AWSではてなブログの常時HTTPS配信をバーンとやる話 / The Epic of migration from HTTP to HTTPS on Hatena Blog with AWS

Transcript

1. AWSͰ͸ͯͳϒϩάͷ
 ৗ࣌HTTPS഑৴Λ
 όʔϯͱ΍Δ࿩ Hatena Engineer Seminar #10 @ Tokyo גࣜձࣾ͸ͯͳ

   id:aereal

2. ࣗݾ঺հ • id:aereal • GitHub: aereal • Twitter: aereal •

   ϒϩάϢʔβʔνʔϜ
 ΞϓϦέʔγϣϯΤϯδχΞ
 ςοΫϦʔυ

3. ࿩͢͜ͱ • ͸ͯͳϒϩάͷৗ࣌HTTPS഑৴ͷٕज़తͳৄࡉ • ূ໌ॻͷಈతಡΈࠐΈ • ূ໌ॻͷࣗಈߋ৽ • ͓ΑͼϓϩδΣΫτͷਐΊํ

4. എܠ • ͸ͯͳϒϩάͰ͸ɺ͸ͯͳఏڙυϝΠϯͷ
 ͍ͣΕ͔͔Βબ΂·͢ • *.hatenablog.com, *.hatenadiary.jp, etc. • ͞Βʹɺ͸ͯͳϒϩάPro

   (༗ྉΦϓγϣϯ) ʹਃ͠ࠐΉͱ
 ಠࣗυϝΠϯ͕࢖͑·͢ • ಠࣗυϝΠϯͰ΋ৗ࣌HTTPS഑৴Λ࣮ݱ͍ͨ͠

5. Let's Encrypt • https://letsencrypt.org/ • ISRG = Internet Security Research

   Group͕ఏڙ͢Δ
 ϓϩάϥϚϒϧʹΞΫηεՄೳͳೝূہ (CA) • ෆಛఆଟ਺ͷυϝΠϯʹର͢Δ
 ূ໌ॻൃߦͷࣗಈԽ͕Մೳʹͳͬͨ

6. Let's Encrypt • ಠࣗυϝΠϯͷৗ࣌HTTPS഑৴ʹ͔ܽͤͳ͍ଘࡏɺ౰વ ར༻͠·͢ • Let's EncryptΛར༻͢Δاۀͱͯ͠ɺ
 ·ͨܝ͛Δࢥ૝ʹڞײ͢ΔWebαʔϏεࣄۀऀͱͯ͠ɺ
 ͸ͯͳ͸Let's

   Encryptʹد෇Λ͠·͢

7. ಠࣗυϝΠϯͱূ໌ॻ • DONE: ͸ͯͳఏڙυϝΠϯ (*.hatenablog.com, etc.) • ਺͕஌Ε͍ͯΔͷͰূ໌ॻ1ͭͷ഑ஔͰࡁΉ • SAN

   (= Subject Alternative Names) Λ࢖͏ • ϫΠϧυΧʔυূ໌ॻΛ࢖͏

8. ಠࣗυϝΠϯͱূ໌ॻ • ಠࣗυϝΠϯ • ਺͕ଟ͍ͷͰূ໌ॻͷൃߦ΋ಡΈࠐΈ΋େม • LE = Let's Encrypt͸ূ໌ॻ͋ͨΓ


   100υϝΠϯͷ੍໿͕͋Δ • Ұ౓ʹಡΈࠐΉͱproxyͷϝϞϦ࢖༻ྔ͕ਹΉ

9. ΰʔϧ(1): ূ໌ॻͷಡΈࠐΈ • ؆୯ͷͨΊূ໌ॻ͸1υϝΠϯ1ͭɺSAN͸࢖Θͳ͍ • ΦϯσϚϯυͰಡΈࠐΜͰϝϞϦઅ໿ • ϘτϧωοΫʹͳΓ͏ΔͷͰ
 ϥ΢ϯυτϦοϓɺϨΠςϯγΛ཈͍͑ͨ

10. ΰʔϧ (2): ఆظߋ৽ • ϦΞϧλΠϜੑ͸௿͍ • ظݶΛܴ͑Δ·Ͱͷ೚ҙͷλΠϛϯάͰ
 ࣮ߦ͢Ε͹Α͍ • ҰํɺσʔλҰ؏ੑʹର͢Δཁٻ͕ߴ͍

