TakumaKume_kixs_vol002

Transcript

1. ٱถ
   ୓അ
   
   (.0
   1FQBCP
   *OD
   
   ۝भΠϯϑϥަྲྀษڧձ
   ,*94
   WPM
   !(.0ϖύϘ෱Ԭࢧࣾ ϗεςΟϯάʹ͓͚Δॊೈ͔ͭܰྔͳΞΫηε੍ޚͷ
   ඞཁੑͱͦͷ࣮૷ 

2. ࣗݾ঺հ ٱถ ୓അ (@takumakume) ߴߍଔۀʙ6೥ؒ ΠϯλʔωοταʔϏεϓϩόΠμͰۈ຿ ωοτϫʔΫʙϛυϧ΢ΣΞͷߏங ϓϦηʔϧεΤϯδχΞ 2016೥4݄͔ΒϖύϘʹೖࣾ ϩϦϙοϓʂͷΠϯϑϥΤϯδχΞ

   

3. ໨࣍ ϗεςΟϯάʹ͓͚Δॊೈ͔ͭܰྔͳΞΫηε੍ޚͱ͸ mrubyΛ༻͍ͨ࣍ੈ୅ΞΫηε੍ޚͷ࣮૷ ·ͱΊ 

4. ϗεςΟϯάʹ͓͚Δॊೈ͔ͭܰྔͳΞΫηε੍ޚ
   ͱ͸ 

5. ॊೈ͔ͭܰྔͳΞΫηε੍ޚ 

6. ϗεςΟϯάʹ͓͚ΔΞΫηε੍ޚ ϗεςΟϯά͸ͦͷಛੑ্ɺ͓٬༷ͷ༷ʑͳίϯςϯπΛ͓ ༬͔Γ͍ͯ͠Δɻ தʹ͸ҟৗʹߴෛՙʹͳΔ΋ͷ΍ɺDDoSͷର৅ʹͳΔίϯς ϯπͳͲ༷ʑͰ͋Δɻ ͔͠͠ɺ͜ͷΑ͏ͳҰ෦ͷίϯςϯπʹΑΓɺͦͷαʔόΛ
   ͝ར༻௖͍͍ͯΔେଟ਺ͷଞͷ͓٬༷͕շదʹ8&#Λར༻Ͱ͖ͳ͘
   ͳͬͯ͠·͏͜ͱ͸ɺ͋ͬͯ͸ͳΒͳ͍ͱզʑ͸ߟ͍͑ͯ·͢ɻ 

7. ຊηογϣϯͰ͸ͦͷղܾखஈͷ̍ͭͱͯ͠ɺ
   ϩϦϙοϓʂͰߦ͍ͬͯΔ
   ଟ͘ͷ͓٬༷ʹ8&#Λշదʹ͝ར༻͍ͨͩͨ͘Ίͷ
   ࣍ੈ୅ΞΫηε੍ޚʹ͍ͭͯ͝঺հ͠·͢ɻ 

8. ॊೈ͔ͭܰྔͳΞΫηε੍ޚ 

9. ݱঢ়ͷΞΫηε੍ޚͷ՝୊ 

10. ͜Ε·Ͱʹར༻ͨ͠ΞΫηε੍ޚखஈ  mod_cbandΛར༻ͨ͠ΞΧ΢ϯτ୯ҐͰͷτϥϑΟοΫ ੍ޚͱಉ࣌ΞΫηε਺੍ޚ mod_vhost_maxclientsΛར༻ͨ͠υϝΠϯ୯ҐͰͷ ಉ࣌ΞΫηε਺੍ޚ ͦΕͧΕ՝୊͕͋ͬͨ

11. NPE@DCBOEΛར༻੍ͨ͠ޚʹΑΔ՝୊  ΞΧ΢ϯτ୯ҐͷτϥϑΟοΫͱಉ࣌ΞΫηε਺੍ݶΛ͍ͯͨ͠ɻ CBandSpeed 10Mb/s 30 30 mod_cbandΛ༗ޮʹ͢Δ͜ͱͰ໿70%ఔ౓ͷύϑΥʔϚϯε ྼԽ͕ੜ͡ɺ੍ޚػߏࣗମ͕ϘτϧωοΫͱͳͬͨɻ

