SlideShare une entreprise Scribd logo

Apache Traffic Server & Lua

K
Kit Chan

Apache Traffic Server & Lua

Logiciels
1  sur  45
Télécharger pour lire hors ligne
Apache Traffic Server & Lua Kit Chan (kichan@yahoo-inc.com)
Agenda • Intro • Rationale • Details • Security • Future 11/16/2014 2
Apache Traffic Server Fast, scalable and extensible HTTP/1.1 compliant caching proxy server
History with Yahoo
Lua Fast, Powerful, lightweight, embeddable scripting language
Lua Uses • mod_lua • ngx_lua • Redis • MySQL Proxy • some games/game engines(e.g World of Warcraft)
What Can They Do Together?
Apache Traffic Server API • C APIs – Http Header – Http Transaction – Statistics – Management – More!!! 11/16/2014 8
Hooks & Plugins • Plugins implemented as Continuations • Hooks to various HTTP transaction state 11/16/2014 9
Writing Plugins is Hard! • Continuation is hard to follow – “Gotos with arguments” • C/C++ code – Memory management – Complex data structure 11/16/2014 10
header_rewrite plugin • No C code for simple tasks • Use configuration files 11/16/2014 11
header_rewrite plugin # sample header_rewrite configuration file # add Cache-Control header cond %{READ_RESPONSE_HEADER_HOOK} [AND] rm-header Cache-Control add-header Cache-Control “max-age=0, public” [L] # primitive boolean operator cond %{READ_REQUEST_HEADER_HOOK} [AND] cond %{HEADER:Host} “news.yahoo.com” [OR] cond %{HEADER:Host} “sports.yahoo.com” rm-header X-Important add-header X-Important 1 [L]
header_rewrite plugin • Hard to use – Cannot define variables – No loop – No module/function • No unit test framework
Varnish • Major Competitor to ATS 11/16/2014 14
Varnish Configuration Language (VCL) • DSL to configure Varnish • Things you can do – “direct certain requests to certain backends” – “alter the requests and the responses” • Major advantage over ATS !!!
VCL //sample VCL to //remove cookie from image reqs sub vcl_recv { if (req.url ~ "^/images") { unset req.http.cookie; } } // another example to cache response for 2 minutes // if there is no cache control header sub vcl_fetch { if (beresp.ttl < 120s) { set beresp.ttl = 120s; } }
Leveling the field using Lua • Scripting Language – Simple to learn and use – Abstract user from variable types – No worry to memory management • Extensible through C APIs • Easy to embed into applications, such as ATS 11/16/2014 17
All the Glory Details
Implementation Details • ATS C APIs are wrapped as Lua Functions under a ‘ts’ module • When ATS starts, – Creates and inits Lua VM (lua_newstate()) – Load a Lua script into VM – Register hooks with functions in script • During a HTTP transaction handled by ATS, – New Lua thread (lua_newthread()) created for VM – Call Lua functions registered to HTTP transaction hooks 11/16/2014 19
Sample 11/16/2014 20 -- Lua script (cors.lua) to add CORS header to response -- for a request with matching Referer header function send_response() if ts.ctx['origin'] == nil then ts.debug("invalid referer"); else ts.client_response.header['Access-Control-Allow-Origin']=ts.ctx['origin'] end return 0 end function do_global_read_request() local referer = ts.client_request.header.Referer if referer == nil then ts.ctx['origin'] = nil else ts.ctx['origin'] = string.match(referer, "http://%a+.yahoo.com") end ts.hook(TS_LUA_HOOK_SEND_RESPONSE_HDR, send_response) return 0 end
Sample • We refer to this script file in plugin.config # inside /usr/local/etc/trafficserver/plugin.config tslua.so /usr/local/etc/trafficserver/cors.lua
Using Module 11/16/2014 22 -- cors_lib.lua contains module for adding CORS resp header -- for a request with matching Referer header local cors_lib = {} function cors_lib.send_response() ts.client_response.header['Access-Control-Allow-Origin'] = ts.ctx['origin‘] return 0 end function cors_lib.execute() local referer = ts.client_request.header.Referer if referer ~= nil then ts.ctx['origin'] = string.match(referer, "http://%a+.yahoo.com") if ts.ctx['origin'] ~= nil then ts.hook(TS_LUA_HOOK_SEND_RESPONSE_HDR, send_response) end end end return cors_lib
Using Module -- main lua script (main.lua) to be refererd in plugin.config -- read in the module defined in separate files ts.add_package_path('/usr/local/etc/trafficserver/cors_lib.lua') local cors_lib = require “cors_lib" function do_global_read_request() cors_lib.execute() return 0 end
Using Module • We can refer to the main script file in plugin.config # inside /usr/local/etc/trafficserver/plugin.config tslua.so /usr/local/etc/trafficserver/main.lua
Other Details • Open Source – Contributers from Yahoo and Taobao • Detailed Documentation Available • ATS 5.x – Luajit 2.0.3 pulled into ATS core – Compatible with lua 5.1.x – Luajit has better performance • But a 2GB limit on memory used by lua VM 11/16/2014 25
Unit Test & Code Coverage • Needs lunit & luacov • Provide mock/stub framework
Unit Test & Code Coverage 11/16/2014 27 require "lunit" require "luacov" local mock = require ‘mock’ ts = require 'ts‘ ts.setup(mock) local cors_lib = require ‘cors_lib' module( “cors_testcase", lunit.testcase ) function test_failure() mock.client_request_header[‘Referer’] = ‘http://news.yahoo.com’ cors_lib.execute() assert_equal(‘http://news.yahoo.com’, mock.client_response_header[‘Access-Control-Allow-Origin’], ‘Matched’) end
