AMEBA OWND DE HTTP/2

Transcript

1. AMEBA OWND DE HTTP/2 த઒ ෢ݑ

2. ࣗݾ঺հ ➤ 16 ৽ଔΤϯδχΞ ➤ 6݄͔Β Ameba Ownd ➤ αʔόαΠυΛ୲౰

   ➤ Go ݴޠͰ։ൃ ➤ Πϯϑϥ, ো֐ରԠ ➤ HN: τϚτ ➤ TDD: τϚτۦಈ։ൃ

3. ৬৔

4. ࿩͢͜ͱ ➤ HTTP/2 ͷ؆୯ͳઆ໌ ➤ ELB ͱ Proxy Protocol ➤

   ALPN ରԠ (Chrome 51+) nginx 1.10.1 + openssl 1.0.2h

5. HTTP/2

6. HTTP/2 ➤ HTTP/1.1 ͸ςΩετ(ASCII)ϕʔεͷϓϩτίϧ ➤ ਓؒʹ͸༏͍͕͠ίϯϐϡʔλʹͱͬͯ͸൥ࡶ ➤ όΠφϦΛૹΔࡍ͸ Base64 encoding

   ౳ͰςΩετʹ͢Δ ➤ HTTP/2 ͸όΠφϦϓϩτίϧ ➤ ղੳ͠΍͘͢ίϯϐϡʔλʹ༏͍͠(ਓؒ͸ͭΒ͍) ➤ ϔομѹॖ͕ޮ͘ (HPACK)

7. HTTP/2 ➤ HTTP/1.1 ·Ͱ͸ TCP ίωΫγϣϯΛ૿΍͢͜ͱͰฒྻʹ
 ϦΫΤετΛૹΓɺμ΢ϯϩʔυ͍ͯͨ͠ ➤ HTTP/2 ͔Β͸1ͭͷ

   TCP ίωΫγϣϯͰϦΫΤετଟॏԽ HTTP1.1 / TCP TCP HTTP/2 HTTP/2 HTTP/2 HTTP1.1 / TCP HTTP1.1 / TCP

8. HTTP/2 ରԠ཰ http://caniuse.com/#search=http2

9. AWS Ͱ HTTP/2 ରԠ

10. ͔ͭͯ ELB ͸ HTTP/2 ʹରԠ͍ͯ͠ͳ͔ͬͨ ➤ AWS ͷ Elastic Load

    Balancing ➤ (چདྷͷ) Classic Load Balancer ͸ HTTP/2 ඇରԠ ➤ Application Load Balancer ͸ HTTP/2 ରԠʂ
 →ࠓޙݕ౼͍ͨ͠

11. CLASSIC LOAD BALANCER ➤ HTTP/2 ରԠ͢Δʹ͸ EC2 ্ͷ Web αʔόͰऴ୺ॲཧΛ͢

    Δඞཁ͕༗ΔͨΊɺ ELB Ͱ͸ TCP Ͱϩʔυόϥϯγϯά͢Δ ͔͠ํ๏͸ͳ͍ ➤ IP ΑΓ্ͷϨΠϠͷ TCP Ͱॲཧ͢ΔͨΊ઀ଓݩͷ IP ΞυϨ ε͕ ELB ͷ΋ͷʹॻ͖׵Θͬͯ͠·͏

12. PROTOCOL STACK ➤ HTTP/2 Ͱ઀ଓ͢Δͱ͖ͷ ϓϩτίϧελοΫ Ethernet IP TCP TLS

    HTTP/2 (h2)

13. PROTOCOL STACK ➤ ELB Ͱ TCP ϩʔυόϥϯγ ϯά͢Δͱ TCP ҎԼͷ಺༰

    ͸όοΫΤϯυ΁ಧ͔ͳ͍ ➤ ઀ଓݩͷ IP ΞυϨε͸ IP ύέοτͷϔομʹॻ͔Ε ͍ͯΔͷͰࣦΘΕΔ Ethernet IP TCP TLS HTTP/2 (h2)

14. X-FORWARDED-FOR ͕࢖͑ͳ͍ཧ༝ ➤ X-Forwarded-For ͸ HTTP ϔομͳͷͰɺHTTP (L7) ·Ͱ
 ղऍͰ͖Δ

    LB Ͱͳ͍ͱѻ͑ͳ͍ ➤ TCP Ͱϩʔυόϥϯγϯάͯ͠ TLS ͷऴ୺ॲཧΛόοΫΤϯ υͰߦ͏৔߹ɺ TLS ͷ payload ͸҉߸Խ͞Ε͍ͯΔͷͰಡΈ ॻ͖Ͱ͖ͳ͍

15. PROXY PROTOCOL ➤ όοΫΤϯυʹ IP ΞυϨε౳ͷ઀ଓݩ৘ใΛ఻ୡͰ͖Δ http://www.haproxy.org/download/1.7/doc/proxy-protocol.txt

16. PROXY PROTOCOL ઃఆྫ (NGINX) listen 443 ssl http2; proxy_set_header X-Forwarded-For

    $remote_addr; proxy_set_header X-Real-IP $remote_addr; listen 443 ssl http2 proxy_protocol; proxy_set_header X-Forwarded-For $proxy_protocol_addr; proxy_set_header X-Real-IP $proxy_protocol_addr; ELB: http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-proxy-protocol.html

