Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Speaker Deck
PRO
Sign in
Sign up
for free
Microservices on Fastly
Ryo yasuda
October 17, 2017
40
18k
Microservices on Fastly
Ryo yasuda
October 17, 2017
Tweet
Share
More Decks by Ryo yasuda
See All by Ryo yasuda
ryysd
1
870
ryysd
1
510
ryysd
0
170
Featured
See All Featured
notwaldorf
16
1.8k
lara
172
9.6k
lara
15
2.7k
davidbonilla
70
3.6k
jcasabona
8
550
brianwarren
82
4.7k
jensimmons
207
10k
jakevdp
775
200k
sferik
610
55k
bryan
31
3.4k
thoeni
3
610
hursman
106
9.3k
Transcript
Microservices on Fastly ຊܦࡁ৽ฉࣾ ҆ా ཽ 'BTUMZ :BNBHPZB .FFUVQ
ࣗݾհ ҆ా ཽ (ͩ͢ Γΐ͏) 2015: NTTݚڀॴ ೖࣾ - ίϯςφܕԾԽٕज़ؔ࿈ͷݚڀΛ͢Δ༧ఆͩͬͨ
2016: ຊܦࡁ৽ฉࣾ ೖࣾ - ܦిࢠ൛ϦχϡʔΞϧ൛ ։ൃϝϯόʔ - ϑϩϯτΤϯυɾόοΫΤϯυɾAWSɾFastlyͷઃఆॾʑ୲
ܦిࢠ൛ ຖ900ຊͷهࣄΛ৴ ༗ྉձһ54ສਓҎ্ɾແྉձһ300ສਓҎ্ ݄ؒ3ԯΞΫηε
ܦిࢠ൛ ϦχϡʔΞϧ ϓϩδΣΫτ (Next Nikkei) UI/UXվળ (PWAԽɾϨεϙϯγϒԽ) Խ FastlyɾMicroservicesΞʔΩςΫνϟͷར༻
Microservicesͱ Auth Service DB Service Ranking Service Search Service web
iOS App γεςϜΛෳͷখ͞ͳαʔϏεͷू߹Ͱߏ͢ΔΞʔΩςΫνϟ API
Microservicesͱ ServiceA ServiceB ServiceC ServiceD Service Registry ֤αʔϏεͷใཧϔϧενΣοΫ ϦΫΤετઌαʔϏεͷใऔಘ ϦΫΤετͷૹ৴
αʔϏεؒΛܨ͙ͨΊʹɺService RegistryͳͲΛ༻͍Δ
FastlyΛͬͨMicroservices ServiceB ServiceC ɾFastlyͰService RegistryΛ༻ ɾશϦΫΤετ͕Fastlyܦ༝ ɾFastly͕ϦΫΤετΛϧʔςΟϯά ServiceA ServiceC
Ωϟογϡͷू ServiceB ServiceC ServiceD ɾΩϟογϡ͕'BTUMZʹूͰ͖Δ Ωϟογϡ ServiceA
Ωϟογϡͷू ServiceB ServiceC ServiceD ɾΩϟογϡ͕'BTUMZʹूͰ͖Δ ෳͷαʔϏεɾϨΠϠʹࢄ͠ͳ͍ Ωϟογϡ ServiceA
Ωϟογϡͷू ServiceB ServiceC ServiceD ɾΩϟογϡ͕'BTUMZʹूͰ͖Δ ෳͷαʔϏεɾϨΠϠʹࢄ͠ͳ͍ QVSHF͢Δ͚ͩͰ*OWBMJEBUJPOՄೳ Ωϟογϡ ServiceA
Ωϟογϡͷू ServiceB ServiceC Ωϟογϡ ServiceD ServiceA ɾΩϟογϡ͕'BTUMZʹूͰ͖Δ ෳͷαʔϏεɾϨΠϠʹࢄ͠ͳ͍ QVSHF͢Δ͚ͩͰ*OWBMJEBUJPOՄೳ োൃੜ࣌ʹٴΛ͛Δ
ServiceB͕ࢮΜͰΩϟογϡΛͬͯՔಇ
Ωϟογϡͷू ServiceB ServiceC Ωϟογϡ ServiceD ServiceA ɾΩϟογϡ͕'BTUMZʹूͰ͖Δ ෳͷαʔϏεɾϨΠϠʹࢄ͠ͳ͍ QVSHF͢Δ͚ͩͰ*OWBMJEBUJPOՄೳ োൃੜ࣌ʹٴΛ͛Δ
Next NikkeiͰ·ͩαʔϏε͝ͱʹΩϟογϡΛͬͯ ͠·͍ͬͯΔ࣮͕ଟʑ͋Δ͕…
ϩΪϯάɾϞχλϦϯά ServiceB ServiceC ServiceD ɾϩΪϯά શϦΫΤετͷϞχλϦϯάͰ͖Δ Ωϟογϡ ServiceA ϩΪϯά
