Ncredir is the non canonical redirect service. Currently is implemented using acme-chief managed certificates + compile_redirects() + nginx.
Nginx is feed with two maps containing the redirection logic. The first map populates a variable called $override, and the second one a variable called $rewrite.
The first map populating $override is generated with the override stanzas contained in the redirects definition file, while the $rewrite map is populated with the funnel and rewrite stanzas from the definition file.
This mapping between the nc_redirects.dat file and nginx happens on puppet compilation time. So in the ncredir servers only nginx + the acme-chief managed certs are needed to run the service.
The nginx config can be found in /etc/nginx/sites-enabled/ncredir and the custom logs in /var/log/nginx/ncredir.http.log and /var/log/nginx/ncredir.https.log.
This service handles its own TLS termination, so it's not behind the cp cluster. It's directly exposed to live traffic using the high-traffic1 LVS via ncredir-lb.wikimedia.org geoDNS record that balances the traffic across: