Slide 1
Slide 1 text
GMO Pepabo, Inc.
SOGO Haraguchi
2015/07/11 ؔRubyձٞ06
ສ8FCαΠτΛࢧ͑Δ
ϩϦϙοϓʂͱNSVCZ
Slide 2
Slide 2 text
ࣗݾհ
!IBSBTPV
ΠϯϑϥΤϯδχΞ
4*FSΛ΄Ͳసʑ
(.0ϖύϘגࣜձࣾ
ϗεςΟϯάࣄۀ෦ΠϯϑϥνʔϜ
Ԭ
Slide 3
Slide 3 text
ϗεςΟϯάαʔϏε
Ϣʔβͷ8ϝʔϧΛ༬͔ͬͯӡ༻͢Δɻ͍ΘΏ
ΔʮϨϯλϧαʔόʔʯͳͲɻ
(.0ϖύϘגࣜձࣾɹ
Slide 4
Slide 4 text
!ITCU
Slide 5
Slide 5 text
!NBUTVNPUPSZ
Slide 6
Slide 6 text
ΞδΣϯμ
8FCϗεςΟϯάͷΈ
NSVCZNPE@NSVCZͷհ
NSVCZΛར༻ͨ͠ରࡦ
·ͱΊ
Slide 7
Slide 7 text
8FCϗεςΟϯά
ͷΈ
Slide 8
Slide 8 text
ͦͷ̍
Slide 9
Slide 9 text
େྔΞΫηε %P4
XFC
αʔό
߈ܸऀ
Slide 10
Slide 10 text
ͦͷ̎
Slide 11
Slide 11 text
$16Λ৯͏ΞΫηε
XFC
αʔό
ˋ
ˋ
Slide 12
Slide 12 text
!NBUTVNPUPSZ
Slide 13
Slide 13 text
ͦΕNSVCZͳΒ
Ͱ͖ΔΑͶ
Slide 14
Slide 14 text
"QBDIF
NPE@NSVCZ
NSCHFNTʢϦιʔε੍ޚ༻ʣ
Slide 15
Slide 15 text
NSVCZ
লϝϞϦͷ3VCZ࣮ɻΈࠐΈ͚ɻ
ΞϓϦέʔγϣϯ$
$Ͱ։ൃɻ
ॊೈੑɺੜ࢈ੑ͕ඞཁͳ෦͚ͩ3VCZ
Ͱ࣮ɻ
MJCNSVCZB
ΞϓϦࠐΈ༻ϥΠϒϥϦ
Slide 16
Slide 16 text
NPE@NSVCZ
"QBDIFͷϞδϡʔϧ
NSVCZͷεΫϦϓτͰ༷ʑͳ"QBDIFͷ
੍ޚ͕Մೳ
NPE@NSVCZ
NSVCZεΫϦϓτ
NPE@TTM
DPSF
"QBDIF
MJCNSVCZB
IUUQEPTEFUFDUPS NSVCZεΫϦϓτ
Slide 17
Slide 17 text
ઃఆNPE@NSVCZ
NPE@NSVCZ͕ఏڙ͍ͯ͠ΔIPPLʹ࣮ߦͨ͠
͍NSVCZεΫϦϓτΛઃఆ
ʮDBDIFʯΛ͚ͭΔͱࣄલʹόΠτίʔυ
1
2 mrubyFixupsMiddle start.rb cache
3 mrubyLogTransactionMiddle end.rb cache
4
Slide 18
Slide 18 text
Ϧιʔε੍ޚຊͷ
NPE@NSVCZͰར༻͢ΔNSCHFNT
IUUQEPTEFUFDUPS
IUUQBDDFTTMJNJUUFS
NSVCZDHSPVQ
Slide 19
Slide 19 text
1.http-dos-detector
େྔʢ%PTతͳʣΞΫηεͷରࡦ
ʮҰఆظؒʯͷΞΫηεঢ়گΛͱʹ
͞·͟·ͳ੍ޚ͕Մೳ
ྫʣ͋ΔυϝΠϯʹɺSFRT
དྷͨΒɺͦͷޙ̍ඵؒΛฦ
͢ɻ
Slide 20
Slide 20 text
$16Λ৯͏ΞΫηεͷରࡦ
ʮݱ࣌ʯͷΞΫηεঢ়گΛͱʹɺ
͞·͟·ͳ੍ޚ͕Մೳ
ྫʣ͋Δ$(*ͷಉ࣌ΞΫηε͕
̑Λ͑ͨͱ͖Λฦ͢ɻ
2.http-access-limitter
Slide 21
Slide 21 text
ུ֓ਤᶃ
IUUQEPTEFUFDUPSIUUQBDDFTTMJNJUUFS
"QBDIF
ϓϩηε NSVCZ
XPSLFS NSVCZ
XPSLFS NSVCZ
XPSLFS NSVCZ
XPSLFS NSVCZ
ڞ༗ϝϞϦ
HMPCBMMPDL
ᶄΧϯλ
ΠϯΫˠॲཧˠσΫϦ
MPDBMNFNDBDIF
,74
ᶃUSZ@MPDL
ᶅVOMPDL
Slide 22
Slide 22 text
ઃఆᶃIUUQBDDFTTMJNJUUFS
1 LoadModule mruby_module modules/mod_mruby.so
2
3
4 mrubyPostConfigMiddle access_limitter_init.rb cache
5 mrubyChildInitMiddle access_limitter_worker_init.rb cache
6
7
8 mrubyAccessCheckerMiddle access_limitter_start.rb cache
9 mrubyLogTransactionMiddle access_limitter_end.rb cache
10
11
access_limitter_apache.conf
Slide 23
Slide 23 text
ઃఆᶃIUUQBDDFTTMJNJUUFS
access_limitter_start.rb
1 threshold = 2
2
3 Server = get_server_class
4 r = Server::Request.new
5 cache = Userdata.new.shared_cache
6 global_mutex = Userdata.new.shared_mutex
7
8 limit = AccessLimitter.new r, cache, { :target => r.filename }
9
10 timeout = global_mutex.try_lock_loop(50000) do
11 begin
12 limit.increment
13 if limit.current > threshold
14 Server.return Server::HTTP_SERVICE_UNAVAILABLE
15 end
16 rescue => e
