Ncredir is our Non-Canonical Redirect service. It handles any traffic from the outside world to a long list of domain names which we own, but which are not the primary canonical domain name for any of our projects. A key example would be wikipedia.com.
It is separate from our primary edge traffic clusters for the canonical domains, running on independent instances and public IPs. It is a very simple service that only serves HTTP redirects according to the rules laid out in the nc_redirects.dat file in our Puppet repo. Under normal conditions, it gets very little traffic.
It is implemented using acme-chief managed certificates + compile_redirects() + nginx.
Nginx is fed with two maps containing the redirection logic. The first map populates a variable called $override, and the second one a variable called $rewrite.
The $override map is generated from the override stanzas in the redirects definition file, while the $rewrite map is generated from the funnel and rewrite stanzas in the same file.
This translation from the nc_redirects.dat file to nginx maps happens at Puppet compilation time, so the ncredir servers need only nginx and the acme-chief managed certificates to run the service.
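The two-map layout described above, as an added sketch; this is not the Puppet-generated config. The hostnames, target URLs, map keys, the stanza semantics noted in the comments, and the handling of unknown hosts are all assumptions made for illustration.

```nginx
# Added illustration, not the generated ncredir config.
# All hostnames and targets below are constructed (.example is reserved).

# Map 1: fills $override. Assumed here to be keyed on host + path, so a
# single URL on a domain can be sent somewhere other than the domain default.
map $host$uri $override {
    default "";
    "old-project.example/donate"  "https://donate.canonical.example/";
}

# Map 2: fills $rewrite. Assumed here to be keyed on host only.
map $host $rewrite {
    default "";
    # assumed "funnel" behaviour: every path collapses to one fixed URL
    "parked-name.example"      "https://www.canonical.example/";
    # assumed "rewrite" behaviour: the requested path is carried over
    # (variables inside map values need nginx 1.11.0 or later)
    "old-project.example"      "https://www.canonical.example$request_uri";
    "www.old-project.example"  "https://www.canonical.example$request_uri";
}

server {
    # Plain HTTP only in this sketch; the HTTPS server block would carry the
    # same logic plus the certificate directives.
    listen 80 default_server;
    server_name _;

    # The more specific rule is checked first.
    if ($override) {
        return 301 $override;
    }
    if ($rewrite) {
        return 301 $rewrite;
    }

    # No rule for this Host header: refuse instead of redirecting, so the
    # service only ever redirects to targets listed in the maps.
    return 404;
}
```

Because every redirect target is a literal entry compiled into the maps, a request with an unexpected Host header cannot steer the redirect to an arbitrary destination.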
The nginx config can be found in /etc/nginx/sites-enabled/ncredir and the custom logs in /var/log/nginx/ncredir.http.log and /var/log/nginx/ncredir.https.log.
This service handles its own TLS termination, so it is not behind the cp cluster. It is directly exposed to live traffic using the high-traffic1 LVS via the ncredir-lb.wikimedia.org geoDNS record, which balances the traffic across: