Ncredir

Ncredir is our Non-Canonical Redirect service. It handles any traffic from the outside world to a long list of domainnames which we own, but which are not the primary canonical domainname for any of our projects. A key example would be wikipedia.com.

It is separate from our primary edge traffic clusters for the canonical domains, running on independent instances and public IPs, and is a very simplistic service which just serves HTTP redirects according to the rules laid out in the nc_redirects.dat file in our puppet repo. Under normal conditions, it gets very little traffic.

It is implemented using acme-chief managed certificates + compile_redirects() + nginx.

Nginx is fed with two maps containing the redirection logic. The first map populates a variable called $override, and the second one a variable called $rewrite.

The first map populating $override is generated with the override stanzas contained in the redirects definition file, while the $rewrite map is populated with the funnel and rewrite stanzas from the definition file.

This mapping between the nc_redirects.dat file and nginx happens on puppet compilation time. So in the ncredir servers only nginx + the acme-chief managed certs are needed to run the service.

The nginx config can be found in /etc/nginx/sites-enabled/ncredir and the custom logs in /var/log/nginx/ncredir.http.log and /var/log/nginx/ncredir.https.log.

This service handles its own TLS termination, so it's not behind the cp cluster. It's directly exposed to live traffic using the high-traffic1 LVS via ncredir-lb.wikimedia.org geoDNS record that balances the traffic across:

• ncredir-lb.codfw.wikimedia.org
• ncredir-lb.eqiad.wikimedia.org