Upgrade to Pro — share decks privately, control downloads, hide ads and more …

プロキシサーバ自作から学ぶ、HTTP通信

kobatako
July 15, 2019
Technology
0
100

 プロキシサーバ自作から学ぶ、HTTP通信

kobatako

July 15, 2019
Tweet

More Decks by kobatako

See All by kobatako
ネットワークのことを知るため ソフトウェアルータを 自作した話
kobatako
0
2.9k
enginnerday.pdf
kobatako
0
39

Other Decks in Technology

See All in Technology
Amazon VPC Lattice 最新アップデート紹介 - PrivateLink も似たようなアップデートあったけど違いとは
bigmuramura
0
190
watsonx.ai Dojo #5 ファインチューニングとInstructLAB
oniak3ibm
PRO
0
160
どちらを使う?GitHub or Azure DevOps Ver. 24H2
kkamegawa
0
680
コンテナセキュリティのためのLandlock入門
nullpo_head
2
320
AWS re:Invent 2024 ふりかえり
kongmingstrap
0
130
社内イベント管理システムを1週間でAKSからACAに移行した話し
shingo_kawahara
0
180
DevOps視点でAWS re:invent2024の新サービス・アプデを振り返ってみた
oshanqq
0
180
2024年にチャレンジしたことを振り返るぞ
mitchan
0
130
サーバレスアプリ開発者向けアップデートをキャッチアップしてきた #AWSreInvent #regrowth_fuk
drumnistnakano
0
190
サイボウズフロントエンドエキスパートチームについて / FrontendExpert Team
cybozuinsideout
PRO
5
38k
私なりのAIのご紹介 [2024年版]
qt_luigi
1
120
プロダクト開発を加速させるためのQA文化の築き方 / How to build QA culture to accelerate product development
mii3king
1
260

Featured

See All Featured
Faster Mobile Websites
deanohume
305
30k
Fantastic passwords and where to find them - at NoRuKo
philnash
50
2.9k
Agile that works and the tools we love
rasmusluckow
328
21k
BBQ
matthewcrist
85
9.4k
VelocityConf: Rendering Performance Case Studies
addyosmani
326
24k
Fashionably flexible responsive web design (full day workshop)
malarkey
405
66k
Why Our Code Smells
bkeepers
PRO
335
57k
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
addyosmani
2
170
Typedesign – Prime Four
hannesfritz
40
2.4k
Facilitating Awesome Meetings
lara
50
6.1k
The Pragmatic Product Professional
lauravandoore
32
6.3k
Making Projects Easy
brettharned
116
5.9k

Transcript

  1. ϓϩΩγαʔόࣗ࡞͔ΒֶͿɺ HTTP௨৴ PHPΧϯϑΝϨϯε෱Ԭ2019 খݪɹਸ׮ 2019/06/29 (౔)

  2. ࣗݾ঺հ • ໊લ : খݪ ਸ׮ʢ͜͹Δ ͔ͨͻΖʣ • ॴଐ :

    גࣜձࣾFusic • ࢓ࣄ : PHPɺGolangɺAWS • झຯ : ElixirɺErlangɺΠϯϑϥ͍Ζ͍Ζ • Twitter : kobatako_

  3. ΞδΣϯμ • ϓϩΩγαʔόʹ͍ͭͯ • ࣗ࡞ͨ͠HTTPϓϩΩγͷॲཧ • ·ͱΊ

  4. ϓϩΩγαʔόʹ͍ͭͯ

  5. ϓϩΩγαʔόͷ ϨΠϠʔ

  6. ϓϩΩγαʔόͷϨΠϠʔ • L3/L4 • TCP/IPϨϕϧͰͷϓϩΩγ • L7 •ΞϓϦέʔγϣϯϨϕϧͰͷϓϩΩγ

  7. ϓϩΩγαʔόͷϨΠϠʔ • L3/L4 • TCP/IPϨϕϧͰͷϓϩΩγ • L7 •ΞϓϦέʔγϣϯϨϕϧͰͷϓϩΩγ <- ͜͜ʹ͍ͭͯ

  8. L7 ϓϩΩγ HTTPϦΫΤετ • ΫϥΠΞϯτͱϓϩΩγαʔόɺϓϩΩγαʔόͱόοΫΤϯυͷ αʔόͦΕͧΕͰTCP઀ଓΛߦ͏ • ΞϓϦέʔγϣϯϨϕϧͰͷ੍ޚʢHTTPͳͲʣ HTTPϦΫΤετ TCP

    TCP ΫϥΠΞϯτ ϓϩΩγ όοΫΤϯυ

  9. ϓϩΩγαʔόΛڬΉͱ Ͳ͏ͳΔ ???

