Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
プロキシサーバ自作から学ぶ、HTTP通信
Search
kobatako
July 15, 2019
Technology
0
110
プロキシサーバ自作から学ぶ、HTTP通信
kobatako
July 15, 2019
Tweet
Share
More Decks by kobatako
See All by kobatako
ネットワークのことを知るため ソフトウェアルータを 自作した話
kobatako
0
3.3k
enginnerday.pdf
kobatako
0
41
Other Decks in Technology
See All in Technology
[OCI Technical Deep Dive] OCIで生成AIを活用するためのソリューション解説(2025年8月5日開催)
oracle4engineer
PRO
0
120
いま、あらためて考えてみるアカウント管理 with IaC / Account management with IaC
kohbis
2
400
歴代のWeb Speed Hackathonの出題から考えるデグレしないパフォーマンス改善
shuta13
6
500
リモートワークで心掛けていること 〜AI活用編〜
naoki85
0
190
GCASアップデート(202506-202508)
techniczna
0
200
AIと描く、未来のBacklog 〜プロジェクト管理の次の10年を想像し、創造するセッション〜
hrm_o25
0
110
20250807_Kiroと私の反省会
riz3f7
0
260
家族の思い出を形にする 〜 1秒動画の生成を支えるインフラアーキテクチャ
ojima_h
3
1.3k
Foundation Model × VisionKit で実現するローカル OCR
sansantech
PRO
1
420
[kickflow]20250319_少人数チームでのAutify活用
otouhujej
0
160
いかにして命令の入れ替わりについて心配するのをやめ、メモリモデルを愛するようになったか(改)
nullpo_head
7
2.7k
工業高校で学習したとあるエンジニアのキャリアの話
shirayanagiryuji
0
120
Featured
See All Featured
The Cost Of JavaScript in 2023
addyosmani
53
8.8k
Building a Scalable Design System with Sketch
lauravandoore
462
33k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
26
3k
Code Review Best Practice
trishagee
69
19k
StorybookのUI Testing Handbookを読んだ
zakiyama
30
6k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
231
53k
Rails Girls Zürich Keynote
gr2m
95
14k
Build your cross-platform service in a week with App Engine
jlugia
231
18k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
33
2.4k
Music & Morning Musume
bryan
46
6.7k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
161
15k
Building Better People: How to give real-time feedback that sticks.
wjessup
367
19k
Transcript
ϓϩΩγαʔόࣗ࡞͔ΒֶͿɺ HTTP௨৴ PHPΧϯϑΝϨϯεԬ2019 খݪɹਸ 2019/06/29 ()
ࣗݾհ • ໊લ : খݪ ਸʢ͜Δ ͔ͨͻΖʣ • ॴଐ :
גࣜձࣾFusic • ࣄ : PHPɺGolangɺAWS • झຯ : ElixirɺErlangɺΠϯϑϥ͍Ζ͍Ζ • Twitter : kobatako_
ΞδΣϯμ • ϓϩΩγαʔόʹ͍ͭͯ • ࣗ࡞ͨ͠HTTPϓϩΩγͷॲཧ • ·ͱΊ
ϓϩΩγαʔόʹ͍ͭͯ
ϓϩΩγαʔόͷ ϨΠϠʔ
ϓϩΩγαʔόͷϨΠϠʔ • L3/L4 • TCP/IPϨϕϧͰͷϓϩΩγ • L7 •ΞϓϦέʔγϣϯϨϕϧͰͷϓϩΩγ
ϓϩΩγαʔόͷϨΠϠʔ • L3/L4 • TCP/IPϨϕϧͰͷϓϩΩγ • L7 •ΞϓϦέʔγϣϯϨϕϧͰͷϓϩΩγ <- ͜͜ʹ͍ͭͯ
L7 ϓϩΩγ HTTPϦΫΤετ • ΫϥΠΞϯτͱϓϩΩγαʔόɺϓϩΩγαʔόͱόοΫΤϯυͷ αʔόͦΕͧΕͰTCPଓΛߦ͏ • ΞϓϦέʔγϣϯϨϕϧͰͷ੍ޚʢHTTPͳͲʣ HTTPϦΫΤετ TCP
TCP ΫϥΠΞϯτ ϓϩΩγ όοΫΤϯυ
ϓϩΩγαʔόΛڬΉͱ Ͳ͏ͳΔ ???