12. NPE@WIPTU@NBYDMJFOUTΛར༻੍ͨ͠ޚ  mod_cbandͷύϑΥʔϚϯεྼԽ͕େ͖͍ͨΊͪ͜ΒΛ࠾༻ɻ ಋೖʹΑΔύϑΥʔϚϯεྼԽ͸2%ͱߴ଎ͳιϑτ΢ΣΞɻ ҎԼͷΑ͏ʹυϝΠϯ୯Ґͷಉ࣌ΞΫηε਺੍ݶΛߦ͏ɻ <VirtualHost *> DocumentRoot /path/to/web ServerName

    hoge.example.jp VhostMaxClients 30 </VirtualHost> ͔͠͠ɺ࣍ͷΑ͏ͳύλʔϯͰ՝୊͕ੜͨ͡ɻ

13. NPE@WIPTU@NBYDMJFOUTΛͲ͏࢖͍ͬͯΔ͔  ڞ༻8&#αʔό IPHFDPN mod_vhost_maxclientsͷ੍ݶ ZDPN YDPN ஶ͘͠Ϧιʔε࢖༻ྔ͕ภΒͳ͍Α͏ʹେ࿮ͷϦιʔε෼ׂͱ ͯ͠ɺ֤υϝΠϯʹಉ࣌઀ଓ਺ͷ੍ݶΛ͔͚͍ͯ·͢ɻ

14.  ڞ༻8&#αʔό IPHFDPN ॲཧͷॏ͍ϓϩάϥϜʹΞΫηε͕ूத͠αʔό͕ߴෛՙͱͳͬͨ mod_vhost_maxclientsͷ੍ݶ ZDPN YDPN

15.  ڞ༻8&#αʔό IPHFDPN mod_vhost_maxclientsͷ੍ݶ ZDPN YDPN NPE@WIPTU@NBYDMJFOUTͷ੍ݶΛڧΊΔඞཁ͕͋Δ

16.  ڞ༻8&#αʔό IPHFDPN ZDPN YDPN ੍ݶΛڧΊͨ ܰྔͳίϯςϯπʹ΋ΞΫηεͰ͖ͳ͘ͳΔ

17.  ڞ༻8&#αʔό IPHFDPN ZDPN YDPN ຊདྷ੍ޚ͞ΕΔඞཁ͕ͳ͍ϑΝΠϧ·Ͱ
    ΞΫηεͰ͖ͳ͘ͳͬͯ͠·͏ɻ

18. ղܾํ๏  ڞ༻8&#αʔό IPHFDPN ZDPN YDPN ϑΝΠϧ୯ҐͰ੍ޚ mod_vhost_maxclients

19. ղܾํ๏  ڞ༻8&#αʔό IPHFDPN ZDPN YDPN ϑΝΠϧ୯ҐͰ੍ޚ mod_vhost_maxclients αʔόͷෛՙΛԼ͛ͭͭɺ੍ޚʹΑΔӨڹΛۃখԽͰ͖Δɻ

20.     ࣌ ࣌ ࣌ ࣌ ࣌ ࣌

    ࣌ ࣌ ࣌ ͋ΔαʔόͷϦιʔεফඅྔ <> 

21.     ࣌ ࣌ ࣌ ࣌ ࣌ ࣌

    ࣌ ࣌ ࣌ શମ ͋ΔαʔόͷϦιʔεফඅྔ <>  ಛఆͷϑΝΠϧ ಛఆͷ࣌ؒʹେྔʹΞΫηε͕͋Δ

22.     ࣌ ࣌ ࣌ ࣌ ࣌ ࣌

    ࣌ ࣌ ࣌ શମ ͋ΔαʔόͷϦιʔεফඅྔ <>  ಛఆͷϑΝΠϧ ಛఆͷϑΝΠϧͷॲཧͰϦιʔεͷ΄ͱΜͲΛফඅ͠
    ఆظతʹଞͷ͓٬༷΁ͷαʔϏεఏڙʹࢧোΛ͖͍ͨͯͨ͠ɻ

