Upgrade to Pro — share decks privately, control downloads, hide ads and more …

プロキシサーバ自作から学ぶ、HTTP通信

kobatako
July 15, 2019
Technology
0
100

 プロキシサーバ自作から学ぶ、HTTP通信

kobatako

July 15, 2019
Tweet

More Decks by kobatako

See All by kobatako
ネットワークのことを知るため ソフトウェアルータを 自作した話
kobatako
0
2.9k
enginnerday.pdf
kobatako
0
39

Other Decks in Technology

See All in Technology
ハイパーパラメータチューニングって何をしているの
toridori_dev
0
140
AWS Lambdaと歩んだ“サーバーレス”と今後 #lambda_10years
yoshidashingo
1
170
テストコード品質を高めるためにMutation Testingライブラリ・Strykerを実戦導入してみた話
ysknsid25
7
2.6k
開発生産性を上げながらビジネスも30倍成長させてきたチームの姿
kamina_zzz
2
1.7k
誰も全体を知らない ~ ロールの垣根を超えて引き上げる開発生産性 / Boosting Development Productivity Across Roles
kakehashi
1
220
TypeScriptの次なる大進化なるか!? 条件型を返り値とする関数の型推論
uhyo
2
1.6k
Amazon Personalizeの レコメンドシステム構築、実際何するの? 〜大体10分で具体的なイメージをつかむ〜
kniino
1
100
IBC 2024 動画技術関連レポート / IBC 2024 Report
cyberagentdevelopers
PRO
0
110
ノーコードデータ分析ツールで体験する時系列データ分析超入門
negi111111
0
410
Application Development WG Intro at AppDeveloperCon
salaboy
0
180
SSMRunbook作成の勘所_20241120
koichiotomo
2
130
透過型SMTPプロキシによる送信メールの可観測性向上: Update Edition / Improved observability of outgoing emails with transparent smtp proxy: Update edition
linyows
2
210

Featured

See All Featured
Statistics for Hackers
jakevdp
796
220k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
26
1.4k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
28
8.2k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
48k
KATA
mclloyd
29
14k
Building Better People: How to give real-time feedback that sticks.
wjessup
364
19k
Happy Clients
brianwarren
98
6.7k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
31
2.7k
Become a Pro
speakerdeck
PRO
25
5k
A designer walks into a library…
pauljervisheath
203
24k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
42
9.2k
Docker and Python
trallard
40
3.1k

Transcript

  1. ϓϩΩγαʔόࣗ࡞͔ΒֶͿɺ HTTP௨৴ PHPΧϯϑΝϨϯε෱Ԭ2019 খݪɹਸ׮ 2019/06/29 (౔)

  2. ࣗݾ঺հ • ໊લ : খݪ ਸ׮ʢ͜͹Δ ͔ͨͻΖʣ • ॴଐ :

    גࣜձࣾFusic • ࢓ࣄ : PHPɺGolangɺAWS • झຯ : ElixirɺErlangɺΠϯϑϥ͍Ζ͍Ζ • Twitter : kobatako_

  3. ΞδΣϯμ • ϓϩΩγαʔόʹ͍ͭͯ • ࣗ࡞ͨ͠HTTPϓϩΩγͷॲཧ • ·ͱΊ

  4. ϓϩΩγαʔόʹ͍ͭͯ

  5. ϓϩΩγαʔόͷ ϨΠϠʔ

  6. ϓϩΩγαʔόͷϨΠϠʔ • L3/L4 • TCP/IPϨϕϧͰͷϓϩΩγ • L7 •ΞϓϦέʔγϣϯϨϕϧͰͷϓϩΩγ

  7. ϓϩΩγαʔόͷϨΠϠʔ • L3/L4 • TCP/IPϨϕϧͰͷϓϩΩγ • L7 •ΞϓϦέʔγϣϯϨϕϧͰͷϓϩΩγ <- ͜͜ʹ͍ͭͯ

  8. L7 ϓϩΩγ HTTPϦΫΤετ • ΫϥΠΞϯτͱϓϩΩγαʔόɺϓϩΩγαʔόͱόοΫΤϯυͷ αʔόͦΕͧΕͰTCP઀ଓΛߦ͏ • ΞϓϦέʔγϣϯϨϕϧͰͷ੍ޚʢHTTPͳͲʣ HTTPϦΫΤετ TCP

    TCP ΫϥΠΞϯτ ϓϩΩγ όοΫΤϯυ

  9. ϓϩΩγαʔόΛڬΉͱ Ͳ͏ͳΔ ???