    • ࣦഊ͢ΔͳͲߋ৽࿙Ε͕͋Δͱ·͍ͣ • ֎෦API (LE) Λར༻͢ΔͨΊࣦഊՄೳੑ͕ߴ͍
 →ద੾ͳϦτϥΠॲཧ͕ඞཁ

11. γεςϜͷߏ੒

12. cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache

    cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ

13. ূ໌ॻͷಡΈࠐΈ

14. cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache

    cert-lifecycle-store User Blog HTTPS ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ

15. cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache

    cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ

16. cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache

    cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ

17. ূ໌ॻͷಈతಡΈࠐΈ • cert-dispatcher: ngx_mruby • TLS handshake࣌ʹϋϯυϥ͕ݺ͹ΕΔ • cert-cache-gwʹHTTP GETͯ͠ূ໌ॻΛऔಘ͢Δ

    • cert-cache-gw: GoͰॻ͍ͨHTTP API • υϝΠϯʹରԠ͢Δূ໌ॻΛcert-store (DynamoDB) ͔ Βऔಘͯ͠ฦ͢ • cert-cache (memcached) ʹ΋อଘ͢Δ

18. ূ໌ॻͷऔಘ

19. cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache

    cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ

20. cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache

    cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ

21. cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache

    cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ

22. cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache

    cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ

23. cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache

    cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ

24. cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache

    cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ

25. ূ໌ॻͷൃߦ • cert-updater-state: AWS Step Functions • JSONͰεςʔτϚγϯΛ࣮ߦͯ͘͠ΕΔαʔϏε • ॊೈͳϦτϥΠॲཧ΍ঢ়ଶભҠΛ؅ཧͰ͖Δ

    • cert-updater-function: AWS Lambda • LEͱ௨৴͠ূ໌ॻΛऔಘ͢Δ • ൃߦͨ͠ূ໌ॻ͸DynamoDBʹॻ͖ࠐΉ • cert-update-notifier: AWS Lambda • ূ໌ॻͷൃߦঢ়گΛ͸ͯͳϒϩάຊମʹ఻͑Δ

26. ূ໌ॻͷఆظߋ৽

27. cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache

    cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ

28. cert-dispatcher cert-cache-gw cert-updater-state cert-updater-function cert-update-notifier cert-update-trigger Let's Encrypt cert-store cert-cache

    cert-lifecycle-store User Blog HTTP ssl_handshake_handler HTTP Get/Set Get HTTP HTTP ࣮ߦ ࣮ߦ ࣮ߦ UpdateItem UpdateItem TTL trigger ࣮ߦ ূ໌ॻൃߦ

29. ূ໌ॻͷఆظߋ৽ • cert-lifecycle-store: DynamoDB • ূ໌ॻͷऔಘ࣌ʹ͜ͷςʔϒϧʹ΋ॻ͖ࠐΉ • TTL triggerΛൃߦ͠ɺcert-update-triggerΛىಈ͢Δ •

    cert-update-trigger: AWS Lambda • TTL͕੾Εͯ࡟আ͞ΕͨΞΠςϜΛड͚औΔ • cert-updater-stateΛ࣮ߦ͠ɺূ໌ॻऔಘϑϩʔΛ։࢝

30. DynamoDB TTL

31. cert-lifecycle-store
 (DynamoDB) Domain: ex1.example.com ExpiresAt: 2018-05-23T02:00:00 Domain: ex2.example.com ExpiresAt: 2018-05-23T03:00:00

    Domain: ex2.example.com ExpiresAt: 2018-05-23T04:00:00 Domain: ex2.example.com ExpiresAt: 2018-05-23T05:00:00

32. cert-lifecycle-store
 (DynamoDB) Domain: ex2.example.com ExpiresAt: 2018-05-23T03:00:00 Domain: ex2.example.com ExpiresAt: 2018-05-23T04:00:00

    Domain: ex2.example.com ExpiresAt: 2018-05-23T05:00:00

33. cert-lifecycle-store
 (DynamoDB) Domain: ex2.example.com ExpiresAt: 2018-05-23T04:00:00 Domain: ex2.example.com ExpiresAt: 2018-05-23T05:00:00

34. cert-lifecycle-store
 (DynamoDB) Domain: ex2.example.com ExpiresAt: 2018-05-23T05:00:00

35. ͳͥAWS͔ • ෳࡶ͔ͭߴ౓ͳόονΛߏஙʹඞཁͳαʔϏε͕
 ἧ͍ͬͯΔ͔Β • ෳࡶ: ূ໌ॻͷऔಘɾ݁Ռͷ௨஌ͳͲෳ਺εςοϓ͔Β ͳΔ • ߴ౓:

    ෼ࢄΞϓϦέʔγϣϯʹ΋ؔΘΒͣ
 σʔλͷҰ؏ੑ͕ߴ͍ϨϕϧͰٻΊΒΕΔ • = Lambda, Step Functions, etc.

