Practical nginx: The Mercari Case
Tatsuhiko Kubo
April 22, 2015
Transcript
Practical nginx: The Mercari Case, Tatsuhiko Kubo @cubicdaiya, ALM @ 2015/04/21
About me • Tatsuhiko Kubo • bokko@cubicdaiya • Software Engineer in Infrastructure Engineering • Mercari, Inc. • Favorites: Go, C, nginx
Writing OSS and contributing to it
Agenda: nginx use cases at Mercari
nginx • The second most widely used OSS HTTP server in the world • An architecture that can withstand C10K • Event-driven • Non-blocking I/O • Asynchronous I/O • Lightweight and fast
A common sight at Mercari • In practice we are […] to some extent
Agenda • Reverse proxy • SSL termination • SPDY gateway
• L7 load balancer
nginx as a reverse proxy • Request logging • Access control • Content compression and caching • Buffering • etc…
nginx.conf example

    server {
        listen 443 ssl spdy;
        server_name xxx.yyy;

        # Proxy settings
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Connection "";
        proxy_http_version 1.1;
        proxy_buffers 50 8k;

        # Serve static content directly from nginx
        location ~ /(styles|js|images)/ {
            root /usr/share/zabbix;
            expires 30d;
        }

        # Proxy to Zabbix (via its google_auth_proxy)
        location / {
            proxy_pass http://google_auth_proxy_for_zabbix;
        }
    }

Benefits of putting nginx in front • Covers the whole range of tasks an HTTP or HTTPS server needs • Fills in features the application server (e.g. Unicorn) lacks • Improves network latency
• KeepAlive • gzip compression • TLS Session (Cache | Tickets), OCSP Stapling • SPDY • etc…
Agenda • Reverse proxy • SSL termination • SPDY gateway
• L7 load balancer
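Speeding up HTTPS • In general, HTTPS incurs a TLS 3-way handshake in addition to the TCP 3-way handshake, so it is slower than HTTP • The three essential tools for speeding up HTTPS
• TLS Session Cache • TLS Session Tickets • OCSP Stapling
TLS Session Cache • Caches the session information from the TLS handshake on the server • In nginx it is cached in shared memory • The next TLS handshake is skipped
• Effective for reducing CPU resource use and eliminating latency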
TLS Session Cache with nginx
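TLS Session Tickets • Hands the encrypted session information (the ticket) to the client • The TLS session is resumed from the ticket • Session information can be shared across multiple HTTPS servers
• On smartphones, few clients support it…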
TLS Session Tickets with nginx
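An added example, not taken from the slides, of how the session cache and session tickets described above are typically configured in nginx. The `shared:SSL:30m` size is the value the deck uses later; the timeout, host name and file paths are placeholders.

```nginx
# Added example (not from the original deck). Host name and paths are placeholders.
events {}

http {
    # Server-side session cache in shared memory, visible to all worker
    # processes. Per the nginx documentation, 1 MB holds about 4000 sessions.
    ssl_session_cache   shared:SSL:30m;

    # How long a cached session or an issued ticket stays resumable.
    ssl_session_timeout 10m;

    # Session tickets: the session state is encrypted and handed to the client.
    ssl_session_tickets on;

    # Without a key file, each nginx instance generates a random ticket key at
    # startup, so a ticket cannot be resumed on a different server. To share
    # sessions across several HTTPS servers, deploy the same key files to all.
    # The first file encrypts new tickets; the following ones only decrypt,
    # so tickets issued under the previous key still resume after a rotation.
    # Create a key with: openssl rand 80 > current.key  (48 bytes before 1.11.8)
    # Protect the files like the certificate's private key (mode 0600) and
    # rotate them on a schedule: whoever holds a ticket key can decrypt the
    # tickets issued under it. nginx reads the files on start and reload.
    ssl_session_ticket_key /etc/nginx/ssl/ticket/current.key;
    ssl_session_ticket_key /etc/nginx/ssl/ticket/previous.key;

    server {
        listen 443 ssl;
        server_name example.test;
        ssl_certificate     /etc/nginx/ssl/example.test.crt;
        ssl_certificate_key /etc/nginx/ssl/example.test.key;
    }
}
```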
OCSP Stapling • The server performs the OCSP revocation check of the SSL certificate and caches the result • Doing it on the client side adds latency during the TLS handshake • Again, not many smartphone clients support it
• Google Chrome for iOS did support it
OCSP Stapling with nginx

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/ssl/xxx.yyy.ocsp.crt;
    resolver xxx.xxx.xxx.xxx valid=30s;
    resolver_timeout 5s;

Agenda • Reverse proxy • SSL termination • SPDY gateway
• L7 load balancer
SPDY with nginx
So, what was the actual effect?
TLS Session (Cache|Tickets): timing of introduction
SPDY 41%: peak of the […] it was introduced
A somewhat more concrete example
Accessing an overseas Zabbix dashboard from Japan
Client • MacBookPro • Google Chrome • HTTP/2 enabled • Browser cache always disabled*
Server (initial state) • Apache (prefork) + mod_php • Zabbix inside • KeepAlive Off
• gzip compression disabled • TLS Session Cache & Tickets enabled
Server (initial state) [diagram labels: Apache (port), HTTPS Server, GoogleAuthProxy, Apache (port), SSL termination, user authentication, Zabbix]
Performance (initial state) [table: Item | Measured value | vs. previous | vs. initial state; rows: Received requests, Data Transfer (KB), Load Time (sec), DOMContentLoaded Time (sec)]
Tuning, part 1: enable KeepAlive (KeepAlive On)
Performance [table: Item | Measured value | vs. previous | vs. initial state; rows: Received requests, Data Transfer (KB), Load Time (sec), DOMContentLoaded Time (sec)]
Tuning, part 2: enable gzip compression

    <IfModule mod_deflate.c>
        AddOutputFilterByType DEFLATE text/html
        AddOutputFilterByType DEFLATE text/css
        AddOutputFilterByType DEFLATE text/js
        AddOutputFilterByType DEFLATE text/javascript
        AddOutputFilterByType DEFLATE application/javascript
        AddOutputFilterByType DEFLATE application/json-rpc
    </IfModule>

Performance [table: Item | Measured value | vs. previous | vs. initial state; rows: Received requests, Data Transfer (KB), Load Time (sec), DOMContentLoaded Time (sec)]
Tuning, part 3: do SSL termination in nginx [diagram labels: Apache (port), HTTPS Server, GoogleAuthProxy, Apache (port), SSL termination, user authentication, Zabbix, nginx (port)]
Tuning, part 3: serve all static files from nginx

    # nginx.conf
    # in main context
    worker_processes auto;
    # in http context
    tcp_nopush on;
    keepalive_timeout 65s;
    open_file_cache max=1000 inactive=20s;
    ssl_session_cache shared:SSL:30m;
    gzip on;
    gzip_comp_level 9;
    gzip_types text/css text/plain text/js text/javascript application/javascript application/json-rpc;
    # in event context
    accept_mutex_delay 100ms;

Performance [table: Item | Measured value | vs. previous | vs. initial state; rows: Received requests, Data Transfer (KB), Load Time (sec), DOMContentLoaded Time (sec)]
Tuning, part 4: enable SPDY/3.1

    listen 443 ssl spdy;

Performance [table: Item | Measured value | vs. previous | vs. initial state; rows: Received requests, Data Transfer (KB), Load Time (sec), DOMContentLoaded Time (sec)]
In the end, the web page load time went from 4 seconds to 1 second
Agenda • Reverse proxy • SSL termination • SPDY gateway
• L7 load balancer
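nginx
General-purpose push notification system or batch server
Summary • nginx • At Mercari we put it in front of many places, in both the service and internal systems • Excellent as an L7 load balancer, reverse proxy, and SSL termination server
• We plan to use it in more places going forward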