Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
プロキシサーバ自作から学ぶ、HTTP通信
Search
Sponsored
·
SiteGround - Reliable hosting with speed, security, and support you can count on.
→
kobatako
July 15, 2019
Technology
0
110
プロキシサーバ自作から学ぶ、HTTP通信
kobatako
July 15, 2019
Tweet
Share
More Decks by kobatako
See All by kobatako
ネットワークのことを知るため ソフトウェアルータを 自作した話
kobatako
0
3.5k
enginnerday.pdf
kobatako
0
42
Other Decks in Technology
See All in Technology
登壇駆動学習のすすめ — CfPのネタの見つけ方と書くときに意識していること
bicstone
3
130
猫でもわかるKiro CLI(セキュリティ編)
kentapapa
0
120
コンテナセキュリティの最新事情 ~ 2026年版 ~
kyohmizu
7
2.4k
顧客の言葉を、そのまま信じない勇気
yamatai1212
1
370
Cloud Runでコロプラが挑む 生成AI×ゲーム『神魔狩りのツクヨミ』の裏側
colopl
0
150
Oracle AI Database移行・アップグレード勉強会 - RAT活用編
oracle4engineer
PRO
0
110
日本の85%が使う公共SaaSは、どう育ったのか
taketakekaho
1
250
ブロックテーマ、WordPress でウェブサイトをつくるということ / 2026.02.07 Gifu WordPress Meetup
torounit
0
210
Exadata Fleet Update
oracle4engineer
PRO
0
1.1k
インフラエンジニア必見!Kubernetesを用いたクラウドネイティブ設計ポイント大全
daitak
1
390
SREが向き合う大規模リアーキテクチャ 〜信頼性とアジリティの両立〜
zepprix
0
480
今日から始めるAmazon Bedrock AgentCore
har1101
4
420
Featured
See All Featured
Noah Learner - AI + Me: how we built a GSC Bulk Export data pipeline
techseoconnect
PRO
0
110
HDC tutorial
michielstock
1
400
<Decoding/> the Language of Devs - We Love SEO 2024
nikkihalliwell
1
130
Applied NLP in the Age of Generative AI
inesmontani
PRO
4
2.1k
Making the Leap to Tech Lead
cromwellryan
135
9.7k
Building the Perfect Custom Keyboard
takai
2
690
Agile Actions for Facilitating Distributed Teams - ADO2019
mkilby
0
120
Designing for Timeless Needs
cassininazir
0
130
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
162
16k
New Earth Scene 8
popppiees
1
1.5k
How People are Using Generative and Agentic AI to Supercharge Their Products, Projects, Services and Value Streams Today
helenjbeal
1
130
コードの90%をAIが書く世界で何が待っているのか / What awaits us in a world where 90% of the code is written by AI
rkaga
60
42k
Transcript
ϓϩΩγαʔόࣗ࡞͔ΒֶͿɺ HTTP௨৴ PHPΧϯϑΝϨϯεԬ2019 খݪɹਸ 2019/06/29 ()
ࣗݾհ • ໊લ : খݪ ਸʢ͜Δ ͔ͨͻΖʣ • ॴଐ :
גࣜձࣾFusic • ࣄ : PHPɺGolangɺAWS • झຯ : ElixirɺErlangɺΠϯϑϥ͍Ζ͍Ζ • Twitter : kobatako_
ΞδΣϯμ • ϓϩΩγαʔόʹ͍ͭͯ • ࣗ࡞ͨ͠HTTPϓϩΩγͷॲཧ • ·ͱΊ
ϓϩΩγαʔόʹ͍ͭͯ
ϓϩΩγαʔόͷ ϨΠϠʔ
ϓϩΩγαʔόͷϨΠϠʔ • L3/L4 • TCP/IPϨϕϧͰͷϓϩΩγ • L7 •ΞϓϦέʔγϣϯϨϕϧͰͷϓϩΩγ
ϓϩΩγαʔόͷϨΠϠʔ • L3/L4 • TCP/IPϨϕϧͰͷϓϩΩγ • L7 •ΞϓϦέʔγϣϯϨϕϧͰͷϓϩΩγ <- ͜͜ʹ͍ͭͯ
L7 ϓϩΩγ HTTPϦΫΤετ • ΫϥΠΞϯτͱϓϩΩγαʔόɺϓϩΩγαʔόͱόοΫΤϯυͷ αʔόͦΕͧΕͰTCPଓΛߦ͏ • ΞϓϦέʔγϣϯϨϕϧͰͷ੍ޚʢHTTPͳͲʣ HTTPϦΫΤετ TCP
TCP ΫϥΠΞϯτ ϓϩΩγ όοΫΤϯυ
ϓϩΩγαʔόΛڬΉͱ Ͳ͏ͳΔ ???
