TakumaKume_kixs_vol002

Takuma Kume
December 02, 2016


Kyushu Infrastructure Exchange Study Group (Kixs) Vol.002
https://kixs.connpass.com/
The need for flexible and lightweight access control in hosting, and its implementation
@takumakume


Transcript

  1. GMO Pepabo Inc. Kyushu Infrastructure Exchange Study Group (Kixs) Vol.002 @ GMO Pepabo Fukuoka branch. The need for flexible and lightweight access control in hosting, and its implementation.

  2. About me: Takuma Kume (@takumakume). After graduating from high school, worked for six years at an Internet service provider, building everything from the network up to the middleware, and as a pre-sales engineer. Joined Pepabo in April 2016; infrastructure engineer for Lolipop!.

  3. Agenda: what flexible and lightweight access control means in hosting; implementing next-generation access control with mruby; summary.

  4. What is flexible and lightweight access control in hosting?

  5. Flexible and lightweight access control

  6. Access control in hosting. By its nature, hosting holds a wide variety of customer content. Some of it becomes abnormally high-load, and some of it becomes the target of DDoS. We believe it must never happen that such a small part of the content stops the large majority of other customers sharing that server from using the web comfortably.

  7. As one solution to this, this session introduces the next-generation access control that Lolipop! uses so that its many customers can use the web comfortably.

  8. Flexible and lightweight access control

  9. Issues with the current access control

  10. Access control methods used so far: per-account traffic control and concurrent-access-count control with mod_cband; per-domain concurrent-access-count control with mod_vhost_maxclients. Each had its issues.

  11. Issues with control using mod_cband. We limited per-account traffic and the concurrent access count: CBandSpeed 10Mb/s 30 30. Enabling mod_cband caused a performance degradation of about 70%, and the control mechanism itself became the bottleneck.

  12. Control using mod_vhost_maxclients. Adopted because mod_cband's performance degradation was too large. It is fast software: the degradation from introducing it is 2%. It limits the concurrent access count per domain as follows:

    <VirtualHost *>
      DocumentRoot /path/to/web
      ServerName hoge.example.jp
      VhostMaxClients 30
    </VirtualHost>

    However, the following pattern caused a problem.
  13. How we use mod_vhost_maxclients. [Diagram: a shared web server hosting hoge.com, y.com and x.com, each under its own mod_vhost_maxclients limit.] We apply a concurrent-connection limit to each domain as a coarse partitioning of resources, so that resource usage does not become markedly skewed.

  14. [Diagram: shared web server with hoge.com, y.com and x.com under mod_vhost_maxclients limits.] Access concentrated on a heavy program and the server became highly loaded.

  15. [Same diagram.] The mod_vhost_maxclients limit needs to be tightened.

  16. [Same diagram.] The limit was tightened: now even lightweight content becomes inaccessible.

  17. [Same diagram.] Even files that never needed to be controlled become inaccessible.

  18. Solution. [Diagram: shared web server with hoge.com, y.com and x.com; control per file on top of mod_vhost_maxclients.]

  19. Solution. [Same diagram.] Per-file control lowers the server load while minimising the impact of the control.

  20. [Chart: resource consumption of one server by hour of day.]

  21. [Chart: resource consumption of one server by hour of day, total versus one specific file.] A specific file receives a large volume of access at specific times.

  22. [Same chart.] Processing of that specific file consumed most of the resources and periodically disrupted service to other customers.

  23. [Same chart, with the solution marked.] Solution: control the high-load file by time of day.
  24. Summary of flexible access control: control access at a finer granularity than today, per file, so that the impact of the control is minimised; and be able to enable access control only at specific times.

  25. Flexible and lightweight access control

  26. The need for lightweight access control. Hosting is offered cheaply by having many customers share one server, and we want to keep offering a comfortable service as cheaply as possible. If the access control mechanism itself becomes a bottleneck, that goal cannot be achieved.

  27. What is flexible and lightweight access control?

  28. Flexible and lightweight access control means: access can be controlled per file; the control can be enabled only during specific time slots; and it causes as little performance degradation as possible. How do we realise it?

  29. An Apache module for per-file access control already exists.

  30. mod_vlimit (https://github.com/matsumoto-r/mod_vlimit) can apply concurrent access control per file or per directory:

    <Files "hoge.php">
      VlimitIP 30 /path/to/hoge.php
    </Files>

    It has per-file access control, but we did not end up adopting it this time.
  31. Why mod_vlimit was not adopted: it has no feature to enable the limit by time of day. Being an Apache module, it is implemented in C. Operational tools need to be changed flexibly as time goes on, and developing in C raises the effort and limits who can develop it.

  32. So how do we realise it?

  33. "mruby" can solve it.

  34. mruby is developed by "Matz", the father of Ruby. It is a low-memory Ruby implementation for embedding. Even people who are not comfortable with C can do embedded development in Ruby by using mruby.

  35. Software exists that enables embedded development with mruby in Apache and Nginx.

  36. mod_mruby / ngx_mruby, developed by our company's @matsumotory. mod_mruby is a module for using mruby in Apache; ngx_mruby is an extension for using mruby in nginx. Behaviour that previously could only be realised by implementing a module in C can be implemented right away with mruby, with the performance degradation kept to a minimum.

  37. https://github.com/matsumoto-r/mod_mruby. Performance measurements for static content: mod_mruby -1.5%, ngx_mruby +17.5%.

  38. With mruby, software can be developed without sacrificing extensibility or maintainability, while keeping performance degradation to a minimum.

  39. Implementing next-generation access control with mruby

  40. Software used for the implementation

  41. http-access-limiter, developed by our company's @matsumotory: https://github.com/matsumoto-r/http-access-limiter. It is mruby middleware that counts concurrent connections using any request parameter obtained through mod_mruby or ngx_mruby. The available request parameters include the full path of the accessed file, the client IP address, the URL and so on, so it can be used for many purposes.
  42. How it works. [Diagram: the httpd parent process and its mruby Workers share memory holding a global mutex and a concurrent-connection counter KVS.] Concurrent-connection counter: a Key-Value-Store built on localmemcache that counts concurrent accesses keyed by the request parameter. Global mutex: because every Worker manipulates the counter, it locks on each operation so that no inconsistency occurs. Example entry: KEY /path/to/hoge.php, VALUE 1.
  43. How it works, request phase. [Same diagram.] A request arrives; the Worker locks the mutex; increments the counter keyed by the request parameter (KEY /path/to/hoge.php, VALUE 1); unlocks the mutex.
  44. How it works, content phase. [Same diagram.] The content is processed; the Worker locks the mutex; decrements the counter (KEY /path/to/hoge.php, VALUE 0); unlocks the mutex.
  45. Summary of how it works: when a request arrives, obtain the request parameters via mod_mruby or ngx_mruby; count concurrent connections using the unit you want to control as the key; because multiple Workers manipulate the counter, use the global mutex so that no inconsistency occurs.

  46. Adding features. We want to add to http-access-limiter a per-file maximum concurrent connection setting and a setting for the time slots during which the control is enabled. Because it is written in mruby, features are easy to add!

  47. Feature addition, overview. [Diagram: shared memory now holds the global mutex, the concurrent-connection counter KVS and a control-condition KVS.] Control conditions: a Key-Value-Store built on localmemcache, keyed by the file's full path, holding the maximum concurrent connections and the time slots during which the limit is enabled.
  48. Limit condition data. KEY: /path/to/hoge.php. VALUE:

    {
      "max_clients" : 30,   # maximum concurrent connections
      "time_slots" : [      # time slots during which the limit is enabled
        { "begin" : 1200, "end" : 1800 },
        { "begin" : 2100, "end" : 2200 }
      ]
    }

    Between each `begin` and `end`, the maximum number of connections to `/path/to/hoge.php` is limited to `max_clients`.
  49. How it works after the feature addition. [Same diagram, with the control-condition KVS.] A request arrives; the Worker looks up the control condition (if none exists, processing ends here); locks the mutex; increments the counter keyed by the file's full path; and if the limit is within an enabled time slot and the concurrent connection limit is exceeded, returns an error.
  50. Usage: httpd.conf

    LoadModule mruby_module modules/mod_mruby.so
    <IfModule mod_mruby.c>
      # Hooked when the Apache process starts.
      # Defines the http-access-limiter classes so that the Workers started afterwards can reference them.
      mrubyPostConfigMiddle /etc/httpd/conf.d/access_limiter/access_limiter_init.rb cache
      <FilesMatch ^.*\.php$>
        # Hooked when an access occurs.
        # Increments the concurrent-connection counter, and describes the action to take
        # when the maximum concurrent connections is exceeded, such as returning a 503 error.
        mrubyAccessCheckerMiddle /etc/httpd/conf.d/access_limiter/access_limiter.rb cache
        # Hooked when content processing has finished.
        # Decrements the concurrent-connection counter.
        mrubyLogTransactionMiddle /etc/httpd/conf.d/access_limiter/access_limiter_end.rb cache
      </FilesMatch>
    </IfModule>
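As an added example that is not http-access-limiter's own code, the plain Ruby below models the flow of slides 49 and 50 (condition lookup, locked increment in the access-checker hook, decrement in the log-transaction hook) against the limit condition data of slide 48. A process-local Mutex and Hash stand in for the localmemcache KVS and global mutex, and a slot is assumed active for begin <= hhmm < end; both are assumptions of this example.

```ruby
require "json"

# Added example (not http-access-limiter's own code): a plain-Ruby model of the
# per-file limit described on the slides. Assumptions: one process-local Mutex
# and Hash stand in for the localmemcache KVS plus global mutex, the limit
# condition JSON is the format shown on slide 48, and a slot is active for
# begin <= hhmm < end.
LIMIT_CONDITIONS = JSON.parse(<<~JSON)
  {"/path/to/hoge.php": {"max_clients": 30,
                         "time_slots": [{"begin": 1200, "end": 1800},
                                        {"begin": 2100, "end": 2200}]}}
JSON

class AccessLimiter
  def initialize(conditions)
    @conditions = conditions
    @counter = Hash.new(0) # counter KVS: full path => current concurrent requests
    @mutex = Mutex.new     # global mutex: every counter update happens under it
  end

  # true when the clock value hhmm (e.g. 1530) falls inside a configured slot
  def limit_active?(path, hhmm)
    cond = @conditions[path]
    return false unless cond
    cond["time_slots"].any? { |s| hhmm >= s["begin"] && hhmm < s["end"] }
  end

  # AccessChecker hook: files without a condition pass through untouched.
  # Otherwise increment under lock and deny (the 503 case) when the slot is
  # active and the count exceeds max_clients.
  def check(path, hhmm)
    cond = @conditions[path]
    return :allow unless cond
    count = @mutex.synchronize { @counter[path] += 1 }
    if limit_active?(path, hhmm) && count > cond["max_clients"]
      release(path) # a denied request serves no content, so it must not stay counted
      return :deny
    end
    :allow
  end

  # LogTransaction hook: decrement under lock after the content has been served
  def release(path)
    @mutex.synchronize { @counter[path] -= 1 if @counter[path] > 0 }
  end

  def current(path)
    @counter[path]
  end
end
```

Outside the configured slots the counter is still maintained, but the 31st request is allowed; inside a slot it is denied, which is the time-of-day behaviour slides 23 and 28 ask for.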
  51. What about performance?

  52. Performance degradation from introducing it: about 3%

  53. Performance test results, measured with ab: 100,000 requests at 100 concurrency, on 24 CPU cores and 32 GB RAM.

    Access to WordPress
      Test pattern                                   Degradation
      httpd                                          0%
      httpd + http-access-limiter                    3%
      httpd + http-access-limiter (limited target)   5%

    Access to phpinfo()
      Test pattern                                   Degradation
      httpd                                          0%
      httpd + http-access-limiter                    3%
      httpd + http-access-limiter (limited target)   30%
  54. Observations on the test results. The performance degradation from introducing access-limiter is 3%, so it is fast. For WordPress, which uses a DB, the application's own processing is the dominant overhead, and the overhead of adding access-limiter is within the margin of error. For a lightweight request such as phpinfo(), a performance degradation of about 30% occurred when it was the limited target.

  55. Summary

  56. Summary. Because hosting runs on shared servers, access control is necessary so that more people can use them cheaply and comfortably. We made the unit of access control finer, minimised the impact of the control, and realised appropriate access control. As the means, we used mruby, which balances maintainability, extensibility and performance well.