23.     ࣌ ࣌ ࣌ ࣌ ࣌ ࣌

    ࣌ ࣌ ࣌ શମ ಛఆͷϑΝΠϧ ղܾํ๏ <>  ෛՙͷߴ͍ϑΝΠϧʹରͯ͠ ࣌ؒࢦఆͰ੍ޚ͢Δ

24. ॊೈͳΞΫηε੍ޚͷ·ͱΊ ݱঢ়ΑΓ΋ࡉ͔͍ɺϑΝΠϧ୯ҐͰΞΫηε੍ޚͰ͖ΔΑ͏ ʹͯ͠ɺ੍ޚʹΑΔӨڹΛۃখԽ͢Δ͜ͱɻ ಛఆͷ࣌ؒͷΈΞΫηε੍ޚΛ༗ޮԽͰ͖Δ͜ͱɻ 

25. ॊೈ͔ͭܰྔͳΞΫηε੍ޚ 

26. ϗεςΟϯάͰ͸1୆ͷαʔόΛଟ͘ͷ͓٬༷ʹ͝ར༻͍ͨͩ͘͜ ͱͰ҆Ձʹఏڙ͍ͯ͠Δɻ ࠓޙ΋Ͱ͖Δ͚ͩ҆ՁʹշదͳαʔϏεΛఏڙ͍ͨ͠ɻ ΞΫηε੍ޚͷػߏ͕ϘτϧωοΫʹͳͬͯ͸ɺͦΕΛୡ੒Ͱ͖ ͳ͘ͳΔɻ ܰྔͳΞΫηε੍ޚͷඞཁੑ 

27. ॊೈ͔ͭܰྔͳΞΫηε੍ޚ
    ͱ͸ 

28. ϑΝΠϧ୯ҐͰΞΫηε੍ޚͰ͖Δ͜ͱɻ ಛఆͷ࣌ؒଳͷΈΞΫηε੍ޚΛ༗ޮԽͰ͖Δ͜ͱɻ ύϑΥʔϚϯεྼԽΛۃྗى͜͞ͳ͍͜ͱɻ ॊೈ͔ͭܰྔͳΞΫηε੍ޚͱ͸  ͲͷΑ͏ʹ࣮ݱ͢Δ͔ʁ

29. ϑΝΠϧ୯ҐͷΞΫηε੍ޚ͸
    طʹ"QBDIFͷϞδϡʔϧ͕ଘࡏ͢Δɻ 

30. NPE@WMJNJU mod_vlimit https://github.com/matsumoto-r/mod_vlimit ϑΝΠϧ΍σΟϨΫτϦ୯ҐͰಉ࣌ΞΫηε੍ޚΛ͢Δ͜ͱ͕Ͱ͖Δɻ <Files "hoge.php"> VlimitIP 30 /path/to/hoge.php </Files>

     ϑΝΠϧ୯ҐͰͷΞΫηε੍ޚΛߦ͏ػೳ͸͋Δ͕ ࠓճ͸ಋೖʹ͸ࢸΒͳ͔ͬͨɻ

31. NPE@WMJNJUΛ࠾༻͠ͳ͔ͬͨཧ༝ ࣌ؒࢦఆͰ੍ݶΛ༗ޮԽͰ͖Δػೳ͕ͳ͍ɻ ApacheͷϞδϡʔϧͳͷͰCݴޠͰ࣮૷͞Ε͍ͯΔɻ ӡ༻ܥͷπʔϧ͸࣌ؒͷܦաʹରͯ͠ॊೈͳมߋ͕ཁ ٻ͞ΕΔɻ CݴޠͰͷ։ൃͱͳΔͱ։ൃ޻਺্͕͕Δɺ։ൃऀ͕ݶ ΒΕΔɻ 