  10. ϓϩΩγαʔόͷ໾ׂ •௨৴಺༰ͷվม •ෛՙ෼ࢄ •ηΩϡΞͳ௨৴ɺೝূ

  11. ϚΠΫϩαʔϏεͰ΋ར༻

  12. ϓϩΩγαʔό •Envoy • L3/L4 filter architecture • L7 filter architecture

    • HTTP2 / gRPCΛαϙʔτ • αʔΩοτϒϨʔΧʔ • Etc…

  13. ࣗ࡞͢Δ͜ͱͰਂ͘ཧղ
 ϓϩΩγαʔόͷ ར༻ൣғ͕޿͕͖͍ͬͯͯΔ

  14. ࣗ࡞ͨ͠ HTTPϓϩΩγͷॲཧ

  15. ࣗ࡞ͨ͠HTTPϓϩΩγͷॲཧ • X-Forwarded • ෛՙ෼ࢄ • Upgrade-Insecure-Requests • αʔΩοτϒϨʔΧʔ

  16. X-Forwarded

  17. X-Forwarded • RFC 7239 • HTTP Headerͷ֦ு • ϓϩΩγΛதܧ͢Δࡍʹૹ৴ݩʢΫϥΠΞϯτʣͷ
 IP΍ProtocolͳͲHeaderʹ෇͚Ճ͑Δ


    ˞ ͚ͭͳ͍ͱૹ৴ݩIPͳͲͰ੍ޚ͕Ͱ͖ͳ͘ͳΔ
 ʢX-Forwarded-Forʣ

  18. X-Forwarded • X-Forwarded-For • ΫϥΠΞϯτͷIP • X-Forwarded-Host • ΫϥΠΞϯτ͔ΒૹΒΕ͖ͯͨHost Header

    • X-Forwarded-Proto • ΫϥΠΞϯτ͔ΒͷϦΫΤετ: HTTPɺHTTPSͱ͔ • X-Forwarded-By • ΫϥΠΞϯτ͔ΒϦΫΤετΛड͚औͬͨϓϩΩγଆͷIP

  19. X-Forwarded-For͚ͩͰͳ͘ શ෦ೖΕΔΑ͏ʹ͢Δ

  20. • X-Forwarded-For • Laravel(Symfony)΍CakePHPͰ͸ૹ৴ݩIPͷ஋ͱͯ͠ར༻ • X-Forwarded-Proto • Laravel(Symfony)ͰηΩϡΞͳ௨৴͔Ͳ͏͔ͷࢀরͱͯ͠ར༻
 https://github.com/symfony/http-foundation/blob/master/Request.php#L1113 ϑϨʔϜϫʔΫ಺Ͱར༻͞Ε͍ͯΔ

  21. ෛՙ෼ࢄ

  22. ෛՙ෼ࢄ • ෛՙʹԠͯ͡όοΫΤϯυͷαʔόʹϦΫΤετΛ
 ৼΓ෼͚Δ • ϦΫΤετͷछྨ΍ύεʹΑͬͯϦΫΤετઌΛܾΊΔ • .jsɺ.cssɺ.png΁ͷϦΫΤετ • /admin/

    ΁ͷϦΫΤετ

  23. ෛՙ෼ࢄ HTTP ϦΫΤετ /index HTTP ϦΫΤετ js, css HTTP ϦΫΤετ

    /index GET /index HTTP/1.1

  24. ࣮૷ͨ࣌͠ͷߏ੒

  25. ෛՙ෼ࢄ 1. Proxyʢϓϩηεʣ͕HTTP RequestΛड͚औΓɺύε͔ΒClusterΛબ୒ 2. Cluster͕LoadBalancerʹϦΫΤετΛ͠ɺIndex൪߸Λฦ͢ 3. ฦ͞ΕͨIndex൪߸ΛݩʹCluster͕NodeΛฦ͠ɺϦΫΤετΛૹ৴ $MVTUFS /PEF

    /PEF /PEF -PBE#BMBODFS 1SPYZ )5513FRVFTU

  26. Upgrade-Insecure-Requests

  27. Upgrade-Insecure-Requests • HTTPSԽΛଅਐ͢Δ • ηΩϡΞͰอޢ͞ΕͨURLͰஔ͖׵͑ΒΕ͔ͨͷΑ͏ʹॲ ཧ͢ΔΑ͏ࢦࣔΛ͢Δ

  28. Upgrade-Insecure-Requests • ΫϥΠΞϯτ • Upgrade-Insecure-Requests: 1 • ChromeͰ͸Headerʹ͍ͭͯΔ • αʔό

    • Content-Security-Policy: upgrade-insecure-requests • ApacheɺNginxͳͲͰઃఆ͢Δ͜ͱ΋Մೳ

  29. Upgrade-Insecure-Requests • ΫϥΠΞϯτ • Upgrade-Insecure-Requests: 1 • ChromeͰ͸Headerʹ͍ͭͯΔ • αʔό

    • Content-Security-Policy: upgrade-insecure-requests • ApacheɺNginxͳͲͰઃఆ͢Δ͜ͱ΋Մೳ <- ͜͜ʹ͍ͭͯ