ϩΪϯάɾϞχλϦϯά Real Time Log Streaming request url status code response
size taken time cache HIT/MISS ... αʔϏε
ϩΪϯάɾϞχλϦϯά – kibanaͰՄࢹԽ ֤αʔϏεͷΞΫηεྔ Τϥʔ ֤ϦΫΤετͷstatus code ֤αʔϏεͷฏۉϨεϙϯελΠϜ
ϩΪϯάɾϞχλϦϯά - ΩϟογϡώοτՄࢹԽ ֤αʔϏεɾ֤ύεʹର͢ΔΩϟογϡώοτ Ϣʔβछผ͝ͱͷΩϟογϡώοτ (هࣄϖʔδ) ༗ྉձһ ແྉձһ ඇձһ
ϩΪϯάɾϞχλϦϯά – ಠࣗdashboards ֤αʔϏεͷΩϟογϡώοτͳͲΛνΣοΫ
ೝՄ ServiceB ServiceC ServiceD ɾ'BTUMZ্ͰೝՄΛ࣮ ֤αʔϏεʹ࣮͠ͳͯ͘ྑ͍ Ωϟογϡώοτ্͕Δ Ωϟογϡ ೝՄ ServiceA
ϩΪϯά
ೝՄͷඞཁͳίϯςϯπͷΩϟογϡ هࣄϖʔδ /article/123 Cookie: Auth=a124b5... OAuth2ೝূͰಘΒΕͨ JWTτʔΫϯ ϢʔβͷݖݶʹΑͬͯ ίϯςϯπมΘΔ
ೝՄͷඞཁͳίϯςϯπͷΩϟογϡ هࣄϖʔδ /article/123 Cookie: Auth=a124b5… Cache-control: no-cache, no-store Cookie: Auth=a124b5...
OAuth2ೝূͰಘΒΕͨ JWTτʔΫϯ
ೝՄͷඞཁͳίϯςϯπͷΩϟογϡ هࣄϖʔδ /article/123 ϦΫΤετϔομ User-ID: 98765 User-Rank: paid Ϩεϙϯεϔομ Vary:
User-Rank Cookie: Auth=a124b5... ೝূΫοΩʔͷ decodeɾvalidate OAuth2ೝূͰಘΒΕͨ JWTτʔΫϯ
ೝՄͷඞཁͳίϯςϯπͷΩϟογϡ هࣄϖʔδ /article/123 ϦΫΤετϔομ User-ID: 98765 User-Rank: paid Ϩεϙϯεϔομ Vary:
User-Rank Cookie: Auth=a124b5... ೝূΫοΩʔͷ decodeɾvalidate OAuth2ೝূͰಘΒΕͨ JWTτʔΫϯ User-Rank͝ͱʹΩϟογϡ͚ ΔΑ͏CDNʹ໋ྩ
ೝՄͷඞཁͳίϯςϯπͷΩϟογϡώοτ Ϣʔβछผ͝ͱͷهࣄϖʔδΩϟογϡώοτ ϩάΠϯϢʔβʹରͯ͠ΩϟογϡͰ͖ͯΔ ඇձһ ༗ྉձһ ແྉձһ
VCL ࣮ྫ
ϧʔςΟϯά Top Article API Assets /article/123 Path Based Routing
backends.vcl routing.vcl ϧʔςΟϯά - VCL backend article { .host: "article.xx.jp";
.port: 443 .ssl: true } ... if (req.url ~ "/article/.+") { req.backend = article; } ... vclͰαʔϏεΛఆٛ ϧʔςΟϯά༻ͷvcl
[ { "name": "article", "path": "/article/.+", "host": "article.xx.jp", "ssl": true
} … ] services.json backends.vcl routing.vcl શαʔϏεͷఆٛϑΝΠϧ ͲΜͳαʔϏεɺϧʔτ͕͋Δ ͔ͻͱͰΘ͔Δ ϧʔςΟϯά - VCLࣗಈੜ backend article { .host: "article.xx.jp"; .port: 443 .ssl: true } ... if (req.url ~ "/article/.+") { req.backend = article; } ... vclͰαʔϏεΛఆٛ ϧʔςΟϯά༻ͷvcl
μΠφϛοΫϧʔςΟϯά Top Article API Routing-Override: API-> API-dev ϦΫΤετϔομ API-dev ϦΫΤετϔομͰϧʔςΟϯάΛ
ಈతʹมߋ Ұ෦ͷαʔϏεΛ։ൃதͷͷʹ ࠩ͠ସ͑ΒΕΔ
োͷٴΛ͙ if (beresp.http.Cache-Control !~ "(stale-if-error|immutable|private)") { set beresp.stale_if_error = 86400s;
