
Introduction to NGINX Plus - Red Hat Forum Tokyo 2018

NGINX Japan
November 08, 2018



Transcript

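  1. NGINX, Inc.
     • Founded in […]; initial release of NGINX Plus in […]; initial release of the OSS version in […]
     • Over […] websites
     • Backed by venture capital from leaders in the enterprise software industry
     • Offices in San Francisco, London, Cork, Singapore, Sydney, Moscow, and Tokyo
     • Over […] customers
     • Over […] employees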
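  2. Products
     • NGINX Unit: A new dynamic web and application server from NGINX. Open source, with support for multiple languages and dynamic, REST API-driven configuration.
     • NGINX Plus: The only all-in-one solution that includes a load balancer, web server, and content cache. It simplifies architecture while reducing costs.
     • NGINX Controller: Centralized monitoring and management for NGINX Plus. Deploy virtual load balancers using a single, beautiful interface.
     • NGINX WAF: An open source web application firewall (WAF). It defends against SQL injection, LFI, RFI, and other Layer 7 attacks. Powered by ModSecurity.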
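  3. NGINX Application Platform
     The industry's only solution that consolidates load balancer, API gateway, and service mesh into a single modular platform, delivering […]-fold simplification and […] cost reduction.
     Performance • Resilience • Security
     Load balancer • API • Service mesh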
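  4. NGINX: Reducing complexity, not just improving performance.
     • Modernize: Modernize apps at your own pace while supporting both legacy apps and microservices.
     • Simplify: Simplify modern apps and provide multi-cloud portability.
     • Productivity: Work seamlessly across infrastructure and application teams.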
  5. What is NGINX Plus?
     • Covers everything involved in application delivery
       ◦ Load balancer
       ◦ Content cache
       ◦ Web server
       ◦ Security controls
       ◦ Dynamic modules
       ◦ Monitoring
       ◦ High availability (HA)
       ◦ Kubernetes Ingress controller
       ◦ Programmability
  6. Consolidate and simplify
     Web application firewall • Web cache • Network firewall • Load balancer • SSL • Reverse proxy • Authentication gateway • API gateway • Application
  7. NGINX Plus and microservices
     • NGINX provides the following for microservices:
       ◦ Connectivity
       ◦ Service delivery
       ◦ Authentication
       ◦ Security
       ◦ Caching
       ◦ Load balancing
       ◦ Scaling
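  8. Why NGINX? NGINX makes microservices a reality: the data plane solution in use today
     • 4 million: NGINX instances running in production microservices.*
     • 1 billion: pulls of the official NGINX DockerHub image
     • NGINX Plus Dockerfile for high-availability container traffic management
     • 1 million: pulls of the NGINX Kubernetes Ingress Controller
     • 250 companies: using NGINX in production microservices*
     • NGINX Plus: delivers application services natively inside containers
     • NGINX Controller: a complete monitoring and management container platform
     * Source: Internal customer data and surveys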
  9. Dynamic E-W routing: service discovery
     • Needed when:
       ◦ A new service is added
       ◦ Instances of an existing service are added
     • Triggers that configure the proxy:
       ◦ Ansible Roles
       ◦ Consul templates
       ◦ DNS A and SRV records
       ◦ AWS Autoscaling groups
       ◦ Kubernetes (kube-dns)
     Ingress and Service-to-Service
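  10. NGINX sidecar: secure, fast service-to-service traffic
     • Secure
       ◦ SSL/TLS communication between services
       ◦ No direct-path routing that bypasses NGINX
       ◦ Service registry as the “source of truth”
       ◦ JWT for per-app authentication and claims control
     • Optimized
       ◦ SSL keepalive, reduced setup cost
       ◦ Traffic volume adjustment between services
       ◦ Many-to-many core and reverse proxy architecture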
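  11. Next step: service mesh orchestration
     • A network layer that makes communication between distributed services fast, highly reliable, and secure
     • Keeps network communication reliable even when services change frequently
     • Services do not need to be aware of the mesh; control of the data plane and control plane is separated
     Service mesh control plane • Platform orchestration (K8s, Docker, EKS, etc) • Service mesh data plane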
  12. NGINX Plus: API gateway
     • API routing
       ◦ URL mapping
       ◦ Overload protection
     • Authentication
       ◦ API keys
       ◦ JWT/JWK
       ◦ SSL/MASSL Everywhere
     • Analytics and auditing
       ◦ Request tracing
     • Optimization
       ◦ Upstream API clustering
  13. NGINX Plus - Kubernetes Ingress Controller
     Build Kubernetes applications with NGINX Plus as the entry point:
     • Advanced load balancing and SSL/TLS termination
     • WebSocket and HTTP/2 support
     • URI rewriting before requests are forwarded to the application
     • Dynamic reconfiguration
     • Session persistence
     • JWT authentication
     • Prometheus support
     • 24x7 support
     https://github.com/nginxinc/kubernetes-ingress
  14. Simple, unified configuration

     ```yaml
     apiVersion: extensions/v1beta1
     kind: Ingress
     metadata:
       name: cafe-ingress
     spec:
       # TLS is terminated at the Ingress using the certificate in cafe-secret
       tls:
       - hosts:
         - cafe.example.com
         secretName: cafe-secret
       # Path-based routing for cafe.example.com
       rules:
       - host: cafe.example.com
         http:
           paths:
           - path: /tea
             backend:
               serviceName: tea-svc
               servicePort: 80
           - path: /coffee
             backend:
               serviceName: coffee-svc
               servicePort: 80
     ```
  15. Summary
     • Your company's web systems have become too complex
       ◦ → NGINX Plus!
     • Your load balancer hardware is due for replacement
       ◦ → NGINX Plus!
     • You are evaluating an API gateway or service mesh
       ◦ → NGINX Plus!
     Get the free trial here