プロキシサーバ自作から学ぶ、HTTP通信

kobatako

July 15, 2019
Transcript

  1. Learning HTTP communication by building your own proxy server
    PHP Conference Fukuoka 2019
    Takahiro Kobaru
    2019/06/29 (Sat)

  2. About me
    • Name: Takahiro Kobaru (小原 崇寛)
    • Affiliation: Fusic Co., Ltd.
    • Work: PHP, Golang, AWS
    • Hobbies: Elixir, Erlang, all sorts of infrastructure
    • Twitter: kobatako_

  3. Agenda
    • About proxy servers
    • What my self-built HTTP proxy does
    • Summary

  4. About proxy servers

  5. Proxy server layers

  6. Proxy server layers
    • L3/L4
      • Proxying at the TCP/IP level
    • L7
      • Proxying at the application level

  7. Proxy server layers
    • L3/L4
      • Proxying at the TCP/IP level
    • L7
      • Proxying at the application level  <- this talk is about these

  8. L7 proxy
    • Separate TCP connections are established between the client and the proxy server, and between the proxy server and the backend server
    • Control happens at the application level (HTTP and so on)
    (Diagram: client --TCP-- proxy --TCP-- backend, with the HTTP request passing through both hops)

  9. What happens when you put a proxy server in between???

  10. What a proxy server does
    • Modifies the content of the communication
    • Load balancing
    • Secure communication, authentication

  11. Also used in microservices

  12. Proxy servers
    • Envoy
      • L3/L4 filter architecture
      • L7 filter architecture
      • Supports HTTP2 / gRPC
      • Circuit breaker
      • Etc…

  13. Building one yourself gives a deeper understanding
    Proxy servers are being used in more and more places

  14. What my self-built HTTP proxy does

  15. What my self-built HTTP proxy does
    • X-Forwarded
    • Load balancing
    • Upgrade-Insecure-Requests
    • Circuit breaker

  16. X-Forwarded

  17. X-Forwarded
    • RFC 7239
    • An extension of the HTTP headers
    • When relaying through a proxy, the sender's (client's) IP, protocol and so on are added to the headers
    ※ Without them, the backend can no longer apply controls based on the source IP and the like (X-Forwarded-For)

  18. X-Forwarded
    • X-Forwarded-For
      • The client's IP
    • X-Forwarded-Host
      • The Host header sent by the client
    • X-Forwarded-Proto
      • The protocol of the client's request: HTTP, HTTPS, etc.
    • X-Forwarded-By
      • The IP of the proxy that received the request from the client

  19. Set all of them, not just X-Forwarded-For

  20. • X-Forwarded-For
      • Laravel (Symfony) and CakePHP use it as the source IP value
    • X-Forwarded-Proto
      • Laravel (Symfony) uses it to decide whether the connection is secure
    https://github.com/symfony/http-foundation/blob/master/Request.php#L1113
    These headers are used inside the frameworks
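
The two sides of slides 17-20 in working code, as an added example (this is not the speaker's proxy, whose source is not shown in the deck): a proxy-side function that sets all four X-Forwarded-* headers from the slides, and a backend-side function that reads X-Forwarded-For the way the frameworks on slide 20 should, i.e. only when the TCP peer is a known proxy. Addresses such as 10.0.0.1 and 203.0.113.7 are constructed sample values.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// peerIP extracts the address of the TCP peer from RemoteAddr ("ip:port").
func peerIP(r *http.Request) string {
	ip, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil { // no port present (e.g. a unix-socket peer): use it verbatim
		return r.RemoteAddr
	}
	return ip
}

// setForwardedHeaders fills in the four headers from slide 18 on the copy of
// the request that the proxy sends upstream. in is the request as the proxy
// received it; proxyIP is this proxy's own address (for X-Forwarded-By).
func setForwardedHeaders(in, out *http.Request, proxyIP string) {
	client := peerIP(in)
	// Append to a chain an earlier proxy may already have recorded; never replace it.
	if prior := in.Header.Get("X-Forwarded-For"); prior != "" {
		out.Header.Set("X-Forwarded-For", prior+", "+client)
	} else {
		out.Header.Set("X-Forwarded-For", client)
	}
	out.Header.Set("X-Forwarded-Host", in.Host)
	proto := "http"
	if in.TLS != nil {
		proto = "https"
	}
	out.Header.Set("X-Forwarded-Proto", proto)
	out.Header.Set("X-Forwarded-By", proxyIP)
}

// clientIP is the backend-side counterpart. X-Forwarded-For is only honoured
// when the TCP peer is one of our own proxies: anyone can put an arbitrary
// X-Forwarded-For on a request, so a backend that reads it unconditionally
// lets the caller choose the IP it is identified (and rate-limited) by.
func clientIP(r *http.Request, trustedProxies map[string]bool) string {
	peer := peerIP(r)
	xff := r.Header.Get("X-Forwarded-For")
	if !trustedProxies[peer] || xff == "" {
		return peer
	}
	// Walk the chain from the right: the rightmost entry was written by the
	// proxy that connected to us. Skip every hop we trust; the first untrusted
	// address is the client.
	hops := strings.Split(xff, ",")
	for i := len(hops) - 1; i >= 0; i-- {
		if ip := strings.TrimSpace(hops[i]); !trustedProxies[ip] {
			return ip
		}
	}
	return strings.TrimSpace(hops[0])
}

func main() {
	trusted := map[string]bool{"10.0.0.1": true} // constructed: our proxy's address

	// Constructed sample: a client at 203.0.113.7 reaches the proxy over HTTPS.
	in := httptest.NewRequest("GET", "https://example.com/index", nil)
	in.RemoteAddr = "203.0.113.7:51234"
	in.TLS = &tls.ConnectionState{}
	out := in.Clone(in.Context())
	setForwardedHeaders(in, out, "10.0.0.1")
	for _, h := range []string{"X-Forwarded-For", "X-Forwarded-Host", "X-Forwarded-Proto", "X-Forwarded-By"} {
		fmt.Printf("%-18s %s\n", h+":", out.Header.Get(h))
	}

	// Backend view: the proxy (10.0.0.1) is the peer, so the header is believed.
	out.RemoteAddr = "10.0.0.1:40000"
	fmt.Println("client seen by backend:", clientIP(out, trusted))

	// A direct request carrying a forged header is not believed.
	forged := httptest.NewRequest("GET", "http://example.com/admin", nil)
	forged.RemoteAddr = "198.51.100.9:4444"
	forged.Header.Set("X-Forwarded-For", "127.0.0.1")
	fmt.Println("forged header, direct client:", clientIP(forged, trusted))
}
```

The trusted-peer check is the part the slide's ※ note leaves implicit: the header only makes source-IP controls possible if the backend believes it solely from its own proxies. Symfony's HttpFoundation applies the same rule, honouring X-Forwarded-* only for peers registered through `Request::setTrustedProxies()`.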

  21. Load balancing

  22. Load balancing
    • Distribute requests across the backend servers according to load
    • Decide the destination by request type or path
      • Requests for .js, .css, .png
      • Requests for /admin/

  23. Load balancing
    (Diagram: an HTTP request for /index and one for js, css are routed to different backends; GET /index HTTP/1.1)

  24. Structure of the implementation

  25. Load balancing
    1. The Proxy (process) receives the HTTP Request and selects a Cluster from the path
    2. The Cluster asks the LoadBalancer, which returns an Index number
    3. Using the returned Index number the Cluster returns a Node, and the request is sent
    (Diagram: HTTPRequest -> Proxy -> Cluster -> LoadBalancer; Cluster -> Node, Node, Node)
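
The three steps of slide 25 and the path rules of slide 22 as one added Go example (not the speaker's implementation; the deck shows only the diagram). The LoadBalancer hands out an index, the Cluster turns it into a Node, and the Router picks the cluster from the path. Round-robin is my choice of policy, the backend addresses are constructed, and the rule that /admin/ wins over the static-asset extensions is mine; the slides state neither.

```go
package main

import (
	"fmt"
	"path"
	"strings"
	"sync"
)

// Node is one backend server address (constructed values in newDemoRouter).
type Node string

// LoadBalancer only hands out an index into a node list, as on slide 25.
// Round-robin is my choice; the slides do not say which policy was used.
type LoadBalancer struct {
	mu   sync.Mutex
	next int
}

func (lb *LoadBalancer) NextIndex(n int) int {
	lb.mu.Lock()
	defer lb.mu.Unlock()
	i := lb.next % n
	lb.next++
	return i
}

// Cluster is a named group of nodes with its own balancer.
type Cluster struct {
	Name  string
	Nodes []Node
	lb    LoadBalancer
}

// Pick is steps 2 and 3: ask the balancer for an index, resolve it to a node.
func (c *Cluster) Pick() Node {
	return c.Nodes[c.lb.NextIndex(len(c.Nodes))]
}

// Router is step 1: choose a cluster from the request path.
type Router struct {
	Static, Admin, Default *Cluster
}

var staticExt = map[string]bool{".js": true, ".css": true, ".png": true}

// Select normalises the path before matching. A raw prefix check would send
// "/static/../admin/" to the default cluster even though the backend resolves
// it under /admin/, so any extra control attached to the admin cluster would
// be skipped. reqPath is r.URL.Path, which net/http has already percent-decoded.
func (rt *Router) Select(reqPath string) *Cluster {
	clean := path.Clean("/" + reqPath)
	switch {
	case clean == "/admin" || strings.HasPrefix(clean, "/admin/"):
		return rt.Admin // checked first so /admin/logo.png stays on the admin cluster
	case staticExt[strings.ToLower(path.Ext(clean))]:
		return rt.Static
	default:
		return rt.Default
	}
}

// Route returns the chosen cluster name and node for a request path.
func (rt *Router) Route(reqPath string) (string, Node) {
	c := rt.Select(reqPath)
	return c.Name, c.Pick()
}

// newDemoRouter builds a router over constructed backend addresses.
func newDemoRouter() *Router {
	return &Router{
		Default: &Cluster{Name: "app", Nodes: []Node{"10.0.0.11:8080", "10.0.0.12:8080", "10.0.0.13:8080"}},
		Static:  &Cluster{Name: "static", Nodes: []Node{"10.0.1.11:8080"}},
		Admin:   &Cluster{Name: "admin", Nodes: []Node{"10.0.2.11:8080"}},
	}
}

func main() {
	rt := newDemoRouter()
	for _, p := range []string{"/index", "/index", "/index", "/index", "/assets/app.js", "/admin/users", "/static/../admin/"} {
		name, node := rt.Route(p)
		fmt.Printf("%-20s -> cluster %-7s node %s\n", p, name, node)
	}
}
```

Each cluster owns its balancer, so the round-robin position of the app cluster is not disturbed by traffic to the static or admin clusters; the per-cluster mutex is what a proxy that handles requests concurrently needs.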

  26. Upgrade-Insecure-Requests

  27. Upgrade-Insecure-Requests
    • Promotes the move to HTTPS
    • Instructs that requests be handled as if they had been replaced with secure, protected URLs

  28. Upgrade-Insecure-Requests
    • Client
      • Upgrade-Insecure-Requests: 1
      • Chrome attaches this header
    • Server
      • Content-Security-Policy: upgrade-insecure-requests
      • Can also be configured in Apache, Nginx and so on

  29. Upgrade-Insecure-Requests
    • Client
      • Upgrade-Insecure-Requests: 1
      • Chrome attaches this header
    • Server  <- this talk is about this part
      • Content-Security-Policy: upgrade-insecure-requests
      • Can also be configured in Apache, Nginx and so on

  30. Upgrade-Insecure-Requests
    • Server
    1. HTTP request
    2. Request to the backend
    3. HTTP response
    4. Add `upgrade-insecure-requests` to the response header
    (Diagram: ① ②)

  31. Actual behaviour

  32. Upgrade-Insecure-Requests
    https://example.com
    Without Upgrade-Insecure-Requests
    The image is requested over `HTTP`

  33. Upgrade-Insecure-Requests
    https://example.com
    With Upgrade-Insecure-Requests
    The image is requested over `HTTPS`
    ※ The src of the img tag stays `http`

  34. The console warning goes away
    Mixed Content: The page at 'https://example.com' was
    loaded over HTTPS, but requested an insecure image
    'http://example.com/img.png'. This content should also
    be served over HTTPS.
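
Step 4 of slide 30 as an added Go example (not the speaker's code): a proxy-side handler that lets the request through to the backend and adds `upgrade-insecure-requests` to the `Content-Security-Policy` response header on the way back. The one thing a working proxy has to get right here, which the slide does not spell out, is that the backend may already send its own CSP; the directive must be merged into it, since overwriting the header would silently drop the backend's other policies. The backend handler and the page with the http:// image are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

const upgradeDirective = "upgrade-insecure-requests"

// mergeUpgradeDirective returns a CSP value that contains the directive while
// keeping whatever policy the backend already sent.
func mergeUpgradeDirective(existing string) string {
	for _, d := range strings.Split(existing, ";") {
		if strings.EqualFold(strings.TrimSpace(d), upgradeDirective) {
			return existing // already present: leave the header untouched
		}
	}
	if strings.TrimSpace(existing) == "" {
		return upgradeDirective
	}
	return strings.TrimRight(strings.TrimSpace(existing), ";") + "; " + upgradeDirective
}

// cspWriter delays the header change until the backend commits its status
// (WriteHeader or the first Write), i.e. after it has set its own headers.
type cspWriter struct {
	http.ResponseWriter
	committed bool
}

func (w *cspWriter) WriteHeader(code int) {
	if !w.committed {
		w.committed = true
		h := w.Header()
		h.Set("Content-Security-Policy", mergeUpgradeDirective(h.Get("Content-Security-Policy")))
	}
	w.ResponseWriter.WriteHeader(code)
}

func (w *cspWriter) Write(b []byte) (int, error) {
	if !w.committed {
		w.WriteHeader(http.StatusOK) // implicit 200 on first Write, as net/http does
	}
	return w.ResponseWriter.Write(b)
}

// UpgradeInsecure is the proxy side of slide 30: the request reaches the
// backend unchanged (steps 1-2) and the directive is added to the response
// on its way back to the client (steps 3-4).
func UpgradeInsecure(backend http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		backend.ServeHTTP(&cspWriter{ResponseWriter: w}, r)
	})
}

func main() {
	// Constructed backend: an HTML page with an http:// image and its own CSP.
	backend := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Security-Policy", "default-src 'self'")
		w.Header().Set("Content-Type", "text/html")
		fmt.Fprint(w, `<img src="http://example.com/img.png">`)
	})
	rec := httptest.NewRecorder()
	UpgradeInsecure(backend).ServeHTTP(rec, httptest.NewRequest("GET", "https://example.com/", nil))
	fmt.Println("Content-Security-Policy:", rec.Result().Header.Get("Content-Security-Policy"))
}
```

The browser does the rest: with the directive present it fetches img.png over HTTPS even though the markup still says http, which is exactly the behaviour slides 33 and 34 describe.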

  35. Circuit breaker

  36. Circuit breaker
    Prevents a flood of requests from reaching a server that has failed

  37. Circuit breaker
    Fail = a 5xx status code

  38. Circuit breaker
    (Diagram: HTTP request -> status code)
    • Monitor the status codes

  39. Circuit breaker
    (Diagram: HTTP request -> status code (Fail); HTTP request -> status code (Fail))

  40. Circuit breaker
    • Without sending the request to the backend server, the circuit breaker answers the request itself
    (Diagram: HTTP request -> status code (Fail))

  41. Seconds pass…

  42. Circuit breaker
    • After a fixed time, the breaker is reset
    (Diagram: HTTP request -> status code)

  43. Structure of the implementation

  44. • Send the request path to the CircuitBreaker and check whether it is ON
    • If it is ON, forward the request to the backend
    • If it is OFF, respond with an error from the proxy server
    (Diagram: HTTPRequest -> Proxy -> CircuitBreaker)

  45. Circuit breaker
    • How it is implemented
      • If a 5xx status code comes back three times for the path of a request, the circuit breaker is turned ON for all subsequent requests
      • 30 seconds after stopping, the circuit breaker is turned OFF
    -> There are other approaches too, such as health checks (not implemented)
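
The scheme of slides 36-45 as an added Go example, not the speaker's implementation: a per-path breaker that trips after three 5xx responses and releases 30 seconds later, wrapped in a proxy-side handler that answers 503 itself while the breaker is open (slide 40) and otherwise forwards and records the backend's status (slide 38). The clock is injectable so the 30-second wait can be simulated; "three times" is read as three consecutive failures, which the slides leave open, and the always-failing backend in `main` is constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
	"time"
)

// Breaker tracks failures per request path: it trips after threshold
// consecutive 5xx responses and releases after cooldown. "Consecutive" is my
// reading of "three times"; the slides do not say whether a success resets it.
type Breaker struct {
	mu        sync.Mutex
	threshold int
	cooldown  time.Duration
	now       func() time.Time // injectable clock so the 30 s wait can be simulated
	failures  map[string]int
	trippedAt map[string]time.Time
}

func NewBreaker(threshold int, cooldown time.Duration) *Breaker {
	return &Breaker{threshold: threshold, cooldown: cooldown, now: time.Now,
		failures: map[string]int{}, trippedAt: map[string]time.Time{}}
}

// Allow reports whether a request for path p may go to the backend (slide 44);
// a tripped path is released once cooldown has elapsed (slide 42).
func (b *Breaker) Allow(p string) bool {
	b.mu.Lock()
	defer b.mu.Unlock()
	t, tripped := b.trippedAt[p]
	if !tripped {
		return true
	}
	if b.now().Sub(t) < b.cooldown {
		return false
	}
	delete(b.trippedAt, p) // cooldown over: release and count afresh
	b.failures[p] = 0
	return true
}

// Record feeds the backend's status code back (slide 38). Only 5xx counts as
// a failure: a 4xx is the client's problem, not a sign the backend is down.
func (b *Breaker) Record(p string, status int) {
	b.mu.Lock()
	defer b.mu.Unlock()
	if status < 500 {
		b.failures[p] = 0
		return
	}
	b.failures[p]++
	if _, tripped := b.trippedAt[p]; !tripped && b.failures[p] >= b.threshold {
		b.trippedAt[p] = b.now()
	}
}

// statusWriter captures the status code the backend handler chose.
type statusWriter struct {
	http.ResponseWriter
	status int
}

func (w *statusWriter) WriteHeader(code int) {
	w.status = code
	w.ResponseWriter.WriteHeader(code)
}

func (w *statusWriter) Write(p []byte) (int, error) {
	if w.status == 0 {
		w.status = http.StatusOK // implicit 200; the underlying writer sends it
	}
	return w.ResponseWriter.Write(p)
}

// Guard is the proxy-side handler: ask the breaker, then either answer from
// the proxy without touching the backend (slide 40) or forward and record.
func Guard(b *Breaker, backend http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !b.Allow(r.URL.Path) {
			w.Header().Set("Retry-After", fmt.Sprint(int(b.cooldown.Seconds())))
			http.Error(w, "backend temporarily unavailable", http.StatusServiceUnavailable)
			return
		}
		sw := &statusWriter{ResponseWriter: w}
		backend.ServeHTTP(sw, r)
		b.Record(r.URL.Path, sw.status)
	})
}

func main() {
	// Constructed backend that always answers 502; from the 4th request on the proxy answers 503 itself.
	failing := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusBadGateway) })
	h := Guard(NewBreaker(3, 30*time.Second), failing)
	for i := 1; i <= 5; i++ {
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, httptest.NewRequest("GET", "/api/items", nil))
		fmt.Printf("request %d: status %d\n", i, rec.Code)
	}
}
```

Keying the state by path, as the slides do, keeps one failing endpoint from taking the whole backend offline; the `Retry-After` header tells well-behaved clients how long the proxy will keep answering for the backend.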

  46. Summary

  47. Summary
    • HTTP is simple, but it gets hard as soon as you do anything slightly complex
    • Because each request gets its own process, the load balancer and circuit breaker implementations needed some ingenuity
    (Not really about the HTTP proxy itself, but…)
    • Each browser holds its TCP connections differently
    • Struggled with process control under high load (still ongoing)

  48. Thank you for listening