  10. ϓϩΩγαʔόͷ໾ׂ •௨৴಺༰ͷվม •ෛՙ෼ࢄ •ηΩϡΞͳ௨৴ɺೝূ

  11. ϚΠΫϩαʔϏεͰ΋ར༻

  12. ϓϩΩγαʔό •Envoy • L3/L4 filter architecture • L7 filter architecture

    • HTTP2 / gRPCΛαϙʔτ • αʔΩοτϒϨʔΧʔ • Etc…

  13. ࣗ࡞͢Δ͜ͱͰਂ͘ཧղ
 ϓϩΩγαʔόͷ ར༻ൣғ͕޿͕͖͍ͬͯͯΔ

  14. ࣗ࡞ͨ͠ HTTPϓϩΩγͷॲཧ

  15. ࣗ࡞ͨ͠HTTPϓϩΩγͷॲཧ • X-Forwarded • ෛՙ෼ࢄ • Upgrade-Insecure-Requests • αʔΩοτϒϨʔΧʔ

  16. X-Forwarded

  17. X-Forwarded • RFC 7239 • HTTP Headerͷ֦ு • ϓϩΩγΛதܧ͢Δࡍʹૹ৴ݩʢΫϥΠΞϯτʣͷ
 IP΍ProtocolͳͲHeaderʹ෇͚Ճ͑Δ


    ˞ ͚ͭͳ͍ͱૹ৴ݩIPͳͲͰ੍ޚ͕Ͱ͖ͳ͘ͳΔ
 ʢX-Forwarded-Forʣ

  18. X-Forwarded • X-Forwarded-For • ΫϥΠΞϯτͷIP • X-Forwarded-Host • ΫϥΠΞϯτ͔ΒૹΒΕ͖ͯͨHost Header

    • X-Forwarded-Proto • ΫϥΠΞϯτ͔ΒͷϦΫΤετ: HTTPɺHTTPSͱ͔ • X-Forwarded-By • ΫϥΠΞϯτ͔ΒϦΫΤετΛड͚औͬͨϓϩΩγଆͷIP

  19. X-Forwarded-For͚ͩͰͳ͘ શ෦ೖΕΔΑ͏ʹ͢Δ

  20. • X-Forwarded-For • Laravel(Symfony)΍CakePHPͰ͸ૹ৴ݩIPͷ஋ͱͯ͠ར༻ • X-Forwarded-Proto • Laravel(Symfony)ͰηΩϡΞͳ௨৴͔Ͳ͏͔ͷࢀরͱͯ͠ར༻
 https://github.com/symfony/http-foundation/blob/master/Request.php#L1113 ϑϨʔϜϫʔΫ಺Ͱར༻͞Ε͍ͯΔ

  21. ෛՙ෼ࢄ

  22. ෛՙ෼ࢄ • ෛՙʹԠͯ͡όοΫΤϯυͷαʔόʹϦΫΤετΛ
 ৼΓ෼͚Δ • ϦΫΤετͷछྨ΍ύεʹΑͬͯϦΫΤετઌΛܾΊΔ • .jsɺ.cssɺ.png΁ͷϦΫΤετ • /admin/

    ΁ͷϦΫΤετ

  23. ෛՙ෼ࢄ HTTP ϦΫΤετ /index HTTP ϦΫΤετ js, css HTTP ϦΫΤετ

    /index GET /index HTTP/1.1

  24. ࣮૷ͨ࣌͠ͷߏ੒

  25. ෛՙ෼ࢄ 1. Proxyʢϓϩηεʣ͕HTTP RequestΛड͚औΓɺύε͔ΒClusterΛબ୒ 2. Cluster͕LoadBalancerʹϦΫΤετΛ͠ɺIndex൪߸Λฦ͢ 3. ฦ͞ΕͨIndex൪߸ΛݩʹCluster͕NodeΛฦ͠ɺϦΫΤετΛૹ৴ $MVTUFS /PEF

    /PEF /PEF -PBE#BMBODFS 1SPYZ )5513FRVFTU

  26. Upgrade-Insecure-Requests

  27. Upgrade-Insecure-Requests • HTTPSԽΛଅਐ͢Δ • ηΩϡΞͰอޢ͞ΕͨURLͰஔ͖׵͑ΒΕ͔ͨͷΑ͏ʹॲ ཧ͢ΔΑ͏ࢦࣔΛ͢Δ

  28. Upgrade-Insecure-Requests • ΫϥΠΞϯτ • Upgrade-Insecure-Requests: 1 • ChromeͰ͸Headerʹ͍ͭͯΔ • αʔό

    • Content-Security-Policy: upgrade-insecure-requests • ApacheɺNginxͳͲͰઃఆ͢Δ͜ͱ΋Մೳ

  29. Upgrade-Insecure-Requests • ΫϥΠΞϯτ • Upgrade-Insecure-Requests: 1 • ChromeͰ͸Headerʹ͍ͭͯΔ • αʔό

    • Content-Security-Policy: upgrade-insecure-requests • ApacheɺNginxͳͲͰઃఆ͢Δ͜ͱ΋Մೳ <- ͜͜ʹ͍ͭͯ