Memory Consumption • 2GB limit due to luajit • Check memory usage of your script – With the lua function - collectgarbage(“count”) • If necessary, disable luajit – Build ATS with “--disable-luajit” option – Still need lua binary for plugin to work – Lua allows custom memory allocator when creating new VM to limit memory usage 11/16/2014 28
Performance • Tested with 100K objects fetched 100 requests/s • Latency of origin server is 500ms • 3 Test cases – No plugin – header_rewrite plugin adding request/response headers – Lua script doing the same thing as above • No effect on CPU / Memory utilization • No effect on latency 11/16/2014 29
“With Great Power Comes Great Responsbility”
XSS -- /test?<script>alert('XSS');</script> function send_data() local nt = '<!DOCTYPE html><html lang="en-us"><head><title>Test</title>'.. '</head><body>'..ts.ctx['args'].. '</body></html>' local resp = 'HTTP/1.1 500 Internal Server Errorrn' .. 'Content-Type: text/htmlrn' .. 'Content-Length: ' .. (string.len(nt)) .. 'rn' .. 'Last-Modified: '..os.date("%a, %d %b %Y %H:%M:%S GMT",os.time())..'rn'.. 'Connection: keep-alivern' .. 'Cache-Control: max-age=0, privaternrn' .. nt ts.say(resp) end function do_global_read_request() local args = ts.client_request.get_uri_args() ts.ctx[‘args’] = args ts.http.intercept(send_data) end
File System Attack -- /test?test.lua function do_global_read_request() local args = ts.client_request.get_uri_args() local f = io.open(args) local result = f:read(“*a”) f:close() ts.debug(result) end
Local File Inclusion -- /test?test.lua function do_global_read_request() local args = ts.client_request.get_uri_args() dofile(“/tmp/”..args) end
Code Injection -- /test?os.clock() function do_global_read_request() local args = ts.client_request.get_uri_args() loadstring(args)() end
OS Command Injection -- /test?john function do_global_read_request() local args = ts.client_request.get_uri_args() os.execute(“ls –l /home/”..args) end
Potential Security Concerns Name of the Attack CWE (Common Weakness Enumeration) Possible Way to Prevent XSS CWE-79 Input Validation SQL Injection CWE-89 Input Validation File System Attack N/A Don’t pass user input to file system functions File Inclusion CWE-98 (for Lua as well) Don’t pass user input to require() or dofile() Code Injection CWE-94 Disable loadstring() OS Command Injection CWE-78 Disable os.execute() & io.popen()
Input/Output Validation • Important to prevent many security problems • Need to provide a library of functions
Sandboxing • Also important to disable some lua functions • Sandboxing can be done in global or functional scope function test() -- setting local environment for this function local env = { os = {clock = os.clock}, string = {find = string.find} } setfenv (1, env) print(os.clock()) -- cannot run this “os.execute(‘ls’)” end
What’s Next?
Future • Expose more ATS APIs as Lua functions • Input Validation Library • Open Source Mock/Stub framework 11/16/2014 40
TS-2281: Augment Config System to use LUA module(..., package.seeall) function config() ats.config.proxy.config.http.server_ports("8888 8443:ipv4:ssl") ats.config.proxy.config.url_remap.pristine_host_hdr(0) end function config_ssl(add) add({ dest_ip = "*", ssl_cert_name = "bar.pem", ssl_key_name = "barKey.pem" }) end function config_remap(r) r:definefilter("name", { src_ip = { "192.168.0.0-192.168.255.255", "10.0.0.0-10.255.255.255" } , method = { "PURGE", "DELETE" } , action = "allow" }) r:activatefilter("name") r:map("http://localhost:8888/special/", "http://example.com/", { src_ip = "127.0.0.1" }, { plugin = "foo.so", pparams = { "arg1", "arg2" } } ) r:deactivatefilter("name") Pseudo Code
Q & A
Thank You!
Reference 1) ATS - https://docs.trafficserver.apache.org/en/latest/sdk/how-to- create-trafficserver-plugins.en.html 2) Lua - http://www.lua.org/ 3) Computational Continuations - http://www.jquigley.com/files/talks/continuations.pdf 4) header_rewrite - https://docs.trafficserver.apache.org/en/latest/reference/plugins/hea der_rewrite.en.html 5) Varnish - https://www.varnish-cache.org/ 6) VCL - https://www.varnish-cache.org/docs/4.0/users-guide/vcl.html 7) http://www.slideshare.net/bryan_call/choosing-a-proxy-server- apachecon-2014 (Slides 47) 8) http://www.bizety.com/2014/06/11/interview-founder-of-varnish- software/ 11/16/2014 44
Reference 9) mod_lua - http://www.modlua.org/ 10) ngx_lua - https://github.com/openresty/lua-nginx-module 11) Redis - http://redis.io/ 12) Mysql-proxy - https://launchpad.net/mysql-proxy 13) Lua/World of Warcraft - http://www.wowwiki.com/Lua 14) ATS Lua Pugin Documentation - https://docs.trafficserver.apache.org/en/latest/reference/plugins/ts_lua.en.html 15) Luajit - http://luajit.org/luajit.html 16) Lunit - http://www.mroth.net/lunit/ 17) Luacov - http://luacov.luaforge.net/ 18) Custom memory allocator - http://stackoverflow.com/questions/9671793/limiting-a-lua- scripts-memory-usage 19) Lua Web Application Security Vulnerabilities - http://seclists.org/fulldisclosure/2014/May/128 20) TS-2281 - https://issues.apache.org/jira/browse/TS-2281

Recommandé

Apache Traffic Server
Apache Traffic ServerApache Traffic Server
Apache Traffic Serversupertom
 
How to Avoid Common Mistakes When Using Reactor Netty
How to Avoid Common Mistakes When Using Reactor NettyHow to Avoid Common Mistakes When Using Reactor Netty
How to Avoid Common Mistakes When Using Reactor NettyVMware Tanzu
 
Introduction to HTTP/2
Introduction to HTTP/2Introduction to HTTP/2
Introduction to HTTP/2Ido Flatow
 
HDFS Selective Wire Encryption
HDFS Selective Wire EncryptionHDFS Selective Wire Encryption
HDFS Selective Wire EncryptionKonstantin V. Shvachko
 
[164] pinpoint
[164] pinpoint[164] pinpoint
[164] pinpointNAVER D2
 
Introduction and Overview of Apache Kafka, TriHUG July 23, 2013
Introduction and Overview of Apache Kafka, TriHUG July 23, 2013Introduction and Overview of Apache Kafka, TriHUG July 23, 2013
Introduction and Overview of Apache Kafka, TriHUG July 23, 2013mumrah
 
톰캣 운영 노하우
톰캣 운영 노하우톰캣 운영 노하우
톰캣 운영 노하우jieunsys
 
From cache to in-memory data grid. Introduction to Hazelcast.
From cache to in-memory data grid. Introduction to Hazelcast.From cache to in-memory data grid. Introduction to Hazelcast.
From cache to in-memory data grid. Introduction to Hazelcast.Taras Matyashovsky
 

Recommandé

Apache Traffic Server
Apache Traffic ServerApache Traffic Server
Apache Traffic Serversupertom
 
How to Avoid Common Mistakes When Using Reactor Netty
How to Avoid Common Mistakes When Using Reactor NettyHow to Avoid Common Mistakes When Using Reactor Netty
How to Avoid Common Mistakes When Using Reactor NettyVMware Tanzu
 
Introduction to HTTP/2
Introduction to HTTP/2Introduction to HTTP/2
Introduction to HTTP/2Ido Flatow
 
HDFS Selective Wire Encryption
HDFS Selective Wire EncryptionHDFS Selective Wire Encryption
HDFS Selective Wire EncryptionKonstantin V. Shvachko
 
[164] pinpoint
[164] pinpoint[164] pinpoint
[164] pinpointNAVER D2
 
Introduction and Overview of Apache Kafka, TriHUG July 23, 2013
Introduction and Overview of Apache Kafka, TriHUG July 23, 2013Introduction and Overview of Apache Kafka, TriHUG July 23, 2013
Introduction and Overview of Apache Kafka, TriHUG July 23, 2013mumrah
 
톰캣 운영 노하우
톰캣 운영 노하우톰캣 운영 노하우
톰캣 운영 노하우jieunsys
 
From cache to in-memory data grid. Introduction to Hazelcast.
From cache to in-memory data grid. Introduction to Hazelcast.From cache to in-memory data grid. Introduction to Hazelcast.
From cache to in-memory data grid. Introduction to Hazelcast.Taras Matyashovsky
 
Docker Networking with New Ipvlan and Macvlan Drivers
Docker Networking with New Ipvlan and Macvlan DriversDocker Networking with New Ipvlan and Macvlan Drivers
Docker Networking with New Ipvlan and Macvlan DriversBrent Salisbury
 
Integrating Microservices with Apache Camel
Integrating Microservices with Apache CamelIntegrating Microservices with Apache Camel
Integrating Microservices with Apache CamelChristian Posta
 
Networking in Java with NIO and Netty
Networking in Java with NIO and NettyNetworking in Java with NIO and Netty
Networking in Java with NIO and NettyConstantine Slisenka
 
Introduction to Kotlin coroutines
Introduction to Kotlin coroutinesIntroduction to Kotlin coroutines
Introduction to Kotlin coroutinesRoman Elizarov
 
10GbE時代のネットワークI/O高速化
10GbE時代のネットワークI/O高速化10GbE時代のネットワークI/O高速化
10GbE時代のネットワークI/O高速化Takuya ASADA
 
Introduction to memcached
Introduction to memcachedIntroduction to memcached
Introduction to memcachedJurriaan Persyn
 
Distributed load testing with k6
Distributed load testing with k6Distributed load testing with k6
Distributed load testing with k6Thijs Feryn
 
Cassandra Introduction & Features
Cassandra Introduction & FeaturesCassandra Introduction & Features
Cassandra Introduction & FeaturesDataStax Academy
 
C* Summit 2013: The World's Next Top Data Model by Patrick McFadin
C* Summit 2013: The World's Next Top Data Model by Patrick McFadinC* Summit 2013: The World's Next Top Data Model by Patrick McFadin
C* Summit 2013: The World's Next Top Data Model by Patrick McFadinDataStax Academy
 
Introduction to Thrift
Introduction to ThriftIntroduction to Thrift
Introduction to ThriftDvir Volk
 
Introduction to gRPC: A general RPC framework that puts mobile and HTTP/2 fir...
Introduction to gRPC: A general RPC framework that puts mobile and HTTP/2 fir...Introduction to gRPC: A general RPC framework that puts mobile and HTTP/2 fir...
Introduction to gRPC: A general RPC framework that puts mobile and HTTP/2 fir...Codemotion
 
Tools for Metaspace
Tools for MetaspaceTools for Metaspace
Tools for MetaspaceTakahiro YAMADA
 
Understanding JWT Exploitation
Understanding JWT ExploitationUnderstanding JWT Exploitation
Understanding JWT ExploitationAkshaeyBhosale
 
Introduction to Redis
Introduction to RedisIntroduction to Redis
Introduction to RedisDvir Volk
 
プロが解説!Hinemosによる運用管理テクニック
プロが解説!Hinemosによる運用管理テクニックプロが解説!Hinemosによる運用管理テクニック
プロが解説!Hinemosによる運用管理テクニックhinemos_atomitech
 
At least onceってぶっちゃけ問題の先送りだったよね #kafkajp
At least onceってぶっちゃけ問題の先送りだったよね #kafkajpAt least onceってぶっちゃけ問題の先送りだったよね #kafkajp
At least onceってぶっちゃけ問題の先送りだったよね #kafkajpYahoo!デベロッパーネットワーク
 
Alfresco CMIS
Alfresco CMISAlfresco CMIS
Alfresco CMISAlfresco Software
 
実運用して分かったRabbit MQの良いところ・気をつけること #jjug
実運用して分かったRabbit MQの良いところ・気をつけること #jjug実運用して分かったRabbit MQの良いところ・気をつけること #jjug
実運用して分かったRabbit MQの良いところ・気をつけること #jjugYahoo!デベロッパーネットワーク
 
HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0
HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0
HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0Cory Forsyth
 
The innerHTML Apocalypse
The innerHTML ApocalypseThe innerHTML Apocalypse
The innerHTML ApocalypseMario Heiderich
 