32. Ͱ͸ɺͲͷΑ͏ʹ࣮ݱ͢Δ͔ʁ 

33.  “mruby” ͳΒղܾͰ͖Δɻ

34. NSVCZ Rubyͷύύ͜ͱ “Matz” ͞Μ͕։ൃ͍ͯ͠Δɻ লϝϞϦͷ૊ΈࠐΈ޲͚ͷRuby࣮૷ɻ Cݴޠ͕ۤखͳͻͱͰ΋ɺmrubyΛ࢖͑͹RubyͰ૊ΈࠐΈ ։ൃΛߦ͏ࣄ͕Ͱ͖Δɻ 

35. Apache΍NginxͰmrubyΛ༻͍ͨ૊ΈࠐΈ ։ൃΛ࣮ݱͨ͠ιϑτ΢ΣΞ͕ଘࡏ͢Δ 

36. NPE@NSVCZOHY@NSVCZ ฐࣾͷ@matsumotory͕։ൃ͍ͯ͠Δɻ mod_mruby ApacheͰmrubyΛར༻͢ΔͨΊͷϞδϡʔϧ ngx_mruby nginxͰmrubyΛར༻͢ΔͨΊͷ֦ு࣮૷  CݴޠͰϞδϡʔϧΛ࣮૷͠ͳ͚Ε͹࣮ݱͰ͖ͳ͔ͬͨڍಈΛmruby Λ࢖͙ͬͯ͢ʹ࣮૷Ͱ͖ͯɺ࠷খݶͷύϑΥʔϚϯεྼԽʹཹΊΔ͜ ͱ͕Ͱ͖Διϑτ΢ΣΞɻ

37.  IUUQTHJUIVCDPNNBUTVNPUPSNPE@NSVCZ mod_mruby -1.5% ngx_mruby +17.5% ੩తίϯςϯπʹର͢ΔύϑΥʔϚϯεܭଌ݁Ռ

38. mrubyΛ༻͍Ε͹֦ுੑɺอकੑΛଛͳΘͣ ࠷খݶͷύϑΥʔϚϯεྼԽʹཹΊͯ ιϑτ΢ΣΞΛ։ൃ͢Δ͜ͱ͕Ͱ͖Δɻ 

39. NSVCZΛ༻͍ͨ࣍ੈ୅ΞΫηε੍ޚͷ࣮૷ 

40.  ࣮૷ʹ͋ͨͬͯར༻ͨ͠ιϑτ΢ΣΞ

41. IUUQBDDFTTMJNJUFS ฐࣾͷ @matsumotory ͕։ൃ͍ͯ͠Δɻ https://github.com/matsumoto-r/http-access-limiter mod_mruby΋͘͠͸ngx_mrubyͰऔಘͨ͠೚ҙͷϦΫΤετύϥ ϝʔλΛ༻͍ͯಉ࣌઀ଓ਺ΛΧ΢ϯτ͢Δmruby੡ϛυϧ΢ΣΞ औಘͰ͖ΔϦΫΤετύϥϝʔλʹ͸ΞΫηεઌͷϑΝΠϧͷϑϧ ύεΛ࢝Ίɺ઀ଓݩͷIPΞυϨε΍ɺURLͳͲΛऔಘͰ͖ΔͨΊ ༷ʑͳ༻్Ͱ࢖༻Ͱ͖Δɻ

    

42. ಈ࡞֓ཁ
      ਌ NSVCZ 8PSLFS NSVCZ 8PSLFS NSVCZ IUUQE

    ڞ༗ϝϞϦ global mutex ಉ࣌઀ଓ਺ Χ΢ϯλʔ KVS ಉ࣌઀ଓ਺Χ΢ϯλʔ localmemcacheΛ༻͍ͨ Key-Value-Store Ωʔͱͨ͠ϦΫΤετύϥϝʔ λΛݩʹಉ࣌ΞΫηε਺ΛΧ ΢ϯτ͢Δɻ global mutex ֤Worker͔Βಉ࣌઀ଓ਺Χ ΢ϯλʔΛૢ࡞͢ΔͨΊෆ੔ ߹͕ൃੜ͠ͳ͍Α͏ʹ౎౓ϩο ΫΛߦ͏ɻ KEY /path/to/hoge.php VALUE 1

43. ಈ࡞֓ཁ
      ਌ NSVCZ 8PSLFS NSVCZ 8PSLFS NSVCZ IUUQE

    ڞ༗ϝϞϦ global mutex ಉ࣌઀ଓ਺ Χ΢ϯλʔ KVS 
    ϦΫΤετ 
    ϦΫΤετ 
    NVUFYΛϩοΫ 
    MPDL 
    ϦΫΤετύϥϝʔλΛΩʔ ʹΠϯΫϦϝϯτ 
    ΠϯΫϦϝϯτ KEY /path/to/hoge.php VALUE 1 
    VOMPDL 
    NVUFYΛΞϯϩοΫ

