How_to_have_multiple_services_with_multiple_origin_on_a_single_frontend_proxy
Getting started

At work I operate and develop an L7 proxy. We have multiple endpoints (domains), and all of those domains are served by a single L7 proxy with a single IP address. So how is that actually achieved? That is the topic of this post. I had assumed that DNS ties an IP address to a single domain, but that was wrong. And until I joined the company I did not know the concept of the Host header at all. HTTP has a Host header, and it is what allows a single IP address to carry multiple domains. The point it comes down to is that HTTP is an L7 protocol while IP is L3.

Premise

The DNS mapping between IP addresses and domains is not one-to-one but one-to-many. This is the important part. And I did not understand the Host header.

Setting up virtual servers with nginx

From ChatGPT:

"Virtual servers are a feature used to host multiple websites or applications on a single physical server. Each virtual server corresponds to a different domain name or subdomain and provides access to its own individually configured resources (for example web pages, application files, SSL certificates and log files). In nginx, each virtual server is written in the configuration file as a "server block". Below is a basic example of a virtual server configuration in nginx:"

    server {
        listen 80;
        server_name example.com www.example.com;

        location / {
            root /var/www/example.com/html;
            index index.html index.htm;
        }

        error_page 404 /404.html;
        location = /404.html {
            root /var/www/example.com/html;
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root /var/www/example.com/html;
        }
    }

The role of the Host header

From ChatGPT:

"The HTTP Host header plays a very important role when an HTTP request is sent. The client uses it to specify which host (domain name or IP address) and port the request is intended for. In particular, when one server hosts multiple domains (virtual hosting), the server cannot tell which website a request is meant for without the Host header. In HTTP/1.1 the Host header is mandatory. Unlike in the days of HTTP/1.0, it has become common for a server to host multiple domains. If a request does not include a Host header, the server will often return a 400 Bad Request error."

DNS A records

"When multiple subdomains point to resources on the same server, it is common to assign the same IP address to all of them. For example, you can configure:

    www.example.com  → 192.0.2.1
    mail.example.com → 192.0.2.1
    ftp.example.com  → 192.0.2.1

By giving all of these subdomains the same A record IP address (192.0.2.1), a single server can provide different services (web, mail, FTP and so on). This is particularly convenient for hosting services or when managing multiple websites on a single physical server. It is also efficient when maintenance or upgrades are needed, since the change only has to be made in one place."

...
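The dispatch that nginx server blocks perform on the Host header, as an added example in Python (not from the original post or from nginx); the hostnames, document roots and sample requests are constructed for the illustration.

```python
"""Host-header based virtual-host routing, as an added illustration (not from
the original post).  A tiny HTTP/1.x request parser dispatches on the Host
header the way an L7 proxy or an nginx server block does.  The hostnames,
document roots and sample requests are constructed for the example."""
from typing import Dict, Optional, Tuple

# Constructed virtual-host table: several names, one listening IP address.
VHOSTS: Dict[str, str] = {
    "example.com": "/var/www/example.com/html",
    "www.example.com": "/var/www/example.com/html",
    "mail.example.com": "/var/www/mail/html",
}
# Served only when the request carries no Host at all (HTTP/1.0 clients).
DEFAULT_ROOT = "/var/www/default/html"


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Return (method, version, headers) for a raw request head.

    Header names are lower-cased.  A repeated Host header is a hard error:
    a proxy and its origin could otherwise pick different ones.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, _target, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if name == "host" and "host" in headers:
            raise ValueError("duplicate Host header")
        headers[name] = value.strip()
    return method, version, headers


def host_name(host: str) -> str:
    """Drop an explicit port ('example.com:8080', '[::1]:80') and normalise."""
    if host.startswith("["):
        host = host[1:host.find("]")] if "]" in host else host
    else:
        host = host.rsplit(":", 1)[0]
    return host.lower().rstrip(".")


def route(raw: bytes) -> Tuple[int, Optional[str]]:
    """Map a request to (status, document_root) like a set of server blocks."""
    try:
        _method, version, headers = parse_request(raw)
    except ValueError:
        return 400, None
    host = headers.get("host")
    if host is None:
        # HTTP/1.1 makes Host mandatory; as noted above, servers answer 400.
        return (400, None) if version == "HTTP/1.1" else (200, DEFAULT_ROOT)
    root = VHOSTS.get(host_name(host))
    if root is None:
        # No server block for this name: refuse instead of serving another
        # tenant's site (421 Misdirected Request; nginx setups often use 444).
        return 421, None
    return 200, root


if __name__ == "__main__":
    print(route(b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"))
```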
Oh_my_zsh
A shell that is simply pleasant to use

I never had strong preferences, so I was using bash, but when I looked at my seniors' terminals from behind, they were doing impressive things: pulling up a query to re-run a past command in one shot, running several sessions with tmux, and so on. Anyway, it looked impressive, and they were using something called zsh, which looked cool. So I thought I would write a little about zsh.

How to install

    sudo apt install zsh
    chsh -s $(which zsh)
    sh -c "$(curl -fsSL https://raw.github.com/ohmyzsh/ohmyzsh/master/tools/install.sh)"   # installs oh-my-zsh

Look around and customise it to your liking.
Docker4nerdctl
Background

To use k8s you have to use containerd, and containerd's client is nerdctl. But when it comes to containers the tool everyone knows is docker, so the shell scripts published on GitHub and elsewhere use the docker command, and rewriting all of them is a pain. What do you do then? What if an alias does not work? Here is a trick for that situation.

The trick

    sudo vim /usr/local/bin/docker

with the contents:

    #!/bin/bash
    # Redirect docker calls to nerdctl
    exec nerdctl "$@"

then

    sudo chmod +x /usr/local/bin/docker

With this, every docker command is redirected to nerdctl!! Wonderful.
Master_of_athenz
I want to understand Athenz completely

As the title says: I want to understand Athenz. Honestly, at the level of personal projects you can get by without understanding it at all, but in a large company where many services run and call each other's APIs, I think it becomes an essential technology. Even on an internal network, unless you restrict the use of a service to authenticated people or services, an attacker who gets into the internal network can do whatever they like. So I am going to aim for a complete understanding of Athenz.

Plan

- Introduce each Athenz component.
- Explain the RBAC used in Athenz.
- Install Athenz on my home cluster.
- Try various things with the installed Athenz (provider/tenant communication, playing a pseudo-attacker, and so on).

What is Athenz in the first place?

It is a platform for controlling access between applications. Access control means granting permissions on resources such as REST APIs. Access control has three building blocks: identification, authentication and authorization. For authorization, Athenz uses RBAC.

What is RBAC?

Group the access subjects by role, then grant permissions to the group. That group is called a role. The important point is that permissions are granted to roles, not to people; people are then added to roles. Roles can vary: you can create a role that can do all CRUD operations, or a role that can only read. The set of permissions given to a role is called a policy, which is also important: a policy is attached to a role.

The party providing a resource is called the provider, the party using it the tenant, and Athenz sits in the middle. Identity information is called an Athenz service, which is a little tricky. The term domain appears later as well.

Flow of Athenz access control

Suppose a tenant accesses a provider. The tenant has the central Athenz issue a token (a role token); to prove its own identity at that point it presents an X.509 certificate (first question: who issues the X.509 certificate?). It then attaches the issued token to an HTTP header and accesses the provider. On the provider side, athenz-proxy apparently runs in front of the API; it compares the access against the information fetched from the central Athenz and decides whether or not to proxy the request to the API.

Architecture and components

Athenz is a robust system for managing service-to-service authentication and fine-grained access control through its primary components: ZMS (Management Server), ZTS (Token Server), and its User Interface.

1. Management Server (ZMS)

The ZMS is the central authority for managing and provisioning domain-based roles, policies, and resource permissions. It acts as the control plane where administrators define access control rules and service configurations.

Key Features:
- Domain Management: Organizes services and resources into "domains" (like a namespace) with associated roles and policies.
- Role and Policy Definitions: Allows creation of roles (e.g., admin, reader) and policies specifying which roles can access specific resources.
- Audit Trails: Keeps a record of all configuration changes for security and compliance purposes.
- REST API: Provides APIs for managing domains, roles, and policies programmatically.
- Storage: Persistently stores configuration data in databases like MySQL.

2. Token Server (ZTS)

The ZTS is the runtime component responsible for generating and validating short-lived tokens and certificates that services use to authenticate with one another.

Key Features:
- Token Issuance: Issues Access Tokens (JWTs) and Role Tokens for authorization. Tokens are short-lived, improving security by reducing exposure to stolen credentials.
- Certificate Issuance: Provides short-lived X.509 certificates for mutual TLS authentication between services.
- Decentralized Authorization: Services can independently validate tokens or certificates using the ZTS public keys, reducing reliance on the ZTS during runtime.
- Dynamic Trust: Works seamlessly in dynamic environments like Kubernetes, issuing tokens based on pod identities.
- Integration: Compatible with OAuth 2.0 and OIDC for standardized authentication.

3. User Interface

Athenz includes a user-friendly web-based UI that enables administrators and users to interact with the system without directly accessing APIs or configuration files.

Key Features:
- Role and Policy Management: Intuitive interfaces for creating and managing roles, policies, and resource permissions.
- Domain Browsing: Easily navigate through domains and view their configurations.
- Audit and Reporting: Visualize audit logs and track changes to roles, policies, and resource access.
- Ease of Use: Simplifies complex RBAC configurations into a graphical and interactive platform, making it easier to onboard new administrators.

Summary of the components

Summary of Workflow:
- Setup Phase: Use the ZMS or UI to define domains, roles, and policies.
- Runtime Phase: Services request tokens or certificates from ZTS to authenticate with other services.
- Decentralized Validation: Tokens are validated locally by consuming services using ZTS-provided public keys.

Terminology, briefly

- Athenz service: the information used to identify the source of an access
- Role: a grouping of Athenz services that share the same permissions; you add Athenz services to it
- Policy: describes what a role is allowed to do
- Domain: the namespace in which Athenz services, roles and policies are managed
- X.509 certificate: proves that something is the Athenz service it claims to be

Token types

Configuration

Tenant side: first, an Athenz service must be created to identify the source of the access. Then an X.509 certificate must be obtained (I seem to remember the flow being: generate a private key, send a CSR somewhere and have the certificate issued and distributed, but is that right?). Depending on the environment, this part may be automated.

...
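The domain/role/policy model described above, as an added Python example (not the Athenz project's code): roles group services, policies hold assertions, and an authorize() check mimics the decision athenz-proxy makes. The domain, service and resource names are constructed; the rule that a matching DENY beats any ALLOW follows Athenz's assertion semantics in simplified form.

```python
"""Athenz-style RBAC evaluation, as an added example (not the Athenz project's
code).  A domain holds roles (groups of Athenz services) and policies whose
assertions grant or deny an action on a resource to a role.  Domain, role,
service and resource names are constructed for the example; '*' wildcards
and deny-over-allow follow Athenz's assertion semantics, simplified."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Set


@dataclass
class Assertion:
    effect: str    # "ALLOW" or "DENY"
    action: str    # e.g. "read", "write", or "*"
    role: str      # role name within the domain
    resource: str  # "<domain>:<resource>", may end in "*"


@dataclass
class Domain:
    name: str
    roles: Dict[str, Set[str]] = field(default_factory=dict)        # role -> services
    policies: Dict[str, List[Assertion]] = field(default_factory=dict)

    def roles_for(self, service: str) -> List[str]:
        """Roles the principal belongs to: what ZTS puts into a role token."""
        return sorted(r for r, members in self.roles.items() if service in members)

    def authorize(self, service: str, action: str, resource: str) -> bool:
        """Decide as athenz-proxy would, given the principal's roles.

        The resource must be qualified with this domain; a matching DENY wins
        over every ALLOW, and no matching assertion at all means deny.
        """
        if not resource.startswith(self.name + ":"):
            return False
        held = set(self.roles_for(service))
        allowed = False
        for assertions in self.policies.values():
            for a in assertions:
                if a.role not in held:
                    continue
                if not fnmatchcase(action.lower(), a.action.lower()):
                    continue
                if not fnmatchcase(resource, a.resource):
                    continue
                if a.effect == "DENY":
                    return False
                allowed = True
        return allowed


def demo_domain() -> Domain:
    """Constructed domain 'sports' with a read-only and a full-access role."""
    d = Domain("sports")
    d.roles["readers"] = {"sports.frontend", "sports.reporting"}
    d.roles["writers"] = {"sports.ingest"}
    d.policies["reader-policy"] = [
        Assertion("ALLOW", "read", "readers", "sports:api.scores.*"),
    ]
    d.policies["writer-policy"] = [
        Assertion("ALLOW", "*", "writers", "sports:api.scores.*"),
        # Even writers may not touch the admin endpoint.
        Assertion("DENY", "*", "writers", "sports:api.scores.admin"),
    ]
    return d
```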
Nginx2vector2kafka2opensearch
Monitoring nginx metrics and logs. The metrics data flows like this:

    nginx -> vector -> kafka -> opensearch/influxDB

That is, vector picks up the raw logs nginx emits and sends them to kafka, and opensearch and influxDB each consume them from kafka; that seems like a good flow. Since I want /var/log/nginx/access.log, which the logs are read from, and vector to live in the same namespace, I will install those two directly on the physical machine.

Environment

The following three machines are used:

- delta (100.64.1.48, 192.168.3.1): router for 192.168.3.1/24, kafka, kafka-ui, opensearch
- master (192.168.3.8): proxy server (nginx), vector
- gamma/zeta/...: origins

docker compose configuration for kafka

    services:
      kafka-broker:
        image: apache/kafka:3.7.0
        container_name: kafka-broker
        ports:
          # host port -> container 9092; PLAINTEXT_HOST below listens on
          # ${KAFKA_BROKER_LOCAL_PORT}, so set it to 9092 for the mapping to line up
          - "${KAFKA_BROKER_LOCAL_PORT}:9092"
        environment:
          KAFKA_NODE_ID: 1
          KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: "CONTROLLER:PLAINTEXT,PLAINTEXT:PLAINTEXT,PLAINTEXT_HOST:PLAINTEXT"
          KAFKA_ADVERTISED_LISTENERS: "PLAINTEXT_HOST://localhost:${KAFKA_BROKER_LOCAL_PORT},PLAINTEXT://kafka-broker:${KAFKA_BROKER_PUBLIC_PORT}"
          KAFKA_PROCESS_ROLES: "broker,controller"
          KAFKA_CONTROLLER_QUORUM_VOTERS: "1@kafka-broker:${KAFKA_BROKER_CONTROLLER_PORT}"
          KAFKA_LISTENERS: "CONTROLLER://:${KAFKA_BROKER_CONTROLLER_PORT},PLAINTEXT_HOST://:${KAFKA_BROKER_LOCAL_PORT},PLAINTEXT://:${KAFKA_BROKER_PUBLIC_PORT}"
          KAFKA_INTER_BROKER_LISTENER_NAME: "PLAINTEXT"
          KAFKA_CONTROLLER_LISTENER_NAMES: "CONTROLLER"
          KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 1
          KAFKA_GROUP_INITIAL_REBALANCE_DELAY_MS: 0
          KAFKA_TRANSACTION_STATE_LOG_MIN_ISR: 1
          KAFKA_TRANSACTION_STATE_LOG_REPLICATION_FACTOR: 1
          KAFKA_LOG_DIRS: "/tmp/kraft-combined-logs"

      kafka-ui:
        container_name: kafka-ui
        image: provectuslabs/kafka-ui:v0.7.2
        ports:
          - "${KAFKA_UI_PORT}:8080"
        depends_on:
          - kafka-broker
        restart: always
        environment:
          KAFKA_CLUSTERS_0_BOOTSTRAPSERVERS: kafka-broker:${KAFKA_BROKER_PUBLIC_PORT}

      init-kafka:
        # we want the kafka-topics command, so use the confluentinc container
        image: confluentinc/cp-kafka:7.6.1
        container_name: init-kafka
        depends_on:
          - kafka-broker
        entrypoint: ["/bin/sh", "-c"]
        command: |
          "
          # blocks until kafka is reachable
          kafka-topics --bootstrap-server kafka-broker:${KAFKA_BROKER_PUBLIC_PORT} --list

          echo -e 'Creating topics'
          kafka-topics --bootstrap-server kafka-broker:${KAFKA_BROKER_PUBLIC_PORT} --create --if-not-exists --topic nginx-log --replication-factor 1 --partitions 1

          echo -e 'Successfully created :'
          kafka-topics --bootstrap-server kafka-broker:${KAFKA_BROKER_PUBLIC_PORT} --list
          "

Configuration for opensearch

    version: '3'
    services:
      opensearch-node1: # This is also the hostname of the container within the Docker network (i.e. https://opensearch-node1/)
        image: opensearchproject/opensearch:latest # Specifying the latest available image - modify if you want a specific version
        container_name: opensearch-node1
        environment:
          - cluster.name=opensearch-cluster # Name the cluster
          - node.name=opensearch-node1 # Name the node that will run in this container
          - discovery.seed_hosts=opensearch-node1,opensearch-node2 # Nodes to look for when discovering the cluster
          - cluster.initial_cluster_manager_nodes=opensearch-node1,opensearch-node2 # Nodes eligible to serve as cluster manager
          - bootstrap.memory_lock=true # Disable JVM heap memory swapping
          - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m" # Set min and max JVM heap sizes to at least 50% of system RAM
          - OPENSEARCH_INITIAL_ADMIN_PASSWORD=${OPENSEARCH_INITIAL_ADMIN_PASSWORD} # Sets the demo admin user password when using demo configuration, required for OpenSearch 2.12 and later
        ulimits:
          memlock:
            soft: -1 # Set memlock to unlimited (no soft or hard limit)
            hard: -1
          nofile:
            soft: 65536 # Maximum number of open files for the opensearch user - set to at least 65536
            hard: 65536
        volumes:
          - opensearch-data1:/usr/share/opensearch/data # Creates volume called opensearch-data1 and mounts it to the container
        ports:
          - 9200:9200 # REST API
          - 9600:9600 # Performance Analyzer
        networks:
          - opensearch-net # All of the containers will join the same Docker bridge network

      opensearch-node2:
        image: opensearchproject/opensearch:latest # This should be the same image used for opensearch-node1 to avoid issues
        container_name: opensearch-node2
        environment:
          - cluster.name=opensearch-cluster
          - node.name=opensearch-node2
          - discovery.seed_hosts=opensearch-node1,opensearch-node2
          - cluster.initial_cluster_manager_nodes=opensearch-node1,opensearch-node2
          - bootstrap.memory_lock=true
          - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m"
          - OPENSEARCH_INITIAL_ADMIN_PASSWORD=${OPENSEARCH_INITIAL_ADMIN_PASSWORD}
        ulimits:
          memlock:
            soft: -1
            hard: -1
          nofile:
            soft: 65536
            hard: 65536
        volumes:
          - opensearch-data2:/usr/share/opensearch/data
        networks:
          - opensearch-net

      opensearch-dashboards:
        image: opensearchproject/opensearch-dashboards:latest # Make sure the version of opensearch-dashboards matches the version of opensearch installed on other nodes
        container_name: opensearch-dashboards
        ports:
          - 5601:5601 # Map host port 5601 to container port 5601
        expose:
          - "5601" # Expose port 5601 for web access to OpenSearch Dashboards
        environment:
          OPENSEARCH_HOSTS: '["https://opensearch-node1:9200","https://opensearch-node2:9200"]' # Define the OpenSearch nodes that OpenSearch Dashboards will query
        networks:
          - opensearch-net

    volumes:
      opensearch-data1:
      opensearch-data2:

    networks:
      opensearch-net:

Configuration for nginx

This is done the usual way ...
Comments_on_real_world_http
I will scribble down notes on what is written in Real World HTTP.

Development environment

Before that, it seems I should write down the LAN IP addresses:

    100.64.1.27 : alpha
    100.64.1.61 : evn
    100.64.1.48 : delta (the gateway to the K8S cluster)

The role of delta

I previously wrote an article about building a DHCP server and a router; that is the article I mean. So delta serves as both the DHCP server and the router.
2024-11 TODO

Task list as of 2024/11/1

Development

- Stand up an echo-server on the K8S cluster at home, put several proxies in front of it with a VIP, and make it possible to run load tests with vegeta. I would also like to collect various metrics, though I am well aware this is a big detour. Meanwhile, read real-world-http; it is long, so take notes as I go. The final goal is a setup of two proxies and one echo-server that I can load with vegeta. This might be a useful reference. I also bought a "break it and learn k8s"-style book, so read that and deploy the echo-server written in Go to the Raspberry Pis. The deadline is still open.
- Grind through past ISUCON problems. I am entering this year's ISUCON with Shiraki-san and do not want to hold him back, so I will work hard. -- ! Word is that registration for isucon14 has opened. Let's do our best.
- Introduce accounting software; this looks good: https://ledger-cli.org/
- Proceed with founding the LLC.
- I and shiraki-san decided to develop GSLB using go lang. It is going to be funny
- Learn DNS (take this one at a relaxed pace) → Done
- Learn how to write a packet parser using Go on the TCP layer. It is also going to be funny.
- Get the horse-racing system running. Write the manifest files quickly so it runs on the home k8s. Sorry for the messy code.
- Build a distributed file system in Go (either by following that YouTube video or with the book on building distributed systems in Go; either is fine, but the latter deploys the distributed system onto k8s, so it feels more compatible with the item above).

Other

- Get up early every morning. Sleeping at 23:00 and getting up at 06:30 would be ideal.
- Land some contract work soon and sell it.
- Start a YouTube channel soon and begin living on expenses!

Long term

- Get the Bookkeeping Level 2 certification!
- Thinking of buying land somewhere!! And saving up!! Seriously, everything except 80,000 yen of living expenses and 50,000 yen into the reward savings account goes there. That means the money available for the monthly credit card payment is 170,000 yen. 100,000 of that goes to insurance, so about 70,000 remains; is that enough?
I cannot die until I understand ECDH, ECDSA and EdDSA

I have completely understood ECDH

References

- A YouTube video introducing ECDH
- An example that explains elliptic curve cryptography with billiards

Explanation of ECDH

ECDH is really interesting. First, define an addition on the elliptic curve. This is the billiards picture: pick two points and draw the line through them; it meets the curve at a new point, and the reflection of that point across the x-axis is taken as the result of the addition:

    a + b = c

Here p + p = 2p can also be defined: for p + p the line is the tangent at p. The curious thing is that the following associativity holds:

    p + 2p = 3p
    3p + p = 4p
    2p + 2p = 4p

The 4p obtained by first computing p + 2p = 3p and then 3p + p = 4p is the same point as the 4p obtained from 2p + 2p = 4p. That is interesting.

In this way, fix an initial point G; computing the point Q obtained by adding it k times,

    Q = kP

is easy (for k = 128, say, you compute 2p+2p, 4p+4p, ..., 64p+64p, so the number of operations stays small). However, finding k from Q and P is difficult: there is nothing to do but start from the beginning and go through the multiples in order.

So the server and the client each generate a value Q, Q1 and Q2 respectively:

    Q1 = k1P
    Q2 = k2P

Then Q1 and Q2 are exchanged. In OpenSSL they are exchanged with a signature from RSA or similar, so their authenticity is guaranteed. Then, taking

    Q = k1k2P

as the master secret, the key exchange is complete; from it a shared key is generated and encrypted communication starts. Wonderful.

The image of elliptic curve cryptography is explained as follows. ...
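The addition, doubling, double-and-add and Q1/Q2 exchange described above, as an added Python example (not from the original post). It uses the textbook toy curve y^2 = x^3 + 2x + 2 over F_17 with G = (5, 1), which is an assumption for the sake of small numbers; real deployments use curves such as P-256 or X25519.

```python
"""Toy ECDH over a small curve, as an added example (not from the original
post).  It implements the chord-and-tangent addition described above, the
double-and-add trick behind "k = 128 takes only a few doublings", the
associativity check (P + 2P) + P == 2P + 2P, and the Q1/Q2 exchange.
The curve y^2 = x^3 + 2x + 2 over F_17 with base point G = (5, 1) is a
textbook toy (group order 19); real systems use P-256, X25519 and the like."""
from typing import Optional, Tuple

Point = Optional[Tuple[int, int]]   # None stands for the point at infinity

P_MOD, A, B = 17, 2, 2              # field prime and curve coefficients
G: Point = (5, 1)                   # base point on the toy curve


def on_curve(pt: Point) -> bool:
    """A peer's public value must be checked to lie on the curve before use."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def add(p1: Point, p2: Point) -> Point:
    """Chord-and-tangent addition; reflecting across the x-axis is y -> -y."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                                      # P + (-P) = infinity
    if p1 == p2:
        s = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)   # tangent slope
    else:
        s = (y2 - y1) * pow(x2 - x1, -1, P_MOD)          # chord slope
    x3 = (s * s - x1 - x2) % P_MOD
    y3 = (s * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def scalar_mult(k: int, pt: Point) -> Point:
    """Double-and-add: Q = kP in O(log k) additions.  Going the other way,
    from (P, Q) back to k, is the discrete-log problem the scheme rests on."""
    result: Point = None
    addend = pt
    while k > 0:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def ecdh_shared(k1: int, k2: int) -> Tuple[Point, Point, Point]:
    """Each side publishes Q_i = k_i * G and multiplies the peer's Q by its own
    secret; both arrive at k1*k2*G.  Returns (Q1, Q2, shared point)."""
    q1, q2 = scalar_mult(k1, G), scalar_mult(k2, G)
    if not (on_curve(q1) and on_curve(q2)):
        raise ValueError("peer public value is not on the curve")
    s1, s2 = scalar_mult(k1, q2), scalar_mult(k2, q1)
    assert s1 == s2, "both sides must derive the same point"
    return q1, q2, s1
```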
MTLS_on_OVPN
I have completely understood the public-key cryptography system

OK: you specify a set of five things, a key exchange algorithm, a signature algorithm, a cipher algorithm, a cipher mode and a hash (a cipher suite), and encrypt the communication with them. That is everything I know about cryptographic systems. Now, with OpenVPN you encrypt the communication between the client and the server, and to do that you issue a number of certificates. But I had no idea which certificate is used how. So this time I want to go over the role of each certificate when building an OpenVPN client and server.

My past articles

- basic client
- site to site routing

The article I always refer to

- qiita

So let's follow along.

Establishing the certificate authority (CA)

It apparently starts from here.

    $ ./easyrsa init-pki

    init-pki complete; you may now create a CA or requests.
    Your newly created PKI dir is: path/to/easy-rsa/easyrsa3/pki

Generating the CA certificate

    $ ./easyrsa build-ca

You are asked for a passphrase. At this point the CA's private key and public key have already been generated.

Generating the server certificate

    $ ./easyrsa build-server-full server nopass

Here you enter the passphrase from when the CA certificate was generated again. Presumably this is where the server's public key gets signed (the CSR step is handled as part of it).

Generating the DH key

Why is a DH key generated here?? Isn't the DH key in TLS supposed to be a different one every time?? I see: I asked ChatGPT, so I cannot be sure it is right, but what is generated at this stage is only the DH parameters (the prime and the generator). That makes sense. In other words, the p and g in

    y = g ^ (x) mod p

are generated here, and the server and the client each pick an x of their own. Yes, complete understanding. Incidentally, key exchange can also be done with ECDH.

Generating the certificate revocation list (note that the page I was referring to got this wrong)

    $ ./easyrsa gen-crl

This too is signed with the CA's private key.

Generating the client private key

    $ cd easy-rsa/easyrsa3
    $ ./easyrsa build-client-full username

OK, this generates the client's certificate and private key. Since the certificate must be certified by the CA, you enter the passphrase again.

...
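The split between the fixed DH parameters (what the gen-dh step produces) and the x each side chooses per connection, as an added Python example (not from the original post or from easy-rsa); p = 1019 is a constructed toy safe prime and g = 4 a constructed generator, and the validation checks are the ones a careful implementation performs on received parameters and public values.

```python
"""Finite-field DH split into fixed parameters and per-connection secrets,
as an added example (not from the original post).  P and G below stand in
for what easy-rsa's gen-dh writes to the DH parameter file; every handshake
then draws a new x, so y = g^x mod p differs each time.  P is a constructed
toy safe prime (p = 2q + 1); real parameters are 2048 bits or more."""
import secrets
from typing import Tuple

P = 1019                 # toy safe prime; q = (P - 1) // 2 = 509 is prime too
Q = (P - 1) // 2
G = 4                    # a quadratic residue, so it generates the order-q subgroup


def is_prime(n: int) -> bool:
    """Trial division: sufficient for the toy modulus used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def validate_params(p: int, g: int) -> bool:
    """What a client should check before trusting received DH parameters:
    p is a safe prime and g lies in the large prime-order subgroup."""
    q = (p - 1) // 2
    return is_prime(p) and is_prime(q) and 2 <= g <= p - 2 and pow(g, q, p) == 1


def validate_public(y: int, p: int) -> bool:
    """Reject degenerate or small-subgroup values (0, 1, p-1) that would pin
    the shared secret to a guessable value."""
    return 2 <= y <= p - 2 and pow(y, (p - 1) // 2, p) == 1


def fresh_private() -> int:
    """A new exponent for every handshake: this is what makes the exchange
    ephemeral, so one session's x says nothing about another's."""
    return 2 + secrets.randbelow(Q - 2)


def public(x: int) -> int:
    """y = g^x mod p, the value that is sent (and, in TLS, signed)."""
    return pow(G, x, P)


def shared(x: int, peer_public: int) -> int:
    if not validate_public(peer_public, P):
        raise ValueError("invalid DH public value")
    return pow(peer_public, x, P)


def handshake() -> Tuple[int, int, int]:
    """One session: returns (server_public, client_public, shared_secret)."""
    xs, xc = fresh_private(), fresh_private()
    ys, yc = public(xs), public(xc)
    ss, sc = shared(xs, yc), shared(xc, ys)
    assert ss == sc, "both sides must agree on the shared secret"
    return ys, yc, ss
```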
I want to become a TLS cipher master too!

Prerequisite knowledge

In TLS, a key exchange algorithm is used to exchange the values that become the material for the shared key, a shared key is generated, and that key is used to encrypt the communication. The cryptography used for key agreement is called public-key cryptography; the shared key is symmetric-key cryptography.

Public-key cryptography

- RSA
- DH
- ECDH
- DHE = DH ephemeral
- ECDHE = ECDH ephemeral

DH and ECDH rely on the discrete logarithm problem:

    g^x mod p = y

meaning that given y, p and g you cannot recover x.

Symmetric-key cryptography

- RC4 (compromised)
- DES (compromised)
- 3DES (borderline)
- ChaCha20
- AES = the most widely used and secure
- RC4 = stream cipher
- AES = block cipher

Hash functions

- MD5
- SHA-1
- SHA-2
- SHA-3

About TLS cipher suites

OK, this is the important part: the flow up to the point where communication is encrypted with TLS.

1. TLS handshake
2. The actual TLS communication starts

So what is decided in the TLS handshake? The following:

- key exchange algorithm
- signature algorithm
- cipher algorithm
- cipher mode of operation
- hash function

The key exchange algorithm is one of RSA, ECDHE and DHE written above. For the signature algorithm RSA/ECDHE can be specified, but this depends on the type of key in the server certificate that is issued. This is important. In fact, what the key exchange algorithm generates is additionally encrypted with the server certificate's private key and decrypted with the public key, and that is how authenticity is verified. This is what I wanted to know. This part matters.

What I want to remember is that key exchange with RSA involves no signature. The certificate's public key is used to encrypt the premaster secret generated by the client, which is then decrypted with the private key. With ECDHE, a public key is generated every time, and to prove the legitimacy of that public key it is signed with the private key and verified with the public key.

With RSA key exchange you have to communicate with the same public/private key pair every time, including for the premaster secret. So, as in the Snowden affair, someone can keep hoarding the encrypted traffic, somehow obtain the private key later, determine the premaster secret and thereby the contents of the communication. In other words, there is no forward secrecy. ECDHE and DHE, by contrast, generate a private key and public key every single time. I understand that. But since the private key can be inferred from the public key if you try hard enough for a number of years, I thought there was no forward secrecy either. So let's ask ChatGPT. This is what came back.

Q. The discrete logarithm problem can be solved given enough time. In principle it is possible to derive the private key from the public key used in each session. Suppose someone keeps the public key of every session and all of the encrypted traffic. Then, given enough time, they could decrypt the ciphertext, couldn't they?

...
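The five-part decomposition of a cipher suite listed above, as an added Python example (not from the original post): it parses TLS 1.2 suite names into key exchange, signature, cipher, mode and hash, records that plain RSA key exchange carries no signature, and flags suites without forward secrecy or with the compromised ciphers and hashes named above. The parser and the weak-algorithm table are my own; the suite names are the standard TLS_..._WITH_... spellings.

```python
"""Decomposing TLS 1.2 cipher-suite names into the five parts decided in the
handshake (key exchange, signature, cipher, mode, hash), as an added example
(not from the original post).  The parser and the weak-algorithm table are
mine; suite names are the standard TLS_..._WITH_... spellings.  It flags plain
RSA key exchange, which has no forward secrecy as discussed above, and the
ciphers and hashes the notes list as compromised."""
from dataclasses import dataclass
from typing import List, Optional

KEY_EXCHANGES = {"RSA", "DHE", "ECDHE", "DH", "ECDH", "PSK"}
MODES = {"CBC", "GCM", "CCM", "POLY1305"}       # POLY1305: ChaCha20's AEAD tag
BROKEN_CIPHERS = {"RC4", "DES", "3DES", "NULL"}
WEA_PLACEHOLDER = None
WEAK_HASHES = {"MD5", "SHA"}                    # "SHA" in suite names is SHA-1


@dataclass
class Suite:
    name: str
    key_exchange: str
    signature: Optional[str]   # None for RSA key transport: nothing is signed
    cipher: str
    mode: Optional[str]
    hash: str

    @property
    def forward_secret(self) -> bool:
        """Only ephemeral exchanges give each session its own key pair."""
        return self.key_exchange in {"DHE", "ECDHE"}

    def problems(self) -> List[str]:
        out: List[str] = []
        if not self.forward_secret:
            out.append(f"no forward secrecy: {self.key_exchange} key exchange "
                       "relies on the certificate's long-term key")
        base = self.cipher.split("_")[0]
        if base in BROKEN_CIPHERS:
            out.append(f"compromised cipher {base}")
        if self.hash in WEAK_HASHES:
            out.append(f"weak hash {self.hash}")
        return out


def parse_suite(name: str) -> Suite:
    """Split 'TLS_<kx>[_<sig>]_WITH_<cipher>[_<mode>]_<hash>' into its parts."""
    body = name[4:] if name.startswith("TLS_") else name
    kx_part, sep, rest = body.partition("_WITH_")
    if not sep:
        raise ValueError(f"not a TLS 1.2 style suite name: {name}")
    kx_tokens = kx_part.split("_")
    kx = kx_tokens[0]
    if kx not in KEY_EXCHANGES:
        raise ValueError(f"unknown key exchange in {name}")
    # "TLS_RSA_WITH_..." names no signature algorithm: the certificate key
    # encrypts the premaster secret instead, exactly the point made above.
    sig = kx_tokens[1] if len(kx_tokens) > 1 else None
    parts = rest.split("_")
    hash_ = parts.pop()
    mode = parts.pop() if parts and parts[-1] in MODES else None
    return Suite(name, kx, sig, "_".join(parts), mode, hash_)
```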