Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
プロキシサーバ自作から学ぶ、HTTP通信
Search
kobatako
July 15, 2019
Technology
0
110
プロキシサーバ自作から学ぶ、HTTP通信
kobatako
July 15, 2019
Tweet
Share
More Decks by kobatako
See All by kobatako
ネットワークのことを知るため ソフトウェアルータを 自作した話
kobatako
0
3.3k
enginnerday.pdf
kobatako
0
42
Other Decks in Technology
See All in Technology
プロファイルとAIエージェントによる効率的なデバッグ / Effective debugging with profiler and AI assistant
ymotongpoo
1
150
SOTA競争から人間を超える画像認識へ
shinya7y
0
450
AIとともに歩んでいくデザイナーの役割の変化
lycorptech_jp
PRO
0
880
From Natural Language to K8s Operations: The MCP Architecture and Practice of kubectl-ai
appleboy
0
220
AI時代の開発を加速する組織づくり - ブログでは書けなかったリアル
hiro8ma
1
310
ViteとTypeScriptのProject Referencesで 大規模モノレポのUIカタログのリリースサイクルを高速化する
shuta13
3
200
ヘンリー会社紹介資料(エンジニア向け) / company deck for engineer
henryofficial
0
380
IBC 2025 動画技術関連レポート / IBC 2025 Report
cyberagentdevelopers
PRO
2
170
オブザーバビリティが育むシステム理解と好奇心
maruloop
2
1.1k
SRE × マネジメントレイヤーが挑戦した組織・会社のオブザーバビリティ改革 ― ビジネス価値と信頼性を両立するリアルな挑戦
coconala_engineer
0
240
webpack依存からの脱却!快適フロントエンド開発をViteで実現する #vuefes
bengo4com
3
3.4k
MCP ✖️ Apps SDKを触ってみた
hisuzuya
0
360
Featured
See All Featured
Docker and Python
trallard
46
3.6k
For a Future-Friendly Web
brad_frost
180
10k
No one is an island. Learnings from fostering a developers community.
thoeni
21
3.5k
Facilitating Awesome Meetings
lara
57
6.6k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
31
2.6k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
35
3.2k
The Illustrated Children's Guide to Kubernetes
chrisshort
49
51k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
359
30k
Optimising Largest Contentful Paint
csswizardry
37
3.5k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
140
34k
Keith and Marios Guide to Fast Websites
keithpitt
411
23k
Testing 201, or: Great Expectations
jmmastey
45
7.7k
Transcript
ϓϩΩγαʔόࣗ࡞͔ΒֶͿɺ HTTP௨৴ PHPΧϯϑΝϨϯεԬ2019 খݪɹਸ 2019/06/29 ()
ࣗݾհ • ໊લ : খݪ ਸʢ͜Δ ͔ͨͻΖʣ • ॴଐ :
גࣜձࣾFusic • ࣄ : PHPɺGolangɺAWS • झຯ : ElixirɺErlangɺΠϯϑϥ͍Ζ͍Ζ • Twitter : kobatako_
ΞδΣϯμ • ϓϩΩγαʔόʹ͍ͭͯ • ࣗ࡞ͨ͠HTTPϓϩΩγͷॲཧ • ·ͱΊ
ϓϩΩγαʔόʹ͍ͭͯ
ϓϩΩγαʔόͷ ϨΠϠʔ
ϓϩΩγαʔόͷϨΠϠʔ • L3/L4 • TCP/IPϨϕϧͰͷϓϩΩγ • L7 •ΞϓϦέʔγϣϯϨϕϧͰͷϓϩΩγ
ϓϩΩγαʔόͷϨΠϠʔ • L3/L4 • TCP/IPϨϕϧͰͷϓϩΩγ • L7 •ΞϓϦέʔγϣϯϨϕϧͰͷϓϩΩγ <- ͜͜ʹ͍ͭͯ
L7 ϓϩΩγ HTTPϦΫΤετ • ΫϥΠΞϯτͱϓϩΩγαʔόɺϓϩΩγαʔόͱόοΫΤϯυͷ αʔόͦΕͧΕͰTCPଓΛߦ͏ • ΞϓϦέʔγϣϯϨϕϧͰͷ੍ޚʢHTTPͳͲʣ HTTPϦΫΤετ TCP
TCP ΫϥΠΞϯτ ϓϩΩγ όοΫΤϯυ
ϓϩΩγαʔόΛڬΉͱ Ͳ͏ͳΔ ???
