NGINX Plusͷ͝঺հ ϚΠΫϩαʔϏεͷߴՄ༻ੑ Ingress, αʔϏεϝογϡͷੈքʹ͓͚Δ ϩʔυόϥϯγϯά NGINX ςΫχΧϧ ιϦϡʔγϣϯζ ΞʔΩςΫτ ాล ໜ໵ @stanabe 2018/12/5 

NGINXͷ͝঺հ NGINX Plus ϚΠΫϩαʔϏεͱαʔϏεϝογϡ΁ͷऔΓ૊Έ 1 2 3 ຊ೔ͷ಺༰ NGINX Ingress Controller 4 2 

NGINXͷ͝঺հ 1 

NGINXࣾ • ೥ʹઃཱɺ೥ʹNGINX 1MVTͷॳظϦϦʔε ೥044൛ॳظϦϦʔε • ສҎ্ͷ΢ΣϒαΠτ • ΤϯλʔϓϥΠζιϑτ΢ΣΞۀքͷϦʔμʔͷϕϯνϟʔΩϟϐλϧͷࢧԉ • αϯϑϥϯγείɺϩϯυϯɺίʔΫɺγϯΨϙʔϧɺγυχʔɺϞεΫϫɺ౦ژͷΦϑΟε • ࣾҎ্ͷސ٬ • ਓҎ্ͷैۀһ 4 

NGINX Unit NGINX ͔Βͷ৽͍͠ಈతͳWebͱΞϓϦ έʔγϣϯɾαʔόʔɻΦʔϓϯιʔεɺ ෳ਺ͷݴޠͷαϙʔτɺ͓Αͼಈతͳ REST API ओಋͷߏ੒ɻ NGINX Plus ϩʔυόϥϯαʔɺWebαʔόʔɺίϯςϯ πΩϟογϡΛؚΉ།ҰͷΦʔϧΠϯϫϯι ϦϡʔγϣϯɻίετΛ࡟ݮ͠ͳ͕ΒɺΞʔ ΩςΫνϟΛ؆ૉԽ͠·͢ɻ ੡඼ NGINX Controller NGINX PlusͷͨΊͷूத؂ࢹ͓Αͼ؅ཧɻ ୯Ұͷඒ͍͠ΠϯλʔϑΣΠεΛ࢖༻ͯ͠ɺ Ծ૝ϩʔυόϥϯαʔΛల։͠·͢ɻ NGINX WAF Φʔϓϯιʔεͷ WebΞϓϦέʔγϣϯϑΝ ΠΞ΢Υʔϧ (WAF)SQL ΠϯδΣΫγϣϯɺ LFI
RFI
͓ΑͼͦͷଞͷϨΠϠ7߈ܸΛ๷ ޚ͠·͢ɻ Powered by ModSecurity. 5 

ݱࡏͷΞϓϦͷΠϯϑϥ͸ෳࡶ 6 

NGINXʹΑΓ10ഒ؆ૉԽɾ 80%ίετ࡟ݮ 7 

μΠφϛοΫ ΞϓϦέʔγϣϯ ήʔτ΢ΣΠ 8 

NGINX ΞϓϦέʔγϣϯ ϓϥοτϑΥʔϜ ϨΨγʔͳϞϊϦγοΫ ΞϓϦ͔ΒϞμϯͳϚΠ ΫϩαʔϏε·Ͱ෯޿͘ ରԠ͠ɺσδλϧମݧΛ ։ൃఏڙ͢ΔͨΊͷςΫ ϊϩδʔεΠʔτ ϩʔυόϥϯαʔ API 
αʔϏεϝογϡ 9 

NGINX Plus 2 

ߴੑೳͳΞϓϦέʔγϣϯͷ഑৴ • ৄࡉͰ๛෋ͳϝτϦοΫ • ڧྗͳෛՙ෼ࢄ • ϔϧενΣοΫ • αʔϏεϨδετϦͷ౷߹ • HTTP/HTTPS/H2/gRPC/TCP/UDP ΤϯλʔϓϥΠζαϙʔτ HTTP HTTPS HTTP/2 gRPC TCP UDP consul etcd 12 

NGINX PlusͷμογϡϘʔυ 13 શମ αʔόʔͷঢ়گʢκʔϯʹ෼͚ͯදࣔʣ Ωϟογϡ ڞ༗ϝϞϦʔ NGINX Plusͷ Πϯελϯεຖͷ৘ใ 

NGINX Plus: Upstreamͷಈతมߋ ϩʔυόϥϯεઌ (Upstream) ΛಈతʹมߋՄೳ μογϡϘʔυͷGUIͰ APIͰ 

ϚΠΫϩαʔϏεͱ αʔϏεϝογϡ΁ͷऔΓ૊Έ 3 

NGINX͸ɺ͞·͟·ͳϚΠΫϩ αʔϏεΞʔΩςΫνϟΛαϙʔτ 3. Fabric Model 2. Router Mesh Model 1. Proxy Model 17 

