Share
Embed
Slide 1
Slide 1 text
AWSͰͯͳϒϩάͷ
ৗ࣌HTTPS৴Λ
όʔϯͱΔ
Hatena Engineer Seminar #10 @ Tokyo
גࣜձࣾͯͳ id:aereal
Slide 2
Slide 2 text
ࣗݾհ
• id:aereal
• GitHub: aereal
• Twitter: aereal
• ϒϩάϢʔβʔνʔϜ
ΞϓϦέʔγϣϯΤϯδχΞ
ςοΫϦʔυ
Slide 3
Slide 3 text
͢͜ͱ
• ͯͳϒϩάͷৗ࣌HTTPS৴ͷٕज़తͳৄࡉ
• ূ໌ॻͷಈతಡΈࠐΈ
• ূ໌ॻͷࣗಈߋ৽
• ͓ΑͼϓϩδΣΫτͷਐΊํ
Slide 4
Slide 4 text
എܠ
• ͯͳϒϩάͰɺͯͳఏڙυϝΠϯͷ
͍ͣΕ͔͔Βબ·͢
• *.hatenablog.com, *.hatenadiary.jp, etc.
• ͞ΒʹɺͯͳϒϩάPro (༗ྉΦϓγϣϯ) ʹਃ͠ࠐΉͱ
ಠࣗυϝΠϯ͕͑·͢
• ಠࣗυϝΠϯͰৗ࣌HTTPS৴Λ࣮ݱ͍ͨ͠
Slide 5
Slide 5 text
Let's Encrypt
• https://letsencrypt.org/
• ISRG = Internet Security Research Group͕ఏڙ͢Δ
ϓϩάϥϚϒϧʹΞΫηεՄೳͳೝূہ (CA)
• ෆಛఆଟͷυϝΠϯʹର͢Δ
ূ໌ॻൃߦͷࣗಈԽ͕Մೳʹͳͬͨ
Slide 6
Slide 6 text
Let's Encrypt
• ಠࣗυϝΠϯͷৗ࣌HTTPS৴ʹ͔ܽͤͳ͍ଘࡏɺવ
ར༻͠·͢
• Let's EncryptΛར༻͢Δاۀͱͯ͠ɺ
·ͨܝ͛Δࢥʹڞײ͢ΔWebαʔϏεࣄۀऀͱͯ͠ɺ
ͯͳLet's EncryptʹدΛ͠·͢
Slide 7
Slide 7 text
ಠࣗυϝΠϯͱূ໌ॻ
• DONE: ͯͳఏڙυϝΠϯ (*.hatenablog.com, etc.)
• ͕Ε͍ͯΔͷͰূ໌ॻ1ͭͷஔͰࡁΉ
• SAN (= Subject Alternative Names) Λ͏
• ϫΠϧυΧʔυূ໌ॻΛ͏
Slide 8
Slide 8 text
ಠࣗυϝΠϯͱূ໌ॻ
• ಠࣗυϝΠϯ
• ͕ଟ͍ͷͰূ໌ॻͷൃߦಡΈࠐΈେม
• LE = Let's Encryptূ໌ॻ͋ͨΓ
100υϝΠϯͷ੍͕͋Δ
• ҰʹಡΈࠐΉͱproxyͷϝϞϦ༻ྔ͕ਹΉ
Slide 9
Slide 9 text
ΰʔϧ(1): ূ໌ॻͷಡΈࠐΈ
• ؆୯ͷͨΊূ໌ॻ1υϝΠϯ1ͭɺSANΘͳ͍
• ΦϯσϚϯυͰಡΈࠐΜͰϝϞϦઅ
• ϘτϧωοΫʹͳΓ͏ΔͷͰ
ϥϯυτϦοϓɺϨΠςϯγΛ͍͑ͨ
Slide 10
Slide 10 text
ΰʔϧ (2): ఆظߋ৽
• ϦΞϧλΠϜੑ͍
• ظݶΛܴ͑Δ·ͰͷҙͷλΠϛϯάͰ
࣮ߦ͢ΕΑ͍
• ҰํɺσʔλҰ؏ੑʹର͢Δཁٻ͕ߴ͍
• ࣦഊ͢ΔͳͲߋ৽࿙Ε͕͋Δͱ·͍ͣ
• ֎෦API (LE) Λར༻͢ΔͨΊࣦഊՄೳੑ͕ߴ͍
→దͳϦτϥΠॲཧ͕ඞཁ
Slide 11
Slide 11 text
γεςϜͷߏ
Slide 12
Slide 12 text
cert-dispatcher
cert-cache-gw
cert-updater-state
cert-updater-function
cert-update-notifier
cert-update-trigger
Let's Encrypt
cert-store
cert-cache cert-lifecycle-store
User
Blog
HTTP
ssl_handshake_handler
HTTP
Get/Set
Get
HTTP
HTTP
࣮ߦ
࣮ߦ ࣮ߦ
UpdateItem
UpdateItem
TTL trigger
࣮ߦ
ূ໌ॻൃߦ
Slide 13
Slide 13 text
ূ໌ॻͷಡΈࠐΈ
Slide 14
Slide 14 text
cert-dispatcher
cert-cache-gw
cert-updater-state
cert-updater-function
cert-update-notifier
cert-update-trigger
Let's Encrypt
cert-store
cert-cache cert-lifecycle-store
User
Blog
HTTPS
ssl_handshake_handler
HTTP
Get/Set
Get
HTTP
HTTP
࣮ߦ
࣮ߦ ࣮ߦ
UpdateItem
UpdateItem
TTL trigger
࣮ߦ
ূ໌ॻൃߦ
Slide 15
Slide 15 text
cert-dispatcher
cert-cache-gw
cert-updater-state
cert-updater-function
cert-update-notifier
cert-update-trigger
Let's Encrypt
cert-store
cert-cache cert-lifecycle-store
User
Blog
HTTP
ssl_handshake_handler
HTTP
Get/Set
Get
HTTP
HTTP
࣮ߦ
࣮ߦ ࣮ߦ