OGDC2012 Lua In Game_Mr. Van, Nguyen Ngoc
OGDC2012 Lua In Game_Mr. Van, Nguyen NgocOGDC2012 Lua In Game_Mr. Van, Nguyen Ngoc
OGDC2012 Lua In Game_Mr. Van, Nguyen NgocBuff Nguyen
 
Benefits/tutorial of Lua in games
Benefits/tutorial of Lua in gamesBenefits/tutorial of Lua in games
Benefits/tutorial of Lua in gamesaction.vn
 

Contenu connexe

Tendances

Docker Networking with New Ipvlan and Macvlan Drivers
Docker Networking with New Ipvlan and Macvlan DriversDocker Networking with New Ipvlan and Macvlan Drivers
Docker Networking with New Ipvlan and Macvlan DriversBrent Salisbury
 
Integrating Microservices with Apache Camel
Integrating Microservices with Apache CamelIntegrating Microservices with Apache Camel
Integrating Microservices with Apache CamelChristian Posta
 
Networking in Java with NIO and Netty
Networking in Java with NIO and NettyNetworking in Java with NIO and Netty
Networking in Java with NIO and NettyConstantine Slisenka
 
Introduction to Kotlin coroutines
Introduction to Kotlin coroutinesIntroduction to Kotlin coroutines
Introduction to Kotlin coroutinesRoman Elizarov
 
10GbE時代のネットワークI/O高速化
10GbE時代のネットワークI/O高速化10GbE時代のネットワークI/O高速化
10GbE時代のネットワークI/O高速化Takuya ASADA
 
Introduction to memcached
Introduction to memcachedIntroduction to memcached
Introduction to memcachedJurriaan Persyn
 
Distributed load testing with k6
Distributed load testing with k6Distributed load testing with k6
Distributed load testing with k6Thijs Feryn
 
Cassandra Introduction & Features
Cassandra Introduction & FeaturesCassandra Introduction & Features
Cassandra Introduction & FeaturesDataStax Academy
 
C* Summit 2013: The World's Next Top Data Model by Patrick McFadin
C* Summit 2013: The World's Next Top Data Model by Patrick McFadinC* Summit 2013: The World's Next Top Data Model by Patrick McFadin
C* Summit 2013: The World's Next Top Data Model by Patrick McFadinDataStax Academy
 
Introduction to Thrift
Introduction to ThriftIntroduction to Thrift
Introduction to ThriftDvir Volk
 
Introduction to gRPC: A general RPC framework that puts mobile and HTTP/2 fir...
Introduction to gRPC: A general RPC framework that puts mobile and HTTP/2 fir...Introduction to gRPC: A general RPC framework that puts mobile and HTTP/2 fir...
Introduction to gRPC: A general RPC framework that puts mobile and HTTP/2 fir...Codemotion
 
Understanding JWT Exploitation
Understanding JWT ExploitationUnderstanding JWT Exploitation
Understanding JWT ExploitationAkshaeyBhosale
 
Introduction to Redis
Introduction to RedisIntroduction to Redis
Introduction to RedisDvir Volk
 
プロが解説!Hinemosによる運用管理テクニック
プロが解説!Hinemosによる運用管理テクニックプロが解説!Hinemosによる運用管理テクニック
プロが解説!Hinemosによる運用管理テクニックhinemos_atomitech
 
実運用して分かったRabbit MQの良いところ・気をつけること #jjug
実運用して分かったRabbit MQの良いところ・気をつけること #jjug実運用して分かったRabbit MQの良いところ・気をつけること #jjug
実運用して分かったRabbit MQの良いところ・気をつけること #jjugYahoo!デベロッパーネットワーク
 
HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0
HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0
HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0Cory Forsyth
 
The innerHTML Apocalypse
The innerHTML ApocalypseThe innerHTML Apocalypse
The innerHTML ApocalypseMario Heiderich
 

Tendances (20)

Docker Networking with New Ipvlan and Macvlan Drivers
Docker Networking with New Ipvlan and Macvlan DriversDocker Networking with New Ipvlan and Macvlan Drivers
Docker Networking with New Ipvlan and Macvlan Drivers
 
Integrating Microservices with Apache Camel
Integrating Microservices with Apache CamelIntegrating Microservices with Apache Camel
Integrating Microservices with Apache Camel
 
Networking in Java with NIO and Netty
Networking in Java with NIO and NettyNetworking in Java with NIO and Netty
Networking in Java with NIO and Netty
 
Introduction to Kotlin coroutines
Introduction to Kotlin coroutinesIntroduction to Kotlin coroutines
Introduction to Kotlin coroutines
 
10GbE時代のネットワークI/O高速化
10GbE時代のネットワークI/O高速化10GbE時代のネットワークI/O高速化
10GbE時代のネットワークI/O高速化
 
Introduction to memcached
Introduction to memcachedIntroduction to memcached
Introduction to memcached
 
Distributed load testing with k6
Distributed load testing with k6Distributed load testing with k6
Distributed load testing with k6
 
Cassandra Introduction & Features
Cassandra Introduction & FeaturesCassandra Introduction & Features
Cassandra Introduction & Features
 
C* Summit 2013: The World's Next Top Data Model by Patrick McFadin
C* Summit 2013: The World's Next Top Data Model by Patrick McFadinC* Summit 2013: The World's Next Top Data Model by Patrick McFadin
C* Summit 2013: The World's Next Top Data Model by Patrick McFadin
 
Introduction to Thrift
Introduction to ThriftIntroduction to Thrift
Introduction to Thrift
 
Introduction to gRPC: A general RPC framework that puts mobile and HTTP/2 fir...
Introduction to gRPC: A general RPC framework that puts mobile and HTTP/2 fir...Introduction to gRPC: A general RPC framework that puts mobile and HTTP/2 fir...
Introduction to gRPC: A general RPC framework that puts mobile and HTTP/2 fir...
 
