Learning HTTP Communication by Building Your Own Proxy Server
kobatako
July 15, 2019
Transcript
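Learning HTTP Communication by Building Your Own Proxy Server
PHP Conference Fukuoka 2019
Kobaru Takahiro, 2019/06/29 (Sat)

Self-introduction
• Name: Kobaru Takahiro
• Affiliation: Fusic Co., Ltd.
• Work: PHP, Golang, AWS
• Interests: Elixir, Erlang, all kinds of infrastructure
• Twitter: kobatako_

Agenda
• About proxy servers
• What the self-made HTTP proxy does
• Summary

About proxy servers

Proxy server layers
• L3/L4
  • Proxying at the TCP/IP level
• L7
  • Proxying at the application level <- the subject of this talk

L7 proxy
• The client and the proxy server, and the proxy server and the backend server, each establish their own TCP connection
• Control at the application level (HTTP, etc.)
[Diagram: client, proxy, backend; an HTTP request carried over a separate TCP connection on each hop]

What happens when a proxy server sits in between?

Role of a proxy server
• Modifying the content of traffic
• Load balancing
• Secure communication, authentication

Used in microservices

Proxy server
• Envoy
  • L3/L4 filter architecture
  • L7 filter architecture
  • HTTP2 / gRPC support
  • Circuit breaker
  • Etc…

The range of uses for proxy servers keeps growing; building one yourself gives a deeper understanding

What the self-made HTTP proxy does
• X-Forwarded
• Load balancing
• Upgrade-Insecure-Requests
• Circuit breaker

X-Forwarded
• RFC 7239
• An extension of the HTTP headers
• When relaying through a proxy, the sender's (client's) IP, protocol, etc. are added to the headers
※ Without them, control based on the source IP and so on is no longer possible (X-Forwarded-For)

X-Forwarded
• X-Forwarded-For
  • The client's IP
• X-Forwarded-Host
  • The Host header sent by the client
• X-Forwarded-Proto
  • The protocol of the client's request: HTTP, HTTPS, etc.
• X-Forwarded-By
  • The IP of the proxy that received the request from the client

Set all of them, not only X-Forwarded-For

Used by frameworks
• X-Forwarded-For
  • Used by Laravel (Symfony) and CakePHP as the source IP
• X-Forwarded-Proto
  • Used by Laravel (Symfony) to check whether the connection is secure
https://github.com/symfony/http-foundation/blob/master/Request.php#L1113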
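The header handling from the X-Forwarded slides, as an added example that is not code from the talk or the author's proxy: X-Forwarded-* values arriving from an ordinary client are client-controlled input, so the proxy overwrites them and only extends the chain when the TCP peer is a proxy on a trusted network. The function names, the TRUSTED_PROXIES range and the sample addresses are assumptions made for this illustration.

```python
import ipaddress

# Assumption: networks on which our own upstream proxies live (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
FORWARDED_HEADERS = ("x-forwarded-for", "x-forwarded-host",
                     "x-forwarded-proto", "x-forwarded-by")


def is_trusted(peer_ip):
    """True if the TCP peer address belongs to a trusted proxy network."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def forward_headers(headers, peer_ip, scheme, proxy_ip):
    """Return the header dict to send to the backend.

    headers  -- request headers from the peer (names already lower-cased)
    peer_ip  -- address of the TCP peer, taken from the socket
    scheme   -- "http" or "https", as seen on the client-facing listener
    proxy_ip -- address of this proxy
    """
    # Start from the request headers without any X-Forwarded-* the peer sent.
    out = {k: v for k, v in headers.items() if k not in FORWARDED_HEADERS}
    if is_trusted(peer_ip) and "x-forwarded-for" in headers:
        # Peer is another proxy we operate: keep its chain and append the peer.
        out["x-forwarded-for"] = headers["x-forwarded-for"] + ", " + peer_ip
        out["x-forwarded-host"] = headers.get("x-forwarded-host",
                                              headers.get("host", ""))
        out["x-forwarded-proto"] = headers.get("x-forwarded-proto", scheme)
    else:
        # Peer is a client: whatever it put in X-Forwarded-* is discarded.
        out["x-forwarded-for"] = peer_ip
        out["x-forwarded-host"] = headers.get("host", "")
        out["x-forwarded-proto"] = scheme
    out["x-forwarded-by"] = proxy_ip
    return out
```

A backend framework that reads these headers should in turn accept them only from the proxy's address.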
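
Load balancing

Load balancing
• Distribute requests across the backend servers according to load
• Choose the destination based on the type of request or its path
  • Requests for .js, .css, .png
  • Requests for /admin/
[Diagram labels: HTTP request /index; HTTP request js, css; GET /index HTTP/1.1]

Architecture as implemented

Load balancing
1. The Proxy (a process) receives the HTTP Request and selects a Cluster from the path
2. The Cluster sends a request to the LoadBalancer, which returns an index number
3. Based on the returned index number, the Cluster returns a Node and the request is sent
[Diagram: HTTP Request, Proxy, Cluster, LoadBalancer, three Nodes]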
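The three steps above as an added example, not the author's implementation: the path is percent-decoded and normalized before the rules are applied, so every spelling of a path is matched against the same /admin/ and static-file rules. Cluster names, node addresses and the round-robin policy are assumptions made for this illustration.

```python
import itertools
import posixpath
from urllib.parse import unquote

STATIC_EXT = (".js", ".css", ".png")


class Cluster:
    """A named group of backend nodes with a round-robin load balancer."""

    def __init__(self, name, nodes):
        self.name = name
        self.nodes = nodes
        self._index = itertools.cycle(range(len(nodes)))  # the LoadBalancer

    def next_node(self):
        # Step 2: the balancer hands back an index; step 3: map it to a Node.
        return self.nodes[next(self._index)]


# Constructed sample topology (node addresses are placeholders).
CLUSTERS = {
    "static": Cluster("static", ["static-1:8080", "static-2:8080"]),
    "admin": Cluster("admin", ["admin-1:8080"]),
    "app": Cluster("app", ["app-1:8080", "app-2:8080", "app-3:8080"]),
}


def select_cluster(target):
    """Step 1: pick a Cluster from the path of the request target."""
    path = unquote(target.split("?", 1)[0])
    # Collapse ".", ".." and repeated slashes so the rules below see one
    # canonical form of the path rather than the raw string.
    path = posixpath.normpath("/" + path.lstrip("/"))
    if path == "/admin" or path.startswith("/admin/"):
        return CLUSTERS["admin"]
    if path.endswith(STATIC_EXT):
        return CLUSTERS["static"]
    return CLUSTERS["app"]


def route(target):
    """Return (cluster name, node) for one request target."""
    cluster = select_cluster(target)
    return cluster.name, cluster.next_node()
```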

Upgrade-Insecure-Requests

Upgrade-Insecure-Requests
• Promotes the move to HTTPS
• Gives an instruction to handle URLs as if they had been replaced with secure, protected URLs

Upgrade-Insecure-Requests
• Client
  • Upgrade-Insecure-Requests: 1
  • Chrome sends this header
• Server <- the subject of this talk
  • Content-Security-Policy: upgrade-insecure-requests
  • Can also be configured in Apache, Nginx, etc.

Upgrade-Insecure-Requests
• Server
1. HTTP request
2. Request to the backend
3. HTTP response
4. Add `upgrade-insecure-requests` to the response headers

Actual behavior

Upgrade-Insecure-Requests: without the header
https://example.com
<img src="http://example.com/img.png">
The image is requested over `HTTP`

Upgrade-Insecure-Requests: with the header
https://example.com
<img src="http://example.com/img.png">
The image is requested over `HTTPS`
※ The src of the img tag remains `http`

The warning no longer appears in the Console:
Mixed Content: The page at 'https://example.com' was loaded over HTTPS, but requested an insecure image 'http://example.com/img.png'. This content should also be served over HTTPS.
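
Circuit breaker

Circuit breaker
Controls traffic so that a large volume of requests does not go to a server that has failed

Circuit breaker
Fail = a 5xx status code

Circuit breaker
• Monitor the status code
[Diagram: HTTP request, status code]
[Diagram: HTTP request, status code (Fail), shown twice]

Circuit breaker
• No request is made to the backend server; the circuit breaker answers the request itself
[Diagram: HTTP request, status code (Fail)]

Seconds pass…

Circuit breaker
• After a fixed time has passed, the breaker is reset
[Diagram: HTTP request, status code]

Architecture as implemented

Circuit breaker
• The request path is sent to the CircuitBreaker to check whether it is ON
• If it is ON, the request goes to the backend
• If it is OFF, the proxy server responds with an error
[Diagram: HTTP Request, Proxy, CircuitBreaker]

Circuit breaker
• Implementation approach
  • When a 5xx status code has been returned 3 times for the requested Path, the circuit breaker is turned ON for subsequent requests
  • 30 seconds after stopping, the circuit breaker is turned OFF
-> There are other approaches, such as health checks (not implemented)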
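The per-path breaker described above (three 5xx responses trip it, 30 seconds later it resets), as an added example that is not the author's code. The class and function names, the 503 returned by the proxy while the breaker is tripped, and counting every 5xx rather than only consecutive ones are assumptions made for this illustration.

```python
import time


class PathCircuitBreaker:
    """Per-path breaker: trips after `threshold` 5xx responses and
    resets once `cooldown` seconds have passed."""

    def __init__(self, threshold=3, cooldown=30.0, clock=time.monotonic):
        self.threshold = threshold
        self.cooldown = cooldown
        self.clock = clock        # injectable so the timing can be tested
        self.failures = {}        # path -> number of 5xx responses seen
        self.tripped_at = {}      # path -> time at which the breaker tripped

    def allow(self, path):
        """True if a request for `path` may be sent to the backend."""
        tripped = self.tripped_at.get(path)
        if tripped is None:
            return True
        if self.clock() - tripped >= self.cooldown:
            # Cooldown elapsed: reset and let traffic through again.
            del self.tripped_at[path]
            self.failures[path] = 0
            return True
        return False

    def record(self, path, status):
        """Feed the backend's status code back into the breaker."""
        if 500 <= status <= 599:
            self.failures[path] = self.failures.get(path, 0) + 1
            if self.failures[path] >= self.threshold:
                self.tripped_at[path] = self.clock()
        # Assumption: a successful response does not clear the count.


def handle(breaker, path, backend):
    """Proxy one request; `backend` is a callable returning a status code."""
    if not breaker.allow(path):
        # Answered by the proxy itself; the backend is not contacted.
        return 503  # assumption: the slides only say "an error"
    status = backend(path)
    breaker.record(path, status)
    return status
```

Because state is kept per path, a failing path does not block requests for other paths served by the same backend.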
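
Summary

Summary
• HTTP is simple, but it gets difficult once you do anything slightly complex
• Because each request gets its own process, implementing the load balancer and the circuit breaker took some extra work (though that is separate from HTTP proxying…)
• Each browser holds its TCP connections differently
• Struggled with process control under high load (still ongoing)

Thank you for listening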