Ҡߦεςοϓ 18 

NGINX Unit 19 • μΠφϛοΫWebɾ ΞϓϦέʔγϣϯαʔόʔ ◦ γϯϓϧɾܰྔ ◦ ଟݴޠʹରԠ: Python, PHP, Go, Perl, Ruby, JavaScript (Node.js), Java(༧ఆ)
ηοτΞοϓɾઃఆͳͲɺಉ༷ͷ؀ڥΛར༻Մೳ ◦ RESTful JSON APIͰͷಈతͳઃఆ ◦ Φʔϓϯιʔε ◦ NGINX PlusϢʔβʔ͸ αϙʔτར༻Մ ◦ NGINXΛαΠυΧʔʹ • Πϯετʔϧ ◦ DockerΠϝʔδɺLinuxύοέʔδɺ ιʔε͔ΒϏϧυ • ઃఆ ◦ APIͰ
# curl -X PUT -d @/path/to/start.json --unix-socket /path/to/control.unit.sock http://localhost/config/ ◦ Dockerfileͷྫ
FROM nginx/unit:1.3-php7.0 RUN mkdir /www COPY index.php /www/index.php COPY conf.json /var/lib/unit/conf.json CMD ["unitd", "--no-daemon", "--control", "unix:/var/run/control.unit.sock"] 

ಈతͳϧʔςΟϯά: αʔϏεͷݕग़ • ͜Μͳͱ͖ʹඞཁ: ◦ ৽͍͠αʔϏε͕௥Ճ͞Εͨ ◦ طଘͷαʔϏεͷΠϯελϯε͕௥Ճ͞Εͨ • ϓϩΩγ͕ߏ੒͞ΕΔτϦΨʔ: ◦ Ansible Roles ◦ Consul templates ◦ DNS A, SRV Ϩίʔυ ◦ AWS Autoscaling άϧʔϓ ◦ Kubernetes (kube-dns) Ingress and Service-to- Service 20 

DNSαʔϏεσΟεΧόϦ ༏ઌ౓ɾ΢ΣΠτ ϙʔτ൪߸ɾϗετ໊ NGINX಺ͷDNSΩϟογϡ༗ޮ࣌ؒ αʔόʔϦετΛDNSͰղܾ UpstreamΛࢀর 21 खಈͰDNSϨίʔυઃఆɺKubernetesͰ͸Headless Service 

࣍ͷεςοϓ: αʔϏεϝογϡͷΦʔέετϨʔγϣϯ • ෼ࢄαʔϏεؒͷ௨৴Λߴ଎ɺߴ৴ པɺ͓ΑͼηΩϡΞʹ͢Δωοτ ϫʔΫ૚ • සൟͳαʔϏεมߋʹରͯ͠΋ɺ ωοτϫʔΫ௨৴ͷ৴པੑΛ֬อ • αʔϏε͸ϝογϡΛҙࣝ͢Δඞཁ ͸ͳ͘ɺσʔλͱίϯτϩʔϧϓ Ϩʔϯͷ੍ޚΛ෼཭ αʔϏεϝογϡ ίϯτϩʔϧϓϨʔϯ ΦʔέετϨʔγϣϯ ϓϥοτϑΥʔϜͷ αʔϏεϝογϡ σʔλϓϨʔϯ 24 

NGINX Controller: ϞχλϦϯά 25 ଟ਺ͷNGINX Plus͔Β౷ܭ৘ใΛू໿ 

NGINX Controller: ઃఆ 26 nginx.conf ͷ֬ೝ nginx.conf ͷมߋ ઃఆͷݕূ NGINXͷίϯτϩʔϧϓϨʔϯͱͯ͠ ·ͣ͸API Gateway͔Β 

NGINX Ingress Controller 4 

NGINX Plus - Kubernetes Ingress Controller NGINX PlusΛೖΓޱͱͯ͠ KubernetesΞϓϦέʔγϣϯΛ࡞੒ : • ߴ౓ͳෛՙ෼ࢄͱSSL/TLS ऴ୺ • WebSocket ͱ HTTP/2 ͷαϙʔτ • ϦΫΤετ͕ΞϓϦέʔγϣϯʹసૹ͞ΕΔ લʹURI ॻ͖׵͑ • ಈతͳ࠶ߏ੒ • Session persistence • JWT authentication • Prometheusͷαϙʔτ • 24x7 αϙʔτ https://github.com/nginxinc/kubernetes-ingress 28 

NGINX Ingress Controller 29 ػೳͳͲ kubernetes/ingress-nginx nginxinc/kubernetes-ingress with NGINX Plus ࡞ऀ Kubernetes ίϛϡχςΟ NGINX Inc ͱίϛϡχςΟ NGINX όʔδϣϯ αʔυύʔςΟϞδϡʔϧΛ ؚΉɺΧελϜNGINXϏϧυ NGINX Plus ঎༻αϙʔτ No ؚΉ ඪ४ Ingress Yes Yes Annotation Yes Yes ConfigMap Yes Yes TCP/UDP ֦ு Yes Yes JWT ݕূ No Yes ֦ுεςʔλε Yes, αʔυύʔςΟϞδϡʔϧ Yes Prometheus Yes Yes ಈతͳઃఆมߋ Yes (Lua֦ுܦ༝) Yes 