44. ಈ࡞֓ཁ
      ਌ NSVCZ 8PSLFS NSVCZ 8PSLFS NSVCZ IUUQE

    ڞ༗ϝϞϦ global mutex ಉ࣌઀ଓ਺ Χ΢ϯλʔ KVS 
    ίϯςϯπͷॲཧΛߦ͏ 
    NVUFYΛϩοΫ 
    MPDL 
    σΫϦϝϯτ 
    σΫϦϝϯτ 
    VOMPDL 
    NVUFYΛΞϯϩοΫ KEY /path/to/hoge.php VALUE 0 
    ίϯςϯπͷॲཧ

45. ಈ࡞֓ཁͷ·ͱΊ  ϦΫΤετ͕͋ͬͨ࣌ʹɺϦΫΤετύϥϝʔλΛmod_mruby΍ ngx_mrubyΛ༻͍ͯऔಘ͢Δɻ ΞΫηε੍ޚΛ͍ͨ͠୯ҐΛΩʔͱͯ͠ɺಉ࣌઀ଓ਺ΛΧ΢ϯτ͢Δɻ ෳ਺ͷWorker͔ΒΧ΢ϯλʔૢ࡞͢ΔͨΊɺglobal mutexΛ࢖ͬͯ ෆ੔߹͕ى͖ͳ͍Α͏ʹ੍ޚ͢Δɻ

46. ػೳ௥ՃΛ͢Δ http-access-limiterʹϑΝΠϧຖͷ࠷େಉ࣌઀ଓ਺ͷઃఆ ػೳ΍ɺ੍ޚΛ༗ޮԽ͢Δ࣌ؒଳΛઃఆ͢ΔػೳΛ௥Ճͨ͠ ͍ɻ  mrubyͰॻ͔Ε͍ͯΔͨΊ؆୯ʹػೳ௥Ճ͕Ͱ͖Δʂ

47. ػೳ௥ՃΠϝʔδ  ਌ NSVCZ 8PSLFS NSVCZ 8PSLFS NSVCZ IUUQE ڞ༗ϝϞϦ

    global mutex ಉ࣌઀ଓ਺ Χ΢ϯλʔ KVS ੍ޚ৚݅ localmemcacheΛ༻͍ͨ Key-Value-Store ϑΝΠϧͷϑϧύε͕Ωʔ ࠷େಉ࣌઀ଓ਺ ੍ݶΛ༗ޮԽ͢Δ࣌ؒଳ KVS ੍ޚ৚݅

48. ੍ݶ৚݅ͷσʔλ /path/to/hoge.php { "max_clients" : 30, # ࠷େಉ࣌઀ଓ਺ "time_slots" :

    [ # ༗ޮʹ͢Δ࣌ؒଳ { "begin" : 1200, "end" : 1800 }, { "begin" : 2100, "end" : 2200 } ] } KEY VALUE A
    A
    ͷؒ͸
    AQBUIUPIPHFQIQA
    ΁ͷ
    ࠷େ઀ଓ਺Λ
    AA
    ·Ͱʹ੍ݶ͢Δɻ 

49. ػೳ௥Ճޙͷಈ࡞֓ཁ  ਌ NSVCZ 8PSLFS NSVCZ 8PSLFS NSVCZ IUUQE ڞ༗ϝϞϦ

    global mutex ಉ࣌઀ଓ਺ Χ΢ϯλʔ KVS KVS ੍ޚ৚݅ 
    ϦΫΤετ 
    ϦΫΤετ 
    ੍ޚ৚݅
    Λࢀর 
    ੍ޚ৚݅Λࢀর
    ɹɹଘࡏ͠ͳ͚Ε͹ॲཧऴྃ 
    NVUFYΛϩοΫ 
    MPDL 
    ϑΝΠϧͷϑϧύεΛΩʔʹ ΠϯΫϦϝϯτ 
    ΠϯΫϦϝϯτ 
    ΋੍͠ݶ͕༗ޮͳ࣌ؒଳͰಉ ࣌઀ଓ਺੍ݶΛ௒ա͍ͯ͠Ε͹ ΤϥʔΛฦ͢

