Slide 1

Slide 1 text

HTTP/2 on AMEBA OWND. Speaker: த઒ ෢ݑ

Slide 2

Slide 2 text

Self-introduction ➤ New-graduate engineer, class of 2016 ➤ On Ameba Ownd since June ➤ In charge of the server side ➤ Developing in Go ➤ Infrastructure, incident response ➤ Handle: Tomato ➤ TDD: Tomato-Driven Development

Slide 3

Slide 3 text

Workplace

Slide 4

Slide 4 text

What this talk covers ➤ A short explanation of HTTP/2 ➤ ELB and the Proxy Protocol ➤ ALPN support (Chrome 51+): nginx 1.10.1 + openssl 1.0.2h

Slide 5

Slide 5 text

HTTP/2

Slide 6

Slide 6 text

HTTP/2 ➤ HTTP/1.1 is a text-based (ASCII) protocol ➤ Friendly to humans, but cumbersome for computers ➤ Binary data has to be turned into text, e.g. with Base64 encoding ➤ HTTP/2 is a binary protocol ➤ Easy to parse and friendly to computers (hard on humans) ➤ Header compression works well (HPACK)

Slide 7

Slide 7 text

HTTP/2 ➤ Up to HTTP/1.1, parallel requests and downloads were achieved by opening more TCP connections ➤ From HTTP/2 on, requests are multiplexed over a single TCP connection
(Diagram: several "HTTP/1.1 / TCP" connections side by side, versus several HTTP/2 streams sharing one TCP connection)

Slide 8

Slide 8 text

HTTP/2 support rate: http://caniuse.com/#search=http2

Slide 9

Slide 9 text

HTTP/2 support on AWS

Slide 10

Slide 10 text

ELB used to have no HTTP/2 support ➤ AWS Elastic Load Balancing ➤ The (older) Classic Load Balancer does not support HTTP/2 ➤ The Application Load Balancer does support HTTP/2!
 → something to consider going forward

Slide 11

Slide 11 text

CLASSIC LOAD BALANCER ➤ To support HTTP/2 the web server on EC2 has to terminate the connection itself, so the only option is to have the ELB load-balance at the TCP level ➤ Because the ELB operates at TCP, a layer above IP, the client's source IP address is rewritten to the ELB's own address

Slide 12

Slide 12 text

PROTOCOL STACK ➤ The protocol stack when connecting over HTTP/2: Ethernet / IP / TCP / TLS / HTTP/2 (h2)

Slide 13

Slide 13 text

PROTOCOL STACK ➤ When the ELB load-balances at TCP, nothing from the layers at or below TCP reaches the backend ➤ The client's source IP address lives in the IP packet header, so it is lost
(Diagram: Ethernet / IP / TCP / TLS / HTTP/2 (h2))

Slide 14

Slide 14 text

WHY X-FORWARDED-FOR CANNOT BE USED ➤ X-Forwarded-For is an HTTP header, so only a load balancer that understands traffic up to HTTP (L7) can handle it ➤ When load-balancing at TCP and terminating TLS on the backend, the TLS payload is encrypted, so the LB can neither read nor write it

Slide 15

Slide 15 text

PROXY PROTOCOL ➤ Passes connection-origin information such as the client IP address through to the backend: http://www.haproxy.org/download/1.7/doc/proxy-protocol.txt

Slide 16

Slide 16 text

PROXY PROTOCOL configuration example (NGINX)

Without the Proxy Protocol (the client address seen is the TCP peer, i.e. the ELB):
    listen 443 ssl http2;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Real-IP $remote_addr;

With the Proxy Protocol (the client address comes from the PROXY header sent by the ELB):
    listen 443 ssl http2 proxy_protocol;
    proxy_set_header X-Forwarded-For $proxy_protocol_addr;
    proxy_set_header X-Real-IP $proxy_protocol_addr;

ELB: http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-proxy-protocol.html
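The nginx configuration above trusts whatever the PROXY header claims, which is only safe when the instance accepts TCP connections solely from the ELB. As an added example that is not from the talk or from Ameba Ownd's code, here is how a Go backend could parse a PROXY protocol v1 header and honour it only when the TCP peer is inside a trusted ELB network (the trusted network is an assumption supplied by the caller):

```go
package main

import (
	"errors"
	"net"
	"strconv"
	"strings"
)

// ProxyInfo is the connection origin carried by a PROXY protocol v1 header.
type ProxyInfo struct {
	SrcIP, DstIP     net.IP
	SrcPort, DstPort int
}

// ParseProxyV1 parses the first line a PROXY-protocol-enabled ELB sends,
// "PROXY TCP4|TCP6 src dst sport dport\r\n" (HAProxy text format, version 1).
func ParseProxyV1(line string) (*ProxyInfo, error) {
	f := strings.Split(strings.TrimSuffix(line, "\r\n"), " ")
	if len(line) > 107 || !strings.HasSuffix(line, "\r\n") || len(f) != 6 ||
		f[0] != "PROXY" || (f[1] != "TCP4" && f[1] != "TCP6") {
		return nil, errors.New("malformed or unsupported PROXY header")
	}
	src, dst := net.ParseIP(f[2]), net.ParseIP(f[3])
	if src == nil || dst == nil || (f[1] == "TCP4" && (src.To4() == nil || dst.To4() == nil)) {
		return nil, errors.New("address does not match declared family")
	}
	sp, e1 := strconv.Atoi(f[4])
	dp, e2 := strconv.Atoi(f[5])
	if e1 != nil || e2 != nil || sp < 0 || sp > 65535 || dp < 0 || dp > 65535 {
		return nil, errors.New("invalid port in PROXY header")
	}
	return &ProxyInfo{SrcIP: src, DstIP: dst, SrcPort: sp, DstPort: dp}, nil
}

// ClientIP picks the address to log and rate-limit on. The PROXY header is
// honoured only when the TCP peer (the ELB) is inside a trusted network, like
// nginx's set_real_ip_from: a direct client cannot forge its origin this way.
func ClientIP(peer net.IP, trusted []*net.IPNet, firstLine string) (net.IP, error) {
	for _, n := range trusted {
		if n.Contains(peer) {
			info, err := ParseProxyV1(firstLine)
			if err != nil {
				return nil, err
			}
			return info.SrcIP, nil
		}
	}
	return peer, nil // untrusted peer: keep the raw TCP source address
}
```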

Slide 17

Slide 17 text

Everything up to this point happened in April

Slide 18

Slide 18 text

June
 Assigned to the team

Slide 19

Slide 19 text

No content

Slide 20

Slide 20 text

No content

Slide 21

Slide 21 text

Google Chrome will not connect over HTTP/2

Slide 22

Slide 22 text

When in trouble, reach for Wireshark

Slide 23

Slide 23 text

No content

Slide 24

Slide 24 text

No content

Slide 25

Slide 25 text

No content

Slide 26

Slide 26 text

No content

Slide 27

Slide 27 text

Cause ➤ Google Chrome attempts protocol negotiation with ALPN ➤ The server (nginx 1.9) attempts negotiation with NPN ➤ Because the two sides use different HTTP/2 negotiation mechanisms, negotiation fails and the connection falls back to HTTP/1.1

Slide 28

Slide 28 text

Background ➤ To connect over HTTP/2, both the client and the server must support HTTP/2
 → that is where protocol negotiation takes place ➤ NPN and ALPN are both mechanisms that extend the TLS handshake to carry that negotiation

Slide 29

Slide 29 text

http://www.slideshare.net/shigeki_ohtsu/tls-http2

Slide 30

Slide 30 text

NPN AND ALPN ➤ NPN was used for SPDY; once HTTP/2 was standardized it was replaced by ALPN ➤ Chrome 51 dropped SPDY support and moved completely to HTTP/2.
 http://blog.chromium.org/2016/02/transitioning-from-spdy-to-http2.html

Slide 31

Slide 31 text

THE FIX ON OWND ➤ nginx 1.9 + openssl 1.0.1: supports NPN only
 → the reason Google Chrome 51 stopped connecting over HTTP/2 ➤ nginx 1.10 + openssl 1.0.2: supports ALPN
 → either use a PPA or upgrade Ubuntu to 16.04 LTS ➤ We went with the PPA (Personal Package Archive)

Slide 32

Slide 32 text

The plan ➤ Add the PPA repository and update nginx and openssl ➤ Write it up in ansible ➤ Verify & deploy. Something this small, three days should be plenty... (famous last words)

Slide 33

Slide 33 text

NGINX WILL NOT UPGRADE ➤ The nginx 1.9 package still owns the conf files, which causes a conflict and nginx 1.10 will not install ➤ An uninstall is required first

Slide 34

Slide 34 text

NGINX DOES NOT START UNLESS ANSIBLE IS RUN TWICE ➤ ansible is a configuration management tool written in Python ➤ Even with ansible, a playbook is not idempotent unless the human writes it correctly

Slide 35

Slide 35 text

UNINSTALLING NGINX 1.9 DELETES THE LOGS ➤ Does not reproduce with nginx 1.10 ➤ On apt remove, the log and cache directories are mercilessly deleted ➤ Worked around by having ansible back up the logs (only the logs) before and after apt remove ➤ This was the main cause of the problem on the previous slide...

Slide 36

Slide 36 text

NGINX CONNECTION COUNT EXPLODES ➤ Hit by the Gun̋sy effect (a traffic spike from being featured) while rolling HTTP/2 out to production ➤ Connection counts rose most on the instances that had been switched to HTTP/2 ➤ For a certain reason, nginx restarted on every instance at once ➤ Users had trouble connecting...

Slide 37

Slide 37 text

Downgrading to isolate the cause ➤ Rolled back to the original nginx version ➤ The second wave of traffic landed, and the date rolled over past midnight

Slide 38

Slide 38 text

We did not make it in time

Slide 39

Slide 39 text

~ Re-verification in progress ~ photo: https://www.flickr.com/photos/paulk/23784089050/

Slide 40

Slide 40 text

Lessons learned ➤ In production, the unexpected happens ➤ Be careful with a service that is already in operation (user impact costs trust) ➤ When you are stuck, read the packets ➤ Understand the protocol ➤ Read and understand code that has no tests (especially) thoroughly
 (ansible playbooks included)

Slide 41

Slide 41 text

Thank you for listening