Tools for Metaspace
Tools for MetaspaceTools for Metaspace
Tools for Metaspace
 
Understanding JWT Exploitation
Understanding JWT ExploitationUnderstanding JWT Exploitation
Understanding JWT Exploitation
 
Introduction to Redis
Introduction to RedisIntroduction to Redis
Introduction to Redis
 
プロが解説!Hinemosによる運用管理テクニック
プロが解説!Hinemosによる運用管理テクニックプロが解説!Hinemosによる運用管理テクニック
プロが解説!Hinemosによる運用管理テクニック
 
At least onceってぶっちゃけ問題の先送りだったよね #kafkajp
At least onceってぶっちゃけ問題の先送りだったよね #kafkajpAt least onceってぶっちゃけ問題の先送りだったよね #kafkajp
At least onceってぶっちゃけ問題の先送りだったよね #kafkajp
 
Alfresco CMIS
Alfresco CMISAlfresco CMIS
Alfresco CMIS
 
実運用して分かったRabbit MQの良いところ・気をつけること #jjug
実運用して分かったRabbit MQの良いところ・気をつけること #jjug実運用して分かったRabbit MQの良いところ・気をつけること #jjug
実運用して分かったRabbit MQの良いところ・気をつけること #jjug
 
HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0
HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0
HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0
 
The innerHTML Apocalypse
The innerHTML ApocalypseThe innerHTML Apocalypse
The innerHTML Apocalypse
 

Similaire à Apache Traffic Server & Lua

OGDC2012 Lua In Game_Mr. Van, Nguyen Ngoc
OGDC2012 Lua In Game_Mr. Van, Nguyen NgocOGDC2012 Lua In Game_Mr. Van, Nguyen Ngoc
OGDC2012 Lua In Game_Mr. Van, Nguyen NgocBuff Nguyen
 
Benefits/tutorial of Lua in games
Benefits/tutorial of Lua in gamesBenefits/tutorial of Lua in games
Benefits/tutorial of Lua in gamesaction.vn
 
Java on Windows Azure (Cloud Computing Expo 2010)
Java on Windows Azure (Cloud Computing Expo 2010)Java on Windows Azure (Cloud Computing Expo 2010)
Java on Windows Azure (Cloud Computing Expo 2010)David Chou
 
Introducing Node.js in an Oracle technology environment (including hands-on)
Introducing Node.js in an Oracle technology environment (including hands-on)Introducing Node.js in an Oracle technology environment (including hands-on)
Introducing Node.js in an Oracle technology environment (including hands-on)Lucas Jellema
 
Serverless Pune meetup 3
Serverless Pune meetup 3Serverless Pune meetup 3
Serverless Pune meetup 3Vishal Biyani
 
Fighting Against Chaotically Separated Values with Embulk
Fighting Against Chaotically Separated Values with EmbulkFighting Against Chaotically Separated Values with Embulk
Fighting Against Chaotically Separated Values with EmbulkSadayuki Furuhashi
 
(ATS4-PLAT01) Core Architecture Changes in AEP 9.0 and their Impact on Admini...
(ATS4-PLAT01) Core Architecture Changes in AEP 9.0 and their Impact on Admini...(ATS4-PLAT01) Core Architecture Changes in AEP 9.0 and their Impact on Admini...
(ATS4-PLAT01) Core Architecture Changes in AEP 9.0 and their Impact on Admini...BIOVIA
 
Openstack Cactus Survey
Openstack Cactus SurveyOpenstack Cactus Survey
Openstack Cactus SurveyPjack Chen
 
Give your little scripts big wings: Using cron in the cloud with Amazon Simp...
Give your little scripts big wings: Using cron in the cloud with Amazon Simp...Give your little scripts big wings: Using cron in the cloud with Amazon Simp...
Give your little scripts big wings: Using cron in the cloud with Amazon Simp...Amazon Web Services
 
WebSphere Application Server Liberty Profile and Docker
WebSphere Application Server Liberty Profile and DockerWebSphere Application Server Liberty Profile and Docker
WebSphere Application Server Liberty Profile and DockerDavid Currie
 
One daytalk hbraun_oct2011
One daytalk hbraun_oct2011One daytalk hbraun_oct2011
One daytalk hbraun_oct2011hbraun
 
KubeCon 2017: Kubernetes from Dev to Prod
KubeCon 2017: Kubernetes from Dev to ProdKubeCon 2017: Kubernetes from Dev to Prod
KubeCon 2017: Kubernetes from Dev to ProdSubhas Dandapani
 
Tech-Spark: SQL Server on Linux
Tech-Spark: SQL Server on LinuxTech-Spark: SQL Server on Linux
Tech-Spark: SQL Server on LinuxRalph Attard
 
Spark Summit EU talk by Mike Percy
Spark Summit EU talk by Mike PercySpark Summit EU talk by Mike Percy
Spark Summit EU talk by Mike PercySpark Summit
 
Was liberty profile and docker
Was liberty profile and dockerWas liberty profile and docker
Was liberty profile and dockersflynn073
 
Kubernetes Manchester - 6th December 2018
Kubernetes Manchester - 6th December 2018Kubernetes Manchester - 6th December 2018
Kubernetes Manchester - 6th December 2018David Stockton
 
Kamailio - Unifying SIP and Web Worlds with Lua
Kamailio - Unifying SIP and Web Worlds with LuaKamailio - Unifying SIP and Web Worlds with Lua
Kamailio - Unifying SIP and Web Worlds with LuaDaniel-Constantin Mierla
 

Similaire à Apache Traffic Server & Lua (20)

OGDC2012 Lua In Game_Mr. Van, Nguyen Ngoc
OGDC2012 Lua In Game_Mr. Van, Nguyen NgocOGDC2012 Lua In Game_Mr. Van, Nguyen Ngoc
OGDC2012 Lua In Game_Mr. Van, Nguyen Ngoc
 
Benefits/tutorial of Lua in games
Benefits/tutorial of Lua in gamesBenefits/tutorial of Lua in games
Benefits/tutorial of Lua in games
 
Java on Windows Azure (Cloud Computing Expo 2010)
Java on Windows Azure (Cloud Computing Expo 2010)Java on Windows Azure (Cloud Computing Expo 2010)
Java on Windows Azure (Cloud Computing Expo 2010)
 