50. ࢖͍ํ
    IUUQEDPOG LoadModule mruby_module modules/mod_mruby.so <IfModule mod_mruby.c> # Apacheͷϓϩηε͕ىಈͨ࣌͠ʹϑοΫ͞ΕΔ #

    http-access-limiterͷΫϥεΛఆٛɺ࣍ʹىಈ͢ΔWorker͕ࢀরͰ͖ΔΑ͏ʹ͢Δɻ mrubyPostConfigMiddle /etc/httpd/conf.d/access_limiter/access_limiter_init.rb cache <FilesMatch ^.*\.php$> # ΞΫηε͕ൃੜͨ͠ͱ͖ʹϑοΫ͞ΕΔ # ಉ࣌઀ଓ਺Χ΢ϯλΛΠϯΫϦϝϯτ͢Δ # ͞Βʹɺ࠷େಉ࣌઀ଓ਺Λ௒աͨ͠৔߹ʹ503ΤϥʔΛฦ͢ͳͲͷΞΫγϣϯΛهड़͢Δɻ mrubyAccessCheckerMiddle /etc/httpd/conf.d/access_limiter/access_limiter.rb cache # ίϯςϯπͷॲཧ͕ऴΘͬͨͱ͖ʹϑοΫ͞ΕΔ # ಉ࣌઀ଓ਺Χ΢ϯλΛσΫϦϝϯτ͢Δ mrubyLogTransactionMiddle /etc/httpd/conf.d/access_limiter/access_limiter_end.rb cache </FilesMatch> </IfModule> 

51.  ؾʹͳΔύϑΥʔϚϯε

52.  ಋೖʹΑΔύϑΥʔϚϯεྼԽ ໿3ˋ

53. ύϑΥʔϚϯεςετ݁Ռ abΛ࢖ͬͯύϑΥʔϚϯεΛଌఆ͠·ͨ͠ɻ ςετύλʔϯ ྼԽ཰ httpd 0% httpd + http-access-limiter 3%

    httpd + http-access-limiter (੍ݶର৅) 5% WordPress΁ͷΞΫηε 10ສϦΫΤετ100ଟॏ / CPU24ίΞɾRAM32GB ςετύλʔϯ ྼԽ཰ httpd 0% httpd + http-access-limiter 3% httpd + http-access-limiter (੍ݶର৅) 30% phpinfo()΁ͷΞΫηε  ࢀߟࢿྉ

54. ύϑΥʔϚϯεςετ݁Ռʹର͢Δߟ࡯ access-limiterͷಋೖʹੜ͡ΔύϑΥʔϚϯεྼԽ͸3%ͱߴ ଎Ͱ͋Δ͜ͱ͕෼͔ͬͨɻ DBΛ࢖͏WordPressͰ͸ɺΞϓϦέʔγϣϯͷॲཧ͕Φʔό ϔουͱͳͬͯaccess-limiterΛಋೖ͢Δ͜ͱʹΑΔΦʔό ϔου͸ޡࠩఔ౓ͱͳͬͨɻ phpinfo()ͷΑ͏ͳܰྔͳॲཧͷ৔߹ʹɺ੍ݶର৅ͱͨ͠ͱ͖ ʹ3ׂఔ౓ύϑΥʔϚϯεྼԽ͕ੜͨ͡ɻ  ࢀߟࢿྉ

55. ·ͱΊ 

56. ·ͱΊ ϗεςΟϯά͸ڞ༗αʔόͰ͋ΔͷͰɺΑΓଟ͘ͷਓ͕҆Ձ Ͱշదʹ͝ར༻͍ͨͩͨ͘ΊʹΞΫηε੍ޚ͸ඞཁɻ ΞΫηε੍ޚͷ୯ҐΛΑΓࡉ੍͔ͯ͘͠ޚʹΑΔӨڹΛۃখ Խ͠ɺద੾ͳΞΫηε੍ޚΛ࣮ݱͨ͠ɻ ࣮ݱखஈͱͯ͠อकੑɺ֦ுੑɺੑೳͷόϥϯε͕Α͍ mrubyΛ༻͍ͨɻ