UpdateItem
UpdateItem
TTL trigger
࣮ߦ
ূ໌ॻൃߦ
Slide 16
Slide 16 text
cert-dispatcher
cert-cache-gw
cert-updater-state
cert-updater-function
cert-update-notifier
cert-update-trigger
Let's Encrypt
cert-store
cert-cache cert-lifecycle-store
User
Blog
HTTP
ssl_handshake_handler
HTTP
Get/Set
Get
HTTP
HTTP
࣮ߦ
࣮ߦ ࣮ߦ
UpdateItem
UpdateItem
TTL trigger
࣮ߦ
ূ໌ॻൃߦ
Slide 17
Slide 17 text
ূ໌ॻͷಈతಡΈࠐΈ
• cert-dispatcher: ngx_mruby
• TLS handshake࣌ʹϋϯυϥ͕ݺΕΔ
• cert-cache-gwʹHTTP GETͯ͠ূ໌ॻΛऔಘ͢Δ
• cert-cache-gw: GoͰॻ͍ͨHTTP API
• υϝΠϯʹରԠ͢Δূ໌ॻΛcert-store (DynamoDB) ͔
Βऔಘͯ͠ฦ͢
• cert-cache (memcached) ʹอଘ͢Δ
Slide 18
Slide 18 text
ূ໌ॻͷऔಘ
Slide 19
Slide 19 text
cert-dispatcher
cert-cache-gw
cert-updater-state
cert-updater-function
cert-update-notifier
cert-update-trigger
Let's Encrypt
cert-store
cert-cache cert-lifecycle-store
User
Blog
HTTP
ssl_handshake_handler
HTTP
Get/Set
Get
HTTP
HTTP
࣮ߦ
࣮ߦ ࣮ߦ
UpdateItem
UpdateItem
TTL trigger
࣮ߦ
ূ໌ॻൃߦ
Slide 20
Slide 20 text
cert-dispatcher
cert-cache-gw
cert-updater-state
cert-updater-function
cert-update-notifier
cert-update-trigger
Let's Encrypt
cert-store
cert-cache cert-lifecycle-store
User
Blog
HTTP
ssl_handshake_handler
HTTP
Get/Set
Get
HTTP
HTTP
࣮ߦ
࣮ߦ ࣮ߦ
UpdateItem
UpdateItem
TTL trigger
࣮ߦ
ূ໌ॻൃߦ
Slide 21
Slide 21 text
cert-dispatcher
cert-cache-gw
cert-updater-state
cert-updater-function
cert-update-notifier
cert-update-trigger
Let's Encrypt
cert-store
cert-cache cert-lifecycle-store
User
Blog
HTTP
ssl_handshake_handler
HTTP
Get/Set
Get
HTTP
HTTP
࣮ߦ
࣮ߦ ࣮ߦ
UpdateItem
UpdateItem
TTL trigger
࣮ߦ
ূ໌ॻൃߦ
Slide 22
Slide 22 text
cert-dispatcher
cert-cache-gw
cert-updater-state
cert-updater-function
cert-update-notifier
cert-update-trigger
Let's Encrypt
cert-store
cert-cache cert-lifecycle-store
User
Blog
HTTP
ssl_handshake_handler
HTTP
Get/Set
Get
HTTP
HTTP
࣮ߦ
࣮ߦ ࣮ߦ
UpdateItem
UpdateItem
TTL trigger
࣮ߦ
ূ໌ॻൃߦ
Slide 23
Slide 23 text
cert-dispatcher
cert-cache-gw
cert-updater-state
cert-updater-function
cert-update-notifier
cert-update-trigger
Let's Encrypt
cert-store
cert-cache cert-lifecycle-store
User
Blog
HTTP
ssl_handshake_handler
HTTP
Get/Set
Get
HTTP
HTTP
࣮ߦ
࣮ߦ ࣮ߦ
UpdateItem
UpdateItem
TTL trigger
࣮ߦ
ূ໌ॻൃߦ
Slide 24
Slide 24 text
cert-dispatcher
cert-cache-gw
cert-updater-state
cert-updater-function
cert-update-notifier
cert-update-trigger