17. ͜͜·Ͱ4݄ͷ࿩

18. 6݄
 ഑ଐ

19. None
20. None

21. Google Chrome ͔Β HTTP/2 Ͱܨ͕Βͳ͍

22. ࠔͬͨͱ͖͸ Wireshark

23. None
24. None
25. None
26. None

27. ݪҼ ➤ Google Chrome ͸ ALPN ͰϓϩτίϧωΰγΤʔγϣϯΛ
 ࢼΈΔ ➤ αʔό

    (nginx 1.9) ͸ NPN ͰωΰγΤʔγϣϯΛࢼΈΔ ➤ ૒ํͰ HTTP/2 ͷωΰγΤʔγϣϯํ͕ࣜҟͳΔҝɺ
 ωΰγΤʔγϣϯʹࣦഊͯ͠ HTTP/1.1 Ͱܨ͕Δ

28. લఏ஌ࣝ ➤ HTTP/2 Ͱ઀ଓ͢ΔͨΊʹ͸ɺΫϥΠΞϯτͱαʔόͷ྆ํ ͕ HTTP/2 ʹରԠ͍ͯ͠Δඞཁ͕͋Δ
 ˠͦ͜ͰϓϩτίϧͷωΰγΤʔγϣϯ͕ߦΘΕΔ ➤ NPN

    ΋ ALPN ΋ TLS Handshake ύέοτΛ֦ுͯ͠
 ωΰγΤʔγϣϯΛߦ͏ํࣜ

29. http://www.slideshare.net/shigeki_ohtsu/tls-http2

30. NPN ͱ ALPN ➤ SPDY Ͱ࢖ΘΕ͍ͯͨ NPN
 HTTP/2 ੍͕ఆ͞Εͯ ALPN

    Ͱஔ͖׵ΘΔ ➤ Chrome 51 Ͱ SPDY ͷαϙʔτऴྃɻHTTP/2 ׬શҠߦɻ
 http://blog.chromium.org/2016/02/transitioning-from-spdy- to-http2.html

31. OWND ͰͷରԠ ➤ nginx 1.9 + openssl 1.0.1: NPN ʹͷΈରԠ


    ˠ Google Chrome 51 Ͱܨ͕Βͳ͘ͳͬͨݪҼ ➤ nginx 1.10 + openssl 1.0.2: ALPN ʹରԠ
 ˠ PPA Λ࢖͏ or Ubuntu Λ 16.04 LTS ΁ΞοϓάϨʔυ ➤ PPA (Personal Package Archive) Λ࢖͏͜ͱʹͳΓ·ͨ͠

32. ૝ఆ ➤ ppa ͷϦϙδτϦ௥Ճͯ͠ nginx, openssl Λߋ৽͢Δ ➤ ansible ʹॻ͖ى͜͢

    ➤ ֬ೝ & deploy ͜Ε͘Β͍ɺ3೔΋͋Ε͹…(ϑϥά)

33. NGINX ͷΞοϓάϨʔυ͕Ͱ͖ͳ͍ ➤ nginx 1.9 ͷ package ͕ conf ϑΝΠϧΛ௫ΜͰ͍ͯ


    conflict Λىͯ͜͠ nginx 1.10 ͕ೖΒͳ͍ ➤ Ұ౓ uninstall ͕ඞཁ

34. ANSIBLE Λ2ճྲྀ͞ͳ͍ͱ NGINX ͕ىಈ͠ͳ͍ ➤ ansible ͸ python ੡ͷߏ੒؅ཧπʔϧ ➤

    ansible Λ࢖ͬͯ΋ɺ
 ਓ͕ؒਖ਼͘͠ॻ͔ͳ͚Ε͹ႈ౳ʹͳͳΒͳ͍

35. NGINX 1.9 Λ UNINSTALL ͢Δͱ LOG ͕ফ͑Δ ➤ nginx 1.10

    Ͱ͸࠶ݱ͠ͳ͍ ➤ apt remove ࣌ʹ log, cache ͷσΟϨΫτϦ͕ແ࣊൵ʹফ͑Δ ➤ ansible Ͱ apt remove લޙͰ log ͚ͩ͸όοΫΞοϓΛऔΔ ͜ͱͰରॲ ➤ લड़ͷݪҼ͸ओʹίϨͰͨ͠…

36. NGINX ͷίωΫγϣϯ਺͕ര૿ ➤ HTTP/2 ରԠͷຊ൪ద༻தʹ Gun̋sy ๒Λड͚Δ ➤ HTTP/2 ରԠͨ͠Πϯελϯε͕ಛʹίωΫγϣϯ਺͕૿Ճ

    ➤ ͱ͋Δཧ༝ʹΑΓ nginx ͕Ұ੪ʹ restart ➤ Ϣʔβ͔Βܨ͕Γʹ͍͘ঢ়ଶʹ…

37. ݪҼ੾Γ෼͚ͷҝʹμ΢ϯάϨʔυ ➤ ݩͷ nginx ͷόʔδϣϯ΁໭͢ ➤ 2ൃ໨ͷ๒஄͕ண஄͠ɺ೔෇͕มΘΔ

38. ؒʹ߹͍·ͤΜ Ͱͨ͠

39. ~࠶ݕূத~ photo: https://www.flickr.com/photos/paulk/23784089050/

40. ڭ܇ ➤ ຊ൪؀ڥͰ͸༧ظͤ͵ࣗମ͕ى͜Δ ➤ ӡ༻͍ͯ͠ΔαʔϏεͰ͸৻ॏʹ (ϢʔβӨڹ͸৴༻ʹڹ͘) ➤ ख٧·ΓʹͳͬͨΒ packet Λಡ΋͏

    ➤ ϓϩτίϧΛཧղ͠Α͏ ➤ ςετͷແ͍ίʔυ͸(ಛʹ)े෼ಡΜͰཧղ͢Δ
 (ansible playbook ؚΉ)

41. ͝ਗ਼ௌ͋Γ͕ͱ͏
 ͍͟͝·ͨ͠