  30. Upgrade-Insecure-Requests • αʔό 1. HTTPϦΫΤετ 2. όοΫάϥϯυ΁ϦΫΤετ 3. HTTPϨεϙϯε 4.

    Ϩεϙϯεϔομʔʹ `upgrade-insecure-requests` Λ͚ͭΔ ᶃ ᶄ ᶅ ᶆ

  31. ࣮ࡍͷಈ࡞

  32. Upgrade-Insecure-Requests <img src=“http://example.com/img.png"> IUUQTFYBNQMFDPN ը૾ͷϦΫΤετ͸A)551Aͱͯ͠ϦΫΤετ͢Δ 6QHSBEF*OTFDVSF3FRVFTUT͕ͳ͍৔߹

  33. Upgrade-Insecure-Requests IUUQTFYBNQMFDPN 6QHSBEF*OTFDVSF3FRVFTUT͕͋Δ৔߹ <img src=“http://example.com/img.png"> ը૾ͷϦΫΤετ͸A)5514Aͱͯ͠ϦΫΤετ͢Δ ˞JNHλάͷTSD͸AIUUQAͷ··

  34. Consoleʹܯࠂ͕ग़ͳ͘ͳΔ Mixed Content: The page at ‘https://example.com' was loaded over

    HTTPS, but requested an insecure image ‘http://example.com/img.png'. This content should also be served over HTTPS.

  35. αʔΩοτϒϨʔΧʔ

  36. αʔΩοτϒϨʔΧʔ Failͨ͠αʔόʹରͯ͠େྔͷϦΫΤετ͕ ߦ͔ͳ͍Α͏ʹ੍ޚ͢Δ

  37. αʔΩοτϒϨʔΧʔ Fail = 5xxͷ εςʔλείʔυ

  38. αʔΩοτϒϨʔΧʔ )551ϦΫΤετ εςʔλείʔυ  •εςʔλείʔυΛ؂ࢹ͢Δ

  39. αʔΩοτϒϨʔΧʔ )551ϦΫΤετ εςʔλείʔυ ʢ'BJMʣ )551ϦΫΤετ εςʔλείʔυ ʢ'BJMʣ

  40. αʔΩοτϒϨʔΧʔ •όοΫΤϯυͷαʔό΁ϦΫΤετΛߦΘͣ
 circuit breaker͔ΒϦΫΤετΛฦ͢ )551ϦΫΤετ εςʔλείʔυ ʢ'BJMʣ

  41. ඵܦաʜ

  42. αʔΩοτϒϨʔΧʔ •Ұఆ࣌ؒա͗ΔͱϒϨʔΧʔΛ໭͢ )551ϦΫΤετ εςʔλείʔυ 

  43. ࣮૷ͨ࣌͠ͷߏ੒

  44. • CircuitBreakerʹϦΫΤετͷύεΛૹΓON͔Λ֬ೝ • ONʹͳ͍ͬͯΔ৔߹͸όοΫΤϯυ΁ϦΫΤετ • OFFʹͳ͍ͬͯΔ৔߹͸ΤϥʔΛϓϩΩγαʔό͔ΒϨεϙϯε 1SPYZ )5513FRVFTU $JSDVJU#SFBLFS αʔΩοτϒϨʔΧʔ

  45. αʔΩοτϒϨʔΧʔ • ࣮૷ͷํࣜ • ϦΫΤετ࣌ʹߦͬͨPathʹରͯ͠3ճ5xxܥͷεςʔλείʔυ͕
 ฦ͖ͬͯͨ৔߹͸ͦΕҎ߱ͷϦΫΤετ͸αʔΩοτϒϨʔΧʔΛ
 ONʹ͢Δ • ఀࢭ͔ͯ͠Β30ඵܦա͔ͯ͠ΒαʔΩοτϒϨʔΧʔΛOFFʹ͢Δ
 


    -> ଞʹ΋ϔϧενΣοΫͳͲͷ΍Γํ͕͋Δʢະ࣮૷ʣ

  46. ·ͱΊ

  47. ·ͱΊ • HTTP͸γϯϓϧ͕ͩɺগ͠ෳࡶͳ͜ͱΛ͢Δͱ೉͘͠ͳΔ • ϦΫΤετ͝ͱʹϓϩηεΛ෼͚͍ͯΔͷͰɺϩʔυόϥϯαʔͱ
 αʔΩοτϒϨʔΧʔͷ࣮૷ʹ޻෉͕ඞཁͩͬͨ ʢHTTPϓϩΩγͱ͸ผ͕ͩ… • ϒϥ΢β͝ͱʹTCPίωΫγϣϯͷ࣋ͪํ͕ҧͬͨ •

    ߴෛՙ࣌ͷϓϩηε੍ޚͰۤઓͨ͠ʢݱࡏਐߦܗʣ

  48. ͝੩ௌ͋Γ͕ͱ͏ ͍͟͝·ͨ͠