  30. Upgrade-Insecure-Requests • αʔό 1. HTTPϦΫΤετ 2. όοΫάϥϯυ΁ϦΫΤετ 3. HTTPϨεϙϯε 4.

    Ϩεϙϯεϔομʔʹ `upgrade-insecure-requests` Λ͚ͭΔ ᶃ ᶄ ᶅ ᶆ

  31. ࣮ࡍͷಈ࡞

  32. Upgrade-Insecure-Requests <img src=“http://example.com/img.png"> IUUQTFYBNQMFDPN ը૾ͷϦΫΤετ͸A)551Aͱͯ͠ϦΫΤετ͢Δ 6QHSBEF*OTFDVSF3FRVFTUT͕ͳ͍৔߹

  33. Upgrade-Insecure-Requests IUUQTFYBNQMFDPN 6QHSBEF*OTFDVSF3FRVFTUT͕͋Δ৔߹ <img src=“http://example.com/img.png"> ը૾ͷϦΫΤετ͸A)5514Aͱͯ͠ϦΫΤετ͢Δ ˞JNHλάͷTSD͸AIUUQAͷ··

  34. Consoleʹܯࠂ͕ग़ͳ͘ͳΔ Mixed Content: The page at ‘https://example.com' was loaded over

    HTTPS, but requested an insecure image ‘http://example.com/img.png'. This content should also be served over HTTPS.

  35. αʔΩοτϒϨʔΧʔ

  36. αʔΩοτϒϨʔΧʔ Failͨ͠αʔόʹରͯ͠େྔͷϦΫΤετ͕ ߦ͔ͳ͍Α͏ʹ੍ޚ͢Δ

  37. αʔΩοτϒϨʔΧʔ Fail = 5xxͷ εςʔλείʔυ

  38. αʔΩοτϒϨʔΧʔ )551ϦΫΤετ εςʔλείʔυ  •εςʔλείʔυΛ؂ࢹ͢Δ

  39. αʔΩοτϒϨʔΧʔ )551ϦΫΤετ εςʔλείʔυ ʢ'BJMʣ )551ϦΫΤετ εςʔλείʔυ ʢ'BJMʣ

  40. αʔΩοτϒϨʔΧʔ •όοΫΤϯυͷαʔό΁ϦΫΤετΛߦΘͣ
 circuit breaker͔ΒϦΫΤετΛฦ͢ )551ϦΫΤετ εςʔλείʔυ ʢ'BJMʣ

  41. ඵܦաʜ

  42. αʔΩοτϒϨʔΧʔ •Ұఆ࣌ؒա͗ΔͱϒϨʔΧʔΛ໭͢ )551ϦΫΤετ εςʔλείʔυ 

  43. ࣮૷ͨ࣌͠ͷߏ੒

  44. • CircuitBreakerʹϦΫΤετͷύεΛૹΓON͔Λ֬ೝ • ONʹͳ͍ͬͯΔ৔߹͸όοΫΤϯυ΁ϦΫΤετ • OFFʹͳ͍ͬͯΔ৔߹͸ΤϥʔΛϓϩΩγαʔό͔ΒϨεϙϯε 1SPYZ )5513FRVFTU $JSDVJU#SFBLFS αʔΩοτϒϨʔΧʔ

  45. αʔΩοτϒϨʔΧʔ • ࣮૷ͷํࣜ • ϦΫΤετ࣌ʹߦͬͨPathʹରͯ͠3ճ5xxܥͷεςʔλείʔυ͕
 ฦ͖ͬͯͨ৔߹͸ͦΕҎ߱ͷϦΫΤετ͸αʔΩοτϒϨʔΧʔΛ
 ONʹ͢Δ • ఀࢭ͔ͯ͠Β30ඵܦա͔ͯ͠ΒαʔΩοτϒϨʔΧʔΛOFFʹ͢Δ
 


    -> ଞʹ΋ϔϧενΣοΫͳͲͷ΍Γํ͕͋Δʢະ࣮૷ʣ

  46. ·ͱΊ

  47. ·ͱΊ • HTTP͸γϯϓϧ͕ͩɺগ͠ෳࡶͳ͜ͱΛ͢Δͱ೉͘͠ͳΔ • ϦΫΤετ͝ͱʹϓϩηεΛ෼͚͍ͯΔͷͰɺϩʔυόϥϯαʔͱ
 αʔΩοτϒϨʔΧʔͷ࣮૷ʹ޻෉͕ඞཁͩͬͨ ʢHTTPϓϩΩγͱ͸ผ͕ͩ… • ϒϥ΢β͝ͱʹTCPίωΫγϣϯͷ࣋ͪํ͕ҧͬͨ •

    ߴෛՙ࣌ͷϓϩηε੍ޚͰۤઓͨ͠ʢݱࡏਐߦܗʣ

  48. ͝੩ௌ͋Γ͕ͱ͏ ͍͟͝·ͨ͠