Upgrade to Pro — share decks privately, control downloads, hide ads and more …

プロキシサーバ自作から学ぶ、HTTP通信

kobatako
July 15, 2019
Technology
0
100

 プロキシサーバ自作から学ぶ、HTTP通信

kobatako

July 15, 2019
Tweet

More Decks by kobatako

See All by kobatako
ネットワークのことを知るため ソフトウェアルータを 自作した話
kobatako
0
3k
enginnerday.pdf
kobatako
0
39

Other Decks in Technology

See All in Technology
AWSマルチアカウント統制環境のすゝめ / 20250115 Mitsutoshi Matsuo
shift_evolve
0
100
2025年のARグラスの潮流
kotauchisunsun
0
780
あなたの知らないクラフトビールの世界
miura55
0
110
テストを書かないためのテスト/ Tests for not writing tests
sinsoku
1
170
20250116_JAWS_Osaka
takuyay0ne
2
190
Goで実践するBFP
hiroyaterui
1
120
Oracle Base Database Service:サービス概要のご紹介
oracle4engineer
PRO
1
16k
Godot Engineについて調べてみた
unsoluble_sugar
0
360
自社 200 記事を元に整理した読みやすいテックブログを書くための Tips 集
masakihirose
2
320
FODにおけるホーム画面編成のレコメンド
watarukudo
PRO
2
230
デジタルアイデンティティ人材育成推進ワーキンググループ 翻訳サブワーキンググループ 活動報告 / 20250114-OIDF-J-EduWG-TranslationSWG
oidfj
0
390
あなたの人生も変わるかも?AWS認定2つで始まったウソみたいな話
iwamot
3
820

Featured

See All Featured
What's in a price? How to price your products and services
michaelherold
244
12k
Bootstrapping a Software Product
garrettdimon
PRO
305
110k
Fantastic passwords and where to find them - at NoRuKo
philnash
50
2.9k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
230
52k
Rebuilding a faster, lazier Slack
samanthasiow
79
8.8k
Java REST API Framework Comparison - PWX 2021
mraible
28
8.3k
Art, The Web, and Tiny UX
lynnandtonic
298
20k
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.2k
Designing for humans not robots
tammielis
250
25k
4 Signs Your Business is Dying
shpigford
182
22k
Automating Front-end Workflow
addyosmani
1366
200k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k

Transcript

  1. ϓϩΩγαʔόࣗ࡞͔ΒֶͿɺ HTTP௨৴ PHPΧϯϑΝϨϯε෱Ԭ2019 খݪɹਸ׮ 2019/06/29 (౔)

  2. ࣗݾ঺հ • ໊લ : খݪ ਸ׮ʢ͜͹Δ ͔ͨͻΖʣ • ॴଐ :

    גࣜձࣾFusic • ࢓ࣄ : PHPɺGolangɺAWS • झຯ : ElixirɺErlangɺΠϯϑϥ͍Ζ͍Ζ • Twitter : kobatako_

  3. ΞδΣϯμ • ϓϩΩγαʔόʹ͍ͭͯ • ࣗ࡞ͨ͠HTTPϓϩΩγͷॲཧ • ·ͱΊ

  4. ϓϩΩγαʔόʹ͍ͭͯ

  5. ϓϩΩγαʔόͷ ϨΠϠʔ

  6. ϓϩΩγαʔόͷϨΠϠʔ • L3/L4 • TCP/IPϨϕϧͰͷϓϩΩγ • L7 •ΞϓϦέʔγϣϯϨϕϧͰͷϓϩΩγ

  7. ϓϩΩγαʔόͷϨΠϠʔ • L3/L4 • TCP/IPϨϕϧͰͷϓϩΩγ • L7 •ΞϓϦέʔγϣϯϨϕϧͰͷϓϩΩγ <- ͜͜ʹ͍ͭͯ

  8. L7 ϓϩΩγ HTTPϦΫΤετ • ΫϥΠΞϯτͱϓϩΩγαʔόɺϓϩΩγαʔόͱόοΫΤϯυͷ αʔόͦΕͧΕͰTCP઀ଓΛߦ͏ • ΞϓϦέʔγϣϯϨϕϧͰͷ੍ޚʢHTTPͳͲʣ HTTPϦΫΤετ TCP

    TCP ΫϥΠΞϯτ ϓϩΩγ όοΫΤϯυ

  9. ϓϩΩγαʔόΛڬΉͱ Ͳ͏ͳΔ ???