36. Step Functions͸࠷ߴ • ग़ྗ಺༰ʹԠͯ͡ঢ়ଶભҠΛ෼ذͰ͖Δ • άϥϑΟΧϧʹग़ྗͯ͘͠ΕΔ (͍͢͝!) • Τϥʔग़ྗ಺༰ʹԠ্ͨ͡ݶ෇͖ϦτϥΠॲཧ •

    ΊͪΌͪ͘Ό͔ͬ͜Α͘ͳ͍Ͱ͔͢?
37. None
38. None

39. Go • Lambda function͸͢΂ͯGo, cert-cache-gw΋Go • ίϯύΠϥʹΑΔܕݕࠪͰ҆৺ • ೖग़ྗͷܕΛLambda functionؒͰڞ༗Ͱ͖ɺ


    ᴥᴪ͕ੜͨ͡ΒίϯύΠϧΤϥʔʹͳΔ • ΤίγεςϜ͕੒ख़͍ͯ͠Δ • ΫϩείϯύΠϧ • ςετϥϯφʔɺςετϑϨʔϜϫʔΫ

40. ϓϩδΣΫτͷਐΊํ • ΞʔΩςΫνϟΛݕ౼ • AWSΛۦ࢖ͨ࣍͠ੈ୅TSDBͷઃܭʹؔΘͬͨ
 id:y_uukiʹڠྗͯ͠΋Βͬͨ • http://blog.yuuk.io/entry/the-rebuild-of-tsdb-on-cloud • ϓϩτλΠϐϯά

    (1िؒ) • ࣮ࡍʹखΛಈ͔͢͜ͱͰෆ໌ྎͩͬͨ఺ͷݟੵ΋Γ͕ਖ਼֬ʹͳͬͨ • (LambdaͷσϓϩΠͳͲ) • Goॳֶऀͩͬͨϝϯόʔ΋צΛ௫Ίͯɺຊ࣮૷Ͱ૝ఆҎ্ʹ
 ϕϩγςΟ͕҆ఆͨ͠

41. ϓϩδΣΫτͷਐΊํ • ·ͣূ໌ॻಡΈࠐΈ෦෼ (cert-loader) Λ։ൃ • ͜ͷ࣌఺Ͱ͸·ͩূ໌ॻΛऔಘ͠ͳ͍ͷͰɺӨڹ͸ͳ ͍ • ࣍ʹূ໌ॻऔಘ෦෼

    (cert-updater) Λ։ൃ • ͜ͷ෦෼ΛϦϦʔε͢Δ͜ͱͰ͸͡Ίͯ
 ಠࣗυϝΠϯͰHTTPS഑৴͕ར༻ՄೳʹͳΔ

42. ϓϩδΣΫτͷਐΊํ • ϦϦʔε୯ҐͷCQS = ίϚϯυΫΤϦ෼ׂ͕ͳ͞Εͨ • command: cert-updater • query:

    cert-loader • CQS = Command-query Separation: • มߋܥ (command) ͱಡऔܥ (query) Λ
 ෼ׂ͢ΔΞʔΩςΫνϟ • େ͖ͳϦϦʔεͰ͋Δ͕ɺগͣͭ͠ग़͍ͯ͘͠ͱ͍͏
 ීஈͷελΠϧΛऔΓೖΕΒΕ͍ͯΔ

43. ·ͱΊ • ͸ͯͳϒϩάͷৗ࣌HTTPS഑৴ͷཪଆΛ͝঺հ͠·ͨ͠ • ։ൃ͸ॱௐͰɺࠂ஌௨ΓͷεέδϡʔϧͰ
 ఏڙ։࢝Ͱ͖ΔݟࠐΈͰ͢ • ࣮͸Perl͚ͩ͡Όͳ͍͠ɺAWS΋׆༻͍ͯ͠·͢!

44. એ఻: αϚʔΠϯλʔϯ2018 • http://developer.hatenastaff.com/entry/intern- preentry-2018 • ࠓ೥΋΍Γ·͢ • લ൒ߨٛͷݴޠ͸GoͰ͢

45. ׬