Learning HTTP by building a proxy server from scratch
PHP Conference Fukuoka 2019
小原 崇 (Takahiro Kobara)
2019/06/29 (Sat)
Self-introduction
• Name: 小原 崇 (Takahiro Kobara)
• Affiliation: Fusic Co., Ltd. (株式会社Fusic)
• Work: PHP, Golang, AWS
• Hobbies: Elixir, Erlang, all sorts of infrastructure
• Twitter: kobatako_
Agenda
• About proxy servers
• Processing in the HTTP proxy I built
• Summary
About proxy servers
Proxy server layers
Proxy server layers
• L3/L4
  • Proxying at the TCP/IP level
• L7
  • Proxying at the application level <- this talk is about these
L7 proxy
• A separate TCP connection is made between the client and the proxy server, and between the proxy server and the backend server
• Control at the application level (HTTP etc.)
[Diagram: client --TCP--> proxy --TCP--> backend, carrying the HTTP request]
What happens when a proxy server is put in between???
Roles of a proxy server
• Modifying the content of the traffic
• Load balancing
• Secure communication, authentication
Used in microservices
Proxy servers
• Envoy
  • L3/L4 filter architecture
  • L7 filter architecture
  • Supports HTTP/2 and gRPC
  • Circuit breaker
  • Etc…
The range of uses for proxy servers keeps widening.
Building one yourself leads to a deeper understanding.
Processing in the HTTP proxy I built
Processing in the HTTP proxy I built
• X-Forwarded
• Load balancing
• Upgrade-Insecure-Requests
• Circuit breaker
X-Forwarded
X-Forwarded
• RFC 7239
• An extension of the HTTP headers
• When relaying through a proxy, the sender's (client's) IP, protocol and so on are added to the headers
  ※ If they are not added, the backend can no longer apply controls based on the source IP etc. (X-Forwarded-For)
X-Forwarded
• X-Forwarded-For
  • The client's IP
• X-Forwarded-Host
  • The Host header sent by the client
• X-Forwarded-Proto
  • The protocol of the client's request: HTTP, HTTPS, etc.
• X-Forwarded-By
  • The IP on the proxy side that received the request from the client
Set all of them, not just X-Forwarded-For
Used by frameworks
• X-Forwarded-For
  • Used by Laravel (Symfony) and CakePHP as the source IP
• X-Forwarded-Proto
  • Used by Laravel (Symfony) to decide whether the connection is secure
  https://github.com/symfony/http-foundation/blob/master/Request.php#L1113
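As an added example (not code from the talk or its proxy), here is how a Go proxy can fill in the four headers listed above before relaying a request, plus the backend-side reading of the X-Forwarded-For chain. The proxy address, the client address and the example.com request are constructed values, and `addForwardedHeaders`, `clientIPFromChain` and `sampleRequest` are names chosen for this example. The point a backend developer should take from it: the proxy appends to X-Forwarded-For rather than replacing it, so a client can put anything at the left of the chain; with one trusted proxy in front, only the rightmost entry was written from the real TCP connection and only that entry should be used as the client IP for access control or logging.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// proxyAddr stands in for the address this proxy listens on (constructed
// value, used to fill X-Forwarded-By).
const proxyAddr = "10.0.0.5"

// addForwardedHeaders sets the X-Forwarded-* headers on a request that is
// about to be relayed to a backend, following the same list as the slides:
//   X-Forwarded-For   client IP, appended to any chain already present
//   X-Forwarded-Host  the Host header the client sent
//   X-Forwarded-Proto "https" when the client connection used TLS, else "http"
//   X-Forwarded-By    this proxy's address
// Appending (rather than overwriting) X-Forwarded-For keeps the chain built by
// upstream proxies, but it also means a client can plant arbitrary values at
// the left of the chain; see clientIPFromChain for how a backend should read it.
func addForwardedHeaders(r *http.Request, proxy string) error {
	clientIP, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return fmt.Errorf("cannot parse RemoteAddr %q: %w", r.RemoteAddr, err)
	}
	if prior := r.Header.Get("X-Forwarded-For"); prior != "" {
		clientIP = prior + ", " + clientIP
	}
	r.Header.Set("X-Forwarded-For", clientIP)
	r.Header.Set("X-Forwarded-Host", r.Host)
	proto := "http"
	if r.TLS != nil {
		proto = "https"
	}
	r.Header.Set("X-Forwarded-Proto", proto)
	r.Header.Set("X-Forwarded-By", proxy)
	return nil
}

// clientIPFromChain is the backend-side companion: with exactly one trusted
// proxy in front, only the rightmost entry was written by that proxy from the
// real TCP connection; anything to its left arrived in the request from the
// outside and must not be used as the client IP for access control or logging.
func clientIPFromChain(xff string) string {
	parts := strings.Split(xff, ",")
	return strings.TrimSpace(parts[len(parts)-1])
}

// sampleRequest builds a constructed client request as the proxy would see it:
// a TLS connection from 198.51.100.7 that may already carry a client-supplied
// (and therefore untrustworthy) X-Forwarded-For value.
func sampleRequest(clientSuppliedXFF string) *http.Request {
	r := httptest.NewRequest("GET", "https://example.com/index", nil)
	r.RemoteAddr = "198.51.100.7:43210"
	if clientSuppliedXFF != "" {
		r.Header.Set("X-Forwarded-For", clientSuppliedXFF)
	}
	return r
}

func main() {
	r := sampleRequest("203.0.113.9")
	if err := addForwardedHeaders(r, proxyAddr); err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, h := range []string{"X-Forwarded-For", "X-Forwarded-Host", "X-Forwarded-Proto", "X-Forwarded-By"} {
		fmt.Printf("%-18s %s\n", h+":", r.Header.Get(h))
	}
	fmt.Println("backend should treat the client IP as:", clientIPFromChain(r.Header.Get("X-Forwarded-For")))
}
```

Running it shows `X-Forwarded-For: 203.0.113.9, 198.51.100.7`: the spoofed left entry survives, but the backend still gets the real connection address as the rightmost one. If there is more than one trusted proxy in the chain, the backend must strip that many entries from the right and trust the next one, never the leftmost.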
Load balancing
Load balancing
• Distribute requests across the backend servers according to load
• Decide the destination from the kind of request or its path
  • Requests for .js, .css, .png
  • Requests for /admin/
Load balancing
[Diagram: the proxy forwards the HTTP request for /index to one backend and the HTTP requests for js, css to another; the incoming request is GET /index HTTP/1.1]
The structure as implemented
Load balancing
1. The Proxy (process) receives the HTTP Request and selects a Cluster from the path
2. The Cluster asks the LoadBalancer, which returns an index number
3. Using the returned index number, the Cluster returns a Node and the request is sent to it
[Diagram: Proxy, HTTP Request, Cluster, LoadBalancer, Node / Node / Node]
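The three steps above, written out in Go as an added example (this is not the talk's own implementation, and the type and method names `Router`, `Cluster`, `LoadBalancer`, `Node`, `Route` and `Pick` are chosen for the example; the backend addresses are constructed). It uses round-robin for the index, since the slides do not fix a strategy, and it goes one step beyond the slides by routing on the cleaned path: if the proxy matched the `/admin/` prefix against the raw path, a request for `/foo/../admin/users` would be sent to the general cluster while a backend that normalises paths would still serve `/admin/users`, so the routing decision and the backend's view of the request should be made on the same normalised form.

```go
package main

import (
	"fmt"
	"path"
	"strings"
	"sync"
)

// Node is one backend server.
type Node struct{ Addr string }

// LoadBalancer hands out an index into a cluster's node list (step 2 on the
// slide). Round-robin is used here; the slides do not fix a strategy.
type LoadBalancer struct {
	mu   sync.Mutex
	next int
}

func (lb *LoadBalancer) Index(n int) int {
	lb.mu.Lock()
	defer lb.mu.Unlock()
	i := lb.next % n
	lb.next++
	return i
}

// Cluster groups the nodes that serve one kind of request and turns the
// load balancer's index back into a Node (step 3).
type Cluster struct {
	Name  string
	Nodes []Node
	LB    *LoadBalancer
}

func (c *Cluster) Pick() (Node, error) {
	if len(c.Nodes) == 0 {
		return Node{}, fmt.Errorf("cluster %q has no nodes", c.Name)
	}
	return c.Nodes[c.LB.Index(len(c.Nodes))], nil
}

// Router is the proxy's step 1: choose the cluster from the request path.
type Router struct {
	Admin, Static, App *Cluster
}

// ClusterFor routes on the normalised path. Without path.Clean a request for
// "/foo/../admin/users" would not match the "/admin/" prefix here but would
// still reach /admin/users on a backend that normalises, so the admin
// cluster's routing could be sidestepped.
func (rt *Router) ClusterFor(reqPath string) *Cluster {
	clean := path.Clean("/" + reqPath)
	if clean == "/admin" || strings.HasPrefix(clean, "/admin/") {
		return rt.Admin
	}
	switch strings.ToLower(path.Ext(clean)) {
	case ".js", ".css", ".png":
		return rt.Static
	}
	return rt.App
}

// Route performs all three steps and returns the chosen cluster name and node.
func (rt *Router) Route(reqPath string) (string, Node, error) {
	c := rt.ClusterFor(reqPath)
	n, err := c.Pick()
	return c.Name, n, err
}

// newDemoRouter builds three clusters with constructed addresses.
func newDemoRouter() *Router {
	mk := func(name string, addrs ...string) *Cluster {
		c := &Cluster{Name: name, LB: &LoadBalancer{}}
		for _, a := range addrs {
			c.Nodes = append(c.Nodes, Node{Addr: a})
		}
		return c
	}
	return &Router{
		Admin:  mk("admin", "10.0.3.1:8080"),
		Static: mk("static", "10.0.2.1:8080", "10.0.2.2:8080"),
		App:    mk("app", "10.0.1.1:8080", "10.0.1.2:8080", "10.0.1.3:8080"),
	}
}

func main() {
	rt := newDemoRouter()
	for _, p := range []string{"/index", "/index", "/index", "/index", "/assets/app.js", "/img/logo.png", "/admin/users", "/foo/../admin/users"} {
		name, n, err := rt.Route(p)
		if err != nil {
			fmt.Println(p, "->", err)
			continue
		}
		fmt.Printf("%-22s -> cluster %-6s node %s\n", p, name, n.Addr)
	}
}
```

Each cluster owns its own LoadBalancer, so the round-robin position of the app cluster is not disturbed by static-asset traffic; the mutex matters once the proxy handles requests concurrently.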
Upgrade-Insecure-Requests
Upgrade-Insecure-Requests
• Promotes the move to HTTPS
• Instructs the browser to process requests as if their URLs had been replaced with secure, protected ones
Upgrade-Insecure-Requests
• Client
  • Upgrade-Insecure-Requests: 1
  • Chrome attaches it to the request headers
• Server <- this talk is about this side
  • Content-Security-Policy: upgrade-insecure-requests
  • Can be configured in Apache, Nginx and so on
Upgrade-Insecure-Requests
• Server
  1. HTTP request
  2. Request in the background
  3. HTTP response
  4. Add `upgrade-insecure-requests` to the response headers
Actual behaviour
Upgrade-Insecure-Requests
[Diagram: https://example.com, without Upgrade-Insecure-Requests: the image is requested as `HTTP`]
Upgrade-Insecure-Requests
[Diagram: https://example.com, with Upgrade-Insecure-Requests: the image is requested as `HTTPS` ※ the img tag's src stays `http`]
The warning no longer appears in the console:
Mixed Content: The page at 'https://example.com' was loaded over HTTPS, but requested an insecure image 'http://example.com/img.png'. This content should also be served over HTTPS.
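Step 4 of the server-side flow above, as an added Go example rather than the talk's code: a hook for `httputil.ReverseProxy.ModifyResponse` that adds the `Content-Security-Policy: upgrade-insecure-requests` header when the client announced support with `Upgrade-Insecure-Requests: 1`. The helper names (`upgradeInsecure`, `hasDirective`, `cspAfterProxy`, `demoResponse`) and the backend address are assumptions for the example. The design point: the proxy adds a second CSP header instead of overwriting whatever policy the backend already sent, because browsers enforce every CSP header they receive, and replacing the backend's header at the proxy would silently drop its other directives.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

const upgradeDirective = "upgrade-insecure-requests"

// hasDirective reports whether a CSP header value already contains the
// directive, comparing the directive-name token of each ';'-separated part
// (directive names are case-insensitive).
func hasDirective(policy, directive string) bool {
	for _, part := range strings.Split(policy, ";") {
		fields := strings.Fields(part)
		if len(fields) > 0 && strings.EqualFold(fields[0], directive) {
			return true
		}
	}
	return false
}

// upgradeInsecure is used as httputil.ReverseProxy.ModifyResponse: when the
// client announced support with "Upgrade-Insecure-Requests: 1", the proxy adds
// a Content-Security-Policy response header carrying upgrade-insecure-requests
// (step 4 on the slide). It adds a second CSP header rather than overwriting
// any policy the backend set, so the backend's own directives stay in force.
func upgradeInsecure(resp *http.Response) error {
	req := resp.Request
	if req == nil || req.Header.Get("Upgrade-Insecure-Requests") != "1" {
		return nil
	}
	for _, policy := range resp.Header.Values("Content-Security-Policy") {
		if hasDirective(policy, upgradeDirective) {
			return nil // already there, nothing to do
		}
	}
	resp.Header.Add("Content-Security-Policy", upgradeDirective)
	return nil
}

// demoResponse is a constructed backend response to a request that did or did
// not send Upgrade-Insecure-Requests (uir is the header value, "" for absent).
func demoResponse(uir string, backendPolicies []string) *http.Response {
	req, _ := http.NewRequest("GET", "https://example.com/", nil)
	if uir != "" {
		req.Header.Set("Upgrade-Insecure-Requests", uir)
	}
	resp := &http.Response{StatusCode: 200, Header: http.Header{}, Request: req}
	for _, p := range backendPolicies {
		resp.Header.Add("Content-Security-Policy", p)
	}
	return resp
}

// cspAfterProxy runs the hook on a demo response and returns the resulting
// Content-Security-Policy header values.
func cspAfterProxy(uir string, backendPolicies []string) []string {
	resp := demoResponse(uir, backendPolicies)
	if err := upgradeInsecure(resp); err != nil {
		return nil
	}
	return resp.Header.Values("Content-Security-Policy")
}

// newProxy wires the hook into a reverse proxy for a backend URL
// (placeholder address; not a running service).
func newProxy(backend string) (*httputil.ReverseProxy, error) {
	target, err := url.Parse(backend)
	if err != nil {
		return nil, err
	}
	p := httputil.NewSingleHostReverseProxy(target)
	p.ModifyResponse = upgradeInsecure
	return p, nil
}

func main() {
	fmt.Println("no UIR header:  ", cspAfterProxy("", []string{"default-src 'self'"}))
	fmt.Println("UIR: 1:         ", cspAfterProxy("1", []string{"default-src 'self'"}))
	fmt.Println("already present:", cspAfterProxy("1", []string{"default-src 'self'; upgrade-insecure-requests"}))
	if _, err := newProxy("http://backend.internal:8080"); err != nil {
		fmt.Println("error:", err)
	}
}
```

To serve it, pass the `*httputil.ReverseProxy` returned by `newProxy` to `http.ListenAndServeTLS`; the browser only upgrades subresources of a page it loaded over HTTPS, which is exactly the mixed-content case the console warning above describes.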
Circuit breaker
Circuit breaker
Controls traffic so that a large number of requests does not keep going to a server that has failed
Circuit breaker
Fail = a 5xx status code
Circuit breaker
[Diagram: HTTP request -> status code]
• Monitor the status codes
Circuit breaker
[Diagram: HTTP request -> status code (Fail); HTTP request -> status code (Fail)]
Circuit breaker
• Without sending the request to the backend server, return the response from the circuit breaker
[Diagram: HTTP request -> status code (Fail)]
30 seconds pass…
Circuit breaker
• After a fixed time has passed, the breaker is reset
[Diagram: HTTP request -> status code]
Circuit breaker
• Send the request's path to the CircuitBreaker and check whether it is ON
• If it is ON, send the request to the backend
• If it is OFF, respond with an error from the proxy server
[Diagram: Proxy, HTTP Request, CircuitBreaker]
Circuit breaker
• Implementation approach
  • If a 5xx status code comes back 3 times for the path of the request, the circuit breaker is switched ON for subsequent requests
  • 30 seconds after stopping, the circuit breaker is switched OFF
  -> There are other approaches, such as health checks (not implemented)
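The per-path breaker described on the last few slides (3 failures trip it, reset after 30 seconds, error answered by the proxy while tripped), written as an added Go example that is not the talk's implementation. Rather than the ON/OFF wording of the slides it uses "tripped" for the state in which the proxy refuses to call the backend. `CircuitBreaker`, `handle` and `fakeClock` are names chosen for the example; the clock is injected so the 30-second reset can be exercised without sleeping, and the backend is represented by a function returning a status code.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

const (
	failThreshold = 3                // 5xx responses for a path before the breaker trips (slide value)
	openFor       = 30 * time.Second // how long requests are rejected before the breaker resets (slide value)
)

// pathState is the breaker's bookkeeping for one request path.
type pathState struct {
	failures  int
	tripped   bool
	trippedAt time.Time
}

// CircuitBreaker keeps one state per path, as the slides describe. The clock
// is injected so the 30-second reset can be tested deterministically.
type CircuitBreaker struct {
	mu    sync.Mutex
	paths map[string]*pathState
	now   func() time.Time
}

func NewCircuitBreaker(now func() time.Time) *CircuitBreaker {
	return &CircuitBreaker{paths: map[string]*pathState{}, now: now}
}

func (cb *CircuitBreaker) state(path string) *pathState {
	st, ok := cb.paths[path]
	if !ok {
		st = &pathState{}
		cb.paths[path] = st
	}
	return st
}

// Allow reports whether a request for path may be sent to the backend. A
// tripped breaker resets once openFor has elapsed.
func (cb *CircuitBreaker) Allow(path string) bool {
	cb.mu.Lock()
	defer cb.mu.Unlock()
	st := cb.state(path)
	if !st.tripped {
		return true
	}
	if cb.now().Sub(st.trippedAt) >= openFor {
		st.tripped = false
		st.failures = 0
		return true
	}
	return false
}

// Record feeds the backend's status code into the breaker: 5xx counts as a
// failure, anything else clears the consecutive-failure count.
func (cb *CircuitBreaker) Record(path string, status int) {
	cb.mu.Lock()
	defer cb.mu.Unlock()
	st := cb.state(path)
	if status < 500 {
		st.failures = 0
		return
	}
	st.failures++
	if st.failures >= failThreshold && !st.tripped {
		st.tripped = true
		st.trippedAt = cb.now()
	}
}

// handle is the proxy's per-request decision: ask the breaker, then either call
// the backend (a function returning a status code) and record the outcome, or
// answer 503 from the proxy itself without touching the backend.
func handle(cb *CircuitBreaker, path string, backend func(string) int) (status int, fromBreaker bool) {
	if !cb.Allow(path) {
		return 503, true
	}
	status = backend(path)
	cb.Record(path, status)
	return status, false
}

// fakeClock lets the demo and tests move time forward deterministically.
type fakeClock struct{ t time.Time }

func (f *fakeClock) Now() time.Time       { return f.t }
func (f *fakeClock) AdvanceSeconds(n int) { f.t = f.t.Add(time.Duration(n) * time.Second) }

func main() {
	clk := &fakeClock{}
	cb := NewCircuitBreaker(clk.Now)
	failing := func(string) int { return 500 }
	healthy := func(string) int { return 200 }
	for i := 1; i <= 4; i++ {
		s, fb := handle(cb, "/index", failing)
		fmt.Printf("request %d: status %d, answered by breaker: %v\n", i, s, fb)
	}
	clk.AdvanceSeconds(30)
	s, fb := handle(cb, "/index", healthy)
	fmt.Printf("after 30s: status %d, answered by breaker: %v\n", s, fb)
}
```

The fourth request is answered with 503 by the proxy without reaching the backend, and after the 30-second window the breaker simply resets, as on the slides; a production breaker would usually add the half-open probe or health check the last bullet mentions so that a still-failing backend is not hit with a full burst after every reset.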
Summary
Summary
• HTTP is simple, but it gets difficult as soon as you do anything slightly complex
• Because a separate process is used for each request, implementing the load balancer and circuit breaker took some ingenuity (a separate matter from the HTTP proxy itself, though…)
• Each browser handles its TCP connections differently
• Struggled with process control under high load (still ongoing)
Thank you for listening