GithubϨϙδτϦ 30 • https://github.com/nginxinc/kubernetes-ingress • Docker Πϝʔδ ◦ NGINX (OSS) ͷඪ४Πϝʔδ͋Γ or ΧελϚΠζͯ͠Ϗϧυ ◦ NGINX Plus ͸ূ໌ॻؚΉΠϝʔδΛϏϧυͯ͠ϓϥΠϕʔτϦϙδτϦ΁ ◦ Makefile͸Ϗϧυͯ͠Push·Ͱ • Πϯετʔϧ ◦ KubernetesͷϚχϑΣετɺ·ͨ͸HelmͰ (deployments σΟϨΫτϦ) ◦ ΧελϚΠζαϯϓϧ͸ example σΟϨΫτϦʹ͋Γ • υΩϡϝϯτ ◦ ΠϝʔδͷϏϧυํ๏ɾΧελϚΠζํ๏ ◦ Annotation, ConfigMapͷ࢖͍ํ ◦ ΧελϜAnnotationͷ࢖͍ํ 

ઃఆͷରԠ upstream react-ui { server uin-demo:80; } upstream places { server psn-demo:80; } upstream weather { server wsn-demo:80; } server { listen 80 default_server; server_name "weather-demo.nginxps.com"; location /weather/ { proxy_pass http://weather/; } location /places/ { proxy_pass http://places/; } location / { proxy_pass http://react-ui; } } apiVersion: extensions/v1beta1 kind: Ingress metadata: name: weather-ingress namespace: demo spec: tls: - hosts: - weather-demo.nginxps.com secretName: cafe-secret rules: - host: weather-demo.nginxps.com http: paths: - path: /weather backend: serviceName: weather-service servicePort: 8080 - path: /places backend: serviceName: maps-service servicePort: 8080 - path: / backend: serviceName: poc-ui servicePort: 8080 31 NGINXͷconfϑΝΠϧ IngressͷYAMLϑΝΠϧ 

Annotations apiVersion: extensions/v1beta1 kind: Ingress metadata: name: shapes-ingress annotations: kubernetes.io/ingress.class: "nginx" nginx.org/lb-method: "random" spec: rules: - host: shapes.example.com http: paths: - path: /circles backend: serviceName: circles servicePort: 80 - path: /triangles backend: serviceName: triangles servicePort: 80 33 

Snippets apiVersion: extensions/v1beta1 kind: Ingress metadata: name: shapes-ingress annotations: kubernetes.io/ingress.class: "nginx" nginx.org/lb-method: "random" nginx.org/server-snippets: | location / { return 302 /circles; } spec: rules: - host: shapes.example.com http: paths: . . . 35 

ΧελϜ Annotations apiVersion: extensions/v1beta1 kind: Ingress metadata: name: shapes-ingress annotations: kubernetes.io/ingress.class: "nginx" custom.nginx.org/rate-limiting: "on" custom.nginx.org/rate-limiting-rate: "5r/s" custom.nginx.org/rate-limiting-burst: "1" spec: rules: - host: ”shapes.example.com" http: paths: - path: /circles backend: serviceName: circles servicePort: 80 - path: /triangles backend: serviceName: triangles servicePort: 80 37 

Configੜ੒ํ๏ ํ๏ ίϯςΫετ ؅ཧऀʹͱͬͯ Ϣʔβʔʹͱͬͯ ConfigMap main, http, server, location, upstream ؆୯ N/A Annotations server, location, upstream ؆୯ ؆୯ Snippets - ConfigMap main, http, server, location ΍΍೉͍͠ N/A Snippets - Annotations server, location ΍΍೉͍͠ ΍΍೉͍͠ Custom Template - nginx-plus.tmpl main, http ೉͍͠ N/A Custom Template - nginx-plus.ingress.tmpl http, server, location, upstream ೉͍͠ N/A Custom Annotations http, server, location, upstream ೉͍͠ ؆୯ 38 

ϞχλϦϯά NGINX Plusͷ ϦΞϧλΠϜɾμογϡϘʔυ $ kubectl -n nginx-ingress port-forward 8080:8080 39 

·ͱΊ • ࣗࣾͷWebγεςϜ͕ෳࡶʹͳΓ͍͗ͯ͢Δ ◦ → NGINX Plus! • ϩʔυόϥϯαʔͷϋʔυ΢ΣΞͷߋ৽࣌ظʹདྷ͍ͯΔ ◦ → NGINX Plus! • KubernetesͷIngress Controller΍αʔϏεؒ௨৴Λݕূத ◦ → NGINX Plus! ϑϦʔτϥΠΞϧ͸ ͪ͜Β͔Β 40 

Thank you! 41