ϓϩΩγαʔόͷׂ •௨৴༰ͷվม •ෛՙࢄ •ηΩϡΞͳ௨৴ɺೝূ
ϚΠΫϩαʔϏεͰར༻
ϓϩΩγαʔό •Envoy • L3/L4 filter architecture • L7 filter architecture
• HTTP2 / gRPCΛαϙʔτ • αʔΩοτϒϨʔΧʔ • Etc…
ࣗ࡞͢Δ͜ͱͰਂ͘ཧղ ϓϩΩγαʔόͷ ར༻ൣғ͕͕͖͍ͬͯͯΔ
ࣗ࡞ͨ͠ HTTPϓϩΩγͷॲཧ
ࣗ࡞ͨ͠HTTPϓϩΩγͷॲཧ • X-Forwarded • ෛՙࢄ • Upgrade-Insecure-Requests • αʔΩοτϒϨʔΧʔ
X-Forwarded
X-Forwarded • RFC 7239 • HTTP Headerͷ֦ு • ϓϩΩγΛதܧ͢Δࡍʹૹ৴ݩʢΫϥΠΞϯτʣͷ IPProtocolͳͲHeaderʹ͚Ճ͑Δ
˞ ͚ͭͳ͍ͱૹ৴ݩIPͳͲͰ੍ޚ͕Ͱ͖ͳ͘ͳΔ ʢX-Forwarded-Forʣ
X-Forwarded • X-Forwarded-For • ΫϥΠΞϯτͷIP • X-Forwarded-Host • ΫϥΠΞϯτ͔ΒૹΒΕ͖ͯͨHost Header
• X-Forwarded-Proto • ΫϥΠΞϯτ͔ΒͷϦΫΤετ: HTTPɺHTTPSͱ͔ • X-Forwarded-By • ΫϥΠΞϯτ͔ΒϦΫΤετΛड͚औͬͨϓϩΩγଆͷIP
X-Forwarded-For͚ͩͰͳ͘ શ෦ೖΕΔΑ͏ʹ͢Δ
• X-Forwarded-For • Laravel(Symfony)CakePHPͰૹ৴ݩIPͷͱͯ͠ར༻ • X-Forwarded-Proto • Laravel(Symfony)ͰηΩϡΞͳ௨৴͔Ͳ͏͔ͷࢀরͱͯ͠ར༻ https://github.com/symfony/http-foundation/blob/master/Request.php#L1113 ϑϨʔϜϫʔΫͰར༻͞Ε͍ͯΔ
ෛՙࢄ
ෛՙࢄ • ෛՙʹԠͯ͡όοΫΤϯυͷαʔόʹϦΫΤετΛ ৼΓ͚Δ • ϦΫΤετͷछྨύεʹΑͬͯϦΫΤετઌΛܾΊΔ • .jsɺ.cssɺ.pngͷϦΫΤετ • /admin/
ͷϦΫΤετ
ෛՙࢄ HTTP ϦΫΤετ /index HTTP ϦΫΤετ js, css HTTP ϦΫΤετ
/index GET /index HTTP/1.1
࣮ͨ࣌͠ͷߏ
ෛՙࢄ 1. Proxyʢϓϩηεʣ͕HTTP RequestΛड͚औΓɺύε͔ΒClusterΛબ 2. Cluster͕LoadBalancerʹϦΫΤετΛ͠ɺIndex൪߸Λฦ͢ 3. ฦ͞ΕͨIndex൪߸ΛݩʹCluster͕NodeΛฦ͠ɺϦΫΤετΛૹ৴ $MVTUFS /PEF
/PEF /PEF -PBE#BMBODFS 1SPYZ )5513FRVFTU
Upgrade-Insecure-Requests
Upgrade-Insecure-Requests • HTTPSԽΛଅਐ͢Δ • ηΩϡΞͰอޢ͞ΕͨURLͰஔ͖͑ΒΕ͔ͨͷΑ͏ʹॲ ཧ͢ΔΑ͏ࢦࣔΛ͢Δ
Upgrade-Insecure-Requests • ΫϥΠΞϯτ • Upgrade-Insecure-Requests: 1 • ChromeͰHeaderʹ͍ͭͯΔ • αʔό
• Content-Security-Policy: upgrade-insecure-requests • ApacheɺNginxͳͲͰઃఆ͢Δ͜ͱՄೳ
Upgrade-Insecure-Requests • ΫϥΠΞϯτ • Upgrade-Insecure-Requests: 1 • ChromeͰHeaderʹ͍ͭͯΔ • αʔό
• Content-Security-Policy: upgrade-insecure-requests • ApacheɺNginxͳͲͰઃఆ͢Δ͜ͱՄೳ <- ͜͜ʹ͍ͭͯ
Upgrade-Insecure-Requests • αʔό 1. HTTPϦΫΤετ 2. όοΫάϥϯυϦΫΤετ 3. HTTPϨεϙϯε 4.