ϓϩΩγαʔόͷׂ •௨৴༰ͷվม •ෛՙࢄ •ηΩϡΞͳ௨৴ɺೝূ
ϚΠΫϩαʔϏεͰར༻
ϓϩΩγαʔό •Envoy • L3/L4 filter architecture • L7 filter architecture
• HTTP2 / gRPCΛαϙʔτ • αʔΩοτϒϨʔΧʔ • Etc…
ࣗ࡞͢Δ͜ͱͰਂ͘ཧղ ϓϩΩγαʔόͷ ར༻ൣғ͕͕͖͍ͬͯͯΔ
ࣗ࡞ͨ͠ HTTPϓϩΩγͷॲཧ
ࣗ࡞ͨ͠HTTPϓϩΩγͷॲཧ • X-Forwarded • ෛՙࢄ • Upgrade-Insecure-Requests • αʔΩοτϒϨʔΧʔ
X-Forwarded
X-Forwarded • RFC 7239 • HTTP Headerͷ֦ு • ϓϩΩγΛதܧ͢Δࡍʹૹ৴ݩʢΫϥΠΞϯτʣͷ IPProtocolͳͲHeaderʹ͚Ճ͑Δ
˞ ͚ͭͳ͍ͱૹ৴ݩIPͳͲͰ੍ޚ͕Ͱ͖ͳ͘ͳΔ ʢX-Forwarded-Forʣ
X-Forwarded • X-Forwarded-For • ΫϥΠΞϯτͷIP • X-Forwarded-Host • ΫϥΠΞϯτ͔ΒૹΒΕ͖ͯͨHost Header
• X-Forwarded-Proto • ΫϥΠΞϯτ͔ΒͷϦΫΤετ: HTTPɺHTTPSͱ͔ • X-Forwarded-By • ΫϥΠΞϯτ͔ΒϦΫΤετΛड͚औͬͨϓϩΩγଆͷIP
X-Forwarded-For͚ͩͰͳ͘ શ෦ೖΕΔΑ͏ʹ͢Δ
• X-Forwarded-For • Laravel(Symfony)CakePHPͰૹ৴ݩIPͷͱͯ͠ར༻ • X-Forwarded-Proto • Laravel(Symfony)ͰηΩϡΞͳ௨৴͔Ͳ͏͔ͷࢀরͱͯ͠ར༻ https://github.com/symfony/http-foundation/blob/master/Request.php#L1113 ϑϨʔϜϫʔΫͰར༻͞Ε͍ͯΔ
ෛՙࢄ
ෛՙࢄ • ෛՙʹԠͯ͡όοΫΤϯυͷαʔόʹϦΫΤετΛ ৼΓ͚Δ • ϦΫΤετͷछྨύεʹΑͬͯϦΫΤετઌΛܾΊΔ • .jsɺ.cssɺ.pngͷϦΫΤετ • /admin/
ͷϦΫΤετ
ෛՙࢄ HTTP ϦΫΤετ /index HTTP ϦΫΤετ js, css HTTP ϦΫΤετ
/index GET /index HTTP/1.1
࣮ͨ࣌͠ͷߏ
ෛՙࢄ 1. Proxyʢϓϩηεʣ͕HTTP RequestΛड͚औΓɺύε͔ΒClusterΛબ 2. Cluster͕LoadBalancerʹϦΫΤετΛ͠ɺIndex൪߸Λฦ͢ 3. ฦ͞ΕͨIndex൪߸ΛݩʹCluster͕NodeΛฦ͠ɺϦΫΤετΛૹ৴ $MVTUFS /PEF
/PEF /PEF -PBE#BMBODFS 1SPYZ )5513FRVFTU
Upgrade-Insecure-Requests
Upgrade-Insecure-Requests • HTTPSԽΛଅਐ͢Δ • ηΩϡΞͰอޢ͞ΕͨURLͰஔ͖͑ΒΕ͔ͨͷΑ͏ʹॲ ཧ͢ΔΑ͏ࢦࣔΛ͢Δ
Upgrade-Insecure-Requests • ΫϥΠΞϯτ • Upgrade-Insecure-Requests: 1 • ChromeͰHeaderʹ͍ͭͯΔ • αʔό
• Content-Security-Policy: upgrade-insecure-requests • ApacheɺNginxͳͲͰઃఆ͢Δ͜ͱՄೳ
Upgrade-Insecure-Requests • ΫϥΠΞϯτ • Upgrade-Insecure-Requests: 1 • ChromeͰHeaderʹ͍ͭͯΔ • αʔό
• Content-Security-Policy: upgrade-insecure-requests • ApacheɺNginxͳͲͰઃఆ͢Δ͜ͱՄೳ <- ͜͜ʹ͍ͭͯ
Upgrade-Insecure-Requests • αʔό 1. HTTPϦΫΤετ 2. όοΫάϥϯυϦΫΤετ 3. HTTPϨεϙϯε 4.