ϓϩΩγαʔόͷׂ •௨৴༰ͷվม •ෛՙࢄ •ηΩϡΞͳ௨৴ɺೝূ
ϚΠΫϩαʔϏεͰར༻
ϓϩΩγαʔό •Envoy • L3/L4 filter architecture • L7 filter architecture
• HTTP2 / gRPCΛαϙʔτ • αʔΩοτϒϨʔΧʔ • Etc…
ࣗ࡞͢Δ͜ͱͰਂ͘ཧղ ϓϩΩγαʔόͷ ར༻ൣғ͕͕͖͍ͬͯͯΔ
ࣗ࡞ͨ͠ HTTPϓϩΩγͷॲཧ
ࣗ࡞ͨ͠HTTPϓϩΩγͷॲཧ • X-Forwarded • ෛՙࢄ • Upgrade-Insecure-Requests • αʔΩοτϒϨʔΧʔ
X-Forwarded
X-Forwarded • RFC 7239 • HTTP Headerͷ֦ு • ϓϩΩγΛதܧ͢Δࡍʹૹ৴ݩʢΫϥΠΞϯτʣͷ IPProtocolͳͲHeaderʹ͚Ճ͑Δ
˞ ͚ͭͳ͍ͱૹ৴ݩIPͳͲͰ੍ޚ͕Ͱ͖ͳ͘ͳΔ ʢX-Forwarded-Forʣ
X-Forwarded • X-Forwarded-For • ΫϥΠΞϯτͷIP • X-Forwarded-Host • ΫϥΠΞϯτ͔ΒૹΒΕ͖ͯͨHost Header
• X-Forwarded-Proto • ΫϥΠΞϯτ͔ΒͷϦΫΤετ: HTTPɺHTTPSͱ͔ • X-Forwarded-By • ΫϥΠΞϯτ͔ΒϦΫΤετΛड͚औͬͨϓϩΩγଆͷIP
X-Forwarded-For͚ͩͰͳ͘ શ෦ೖΕΔΑ͏ʹ͢Δ
• X-Forwarded-For • Laravel(Symfony)CakePHPͰૹ৴ݩIPͷͱͯ͠ར༻ • X-Forwarded-Proto • Laravel(Symfony)ͰηΩϡΞͳ௨৴͔Ͳ͏͔ͷࢀরͱͯ͠ར༻ https://github.com/symfony/http-foundation/blob/master/Request.php#L1113 ϑϨʔϜϫʔΫͰར༻͞Ε͍ͯΔ
ෛՙࢄ
ෛՙࢄ • ෛՙʹԠͯ͡όοΫΤϯυͷαʔόʹϦΫΤετΛ ৼΓ͚Δ • ϦΫΤετͷछྨύεʹΑͬͯϦΫΤετઌΛܾΊΔ • .jsɺ.cssɺ.pngͷϦΫΤετ • /admin/
ͷϦΫΤετ
ෛՙࢄ HTTP ϦΫΤετ /index HTTP ϦΫΤετ js, css HTTP ϦΫΤετ
/index GET /index HTTP/1.1
࣮ͨ࣌͠ͷߏ
ෛՙࢄ 1. Proxyʢϓϩηεʣ͕HTTP RequestΛड͚औΓɺύε͔ΒClusterΛબ 2. Cluster͕LoadBalancerʹϦΫΤετΛ͠ɺIndex൪߸Λฦ͢ 3. ฦ͞ΕͨIndex൪߸ΛݩʹCluster͕NodeΛฦ͠ɺϦΫΤετΛૹ৴ $MVTUFS /PEF
/PEF /PEF -PBE#BMBODFS 1SPYZ )5513FRVFTU
Upgrade-Insecure-Requests
Upgrade-Insecure-Requests • HTTPSԽΛଅਐ͢Δ • ηΩϡΞͰอޢ͞ΕͨURLͰஔ͖͑ΒΕ͔ͨͷΑ͏ʹॲ ཧ͢ΔΑ͏ࢦࣔΛ͢Δ
Upgrade-Insecure-Requests • ΫϥΠΞϯτ • Upgrade-Insecure-Requests: 1 • ChromeͰHeaderʹ͍ͭͯΔ • αʔό
• Content-Security-Policy: upgrade-insecure-requests • ApacheɺNginxͳͲͰઃఆ͢Δ͜ͱՄೳ
Upgrade-Insecure-Requests • ΫϥΠΞϯτ • Upgrade-Insecure-Requests: 1 • ChromeͰHeaderʹ͍ͭͯΔ • αʔό
• Content-Security-Policy: upgrade-insecure-requests • ApacheɺNginxͳͲͰઃఆ͢Δ͜ͱՄೳ <- ͜͜ʹ͍ͭͯ
Upgrade-Insecure-Requests • αʔό 1. HTTPϦΫΤετ 2. όοΫάϥϯυϦΫΤετ 3. HTTPϨεϙϯε 4.