Let's Encrypt
cert-store
cert-cache cert-lifecycle-store
User
Blog
HTTP
ssl_handshake_handler
HTTP
Get/Set
Get
HTTP
HTTP
࣮ߦ
࣮ߦ ࣮ߦ
UpdateItem
UpdateItem
TTL trigger
࣮ߦ
ূ໌ॻൃߦ
Slide 25
Slide 25 text
ূ໌ॻͷൃߦ
• cert-updater-state: AWS Step Functions
• JSONͰεςʔτϚγϯΛ࣮ߦͯ͘͠ΕΔαʔϏε
• ॊೈͳϦτϥΠॲཧঢ়ଶભҠΛཧͰ͖Δ
• cert-updater-function: AWS Lambda
• LEͱ௨৴͠ূ໌ॻΛऔಘ͢Δ
• ൃߦͨ͠ূ໌ॻDynamoDBʹॻ͖ࠐΉ
• cert-update-notifier: AWS Lambda
• ূ໌ॻͷൃߦঢ়گΛͯͳϒϩάຊମʹ͑Δ
Slide 26
Slide 26 text
ূ໌ॻͷఆظߋ৽
Slide 27
Slide 27 text
cert-dispatcher
cert-cache-gw
cert-updater-state
cert-updater-function
cert-update-notifier
cert-update-trigger
Let's Encrypt
cert-store
cert-cache cert-lifecycle-store
User
Blog
HTTP
ssl_handshake_handler
HTTP
Get/Set
Get
HTTP
HTTP
࣮ߦ
࣮ߦ ࣮ߦ
UpdateItem
UpdateItem
TTL trigger
࣮ߦ
ূ໌ॻൃߦ
Slide 28
Slide 28 text
cert-dispatcher
cert-cache-gw
cert-updater-state
cert-updater-function
cert-update-notifier
cert-update-trigger
Let's Encrypt
cert-store
cert-cache cert-lifecycle-store
User
Blog
HTTP
ssl_handshake_handler
HTTP
Get/Set
Get
HTTP
HTTP
࣮ߦ
࣮ߦ ࣮ߦ
UpdateItem
UpdateItem
TTL trigger
࣮ߦ
ূ໌ॻൃߦ
Slide 29
Slide 29 text
ূ໌ॻͷఆظߋ৽
• cert-lifecycle-store: DynamoDB
• ূ໌ॻͷऔಘ࣌ʹ͜ͷςʔϒϧʹॻ͖ࠐΉ
• TTL triggerΛൃߦ͠ɺcert-update-triggerΛىಈ͢Δ
• cert-update-trigger: AWS Lambda
• TTL͕Εͯআ͞ΕͨΞΠςϜΛड͚औΔ
• cert-updater-stateΛ࣮ߦ͠ɺূ໌ॻऔಘϑϩʔΛ։࢝
Slide 30
Slide 30 text
DynamoDB TTL
Slide 31
Slide 31 text
cert-lifecycle-store
(DynamoDB)
Domain: ex1.example.com
ExpiresAt: 2018-05-23T02:00:00
Domain: ex2.example.com
ExpiresAt: 2018-05-23T03:00:00
Domain: ex2.example.com
ExpiresAt: 2018-05-23T04:00:00
Domain: ex2.example.com
ExpiresAt: 2018-05-23T05:00:00
Slide 32
Slide 32 text
cert-lifecycle-store
(DynamoDB)
Domain: ex2.example.com
ExpiresAt: 2018-05-23T03:00:00
Domain: ex2.example.com
ExpiresAt: 2018-05-23T04:00:00
Domain: ex2.example.com
ExpiresAt: 2018-05-23T05:00:00
Slide 33
Slide 33 text
cert-lifecycle-store
(DynamoDB)
Domain: ex2.example.com
ExpiresAt: 2018-05-23T04:00:00
Domain: ex2.example.com
ExpiresAt: 2018-05-23T05:00:00
Slide 34
Slide 34 text
cert-lifecycle-store
(DynamoDB)
Domain: ex2.example.com
ExpiresAt: 2018-05-23T05:00:00
Slide 35
Slide 35 text
ͳͥAWS͔
• ෳࡶ͔ͭߴͳόονΛߏஙʹඞཁͳαʔϏε͕
ἧ͍ͬͯΔ͔Β
• ෳࡶ: ূ໌ॻͷऔಘɾ݁Ռͷ௨ͳͲෳεςοϓ͔Β
ͳΔ
• ߴ: ࢄΞϓϦέʔγϣϯʹؔΘΒͣ
σʔλͷҰ؏ੑ͕ߴ͍ϨϕϧͰٻΊΒΕΔ
• = Lambda, Step Functions, etc.
