Ncredir

From Wikitech

Ncredir is our Non-Canonical Redirect service. It handles traffic from the outside world to a list of domain names which we own but which are not the primary canonical domain names for our projects. A key example would be wikipedia.com.

It is separate from our primary edge traffic clusters for the canonical domains, running on independent instances and public IPs. Under normal conditions, it gets little traffic.

Components

ncredir is implemented using a combination of acme-chief managed certificates and nginx. nginx redirects are created in the Puppet repository according to the rules laid out in the nc_redirects.dat file. nc_redirects.dat is used as input for the custom compile_redirects() function in Puppet, which outputs the redirects as nginx configuration.

Redirection logic

Nginx is fed with two maps containing the redirection logic. The first map populates a variable called $override, and the second one a variable called $rewrite.

The first map populating $override is generated with the override stanzas contained in the redirects definition file, while the $rewrite map is populated with the funnel and rewrite stanzas from the definition file.

This mapping between the nc_redirects.dat file and nginx happens at Puppet compilation time, so the ncredir servers need only nginx and the acme-chief managed certificates to run the service.
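
A minimal sketch of the two-map pattern described above, added here as an illustration and not taken from the generated ncredir configuration. The hostnames, targets, certificate paths, map keys, the meaning given to funnel and rewrite, and the order in which $override and $rewrite are checked are all assumptions.

```nginx
# Added sketch, not the generated production config. Hostnames, targets,
# map keys and the precedence between $override and $rewrite are assumptions.

# Filled from "override" stanzas: one exact host + path pair per entry.
map $host$uri $override {
    default "";
    "noncanonical.example/donate" "https://donate.canonical.example/";
}

# Filled from "funnel" and "rewrite" stanzas, keyed on the host alone.
map $host $rewrite {
    hostnames;
    default "";
    # funnel (assumed meaning): every path lands on one fixed URL
    funnel.example        "https://www.canonical.example/";
    # rewrite (assumed meaning): the request path is carried over
    .noncanonical.example "https://www.canonical.example$request_uri";
}

server {
    listen 443 ssl;
    server_name _;
    ssl_certificate     /path/to/acme-chief/cert.pem;   # placeholder path
    ssl_certificate_key /path/to/acme-chief/key.pem;    # placeholder path

    # Redirect hosts come only from the static maps, never from request
    # parameters, so the set of destination hosts is fixed at compile time.
    if ($override) { return 301 $override; }
    if ($rewrite)  { return 301 $rewrite; }

    # Hosts with no rule get no redirect at all.
    return 404;
}
```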

TLS

ncredir does not utilize the CDN clusters; it handles its own TLS termination. ncredir exposes itself to live traffic using the high-traffic1 class in LVS. The service is geographically balanced via GeoDNS with the ncredir-lb.wikimedia.org record, which balances the traffic across:

  • ncredir-lb.codfw.wikimedia.org
  • ncredir-lb.eqiad.wikimedia.org

Logging

ncredir uses fifo-log-demux to provide logging through pipes. Providing pipes allows for real-time debugging without needing to store logs locally on the server, which would compromise user privacy.

To view the real-time logs, run:

# fifo-log-tailer -socket /var/log/nginx/ncredir.access_log.socket

An alias is provided for convenience:

# ncredirlog-access_log

See also