Upgrade to Pro — share decks privately, control downloads, hide ads and more …

プロキシサーバ自作から学ぶ、HTTP通信

kobatako
July 15, 2019
Technology
0
80

 プロキシサーバ自作から学ぶ、HTTP通信

kobatako

July 15, 2019
Tweet

More Decks by kobatako

See All by kobatako
ネットワークのことを知るため ソフトウェアルータを 自作した話
kobatako
0
2.6k
enginnerday.pdf
kobatako
0
37

Other Decks in Technology

See All in Technology
DMM.com アルファ室採用案内資料
hsugita
1
140
JSON攻略法.pdf
miyakemito
8
5k
SIEMを用いて、セキュリティログ分析の可視化と分析を実現し、PDCAサイクルを回してみた
coconala_engineer
0
320
Azureの基本的な権限管理の勉強会
yhana
0
490
「スニダン」開発組織の構造に込めた意図 ~組織作りはパッションや政治ではない!~
rinchsan
3
570
Além do else! Categorizando Pokemóns com Pattern Matching no JavaScript
wmsbill
0
620
JAWS-UG Bedrock Claude Night
yamahiro
3
610
Tellus の衛星データを見てみよう #mf_fukuoka
kongmingstrap
0
190
いつか使うかも貯金してたらめちゃめちゃ機能が増えてた話
riyaamemiya
0
150
Python と Snowflake はズッ友だょ!~ Snowflake の Python 関連機能をふりかえる ~
__allllllllez__
1
120
ServiceNow Knowledge 24の歩き方 EYストラテジー・アンド・コンサルティング
manarobot
0
200
現代CSSフレームワークの内部実装とその仕組み
poteboy
7
3.6k

Featured

See All Featured
Building Applications with DynamoDB
mza
88
5.6k
Embracing the Ebb and Flow
colly
80
4.1k
What’s in a name? Adding method to the madness
productmarketing
PRO
16
2.6k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
40
4.4k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
20
1.9k
Practical Orchestrator
shlominoach
182
9.7k
Designing with Data
zakiwarfel
96
4.8k
Build The Right Thing And Hit Your Dates
maggiecrowley
24
2k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
25
2.3k
KATA
mclloyd
15
12k
Docker and Python
trallard
34
2.7k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
34
8.9k

Transcript

  1. ϓϩΩγαʔόࣗ࡞͔ΒֶͿɺ HTTP௨৴ PHPΧϯϑΝϨϯε෱Ԭ2019 খݪɹਸ׮ 2019/06/29 (౔)

  2. ࣗݾ঺հ • ໊લ : খݪ ਸ׮ʢ͜͹Δ ͔ͨͻΖʣ • ॴଐ :

    גࣜձࣾFusic • ࢓ࣄ : PHPɺGolangɺAWS • झຯ : ElixirɺErlangɺΠϯϑϥ͍Ζ͍Ζ • Twitter : kobatako_

  3. ΞδΣϯμ • ϓϩΩγαʔόʹ͍ͭͯ • ࣗ࡞ͨ͠HTTPϓϩΩγͷॲཧ • ·ͱΊ

  4. ϓϩΩγαʔόʹ͍ͭͯ

  5. ϓϩΩγαʔόͷ ϨΠϠʔ

  6. ϓϩΩγαʔόͷϨΠϠʔ • L3/L4 • TCP/IPϨϕϧͰͷϓϩΩγ • L7 •ΞϓϦέʔγϣϯϨϕϧͰͷϓϩΩγ

  7. ϓϩΩγαʔόͷϨΠϠʔ • L3/L4 • TCP/IPϨϕϧͰͷϓϩΩγ • L7 •ΞϓϦέʔγϣϯϨϕϧͰͷϓϩΩγ <- ͜͜ʹ͍ͭͯ

  8. L7 ϓϩΩγ HTTPϦΫΤετ • ΫϥΠΞϯτͱϓϩΩγαʔόɺϓϩΩγαʔόͱόοΫΤϯυͷ αʔόͦΕͧΕͰTCP઀ଓΛߦ͏ • ΞϓϦέʔγϣϯϨϕϧͰͷ੍ޚʢHTTPͳͲʣ HTTPϦΫΤετ TCP

    TCP ΫϥΠΞϯτ ϓϩΩγ όοΫΤϯυ

  9. ϓϩΩγαʔόΛڬΉͱ Ͳ͏ͳΔ ???

  10. ϓϩΩγαʔόͷ໾ׂ •௨৴಺༰ͷվม •ෛՙ෼ࢄ •ηΩϡΞͳ௨৴ɺೝূ

  11. ϚΠΫϩαʔϏεͰ΋ར༻

  12. ϓϩΩγαʔό •Envoy • L3/L4 filter architecture • L7 filter architecture

    • HTTP2 / gRPCΛαϙʔτ • αʔΩοτϒϨʔΧʔ • Etc…

  13. ࣗ࡞͢Δ͜ͱͰਂ͘ཧղ
 ϓϩΩγαʔόͷ ར༻ൣғ͕޿͕͖͍ͬͯͯΔ

  14. ࣗ࡞ͨ͠ HTTPϓϩΩγͷॲཧ

  15. ࣗ࡞ͨ͠HTTPϓϩΩγͷॲཧ • X-Forwarded • ෛՙ෼ࢄ • Upgrade-Insecure-Requests • αʔΩοτϒϨʔΧʔ

  16. X-Forwarded

  17. X-Forwarded • RFC 7239 • HTTP Headerͷ֦ு • ϓϩΩγΛதܧ͢Δࡍʹૹ৴ݩʢΫϥΠΞϯτʣͷ
 IP΍ProtocolͳͲHeaderʹ෇͚Ճ͑Δ


    ˞ ͚ͭͳ͍ͱૹ৴ݩIPͳͲͰ੍ޚ͕Ͱ͖ͳ͘ͳΔ
 ʢX-Forwarded-Forʣ

  18. X-Forwarded • X-Forwarded-For • ΫϥΠΞϯτͷIP • X-Forwarded-Host • ΫϥΠΞϯτ͔ΒૹΒΕ͖ͯͨHost Header

    • X-Forwarded-Proto • ΫϥΠΞϯτ͔ΒͷϦΫΤετ: HTTPɺHTTPSͱ͔ • X-Forwarded-By • ΫϥΠΞϯτ͔ΒϦΫΤετΛड͚औͬͨϓϩΩγଆͷIP

  19. X-Forwarded-For͚ͩͰͳ͘ શ෦ೖΕΔΑ͏ʹ͢Δ

  20. • X-Forwarded-For • Laravel(Symfony)΍CakePHPͰ͸ૹ৴ݩIPͷ஋ͱͯ͠ར༻ • X-Forwarded-Proto • Laravel(Symfony)ͰηΩϡΞͳ௨৴͔Ͳ͏͔ͷࢀরͱͯ͠ར༻
 https://github.com/symfony/http-foundation/blob/master/Request.php#L1113 ϑϨʔϜϫʔΫ಺Ͱར༻͞Ε͍ͯΔ

  21. ෛՙ෼ࢄ

  22. ෛՙ෼ࢄ • ෛՙʹԠͯ͡όοΫΤϯυͷαʔόʹϦΫΤετΛ
 ৼΓ෼͚Δ • ϦΫΤετͷछྨ΍ύεʹΑͬͯϦΫΤετઌΛܾΊΔ • .jsɺ.cssɺ.png΁ͷϦΫΤετ • /admin/

    ΁ͷϦΫΤετ

  23. ෛՙ෼ࢄ HTTP ϦΫΤετ /index HTTP ϦΫΤετ js, css HTTP ϦΫΤετ

    /index GET /index HTTP/1.1

  24. ࣮૷ͨ࣌͠ͷߏ੒

  25. ෛՙ෼ࢄ 1. Proxyʢϓϩηεʣ͕HTTP RequestΛड͚औΓɺύε͔ΒClusterΛબ୒ 2. Cluster͕LoadBalancerʹϦΫΤετΛ͠ɺIndex൪߸Λฦ͢ 3. ฦ͞ΕͨIndex൪߸ΛݩʹCluster͕NodeΛฦ͠ɺϦΫΤετΛૹ৴ $MVTUFS /PEF

    /PEF /PEF -PBE#BMBODFS 1SPYZ )5513FRVFTU

  26. Upgrade-Insecure-Requests

  27. Upgrade-Insecure-Requests • HTTPSԽΛଅਐ͢Δ • ηΩϡΞͰอޢ͞ΕͨURLͰஔ͖׵͑ΒΕ͔ͨͷΑ͏ʹॲ ཧ͢ΔΑ͏ࢦࣔΛ͢Δ

  28. Upgrade-Insecure-Requests • ΫϥΠΞϯτ • Upgrade-Insecure-Requests: 1 • ChromeͰ͸Headerʹ͍ͭͯΔ • αʔό

    • Content-Security-Policy: upgrade-insecure-requests • ApacheɺNginxͳͲͰઃఆ͢Δ͜ͱ΋Մೳ

  29. Upgrade-Insecure-Requests • ΫϥΠΞϯτ • Upgrade-Insecure-Requests: 1 • ChromeͰ͸Headerʹ͍ͭͯΔ • αʔό

    • Content-Security-Policy: upgrade-insecure-requests • ApacheɺNginxͳͲͰઃఆ͢Δ͜ͱ΋Մೳ <- ͜͜ʹ͍ͭͯ

  30. Upgrade-Insecure-Requests • αʔό 1. HTTPϦΫΤετ 2. όοΫάϥϯυ΁ϦΫΤετ 3. HTTPϨεϙϯε 4.

    Ϩεϙϯεϔομʔʹ `upgrade-insecure-requests` Λ͚ͭΔ ᶃ ᶄ ᶅ ᶆ

  31. ࣮ࡍͷಈ࡞

  32. Upgrade-Insecure-Requests <img src=“http://example.com/img.png"> IUUQTFYBNQMFDPN ը૾ͷϦΫΤετ͸A)551Aͱͯ͠ϦΫΤετ͢Δ 6QHSBEF*OTFDVSF3FRVFTUT͕ͳ͍৔߹

  33. Upgrade-Insecure-Requests IUUQTFYBNQMFDPN 6QHSBEF*OTFDVSF3FRVFTUT͕͋Δ৔߹ <img src=“http://example.com/img.png"> ը૾ͷϦΫΤετ͸A)5514Aͱͯ͠ϦΫΤετ͢Δ ˞JNHλάͷTSD͸AIUUQAͷ··

  34. Consoleʹܯࠂ͕ग़ͳ͘ͳΔ Mixed Content: The page at ‘https://example.com' was loaded over

    HTTPS, but requested an insecure image ‘http://example.com/img.png'. This content should also be served over HTTPS.

  35. αʔΩοτϒϨʔΧʔ

  36. αʔΩοτϒϨʔΧʔ Failͨ͠αʔόʹରͯ͠େྔͷϦΫΤετ͕ ߦ͔ͳ͍Α͏ʹ੍ޚ͢Δ

  37. αʔΩοτϒϨʔΧʔ Fail = 5xxͷ εςʔλείʔυ

  38. αʔΩοτϒϨʔΧʔ )551ϦΫΤετ εςʔλείʔυ  •εςʔλείʔυΛ؂ࢹ͢Δ

  39. αʔΩοτϒϨʔΧʔ )551ϦΫΤετ εςʔλείʔυ ʢ'BJMʣ )551ϦΫΤετ εςʔλείʔυ ʢ'BJMʣ

  40. αʔΩοτϒϨʔΧʔ •όοΫΤϯυͷαʔό΁ϦΫΤετΛߦΘͣ
 circuit breaker͔ΒϦΫΤετΛฦ͢ )551ϦΫΤετ εςʔλείʔυ ʢ'BJMʣ

  41. ඵܦաʜ

  42. αʔΩοτϒϨʔΧʔ •Ұఆ࣌ؒա͗ΔͱϒϨʔΧʔΛ໭͢ )551ϦΫΤετ εςʔλείʔυ 

  43. ࣮૷ͨ࣌͠ͷߏ੒

  44. • CircuitBreakerʹϦΫΤετͷύεΛૹΓON͔Λ֬ೝ • ONʹͳ͍ͬͯΔ৔߹͸όοΫΤϯυ΁ϦΫΤετ • OFFʹͳ͍ͬͯΔ৔߹͸ΤϥʔΛϓϩΩγαʔό͔ΒϨεϙϯε 1SPYZ )5513FRVFTU $JSDVJU#SFBLFS αʔΩοτϒϨʔΧʔ

  45. αʔΩοτϒϨʔΧʔ • ࣮૷ͷํࣜ • ϦΫΤετ࣌ʹߦͬͨPathʹରͯ͠3ճ5xxܥͷεςʔλείʔυ͕
 ฦ͖ͬͯͨ৔߹͸ͦΕҎ߱ͷϦΫΤετ͸αʔΩοτϒϨʔΧʔΛ
 ONʹ͢Δ • ఀࢭ͔ͯ͠Β30ඵܦա͔ͯ͠ΒαʔΩοτϒϨʔΧʔΛOFFʹ͢Δ
 


    -> ଞʹ΋ϔϧενΣοΫͳͲͷ΍Γํ͕͋Δʢະ࣮૷ʣ

  46. ·ͱΊ

  47. ·ͱΊ • HTTP͸γϯϓϧ͕ͩɺগ͠ෳࡶͳ͜ͱΛ͢Δͱ೉͘͠ͳΔ • ϦΫΤετ͝ͱʹϓϩηεΛ෼͚͍ͯΔͷͰɺϩʔυόϥϯαʔͱ
 αʔΩοτϒϨʔΧʔͷ࣮૷ʹ޻෉͕ඞཁͩͬͨ ʢHTTPϓϩΩγͱ͸ผ͕ͩ… • ϒϥ΢β͝ͱʹTCPίωΫγϣϯͷ࣋ͪํ͕ҧͬͨ •

    ߴෛՙ࣌ͷϓϩηε੍ޚͰۤઓͨ͠ʢݱࡏਐߦܗʣ

  48. ͝੩ௌ͋Γ͕ͱ͏ ͍͟͝·ͨ͠