Ϩεϙϯεϔομʔʹ `upgrade-insecure-requests` Λ͚ͭΔ ᶃ ᶄ ᶅ ᶆ
࣮ࡍͷಈ࡞
Upgrade-Insecure-Requests <img src=“http://example.com/img.png"> IUUQTFYBNQMFDPN ը૾ͷϦΫΤετA)551Aͱͯ͠ϦΫΤετ͢Δ 6QHSBEF*OTFDVSF3FRVFTUT͕ͳ͍߹
Upgrade-Insecure-Requests IUUQTFYBNQMFDPN 6QHSBEF*OTFDVSF3FRVFTUT͕͋Δ߹ <img src=“http://example.com/img.png"> ը૾ͷϦΫΤετA)5514Aͱͯ͠ϦΫΤετ͢Δ ˞JNHλάͷTSDAIUUQAͷ··
Consoleʹܯࠂ͕ग़ͳ͘ͳΔ Mixed Content: The page at ‘https://example.com' was loaded over
HTTPS, but requested an insecure image ‘http://example.com/img.png'. This content should also be served over HTTPS.
αʔΩοτϒϨʔΧʔ
αʔΩοτϒϨʔΧʔ Failͨ͠αʔόʹରͯ͠େྔͷϦΫΤετ͕ ߦ͔ͳ͍Α͏ʹ੍ޚ͢Δ
αʔΩοτϒϨʔΧʔ Fail = 5xxͷ εςʔλείʔυ
αʔΩοτϒϨʔΧʔ )551ϦΫΤετ εςʔλείʔυ •εςʔλείʔυΛࢹ͢Δ
αʔΩοτϒϨʔΧʔ )551ϦΫΤετ εςʔλείʔυ ʢ'BJMʣ )551ϦΫΤετ εςʔλείʔυ ʢ'BJMʣ
αʔΩοτϒϨʔΧʔ •όοΫΤϯυͷαʔόϦΫΤετΛߦΘͣ circuit breaker͔ΒϦΫΤετΛฦ͢ )551ϦΫΤετ εςʔλείʔυ ʢ'BJMʣ
ඵܦաʜ
αʔΩοτϒϨʔΧʔ •Ұఆ࣌ؒա͗ΔͱϒϨʔΧʔΛ͢ )551ϦΫΤετ εςʔλείʔυ
࣮ͨ࣌͠ͷߏ
• CircuitBreakerʹϦΫΤετͷύεΛૹΓON͔Λ֬ೝ • ONʹͳ͍ͬͯΔ߹όοΫΤϯυϦΫΤετ • OFFʹͳ͍ͬͯΔ߹ΤϥʔΛϓϩΩγαʔό͔ΒϨεϙϯε 1SPYZ )5513FRVFTU $JSDVJU#SFBLFS αʔΩοτϒϨʔΧʔ
αʔΩοτϒϨʔΧʔ • ࣮ͷํࣜ • ϦΫΤετ࣌ʹߦͬͨPathʹରͯ͠3ճ5xxܥͷεςʔλείʔυ͕ ฦ͖ͬͯͨ߹ͦΕҎ߱ͷϦΫΤεταʔΩοτϒϨʔΧʔΛ ONʹ͢Δ • ఀࢭ͔ͯ͠Β30ඵܦա͔ͯ͠ΒαʔΩοτϒϨʔΧʔΛOFFʹ͢Δ
-> ଞʹϔϧενΣοΫͳͲͷΓํ͕͋Δʢະ࣮ʣ
·ͱΊ
·ͱΊ • HTTPγϯϓϧ͕ͩɺগ͠ෳࡶͳ͜ͱΛ͢Δͱ͘͠ͳΔ • ϦΫΤετ͝ͱʹϓϩηεΛ͚͍ͯΔͷͰɺϩʔυόϥϯαʔͱ αʔΩοτϒϨʔΧʔͷ࣮ʹ͕ඞཁͩͬͨ ʢHTTPϓϩΩγͱผ͕ͩ… • ϒϥβ͝ͱʹTCPίωΫγϣϯͷ࣋ͪํ͕ҧͬͨ •
ߴෛՙ࣌ͷϓϩηε੍ޚͰۤઓͨ͠ʢݱࡏਐߦܗʣ
͝੩ௌ͋Γ͕ͱ͏ ͍͟͝·ͨ͠