Registering a whitelist for Rescale connections on an on-premises proxy

We received a request to set up a whitelist on an on-premises proxy so that it permits connections to Rescale.

This post therefore discusses which addresses need to be registered in the whitelist for connecting to Rescale.

Whitelist for connecting to Rescale

The short answer: if Amazon S3 is selected as your default storage, registering the following two host names is sufficient.

  1. platform.rescale.jp
  2. jpprod-rescale-platform.s3-ap-northeast-1.amazonaws.com

Both are reached over HTTPS (TCP port 443), as the packet capture below shows, so the proxy must permit CONNECT to port 443 for these two hosts.

Whether you use the browser or the API, Rescale basically communicates through the Rescale platform, i.e. platform.rescale.jp. There is one exception, however.

Direct access to cloud storage during high-speed file transfer

If you choose "fast" in the Rescale CLI or in the browser's file-transfer mode, the client accesses the cloud storage directly to speed up the transfer.

In this mode the file is encrypted locally before upload, and the encrypted file is then sent over TLSv1.2, so the data is protected both in transit and as the object that lands in the bucket. In that sense this path is even more robust than calling the raw API through the platform.

In summary, besides platform.rescale.jp, the FQDN used for this direct S3 access, jpprod-rescale-platform.s3-ap-northeast-1.amazonaws.com, must also be registered on the proxy. Register the host names rather than the resolved IP addresses: as the DNS responses in the capture below show, both names are CNAMEs to shared AWS endpoints (ec2-*.ap-northeast-1.compute.amazonaws.com and s3-r-w.ap-northeast-1.amazonaws.com), whose addresses are not guaranteed to stay the same.

Verification by packet analysis (file upload)

To dig a little deeper, I analysed the traffic with Wireshark.

To extract the relevant packets, I selected "Packet bytes" in Wireshark's Find Packet dialog and searched for the string "rescale", as shown in the figure below.

[Figure: Wireshark Find Packet dialog with "Packet bytes" selected and the search string "rescale"]

The results are shown below. Looking at the rows whose protocol is DNS, you can confirm that jpprod-rescale-platform.s3-ap-northeast-1.amazonaws.com does appear (No. 159 to 161), followed immediately by a TCP connection to port 443 of the address it resolved to, 52.219.4.79 (No. 165 onward).

As expected, when only the API is used this address does not appear in the capture.

Analysis results

Packet analysis results. Because only communication with Rescale was extracted, the values in the "No." column are not consecutive. A few unrelated packets also slipped into the listing (the STP frames at No. 93, 122 and 166, and No. 138 to 17.252.157.4 port 5223); they can be ignored.

No. Time Source Destination Protocol Length Info
66 1.666408 192.168.100.111 54.64.177.245 TLSv1.2 583 Client Hello
67 1.739548 54.64.177.245 192.168.100.111 TLSv1.2 1434 Server Hello
68 1.740004 54.64.177.245 192.168.100.111 TCP 1434 [TCP segment of a reassembled PDU]
69 1.740079 192.168.100.111 54.64.177.245 TCP 66 62630 > 443 [ACK] Seq=518 Ack=2737 Win=129696 Len=0 TSval=128616939 TSecr=776176988
70 1.740442 54.64.177.245 192.168.100.111 TCP 1434 [TCP segment of a reassembled PDU]
71 1.740447 54.64.177.245 192.168.100.111 TLSv1.2 731 Certificate
72 1.740538 192.168.100.111 54.64.177.245 TCP 66 62630 > 443 [ACK] Seq=518 Ack=4770 Win=129024 Len=0 TSval=128616939 TSecr=776176988
73 1.741555 192.168.100.111 54.64.177.245 TLSv1.2 192 Client Key Exchange
74 1.795048 54.64.177.245 192.168.100.111 TLSv1.2 324 New Session Ticket
75 1.795127 192.168.100.111 54.64.177.245 TCP 66 62630 > 443 [ACK] Seq=644 Ack=5028 Win=130784 Len=0 TSval=128616994 TSecr=776177002
76 1.799505 192.168.100.111 54.64.177.245 TCP 1434 [TCP segment of a reassembled PDU]
77 1.799506 192.168.100.111 54.64.177.245 TLSv1.2 382 Application Data
78 1.854933 54.64.177.245 192.168.100.111 TCP 66 443 > 62630 [ACK] Seq=5028 Ack=2328 Win=33408 Len=0 TSval=776177017 TSecr=128616998
79 1.863898 54.64.177.245 192.168.100.111 TLSv1.2 569 Application Data
80 1.864044 54.64.177.245 192.168.100.111 TLSv1.2 153 Application Data
81 1.864050 54.64.177.245 192.168.100.111 TLSv1.2 100 Application Data
82 1.864066 192.168.100.111 54.64.177.245 TCP 66 62552 > 443 [ACK] Seq=3380 Ack=14606 Win=4080 Len=0 TSval=128617061 TSecr=776177018
83 1.864109 192.168.100.111 54.64.177.245 TCP 66 62552 > 443 [ACK] Seq=3380 Ack=14693 Win=4093 Len=0 TSval=128617061 TSecr=776177018
84 1.864109 192.168.100.111 54.64.177.245 TCP 66 62552 > 443 [ACK] Seq=3380 Ack=14727 Win=4092 Len=0 TSval=128617061 TSecr=776177019
85 1.903496 54.64.177.245 192.168.100.111 TLSv1.2 627 Application Data
86 1.903499 54.64.177.245 192.168.100.111 TLSv1.2 100 Application Data
87 1.903553 192.168.100.111 54.64.177.245 TCP 66 62598 > 443 [ACK] Seq=3402 Ack=1186 Win=4078 Len=0 TSval=128617098 TSecr=776177029
88 1.903554 192.168.100.111 54.64.177.245 TCP 66 62598 > 443 [ACK] Seq=3402 Ack=1220 Win=4077 Len=0 TSval=128617098 TSecr=776177029
89 1.984986 54.64.177.245 192.168.100.111 TLSv1.2 635 Application Data
90 1.984991 54.64.177.245 192.168.100.111 TLSv1.2 100 Application Data
91 1.985068 192.168.100.111 54.64.177.245 TCP 66 62630 > 443 [ACK] Seq=2328 Ack=5597 Win=130496 Len=0 TSval=128617178 TSecr=776177049
92 1.985068 192.168.100.111 54.64.177.245 TCP 66 62630 > 443 [ACK] Seq=2328 Ack=5631 Win=130464 Len=0 TSval=128617178 TSecr=776177049
93 2.326767 HuaweiTe_69:79:25 Spanning-tree-(for-bridges)_00 STP 52 Conf. Root = 32768/0/a4:71:74:69:79:24 Cost = 0 Port = 0x8002
94 2.594332 192.168.100.111 130.211.38.145 TLSv1.2 720 Application Data
95 2.653859 130.211.38.145 192.168.100.111 TCP 66 443 > 62613 [ACK] Seq=1 Ack=655 Win=590 Len=0 TSval=2601391496 TSecr=128617785
96 2.794428 130.211.38.145 192.168.100.111 TLSv1.2 1122 Application Data
97 2.794536 192.168.100.111 130.211.38.145 TCP 66 62613 > 443 [ACK] Seq=655 Ack=1057 Win=4063 Len=0 TSval=128617983 TSecr=2601391634
98 3.803909 192.168.100.111 192.168.100.1 DNS 79 Standard query 0x0e7a A platform.rescale.jp
99 3.804773 192.168.100.111 192.168.100.1 DNS 79 Standard query 0xd15e AAAA platform.rescale.jp
100 3.811649 192.168.100.1 192.168.100.111 DNS 163 Standard query response 0x0e7a A platform.rescale.jp CNAME ec2-54-64-177-245.ap-northeast-1.compute.amazonaws.com A 54.64.177.245
101 3.812191 192.168.100.111 192.168.100.1 DNS 114 Standard query 0xd15e AAAA ec2-54-64-177-245.ap-northeast-1.compute.amazonaws.com
102 3.857281 192.168.100.1 192.168.100.111 DNS 215 Standard query response 0xd15e AAAA platform.rescale.jp CNAME ec2-54-64-177-245.ap-northeast-1.compute.amazonaws.com SOA dns-external-master.amazon.com
103 3.868714 192.168.100.1 192.168.100.111 DNS 182 Standard query response 0xd15e AAAA ec2-54-64-177-245.ap-northeast-1.compute.amazonaws.com SOA dns-external-master.amazon.com
104 3.947822 192.168.100.111 54.64.177.245 TCP 78 62632 > 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=32 TSval=128619134 TSecr=0 SACK_PERM=1
105 4.010324 54.64.177.245 192.168.100.111 TCP 74 443 > 62632 [SYN
106 4.010443 192.168.100.111 54.64.177.245 TCP 66 62632 > 443 [ACK] Seq=1 Ack=1 Win=131328 Len=0 TSval=128619196 TSecr=776177554
107 4.010522 192.168.100.111 54.64.177.245 TLSv1.2 264 Client Hello
108 4.070945 54.64.177.245 192.168.100.111 TLSv1.2 1434 Server Hello
109 4.071372 54.64.177.245 192.168.100.111 TCP 1434 [TCP segment of a reassembled PDU]
110 4.071437 192.168.100.111 54.64.177.245 TCP 66 62632 > 443 [ACK] Seq=199 Ack=2737 Win=129696 Len=0 TSval=128619256 TSecr=776177570
111 4.071959 54.64.177.245 192.168.100.111 TCP 1434 [TCP segment of a reassembled PDU]
112 4.072046 192.168.100.111 54.64.177.245 TCP 66 62632 > 443 [ACK] Seq=199 Ack=4105 Win=131072 Len=0 TSval=128619257 TSecr=776177570
113 4.072250 54.64.177.245 192.168.100.111 TLSv1.2 750 Certificate
114 4.072294 192.168.100.111 54.64.177.245 TCP 66 62632 > 443 [ACK] Seq=199 Ack=4789 Win=130368 Len=0 TSval=128619257 TSecr=776177570
115 4.094253 192.168.100.111 54.64.177.245 TLSv1.2 141 Client Key Exchange
116 4.183500 54.64.177.245 192.168.100.111 TCP 66 443 > 62632 [ACK] Seq=4789 Ack=274 Win=28032 Len=0 TSval=776177599 TSecr=128619278
117 4.183606 192.168.100.111 54.64.177.245 TLSv1.2 117 Change Cipher Spec
118 4.225823 54.64.177.245 192.168.100.111 TCP 66 443 > 62632 [ACK] Seq=4789 Ack=325 Win=28032 Len=0 TSval=776177609 TSecr=128619366
119 4.225828 54.64.177.245 192.168.100.111 TLSv1.2 117 Change Cipher Spec
120 4.225903 192.168.100.111 54.64.177.245 TCP 66 62632 > 443 [ACK] Seq=325 Ack=4840 Win=131008 Len=0 TSval=128619408 TSecr=776177609
121 4.244756 192.168.100.111 54.64.177.245 TLSv1.2 243 Application Data
122 4.319223 HuaweiTe_69:79:25 Spanning-tree-(for-bridges)_00 STP 52 Conf. Root = 32768/0/a4:71:74:69:79:24 Cost = 0 Port = 0x8002
123 4.343962 54.64.177.245 192.168.100.111 TCP 66 443 > 62632 [ACK] Seq=4840 Ack=502 Win=29056 Len=0 TSval=776177639 TSecr=128619426
124 4.367708 54.64.177.245 192.168.100.111 TCP 1434 [TCP segment of a reassembled PDU]
125 4.367725 54.64.177.245 192.168.100.111 TLSv1.2 498 Application Data
126 4.367727 54.64.177.245 192.168.100.111 TLSv1.2 100 Application Data
127 4.367839 192.168.100.111 54.64.177.245 TCP 66 62632 > 443 [ACK] Seq=502 Ack=6640 Win=129248 Len=0 TSval=128619547 TSecr=776177644
128 4.367840 192.168.100.111 54.64.177.245 TCP 66 62632 > 443 [ACK] Seq=502 Ack=6674 Win=129216 Len=0 TSval=128619547 TSecr=776177644
129 5.035810 192.168.100.111 54.64.177.245 TLSv1.2 243 Application Data
130 5.096455 54.64.177.245 192.168.100.111 TCP 66 443 > 62632 [ACK] Seq=6674 Ack=679 Win=30080 Len=0 TSval=776177827 TSecr=128620213
131 5.173950 54.64.177.245 192.168.100.111 TLSv1.2 570 Application Data
132 5.174030 192.168.100.111 54.64.177.245 TCP 66 62632 > 443 [ACK] Seq=679 Ack=7178 Win=130560 Len=0 TSval=128620350 TSecr=776177846
133 5.174290 54.64.177.245 192.168.100.111 TLSv1.2 1391 Application Data
134 5.174295 54.64.177.245 192.168.100.111 TLSv1.2 100 Application Data
135 5.174346 192.168.100.111 54.64.177.245 TCP 66 62632 > 443 [ACK] Seq=679 Ack=8503 Win=129728 Len=0 TSval=128620350 TSecr=776177846
136 5.174347 192.168.100.111 54.64.177.245 TCP 66 62632 > 443 [ACK] Seq=679 Ack=8537 Win=129696 Len=0 TSval=128620350 TSecr=776177846
137 5.318610 192.168.100.111 54.64.177.245 TLSv1.2 526 Application Data
138 5.326451 192.168.100.111 17.252.157.4 TCP 275 62437 > 5223 [FIN
139 5.386390 54.64.177.245 192.168.100.111 TCP 66 443 > 62632 [ACK] Seq=8537 Ack=1139 Win=31232 Len=0 TSval=776177899 TSecr=128620494
140 5.920449 192.168.100.111 54.64.177.245 TCP 1434 [TCP segment of a reassembled PDU]
141 5.920450 192.168.100.111 54.64.177.245 TLSv1.2 375 Application Data
142 5.921363 192.168.100.111 54.64.177.245 TCP 1434 [TCP segment of a reassembled PDU]
143 5.921363 192.168.100.111 54.64.177.245 TLSv1.2 387 Application Data
144 5.995101 54.64.177.245 192.168.100.111 TCP 66 443 > 62598 [ACK] Seq=1220 Ack=4770 Win=844 Len=0 TSval=776178052 TSecr=128621094
145 5.995118 54.64.177.245 192.168.100.111 TCP 66 443 > 62598 [ACK] Seq=1220 Ack=5091 Win=844 Len=0 TSval=776178052 TSecr=128621094
146 5.995141 54.64.177.245 192.168.100.111 TCP 66 443 > 62630 [ACK] Seq=5631 Ack=4005 Win=38912 Len=0 TSval=776178052 TSecr=128621094
147 6.045939 54.64.177.245 192.168.100.111 TLSv1.2 569 Application Data
148 6.045945 54.64.177.245 192.168.100.111 TLSv1.2 153 Application Data
149 6.045946 54.64.177.245 192.168.100.111 TLSv1.2 100 Application Data
150 6.046045 192.168.100.111 54.64.177.245 TCP 66 62598 > 443 [ACK] Seq=5091 Ack=1723 Win=4080 Len=0 TSval=128621218 TSecr=776178065
151 6.046046 192.168.100.111 54.64.177.245 TCP 66 62598 > 443 [ACK] Seq=5091 Ack=1810 Win=4077 Len=0 TSval=128621218 TSecr=776178065
152 6.046046 192.168.100.111 54.64.177.245 TCP 66 62598 > 443 [ACK] Seq=5091 Ack=1844 Win=4076 Len=0 TSval=128621218 TSecr=776178065
153 6.096209 54.64.177.245 192.168.100.111 TLSv1.2 563 Application Data
154 6.096280 192.168.100.111 54.64.177.245 TCP 66 62632 > 443 [ACK] Seq=1139 Ack=9034 Win=130560 Len=0 TSval=128621267 TSecr=776178077
155 6.096577 54.64.177.245 192.168.100.111 TLSv1.2 852 Application Data
156 6.096582 54.64.177.245 192.168.100.111 TLSv1.2 100 Application Data
157 6.096630 192.168.100.111 54.64.177.245 TCP 66 62632 > 443 [ACK] Seq=1139 Ack=9820 Win=130272 Len=0 TSval=128621267 TSecr=776178077
158 6.096630 192.168.100.111 54.64.177.245 TCP 66 62632 > 443 [ACK] Seq=1139 Ack=9854 Win=130240 Len=0 TSval=128621267 TSecr=776178077
159 6.144949 192.168.100.111 192.168.100.1 DNS 115 Standard query 0xc7f6 A jpprod-rescale-platform.s3-ap-northeast-1.amazonaws.com
160 6.145142 192.168.100.111 192.168.100.1 DNS 115 Standard query 0x732a AAAA jpprod-rescale-platform.s3-ap-northeast-1.amazonaws.com
161 6.207167 192.168.100.1 192.168.100.111 DNS 167 Standard query response 0xc7f6 A jpprod-rescale-platform.s3-ap-northeast-1.amazonaws.com CNAME s3-r-w.ap-northeast-1.amazonaws.com A 52.219.4.79
162 6.207172 192.168.100.1 192.168.100.111 DNS 233 Standard query response 0x732a AAAA jpprod-rescale-platform.s3-ap-northeast-1.amazonaws.com CNAME s3-r-w.ap-northeast-1.amazonaws.com SOA ns-1264.awsdns-30.org
163 6.207730 192.168.100.111 192.168.100.1 DNS 95 Standard query 0x732a AAAA s3-r-w.ap-northeast-1.amazonaws.com
164 6.269701 192.168.100.1 192.168.100.111 DNS 177 Standard query response 0x732a AAAA s3-r-w.ap-northeast-1.amazonaws.com SOA ns-1264.awsdns-30.org
165 6.271346 192.168.100.111 52.219.4.79 TCP 78 62634 > 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=32 TSval=128621440 TSecr=0 SACK_PERM=1
166 6.322495 HuaweiTe_69:79:25 Spanning-tree-(for-bridges)_00 STP 52 Conf. Root = 32768/0/a4:71:74:69:79:24 Cost = 0 Port = 0x8002
167 6.330202 52.219.4.79 192.168.100.111 TCP 66 443 > 62634 [SYN
168 6.330320 192.168.100.111 52.219.4.79 TCP 54 62634 > 443 [ACK] Seq=1 Ack=1 Win=262144 Len=0
169 6.330403 192.168.100.111 52.219.4.79 TLSv1.2 316 Client Hello
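As an added example (not from the original post and not Rescale's own tooling), the following Python script automates what the capture above shows by hand and produces the proxy entries asked for in the summary: it parses Wireshark's default packet-list columns, pairs each DNS A answer with the TLS Client Hellos the client actually sent, derives the host names to register on the proxy, and renders them as Squid ACL lines. It assumes rows exported in the column order used above (No., Time, Source, Destination, Protocol, Length, Info); the embedded input is a constructed subset of rows copied from that listing, and the Squid proxy, the ACL name rescale_hosts and the client address 192.168.100.111 are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed input: a subset of rows copied from the Wireshark listing above
# (Wireshark's default columns: No. Time Source Destination Protocol Length Info).
CAPTURE = """\
66 1.666408 192.168.100.111 54.64.177.245 TLSv1.2 583 Client Hello
93 2.326767 HuaweiTe_69:79:25 Spanning-tree-(for-bridges)_00 STP 52 Conf. Root = 32768/0/a4:71:74:69:79:24 Cost = 0 Port = 0x8002
94 2.594332 192.168.100.111 130.211.38.145 TLSv1.2 720 Application Data
98 3.803909 192.168.100.111 192.168.100.1 DNS 79 Standard query 0x0e7a A platform.rescale.jp
100 3.811649 192.168.100.1 192.168.100.111 DNS 163 Standard query response 0x0e7a A platform.rescale.jp CNAME ec2-54-64-177-245.ap-northeast-1.compute.amazonaws.com A 54.64.177.245
102 3.857281 192.168.100.1 192.168.100.111 DNS 215 Standard query response 0xd15e AAAA platform.rescale.jp CNAME ec2-54-64-177-245.ap-northeast-1.compute.amazonaws.com SOA dns-external-master.amazon.com
104 3.947822 192.168.100.111 54.64.177.245 TCP 78 62632 > 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=32 TSval=128619134 TSecr=0 SACK_PERM=1
107 4.010522 192.168.100.111 54.64.177.245 TLSv1.2 264 Client Hello
159 6.144949 192.168.100.111 192.168.100.1 DNS 115 Standard query 0xc7f6 A jpprod-rescale-platform.s3-ap-northeast-1.amazonaws.com
161 6.207167 192.168.100.1 192.168.100.111 DNS 167 Standard query response 0xc7f6 A jpprod-rescale-platform.s3-ap-northeast-1.amazonaws.com CNAME s3-r-w.ap-northeast-1.amazonaws.com A 52.219.4.79
165 6.271346 192.168.100.111 52.219.4.79 TCP 78 62634 > 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=32 TSval=128621440 TSecr=0 SACK_PERM=1
169 6.330403 192.168.100.111 52.219.4.79 TLSv1.2 316 Client Hello
"""

CLIENT = "192.168.100.111"  # assumed: the workstation running the Rescale client

# Wireshark's default columns; everything after Length is the free-form Info column.
ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(.*)$")
# Only A responses matter for an IPv4 allowlist; AAAA rows (which carry SOA, no address) are skipped.
DNS_A_RESPONSE = re.compile(r"Standard query response \S+ A (\S+) (.*)$")
CLIENT_HELLO = "Client Hello"


def parse_rows(text):
    """Turn a packet-list export into dicts; lines that do not fit the column layout are dropped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        no, _time, src, dst, proto, _length, info = m.groups()
        rows.append({"no": int(no), "src": src, "dst": dst, "proto": proto, "info": info})
    return rows


def dns_answers(rows):
    """Map each queried name to the A records in its answer, walking past CNAME hops in the Info column."""
    answers = defaultdict(set)
    for r in rows:
        if r["proto"] != "DNS":
            continue
        m = DNS_A_RESPONSE.search(r["info"])
        if not m:
            continue
        qname, rest = m.groups()
        tokens = rest.split()  # alternating "RRTYPE value" pairs: CNAME x A y ...
        for rtype, value in zip(tokens[0::2], tokens[1::2]):
            if rtype == "A":
                answers[qname].add(value)
    return answers


def tls_destinations(rows, client):
    """Addresses the client started a TLS session with (a Client Hello was captured)."""
    return {r["dst"] for r in rows
            if r["src"] == client and r["proto"].startswith("TLS") and r["info"] == CLIENT_HELLO}


def derive_allowlist(text, client):
    """Return (names to allow, TLS destinations the capture never resolved by name)."""
    rows = parse_rows(text)
    answers = dns_answers(rows)
    dests = tls_destinations(rows, client)
    named = {name for name, ips in answers.items() if ips & dests}
    unresolved = dests - set().union(*answers.values())
    return sorted(named), sorted(unresolved)


def squid_acl(names, acl="rescale_hosts"):
    """Render the allowlist as Squid lines (assumed proxy; adapt for others).
    dstdomain matches the CONNECT target by name, so the changing AWS addresses behind the CNAMEs never need updating."""
    return "\n".join([
        "acl %s dstdomain %s" % (acl, " ".join(names)),
        "http_access allow CONNECT %s SSL_ports" % acl,
    ])


if __name__ == "__main__":
    names, unknown = derive_allowlist(CAPTURE, CLIENT)
    print("allow by name:", names)
    print("TLS destinations with no DNS answer in the capture:", unknown)
    print(squid_acl(names))
```

Run against the rows above, the script yields exactly the two host names from the summary and no unresolved destinations. Destinations that only appear mid-session, such as 130.211.38.145 in the listing, are skipped because their handshake was not captured; start the capture before the client connects if you want every session accounted for.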