Ϩεϙϯεϔομʔʹ `upgrade-insecure-requests` Λ͚ͭΔ ᶃ ᶄ ᶅ ᶆ
࣮ࡍͷಈ࡞
Upgrade-Insecure-Requests <img src=“http://example.com/img.png"> IUUQTFYBNQMFDPN ը૾ͷϦΫΤετA)551Aͱͯ͠ϦΫΤετ͢Δ 6QHSBEF*OTFDVSF3FRVFTUT͕ͳ͍߹
Upgrade-Insecure-Requests IUUQTFYBNQMFDPN 6QHSBEF*OTFDVSF3FRVFTUT͕͋Δ߹ <img src=“http://example.com/img.png"> ը૾ͷϦΫΤετA)5514Aͱͯ͠ϦΫΤετ͢Δ ˞JNHλάͷTSDAIUUQAͷ··
Consoleʹܯࠂ͕ग़ͳ͘ͳΔ Mixed Content: The page at ‘https://example.com' was loaded over
HTTPS, but requested an insecure image ‘http://example.com/img.png'. This content should also be served over HTTPS.
αʔΩοτϒϨʔΧʔ
αʔΩοτϒϨʔΧʔ Failͨ͠αʔόʹରͯ͠େྔͷϦΫΤετ͕ ߦ͔ͳ͍Α͏ʹ੍ޚ͢Δ
αʔΩοτϒϨʔΧʔ Fail = 5xxͷ εςʔλείʔυ
αʔΩοτϒϨʔΧʔ )551ϦΫΤετ εςʔλείʔυ •εςʔλείʔυΛࢹ͢Δ
αʔΩοτϒϨʔΧʔ )551ϦΫΤετ εςʔλείʔυ ʢ'BJMʣ )551ϦΫΤετ εςʔλείʔυ ʢ'BJMʣ
αʔΩοτϒϨʔΧʔ •όοΫΤϯυͷαʔόϦΫΤετΛߦΘͣ circuit breaker͔ΒϦΫΤετΛฦ͢ )551ϦΫΤετ εςʔλείʔυ ʢ'BJMʣ
ඵܦաʜ
αʔΩοτϒϨʔΧʔ •Ұఆ࣌ؒա͗ΔͱϒϨʔΧʔΛ͢ )551ϦΫΤετ εςʔλείʔυ
࣮ͨ࣌͠ͷߏ
• CircuitBreakerʹϦΫΤετͷύεΛૹΓON͔Λ֬ೝ • ONʹͳ͍ͬͯΔ߹όοΫΤϯυϦΫΤετ • OFFʹͳ͍ͬͯΔ߹ΤϥʔΛϓϩΩγαʔό͔ΒϨεϙϯε 1SPYZ )5513FRVFTU $JSDVJU#SFBLFS αʔΩοτϒϨʔΧʔ
αʔΩοτϒϨʔΧʔ • ࣮ͷํࣜ • ϦΫΤετ࣌ʹߦͬͨPathʹରͯ͠3ճ5xxܥͷεςʔλείʔυ͕ ฦ͖ͬͯͨ߹ͦΕҎ߱ͷϦΫΤεταʔΩοτϒϨʔΧʔΛ ONʹ͢Δ • ఀࢭ͔ͯ͠Β30ඵܦա͔ͯ͠ΒαʔΩοτϒϨʔΧʔΛOFFʹ͢Δ
-> ଞʹϔϧενΣοΫͳͲͷΓํ͕͋Δʢະ࣮ʣ
·ͱΊ
·ͱΊ • HTTPγϯϓϧ͕ͩɺগ͠ෳࡶͳ͜ͱΛ͢Δͱ͘͠ͳΔ • ϦΫΤετ͝ͱʹϓϩηεΛ͚͍ͯΔͷͰɺϩʔυόϥϯαʔͱ αʔΩοτϒϨʔΧʔͷ࣮ʹ͕ඞཁͩͬͨ ʢHTTPϓϩΩγͱผ͕ͩ… • ϒϥβ͝ͱʹTCPίωΫγϣϯͷ࣋ͪํ͕ҧͬͨ •
ߴෛՙ࣌ͷϓϩηε੍ޚͰۤઓͨ͠ʢݱࡏਐߦܗʣ
͝੩ௌ͋Γ͕ͱ͏ ͍͟͝·ͨ͠