} ϦΫΤετʹࣦഊͯ͠ɺࢦఆ͞ΕͨظؒΩϟογϡΛར༻͢Δ Next NikkeiͰɺstale-if-errorΛࣗಈͰ༩ αʔϏε͕ࢮΜͰɺΩϟογϡ͕͋Ε͠Β͘ίϯςϯπΛฦͤΔ stale-if-error
Fastly্ͰͷೝՄ - VCL ೝূΫοΩʔ(JWTܗࣜ): eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4 gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ ɾΫοΩʔऔಘ: req.http.Cookie:Auth ɾJWTτʔΫϯղ: regsub(req.http.Cookie.Auth,
" (^[^.]+).[^.]+.[^.]+$ ", "$1") ɾBase64σίʔυ: digest.base64_decode ɾJWTγάωνϟݕূ: digest.hmac_sha256_base64() ɾreq.http.Nikkei-Auth-UserID = regsub(var.payload, {"^.*?"uid"¥s*:¥s*"(¥w+)".*?$"}, "¥1");
Fastly্ͰͷೝՄ – VCL if (req.http.Cookie:Auth !~ "(^[^¥.]+)¥.([^¥.]+)¥.([^¥.]+)$") { set req.http.Auth-Valid
= "false"; } set var.base64Header = re.group.1; set var.base64Payload = re.group.2; set var.signature = digest.base64url_decode(re.group.3); set var.validSignature = digest.base64_decode(digest.hmac_sha256_base64(var.jwtSecret, var.base64Header "." var.base64Payload)); set var.payload = digest.base64_decode(var.base64Payload); set var.expires = regsub(var.payload, {"^.*?"exp"¥s*:¥s*(¥d+).*?$"}, "¥1"); # γάωνϟͷਖ਼ੑͱ༗ޮظݶͷ֬ೝ if (var.signature != var.validSignature || time.is_after(now, std.integer2time(std.atoi(var.expires)))) { set req.http.Auth-Valid = "false"; } # payload͔ΒݖݶใͳͲΛநग़ req.http. UserID = regsub(var.payload, {"^.*?"uid"¥s*:¥s*"(¥w+)".*?$"}, "¥1");
ϩΪϯάɾϞχλϦϯά - VCL sub vcl_log { log {"syslog "} req.service_id
{" fastly-log :: "} {" timestamp_us:"} time.start.usec {" host:"} regsuball(req.http.X-Forwarded-Host, {" "}, "") {" upstream_host:"} regsuball(req.http.Host, {" "}, "") {" remote_addr:"} client.ip {" method:"} req.request {" fastly_x_cache:"} req.http.X-Cache {" fastly_x_cache_hits:"} req.http.X-Cache-Hits {" user_id:"} req.http.User-ID {" user_rank:"} req.http.User-Rank; … } LTSVܗࣜͰͷϩάग़ྗྫ
FastlyΛͬͨMicroservices ·ͱΊ ✔ Service Registry͕ෆཁ ✔ Cache͕Fastlyʹू͞ΕInvalidation؆୯ ✔ োൃੜ࣌ʹٴΛ͛Δ ✔
؆୯ͳϞχλϦϯάೝՄ࣮ݱͰ͖Δ ✔ μΠφϛοΫϧʔςΟϯάͰ։ൃָ͕ʹͳΔ
͋Γ͕ͱ͏͍͟͝·ͨ͠