Ϩεϙϯεϔομʔʹ `upgrade-insecure-requests` Λ͚ͭΔ ᶃ ᶄ ᶅ ᶆ
࣮ࡍͷಈ࡞
Upgrade-Insecure-Requests <img src=“http://example.com/img.png"> IUUQTFYBNQMFDPN ը૾ͷϦΫΤετA)551Aͱͯ͠ϦΫΤετ͢Δ 6QHSBEF*OTFDVSF3FRVFTUT͕ͳ͍߹
Upgrade-Insecure-Requests IUUQTFYBNQMFDPN 6QHSBEF*OTFDVSF3FRVFTUT͕͋Δ߹ <img src=“http://example.com/img.png"> ը૾ͷϦΫΤετA)5514Aͱͯ͠ϦΫΤετ͢Δ ˞JNHλάͷTSDAIUUQAͷ··
Consoleʹܯࠂ͕ग़ͳ͘ͳΔ Mixed Content: The page at ‘https://example.com' was loaded over
HTTPS, but requested an insecure image ‘http://example.com/img.png'. This content should also be served over HTTPS.
αʔΩοτϒϨʔΧʔ
αʔΩοτϒϨʔΧʔ Failͨ͠αʔόʹରͯ͠େྔͷϦΫΤετ͕ ߦ͔ͳ͍Α͏ʹ੍ޚ͢Δ
αʔΩοτϒϨʔΧʔ Fail = 5xxͷ εςʔλείʔυ
αʔΩοτϒϨʔΧʔ )551ϦΫΤετ εςʔλείʔυ •εςʔλείʔυΛࢹ͢Δ
αʔΩοτϒϨʔΧʔ )551ϦΫΤετ εςʔλείʔυ ʢ'BJMʣ )551ϦΫΤετ εςʔλείʔυ ʢ'BJMʣ
αʔΩοτϒϨʔΧʔ •όοΫΤϯυͷαʔόϦΫΤετΛߦΘͣ circuit breaker͔ΒϦΫΤετΛฦ͢ )551ϦΫΤετ εςʔλείʔυ ʢ'BJMʣ
ඵܦաʜ
αʔΩοτϒϨʔΧʔ •Ұఆ࣌ؒա͗ΔͱϒϨʔΧʔΛ͢ )551ϦΫΤετ εςʔλείʔυ
࣮ͨ࣌͠ͷߏ
• CircuitBreakerʹϦΫΤετͷύεΛૹΓON͔Λ֬ೝ • ONʹͳ͍ͬͯΔ߹όοΫΤϯυϦΫΤετ • OFFʹͳ͍ͬͯΔ߹ΤϥʔΛϓϩΩγαʔό͔ΒϨεϙϯε 1SPYZ )5513FRVFTU $JSDVJU#SFBLFS αʔΩοτϒϨʔΧʔ
αʔΩοτϒϨʔΧʔ • ࣮ͷํࣜ • ϦΫΤετ࣌ʹߦͬͨPathʹରͯ͠3ճ5xxܥͷεςʔλείʔυ͕ ฦ͖ͬͯͨ߹ͦΕҎ߱ͷϦΫΤεταʔΩοτϒϨʔΧʔΛ ONʹ͢Δ • ఀࢭ͔ͯ͠Β30ඵܦա͔ͯ͠ΒαʔΩοτϒϨʔΧʔΛOFFʹ͢Δ
-> ଞʹϔϧενΣοΫͳͲͷΓํ͕͋Δʢະ࣮ʣ
·ͱΊ
·ͱΊ • HTTPγϯϓϧ͕ͩɺগ͠ෳࡶͳ͜ͱΛ͢Δͱ͘͠ͳΔ • ϦΫΤετ͝ͱʹϓϩηεΛ͚͍ͯΔͷͰɺϩʔυόϥϯαʔͱ αʔΩοτϒϨʔΧʔͷ࣮ʹ͕ඞཁͩͬͨ ʢHTTPϓϩΩγͱผ͕ͩ… • ϒϥβ͝ͱʹTCPίωΫγϣϯͷ࣋ͪํ͕ҧͬͨ •
ߴෛՙ࣌ͷϓϩηε੍ޚͰۤઓͨ͠ʢݱࡏਐߦܗʣ
͝੩ௌ͋Γ͕ͱ͏ ͍͟͝·ͨ͠