Introducing Node.js in an Oracle technology environment (including hands-on)
Introducing Node.js in an Oracle technology environment (including hands-on)Introducing Node.js in an Oracle technology environment (including hands-on)
Introducing Node.js in an Oracle technology environment (including hands-on)
 
Serverless Pune meetup 3
Serverless Pune meetup 3Serverless Pune meetup 3
Serverless Pune meetup 3
 
Fighting Against Chaotically Separated Values with Embulk
Fighting Against Chaotically Separated Values with EmbulkFighting Against Chaotically Separated Values with Embulk
Fighting Against Chaotically Separated Values with Embulk
 
What is CF
What is CFWhat is CF
What is CF
 
GoDocker presentation
GoDocker presentationGoDocker presentation
GoDocker presentation
 
(ATS4-PLAT01) Core Architecture Changes in AEP 9.0 and their Impact on Admini...
(ATS4-PLAT01) Core Architecture Changes in AEP 9.0 and their Impact on Admini...(ATS4-PLAT01) Core Architecture Changes in AEP 9.0 and their Impact on Admini...
(ATS4-PLAT01) Core Architecture Changes in AEP 9.0 and their Impact on Admini...
 
Openstack Cactus Survey
Openstack Cactus SurveyOpenstack Cactus Survey
Openstack Cactus Survey
 
Give your little scripts big wings: Using cron in the cloud with Amazon Simp...
Give your little scripts big wings: Using cron in the cloud with Amazon Simp...Give your little scripts big wings: Using cron in the cloud with Amazon Simp...
Give your little scripts big wings: Using cron in the cloud with Amazon Simp...
 
WebSphere Application Server Liberty Profile and Docker
WebSphere Application Server Liberty Profile and DockerWebSphere Application Server Liberty Profile and Docker
WebSphere Application Server Liberty Profile and Docker
 
One daytalk hbraun_oct2011
One daytalk hbraun_oct2011One daytalk hbraun_oct2011
One daytalk hbraun_oct2011
 
TechBeats #2
TechBeats #2TechBeats #2
TechBeats #2
 
KubeCon 2017: Kubernetes from Dev to Prod
KubeCon 2017: Kubernetes from Dev to ProdKubeCon 2017: Kubernetes from Dev to Prod
KubeCon 2017: Kubernetes from Dev to Prod
 
Tech-Spark: SQL Server on Linux
Tech-Spark: SQL Server on LinuxTech-Spark: SQL Server on Linux
Tech-Spark: SQL Server on Linux
 
Spark Summit EU talk by Mike Percy
Spark Summit EU talk by Mike PercySpark Summit EU talk by Mike Percy
Spark Summit EU talk by Mike Percy
 
Was liberty profile and docker
Was liberty profile and dockerWas liberty profile and docker
Was liberty profile and docker
 
Kubernetes Manchester - 6th December 2018
Kubernetes Manchester - 6th December 2018Kubernetes Manchester - 6th December 2018
Kubernetes Manchester - 6th December 2018
 
Kamailio - Unifying SIP and Web Worlds with Lua
Kamailio - Unifying SIP and Web Worlds with LuaKamailio - Unifying SIP and Web Worlds with Lua
Kamailio - Unifying SIP and Web Worlds with Lua
 

Plus de Kit Chan

Experience with jemalloc
Experience with jemallocExperience with jemalloc
Experience with jemallocKit Chan
 
Benchmarking for HTTP/2
Benchmarking for HTTP/2Benchmarking for HTTP/2
Benchmarking for HTTP/2Kit Chan
 
Life on the Edge with ESI
Life on the Edge with ESILife on the Edge with ESI
Life on the Edge with ESIKit Chan
 
Learning from Captain Kirk, Spock and Crew of the Enterprise
Learning from Captain Kirk, Spock and Crew of the EnterpriseLearning from Captain Kirk, Spock and Crew of the Enterprise
Learning from Captain Kirk, Spock and Crew of the EnterpriseKit Chan
 
Yahoo's Adventure with ATS
Yahoo's Adventure with ATSYahoo's Adventure with ATS
Yahoo's Adventure with ATSKit Chan
 
Life on the Edge with ESI
Life on the Edge with ESILife on the Edge with ESI
Life on the Edge with ESIKit Chan
 
Failsafe Mechanism for Yahoo Homepage
Failsafe Mechanism for Yahoo HomepageFailsafe Mechanism for Yahoo Homepage
Failsafe Mechanism for Yahoo HomepageKit Chan
 
Replacing Squid with ATS
Replacing Squid with ATSReplacing Squid with ATS
Replacing Squid with ATSKit Chan
 

Plus de Kit Chan (8)

Experience with jemalloc
Experience with jemallocExperience with jemalloc
Experience with jemalloc
 
Benchmarking for HTTP/2
Benchmarking for HTTP/2Benchmarking for HTTP/2
Benchmarking for HTTP/2
 
Life on the Edge with ESI
Life on the Edge with ESILife on the Edge with ESI
Life on the Edge with ESI
 
Learning from Captain Kirk, Spock and Crew of the Enterprise
Learning from Captain Kirk, Spock and Crew of the EnterpriseLearning from Captain Kirk, Spock and Crew of the Enterprise
Learning from Captain Kirk, Spock and Crew of the Enterprise
 
Yahoo's Adventure with ATS
Yahoo's Adventure with ATSYahoo's Adventure with ATS
Yahoo's Adventure with ATS
 
Life on the Edge with ESI
Life on the Edge with ESILife on the Edge with ESI
Life on the Edge with ESI
 
Failsafe Mechanism for Yahoo Homepage
Failsafe Mechanism for Yahoo HomepageFailsafe Mechanism for Yahoo Homepage
Failsafe Mechanism for Yahoo Homepage
 
Replacing Squid with ATS
Replacing Squid with ATSReplacing Squid with ATS
Replacing Squid with ATS
 

