Ncredir: Difference between revisions

imported>Majavah
(add few links, bold first word)
imported>BBlack
No edit summary
 
Line 1: Line 1:
'''Ncredir''' is the non canonical redirect service. Currently is implemented using [[acme-chief]] managed certificates + compile_redirects() + nginx.
'''Ncredir''' is our ''Non-Canonical Redirect'' service.  It handles any traffic from the outside world to a long list of domainnames which we own, but which are not the primary canonical domainname for any of our projects.  A key example would be ''wikipedia.com''.
 
It is separate from our primary edge traffic clusters for the canonical domains, running on independent instances and public IPs, and is a very simplistic service which just serves HTTP redirects according to the rules laid out in the  [https://gerrit.wikimedia.org/r/plugins/gitiles/operations/puppet/+/refs/heads/production/modules/ncredir/files/nc_redirects.dat nc_redirects.dat file in our puppet repo].  Under normal conditions, it gets very little traffic.
 
It is implemented using [[acme-chief]] managed certificates + compile_redirects() + nginx.


Nginx is feed with two maps containing the redirection logic. The first map populates a variable called $override, and the second one a variable called $rewrite.
Nginx is feed with two maps containing the redirection logic. The first map populates a variable called $override, and the second one a variable called $rewrite.
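Review bot: The unchanged context line "Nginx is feed with two maps" still carries a typo and should read "is fed"; since this revision rewrites the intro directly above it, fix it in the same edit. In the new first paragraph, "domainnames" and "domainname" would read better as "domain names" and "domain name".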

Latest revision as of 23:02, 4 May 2022

Ncredir is our Non-Canonical Redirect service. It handles any traffic from the outside world to a long list of domain names which we own, but which are not the primary canonical domain name for any of our projects. A key example would be wikipedia.com.

It is separate from our primary edge traffic clusters for the canonical domains, running on independent instances and public IPs, and is a very simple service which just serves HTTP redirects according to the rules laid out in the nc_redirects.dat file in our puppet repo. Under normal conditions, it gets very little traffic.

It is implemented using acme-chief managed certificates + compile_redirects() + nginx.

Nginx is fed with two maps containing the redirection logic. The first map populates a variable called $override, and the second one a variable called $rewrite.

The $override map is generated from the override stanzas in the redirects definition file, while the $rewrite map is generated from the funnel and rewrite stanzas in the same file.

This mapping between the nc_redirects.dat file and nginx happens at puppet compilation time, so the ncredir servers need only nginx and the acme-chief managed certs to run the service.
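The compile-time split described above, sketched as an added example; it is not the project's compile_redirects() and not code from this page. The stanza syntax, the sample hostnames, the map keys ($host, $host$uri), the https-only target check and the function names are all assumptions made for illustration.

```python
# Added illustration, not the project's compile_redirects(). The stanza syntax
# below is a simplified, constructed stand-in for nc_redirects.dat, and the map
# keys ($host, $host$uri) are assumptions.

# Constructed sample rules: "<type> <source> <target>"
SAMPLE_RULES = """\
# blank lines and comment lines are ignored
funnel    old.example.test          https://www.canonical.example/
rewrite   *.alias.example.test      https://canonical.example
override  old.example.test/donate   https://donate.canonical.example/
"""

# Which nginx variable each stanza type feeds, as the page describes.
MAP_FOR_TYPE = {"override": "override", "funnel": "rewrite", "rewrite": "rewrite"}


def parse_rules(text):
    """Split stanzas into the two maps; fail the compile on any bad line."""
    maps = {"override": [], "rewrite": []}
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3 or fields[0] not in MAP_FOR_TYPE:
            raise ValueError(f"line {lineno}: malformed stanza {raw!r}")
        kind, src, dst = fields
        # This example's own policy: only absolute https targets, no quotes.
        if not dst.startswith("https://") or '"' in src + dst:
            raise ValueError(f"line {lineno}: unacceptable target or quoting")
        name = MAP_FOR_TYPE[kind]
        if (name, src) in seen:
            raise ValueError(f"line {lineno}: duplicate source {src!r}")
        seen.add((name, src))
        maps[name].append((src, dst))
    return maps


def render_map(name, key, entries, hostnames=False):
    """Render one nginx map block; unmatched requests get an empty value."""
    lines = [f"map {key} ${name} {{"]
    if hostnames:
        lines.append("    hostnames;")  # lets *.alias.example.test match as a wildcard
    lines.append('    default "";')
    lines += [f'    "{src}" "{dst}";' for src, dst in entries]
    return "\n".join(lines + ["}"]) + "\n"


def compile_maps(text):
    maps = parse_rules(text)
    return (render_map("override", "$host$uri", maps["override"])
            + render_map("rewrite", "$host", maps["rewrite"], hostnames=True))
```

Because every redirect target is a static value fixed at compile time, a malformed or duplicated rule stops the build instead of reaching the servers.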

The nginx config can be found in /etc/nginx/sites-enabled/ncredir and the custom logs in /var/log/nginx/ncredir.http.log and /var/log/nginx/ncredir.https.log.

This service handles its own TLS termination, so it's not behind the cp cluster. It's directly exposed to live traffic using the high-traffic1 LVS, via the ncredir-lb.wikimedia.org geoDNS record, which balances the traffic across:

  • ncredir-lb.codfw.wikimedia.org
  • ncredir-lb.eqiad.wikimedia.org