.info/2016/09/06/mruby-test-mysqld/

  29. hfm/mruby-ini
     - Wanted to keep the MySQL connection settings separate from the code
     - Figured "config file" means INI (?)
     - There is no specification for it the way there is for YAML (I found that out after I started writing it)
     - Its current state: "it can read INI-ish files"

  30. http://www.slideshare.net/hsbt/20150525-testing-casualtalks
      How to write tests for products written in mruby

  31. What I talked about today
     - That ngx_mruby with OpenSSL can load certificates dynamically
     - The infrastructure layout for realizing dynamic certificate loading
     - The tools I wrote myself for testing

  32. OSS work is fun. Business matters too. Pepabo, where you can do both, is the best. Check the latest job openings → @pb_recruit