  10. ϓϩΩγαʔόͷ໾ׂ •௨৴಺༰ͷվม •ෛՙ෼ࢄ •ηΩϡΞͳ௨৴ɺೝূ

  11. ϚΠΫϩαʔϏεͰ΋ར༻

  12. ϓϩΩγαʔό •Envoy • L3/L4 filter architecture • L7 filter architecture

    • HTTP2 / gRPCΛαϙʔτ • αʔΩοτϒϨʔΧʔ • Etc…

  13. ࣗ࡞͢Δ͜ͱͰਂ͘ཧղ
 ϓϩΩγαʔόͷ ར༻ൣғ͕޿͕͖͍ͬͯͯΔ

  14. ࣗ࡞ͨ͠ HTTPϓϩΩγͷॲཧ

  15. ࣗ࡞ͨ͠HTTPϓϩΩγͷॲཧ • X-Forwarded • ෛՙ෼ࢄ • Upgrade-Insecure-Requests • αʔΩοτϒϨʔΧʔ

  16. X-Forwarded

  17. X-Forwarded • RFC 7239 • HTTP Headerͷ֦ு • ϓϩΩγΛதܧ͢Δࡍʹૹ৴ݩʢΫϥΠΞϯτʣͷ
 IP΍ProtocolͳͲHeaderʹ෇͚Ճ͑Δ


    ˞ ͚ͭͳ͍ͱૹ৴ݩIPͳͲͰ੍ޚ͕Ͱ͖ͳ͘ͳΔ
 ʢX-Forwarded-Forʣ

  18. X-Forwarded • X-Forwarded-For • ΫϥΠΞϯτͷIP • X-Forwarded-Host • ΫϥΠΞϯτ͔ΒૹΒΕ͖ͯͨHost Header

    • X-Forwarded-Proto • ΫϥΠΞϯτ͔ΒͷϦΫΤετ: HTTPɺHTTPSͱ͔ • X-Forwarded-By • ΫϥΠΞϯτ͔ΒϦΫΤετΛड͚औͬͨϓϩΩγଆͷIP

  19. X-Forwarded-For͚ͩͰͳ͘ શ෦ೖΕΔΑ͏ʹ͢Δ

  20. • X-Forwarded-For • Laravel(Symfony)΍CakePHPͰ͸ૹ৴ݩIPͷ஋ͱͯ͠ར༻ • X-Forwarded-Proto • Laravel(Symfony)ͰηΩϡΞͳ௨৴͔Ͳ͏͔ͷࢀরͱͯ͠ར༻
 https://github.com/symfony/http-foundation/blob/master/Request.php#L1113 ϑϨʔϜϫʔΫ಺Ͱར༻͞Ε͍ͯΔ

  21. ෛՙ෼ࢄ

  22. ෛՙ෼ࢄ • ෛՙʹԠͯ͡όοΫΤϯυͷαʔόʹϦΫΤετΛ
 ৼΓ෼͚Δ • ϦΫΤετͷछྨ΍ύεʹΑͬͯϦΫΤετઌΛܾΊΔ • .jsɺ.cssɺ.png΁ͷϦΫΤετ • /admin/

    ΁ͷϦΫΤετ

  23. ෛՙ෼ࢄ HTTP ϦΫΤετ /index HTTP ϦΫΤετ js, css HTTP ϦΫΤετ

    /index GET /index HTTP/1.1

  24. ࣮૷ͨ࣌͠ͷߏ੒

  25. ෛՙ෼ࢄ 1. Proxyʢϓϩηεʣ͕HTTP RequestΛड͚औΓɺύε͔ΒClusterΛબ୒ 2. Cluster͕LoadBalancerʹϦΫΤετΛ͠ɺIndex൪߸Λฦ͢ 3. ฦ͞ΕͨIndex൪߸ΛݩʹCluster͕NodeΛฦ͠ɺϦΫΤετΛૹ৴ $MVTUFS /PEF

    /PEF /PEF -PBE#BMBODFS 1SPYZ )5513FRVFTU

  26. Upgrade-Insecure-Requests

  27. Upgrade-Insecure-Requests • HTTPSԽΛଅਐ͢Δ • ηΩϡΞͰอޢ͞ΕͨURLͰஔ͖׵͑ΒΕ͔ͨͷΑ͏ʹॲ ཧ͢ΔΑ͏ࢦࣔΛ͢Δ

  28. Upgrade-Insecure-Requests • ΫϥΠΞϯτ • Upgrade-Insecure-Requests: 1 • ChromeͰ͸Headerʹ͍ͭͯΔ • αʔό

    • Content-Security-Policy: upgrade-insecure-requests • ApacheɺNginxͳͲͰઃఆ͢Δ͜ͱ΋Մೳ

  29. Upgrade-Insecure-Requests • ΫϥΠΞϯτ • Upgrade-Insecure-Requests: 1 • ChromeͰ͸Headerʹ͍ͭͯΔ • αʔό

    • Content-Security-Policy: upgrade-insecure-requests • ApacheɺNginxͳͲͰઃఆ͢Δ͜ͱ΋Մೳ <- ͜͜ʹ͍ͭͯ