Dernier

Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...soniya singh
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about usDynamic Netsoft
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataBradBedford3
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationkaushalgiri8080
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️anilsa9823
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantAxelRicardoTrocheRiq
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
Active Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfActive Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfCionsystems
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
What is Binary Language? Computer Number Systems
What is Binary Language? Computer Number SystemsWhat is Binary Language? Computer Number Systems
What is Binary Language? Computer Number SystemsJheuzeDellosa
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfjoe51371421
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackVICTOR MAESTRE RAMIREZ
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)OPEN KNOWLEDGE GmbH
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsAndolasoft Inc
 

Dernier (20)

Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about us
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanation
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service Consultant
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
Active Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfActive Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdf
 
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
What is Binary Language? Computer Number Systems
What is Binary Language? Computer Number SystemsWhat is Binary Language? Computer Number Systems
What is Binary Language? Computer Number Systems
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdf
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStack
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 

Apache Traffic Server & Lua

  • 1. Apache Traffic Server & Lua Kit Chan (kichan@yahoo-inc.com)
  • 2. Agenda • Intro • Rationale • Details • Security • Future 11/16/2014 2
  • 3. Apache Traffic Server Fast, scalable and extensible HTTP/1.1 compliant caching proxy server
  • 5. Lua Fast, Powerful, lightweight, embeddable scripting language
  • 6. Lua Uses • mod_lua • ngx_lua • Redis • MySQL Proxy • some games/game engines(e.g World of Warcraft)
  • 7. What Can They Do Together?
  • 8. Apache Traffic Server API • C APIs – Http Header – Http Transaction – Statistics – Management – More!!! 11/16/2014 8
  • 9. Hooks & Plugins • Plugins implemented as Continuations • Hooks to various HTTP transaction state 11/16/2014 9
  • 10. Writing Plugins is Hard! • Continuation is hard to follow – “Gotos with arguments” • C/C++ code – Memory management – Complex data structure 11/16/2014 10
  • 11. header_rewrite plugin • No C code for simple tasks • Use configuration files 11/16/2014 11
  • 12. header_rewrite plugin # sample header_rewrite configuration file # add Cache-Control header cond %{READ_RESPONSE_HEADER_HOOK} [AND] rm-header Cache-Control add-header Cache-Control “max-age=0, public” [L] # primitive boolean operator cond %{READ_REQUEST_HEADER_HOOK} [AND] cond %{HEADER:Host} “news.yahoo.com” [OR] cond %{HEADER:Host} “sports.yahoo.com” rm-header X-Important add-header X-Important 1 [L]
  • 13. header_rewrite plugin • Hard to use – Cannot define variables – No loop – No module/function • No unit test framework
  • 14. Varnish • Major Competitor to ATS 11/16/2014 14
  • 15. Varnish Configuration Language (VCL) • DSL to configure Varnish • Things you can do – “direct certain requests to certain backends” – “alter the requests and the responses” • Major advantage over ATS !!!
  • 16. VCL //sample VCL to //remove cookie from image reqs sub vcl_recv { if (req.url ~ "^/images") { unset req.http.cookie; } } // another example to cache response for 2 minutes // if there is no cache control header sub vcl_fetch { if (beresp.ttl < 120s) { set beresp.ttl = 120s; } }
  • 17. Leveling the field using Lua • Scripting Language – Simple to learn and use – Abstract user from variable types – No worry to memory management • Extensible through C APIs • Easy to embed into applications, such as ATS 11/16/2014 17
  • 18. All the Glory Details
  • 19. Implementation Details • ATS C APIs are wrapped as Lua Functions under a ‘ts’ module • When ATS starts, – Creates and inits Lua VM (lua_newstate()) – Load a Lua script into VM – Register hooks with functions in script • During a HTTP transaction handled by ATS, – New Lua thread (lua_newthread()) created for VM – Call Lua functions registered to HTTP transaction hooks 11/16/2014 19
  • 20. Sample 11/16/2014 20 -- Lua script (cors.lua) to add CORS header to response -- for a request with matching Referer header function send_response() if ts.ctx['origin'] == nil then ts.debug("invalid referer"); else ts.client_response.header['Access-Control-Allow-Origin']=ts.ctx['origin'] end return 0 end function do_global_read_request() local referer = ts.client_request.header.Referer if referer == nil then ts.ctx['origin'] = nil else ts.ctx['origin'] = string.match(referer, "http://%a+.yahoo.com") end ts.hook(TS_LUA_HOOK_SEND_RESPONSE_HDR, send_response) return 0 end
  • 21. Sample • We refer to this script file in plugin.config # inside /usr/local/etc/trafficserver/plugin.config tslua.so /usr/local/etc/trafficserver/cors.lua
  • 22. Using Module 11/16/2014 22 -- cors_lib.lua contains module for adding CORS resp header -- for a request with matching Referer header local cors_lib = {} function cors_lib.send_response() ts.client_response.header['Access-Control-Allow-Origin'] = ts.ctx['origin‘] return 0 end function cors_lib.execute() local referer = ts.client_request.header.Referer if referer ~= nil then ts.ctx['origin'] = string.match(referer, "http://%a+.yahoo.com") if ts.ctx['origin'] ~= nil then ts.hook(TS_LUA_HOOK_SEND_RESPONSE_HDR, send_response) end end end return cors_lib
  • 23. Using Module -- main lua script (main.lua) to be refererd in plugin.config -- read in the module defined in separate files ts.add_package_path('/usr/local/etc/trafficserver/cors_lib.lua') local cors_lib = require “cors_lib" function do_global_read_request() cors_lib.execute() return 0 end