17 raise "AccessLimitter failed: #{e}"
18 ensure
19 global_mutex.unlock
20 end
21 end
Slide 24
Slide 24 text
ઃఆᶃIUUQBDDFTTMJNJUUFS
access_limitter_end.rb
1
2
3 Server = get_server_class
4 r = Server::Request.new
5 cache = Userdata.new.shared_cache
6 global_mutex = Userdata.new.shared_mutex
7
8 limit = AccessLimitter.new r, cache, { :target => f.filename }
9
10 timeout = global_mutex.try_lock_loop(50000) do
11 begin
12 limit.decrement
13 rescue => e
14 raise "AccessLimitter failed: #{e}"
15 ensure
16 global_mutex.unlock
17 end
18 end
Slide 25
Slide 25 text
$16Λ৯͏ΞΫηεͷରࡦ
lDHSPVQzͱݺΕΔ-JOVYΧʔωϧͷ
ػೳΛૢ࡞͠ɺ$16ɺϝϞϦɺωοτ
ϫʔΫଳҬͳͲΛ੍ޚɻ
ྫʣϗεςΟϯά͞Ε͍ͯΔΞΧϯτ
୯ҐͰɺར༻Ͱ͖Δ$16ΛฏۉԽ͢Δɻ
3.mruby-cgroup
Slide 26
Slide 26 text
ུ֓ਤᶄ
DHSPVQlDQVTIBSFTz$16࣌ؒͷׂ߹Λࢦఆ
ϧʔτάϧʔϓɿDQVTIBSFT
Ϣʔβ"άϧʔϓɿDQVTIBSFT
$16͏ϓϩηε#
$16͏ϓϩηε"
Ϣʔβ#άϧʔϓɿDQVTIBSFT
$16͏ϓϩηε$
^
^
߹ܭͰˋ
̍ͭͰˋ
Slide 27
Slide 27 text
ઃఆᶄNSVCZDHSPVQ
1
2 mrubyFixupsMiddle resouce_manage_start.rb cache
3 mrubyLogTransactionMiddle resouce_manage_end.rb cache
4
1 r = Apache::Request.new
2 u = r.finfo.user
3
4 c = Cgroup::CPU.new u
5 if c.exist?
6 c.modify
7 else
8 c.create
9 end
10 c.attach
resource_manage_start.rb
mod_mruby.conf
Slide 28
Slide 28 text
Ϧιʔε੍ޚຊͷ
IUUQEPTEFUFDUPS
IUUQBDDFTTMJNJUUFS
NSVCZDHSPVQ
Slide 29
Slide 29 text
OHY@NSVCZ
IUUQEPTEFUFDUPS
Slide 30
Slide 30 text
ੑೳݕূ!TBXBOPCPMZ
ඵͰ
ϦΫΤετͷϧʔϧͰϒϩοΫͯ͠Έͨɻ
1 config = {
2 :counter_key => r.hostname,
3 :magic_str => "....",
4
5 :behind_counter => -500,
6
7 :threshold_counter => 1000,
8 :threshold_time => 5,
9
10 :expire_time => 60,
11 }
http://qiita.com/sawanoboly/items/74368e002631bed3afb7
Slide 31
Slide 31 text
BC OD
ͷ݁Ռ
EPTEFUFDUPSͳ͠
Concurrency Level: 30
Time taken for tests: 2.756 seconds
Complete requests: 6000
Failed requests: 0
Requests per second: 2177.34 [#/sec] (mean)
Time per request: 13.778 [ms] (mean)
Time per request: 0.459 [ms] (mean, across all concurrent requests)
Transfer rate: 493.30 [Kbytes/sec] received
EPTEFUFDUPS͋ΓˍϒϩοΫͳ͠
Concurrency Level: 30
Time taken for tests: 3.940 seconds
Complete requests: 6000
Failed requests: 0
Total transferred: 1392000 bytes
HTML transferred: 24000 bytes
Requests per second: 1522.99 [#/sec] (mean)
Time per request: 19.698 [ms] (mean)
Time per request: 0.657 [ms] (mean, across all concurrent requests)
Transfer rate: 345.05 [Kbytes/sec] received
Slide 32
Slide 32 text
ੑೳ·ͱΊ
ׂ̏͘Β͍͋ͬͨͶɻ
Slide 33
Slide 33 text
·ͱΊ
Slide 34
Slide 34 text
·ͱΊ
NPE@NSVCZ͔ͭ͏ͱ"QBDIFͷ
੍ޚ͕Ͱ͖Δ OHY@NSVCZ/HJOYʣ
$ͩͱߦͷ࣮͕ɺNSVCZͩͱ
Θ͔ͣेߦɻظؒͰ։ൃՄೳɻ
CZNBUTVNPUPSZ
Slide 35
Slide 35 text
ϗεςΟϯάӡ༻
Λ
NSVCZͰίϯτϩʔϧ
Ͱ͖Δɺศར͞ʂ