Slide 36
Slide 36 text
Step Functions࠷ߴ
• ग़ྗ༰ʹԠͯ͡ঢ়ଶભҠΛذͰ͖Δ
• άϥϑΟΧϧʹग़ྗͯ͘͠ΕΔ (͍͢͝!)
• Τϥʔग़ྗ༰ʹԠ্ͨ͡ݶ͖ϦτϥΠॲཧ
• ΊͪΌͪ͘Ό͔ͬ͜Α͘ͳ͍Ͱ͔͢?
Slide 37
Slide 37 text
No content
Slide 38
Slide 38 text
No content
Slide 39
Slide 39 text
Go
• Lambda functionͯ͢Go, cert-cache-gwGo
• ίϯύΠϥʹΑΔܕݕࠪͰ҆৺
• ೖग़ྗͷܕΛLambda functionؒͰڞ༗Ͱ͖ɺ
ᴥᴪ͕ੜͨ͡ΒίϯύΠϧΤϥʔʹͳΔ
• ΤίγεςϜ͕ख़͍ͯ͠Δ
• ΫϩείϯύΠϧ
• ςετϥϯφʔɺςετϑϨʔϜϫʔΫ
Slide 40
Slide 40 text
ϓϩδΣΫτͷਐΊํ
• ΞʔΩςΫνϟΛݕ౼
• AWSΛۦͨ࣍͠ੈTSDBͷઃܭʹؔΘͬͨ
id:y_uukiʹڠྗͯ͠Βͬͨ
• http://blog.yuuk.io/entry/the-rebuild-of-tsdb-on-cloud
• ϓϩτλΠϐϯά (1िؒ)
• ࣮ࡍʹखΛಈ͔͢͜ͱͰෆ໌ྎͩͬͨͷݟੵΓ͕ਖ਼֬ʹͳͬͨ
• (LambdaͷσϓϩΠͳͲ)
• GoॳֶऀͩͬͨϝϯόʔצΛ௫Ίͯɺຊ࣮ͰఆҎ্ʹ
ϕϩγςΟ͕҆ఆͨ͠
Slide 41
Slide 41 text
ϓϩδΣΫτͷਐΊํ
• ·ͣূ໌ॻಡΈࠐΈ෦ (cert-loader) Λ։ൃ
• ͜ͷ࣌Ͱ·ͩূ໌ॻΛऔಘ͠ͳ͍ͷͰɺӨڹͳ
͍
• ࣍ʹূ໌ॻऔಘ෦ (cert-updater) Λ։ൃ
• ͜ͷ෦ΛϦϦʔε͢Δ͜ͱͰ͡Ίͯ
ಠࣗυϝΠϯͰHTTPS৴͕ར༻ՄೳʹͳΔ
Slide 42
Slide 42 text
ϓϩδΣΫτͷਐΊํ
• ϦϦʔε୯ҐͷCQS = ίϚϯυΫΤϦׂ͕ͳ͞Εͨ
• command: cert-updater
• query: cert-loader
• CQS = Command-query Separation:
• มߋܥ (command) ͱಡऔܥ (query) Λ
ׂ͢ΔΞʔΩςΫνϟ
• େ͖ͳϦϦʔεͰ͋Δ͕ɺগͣͭ͠ग़͍ͯ͘͠ͱ͍͏
ීஈͷελΠϧΛऔΓೖΕΒΕ͍ͯΔ
Slide 43
Slide 43 text
·ͱΊ
• ͯͳϒϩάͷৗ࣌HTTPS৴ͷཪଆΛ͝հ͠·ͨ͠
• ։ൃॱௐͰɺࠂ௨ΓͷεέδϡʔϧͰ
ఏڙ։࢝Ͱ͖ΔݟࠐΈͰ͢
• ࣮Perl͚ͩ͡Όͳ͍͠ɺAWS׆༻͍ͯ͠·͢!
Slide 44
Slide 44 text
એ: αϚʔΠϯλʔϯ2018
• http://developer.hatenastaff.com/entry/intern-
preentry-2018
• ࠓΓ·͢
• લߨٛͷݴޠGoͰ͢
Slide 45
Slide 45 text