  • 24. Using Module • We can refer to the main script file in plugin.config # inside /usr/local/etc/trafficserver/plugin.config tslua.so /usr/local/etc/trafficserver/main.lua
  • 25. Other Details • Open Source – Contributers from Yahoo and Taobao • Detailed Documentation Available • ATS 5.x – Luajit 2.0.3 pulled into ATS core – Compatible with lua 5.1.x – Luajit has better performance • But a 2GB limit on memory used by lua VM 11/16/2014 25
  • 26. Unit Test & Code Coverage • Needs lunit & luacov • Provide mock/stub framework
  • 27. Unit Test & Code Coverage 11/16/2014 27 require "lunit" require "luacov" local mock = require ‘mock’ ts = require 'ts‘ ts.setup(mock) local cors_lib = require ‘cors_lib' module( “cors_testcase", lunit.testcase ) function test_failure() mock.client_request_header[‘Referer’] = ‘http://news.yahoo.com’ cors_lib.execute() assert_equal(‘http://news.yahoo.com’, mock.client_response_header[‘Access-Control-Allow-Origin’], ‘Matched’) end
  • 28. Memory Consumption • 2GB limit due to luajit • Check memory usage of your script – With the lua function - collectgarbage(“count”) • If necessary, disable luajit – Build ATS with “--disable-luajit” option – Still need lua binary for plugin to work – Lua allows custom memory allocator when creating new VM to limit memory usage 11/16/2014 28
  • 29. Performance • Tested with 100K objects fetched 100 requests/s • Latency of origin server is 500ms • 3 Test cases – No plugin – header_rewrite plugin adding request/response headers – Lua script doing the same thing as above • No effect on CPU / Memory utilization • No effect on latency 11/16/2014 29
  • 30. “With Great Power Comes Great Responsbility”
  • 31. XSS -- /test?<script>alert('XSS');</script> function send_data() local nt = '<!DOCTYPE html><html lang="en-us"><head><title>Test</title>'.. '</head><body>'..ts.ctx['args'].. '</body></html>' local resp = 'HTTP/1.1 500 Internal Server Errorrn' .. 'Content-Type: text/htmlrn' .. 'Content-Length: ' .. (string.len(nt)) .. 'rn' .. 'Last-Modified: '..os.date("%a, %d %b %Y %H:%M:%S GMT",os.time())..'rn'.. 'Connection: keep-alivern' .. 'Cache-Control: max-age=0, privaternrn' .. nt ts.say(resp) end function do_global_read_request() local args = ts.client_request.get_uri_args() ts.ctx[‘args’] = args ts.http.intercept(send_data) end
  • 32. File System Attack -- /test?test.lua function do_global_read_request() local args = ts.client_request.get_uri_args() local f = io.open(args) local result = f:read(“*a”) f:close() ts.debug(result) end
  • 33. Local File Inclusion -- /test?test.lua function do_global_read_request() local args = ts.client_request.get_uri_args() dofile(“/tmp/”..args) end
  • 34. Code Injection -- /test?os.clock() function do_global_read_request() local args = ts.client_request.get_uri_args() loadstring(args)() end
  • 35. OS Command Injection -- /test?john function do_global_read_request() local args = ts.client_request.get_uri_args() os.execute(“ls –l /home/”..args) end
  • 36. Potential Security Concerns Name of the Attack CWE (Common Weakness Enumeration) Possible Way to Prevent XSS CWE-79 Input Validation SQL Injection CWE-89 Input Validation File System Attack N/A Don’t pass user input to file system functions File Inclusion CWE-98 (for Lua as well) Don’t pass user input to require() or dofile() Code Injection CWE-94 Disable loadstring() OS Command Injection CWE-78 Disable os.execute() & io.popen()
  • 37. Input/Output Validation • Important to prevent many security problems • Need to provide a library of functions
  • 38. Sandboxing • Also important to disable some lua functions • Sandboxing can be done in global or functional scope function test() -- setting local environment for this function local env = { os = {clock = os.clock}, string = {find = string.find} } setfenv (1, env) print(os.clock()) -- cannot run this “os.execute(‘ls’)” end
  • 40. Future • Expose more ATS APIs as Lua functions • Input Validation Library • Open Source Mock/Stub framework 11/16/2014 40
  • 41. TS-2281: Augment Config System to use LUA module(..., package.seeall) function config() ats.config.proxy.config.http.server_ports("8888 8443:ipv4:ssl") ats.config.proxy.config.url_remap.pristine_host_hdr(0) end function config_ssl(add) add({ dest_ip = "*", ssl_cert_name = "bar.pem", ssl_key_name = "barKey.pem" }) end function config_remap(r) r:definefilter("name", { src_ip = { "192.168.0.0-192.168.255.255", "10.0.0.0-10.255.255.255" } , method = { "PURGE", "DELETE" } , action = "allow" }) r:activatefilter("name") r:map("http://localhost:8888/special/", "http://example.com/", { src_ip = "127.0.0.1" }, { plugin = "foo.so", pparams = { "arg1", "arg2" } } ) r:deactivatefilter("name") Pseudo Code
  • 42. Q & A
  • 44. Reference 1) ATS - https://docs.trafficserver.apache.org/en/latest/sdk/how-to- create-trafficserver-plugins.en.html 2) Lua - http://www.lua.org/ 3) Computational Continuations - http://www.jquigley.com/files/talks/continuations.pdf 4) header_rewrite - https://docs.trafficserver.apache.org/en/latest/reference/plugins/hea der_rewrite.en.html 5) Varnish - https://www.varnish-cache.org/ 6) VCL - https://www.varnish-cache.org/docs/4.0/users-guide/vcl.html 7) http://www.slideshare.net/bryan_call/choosing-a-proxy-server- apachecon-2014 (Slides 47) 8) http://www.bizety.com/2014/06/11/interview-founder-of-varnish- software/ 11/16/2014 44
  • 45. Reference 9) mod_lua - http://www.modlua.org/ 10) ngx_lua - https://github.com/openresty/lua-nginx-module 11) Redis - http://redis.io/ 12) Mysql-proxy - https://launchpad.net/mysql-proxy 13) Lua/World of Warcraft - http://www.wowwiki.com/Lua 14) ATS Lua Pugin Documentation - https://docs.trafficserver.apache.org/en/latest/reference/plugins/ts_lua.en.html 15) Luajit - http://luajit.org/luajit.html 16) Lunit - http://www.mroth.net/lunit/ 17) Luacov - http://luacov.luaforge.net/ 18) Custom memory allocator - http://stackoverflow.com/questions/9671793/limiting-a-lua- scripts-memory-usage 19) Lua Web Application Security Vulnerabilities - http://seclists.org/fulldisclosure/2014/May/128 20) TS-2281 - https://issues.apache.org/jira/browse/TS-2281