  30. Upgrade-Insecure-Requests • αʔό 1. HTTPϦΫΤετ 2. όοΫάϥϯυ΁ϦΫΤετ 3. HTTPϨεϙϯε 4.

    Ϩεϙϯεϔομʔʹ `upgrade-insecure-requests` Λ͚ͭΔ ᶃ ᶄ ᶅ ᶆ

  31. ࣮ࡍͷಈ࡞

  32. Upgrade-Insecure-Requests <img src=“http://example.com/img.png"> IUUQTFYBNQMFDPN ը૾ͷϦΫΤετ͸A)551Aͱͯ͠ϦΫΤετ͢Δ 6QHSBEF*OTFDVSF3FRVFTUT͕ͳ͍৔߹

  33. Upgrade-Insecure-Requests IUUQTFYBNQMFDPN 6QHSBEF*OTFDVSF3FRVFTUT͕͋Δ৔߹ <img src=“http://example.com/img.png"> ը૾ͷϦΫΤετ͸A)5514Aͱͯ͠ϦΫΤετ͢Δ ˞JNHλάͷTSD͸AIUUQAͷ··

  34. Consoleʹܯࠂ͕ग़ͳ͘ͳΔ Mixed Content: The page at ‘https://example.com' was loaded over

    HTTPS, but requested an insecure image ‘http://example.com/img.png'. This content should also be served over HTTPS.

  35. αʔΩοτϒϨʔΧʔ

  36. αʔΩοτϒϨʔΧʔ Failͨ͠αʔόʹରͯ͠େྔͷϦΫΤετ͕ ߦ͔ͳ͍Α͏ʹ੍ޚ͢Δ

  37. αʔΩοτϒϨʔΧʔ Fail = 5xxͷ εςʔλείʔυ

  38. αʔΩοτϒϨʔΧʔ )551ϦΫΤετ εςʔλείʔυ  •εςʔλείʔυΛ؂ࢹ͢Δ

  39. αʔΩοτϒϨʔΧʔ )551ϦΫΤετ εςʔλείʔυ ʢ'BJMʣ )551ϦΫΤετ εςʔλείʔυ ʢ'BJMʣ

  40. αʔΩοτϒϨʔΧʔ •όοΫΤϯυͷαʔό΁ϦΫΤετΛߦΘͣ
 circuit breaker͔ΒϦΫΤετΛฦ͢ )551ϦΫΤετ εςʔλείʔυ ʢ'BJMʣ

  41. ඵܦաʜ

  42. αʔΩοτϒϨʔΧʔ •Ұఆ࣌ؒա͗ΔͱϒϨʔΧʔΛ໭͢ )551ϦΫΤετ εςʔλείʔυ 

  43. ࣮૷ͨ࣌͠ͷߏ੒

  44. • CircuitBreakerʹϦΫΤετͷύεΛૹΓON͔Λ֬ೝ • ONʹͳ͍ͬͯΔ৔߹͸όοΫΤϯυ΁ϦΫΤετ • OFFʹͳ͍ͬͯΔ৔߹͸ΤϥʔΛϓϩΩγαʔό͔ΒϨεϙϯε 1SPYZ )5513FRVFTU $JSDVJU#SFBLFS αʔΩοτϒϨʔΧʔ

  45. αʔΩοτϒϨʔΧʔ • ࣮૷ͷํࣜ • ϦΫΤετ࣌ʹߦͬͨPathʹରͯ͠3ճ5xxܥͷεςʔλείʔυ͕
 ฦ͖ͬͯͨ৔߹͸ͦΕҎ߱ͷϦΫΤετ͸αʔΩοτϒϨʔΧʔΛ
 ONʹ͢Δ • ఀࢭ͔ͯ͠Β30ඵܦա͔ͯ͠ΒαʔΩοτϒϨʔΧʔΛOFFʹ͢Δ
 


    -> ଞʹ΋ϔϧενΣοΫͳͲͷ΍Γํ͕͋Δʢະ࣮૷ʣ

  46. ·ͱΊ

  47. ·ͱΊ • HTTP͸γϯϓϧ͕ͩɺগ͠ෳࡶͳ͜ͱΛ͢Δͱ೉͘͠ͳΔ • ϦΫΤετ͝ͱʹϓϩηεΛ෼͚͍ͯΔͷͰɺϩʔυόϥϯαʔͱ
 αʔΩοτϒϨʔΧʔͷ࣮૷ʹ޻෉͕ඞཁͩͬͨ ʢHTTPϓϩΩγͱ͸ผ͕ͩ… • ϒϥ΢β͝ͱʹTCPίωΫγϣϯͷ࣋ͪํ͕ҧͬͨ •

    ߴෛՙ࣌ͷϓϩηε੍ޚͰۤઓͨ͠ʢݱࡏਐߦܗʣ

  48. ͝੩ௌ͋Γ͕ͱ͏ ͍͟͝·ͨ͠