Https

From Wikitech
Revision as of 01:07, 2 June 2011 by Ryan Lane (Talk | contribs)

Jump to: navigation, search

Contents

Design

Service names

In our old configuration we used three service names: text.wikimedia.org, bits.wikimedia.org, and upload.wikimedia.org. All projects and sites were CNAME'd to text.wikimedia.org. For this we use name based virtual hosts, where the apaches know which service to serve based on the host header.

HTTPS requires ip based virtual hosts, unless SNI is used. SNI is only supported in fairly modern browsers, so we must use ip based virtual hosts. Our current cname -> text.wikimedia.org approach will not work in the scenario.

Of course, text.wikimedia.org is actually a CNAME itself too, due to geodns. Depending on the DNS scenario we are in, the CNAME points to either text.esams.wikimedia.org, or text.pmtpa.wikimedia.org (and soon text.eqiad.wikimedia.org).

To support ip based virtual hosts, we made the following service name CNAMES:

  • wikimedia-lb.wikimedia.org
  • wikipedia-lb.wikimedia.org
  • wiktionary-lb.wikimedia.org
  • wikiquote-lb.wikimedia.org
  • wikibooks-lb.wikimedia.org
  • wikisource-lb.wikimedia.org
  • wikinews-lb.wikimedia.org
  • wikiversity-lb.wikimedia.org
  • mediawiki-lb.wikimedia.org
  • foundation-lb.wikimedia.org

These CNAMES, like text.wikimedia.org point to <servicename>.<datacenter>.wikimedia.org, based on the DNS scenario. The records being pointed to are A records, meaning that for each service we need, we need an IP address per datacenter. Based on the above, this requires 30 IP addresses.

text.wikimedia.org will be kept, but will be used for a different purpose, described in the next section.

Handling load balancing

We use LVS-DR for load balancing. This means the LVS server will answer incoming requests for the services, and will direct the traffic to one of a cluster of realservers. Each realserver binds the service IP address to the lo device. The realserver answers directly to the client, bypassing the director.

The fact that the realserver binds the IP address to lo is problematic for a couple reasons:

  1. Since we are simply doing SSL termination, we want to decrypt the connection, and proxy it to the port 80 service. The port 80 service has the same IP. Since the IP is bound to lo, it will end up sending the traffic back to itself.
  2. pybal does health checks on the realserver to ensure it is alive and can properly serve traffic. Since we are doing IP based virtual hosts, the health checks would need to check the service ip, and not the realserver IP. This isn't possible.

To bypass problem #1 we use text.wikimedia.org as the backend, and not the service name. We take a somewhat similar approach for bits.wikimedia.org and upload.wikimedia.org. bits and upload are assigned a private routable IP address, and so are the ssl terminators. We use the private routable IPs as the backend.

To bypass problem #2 we disable content checks in the normal way, but keep the idle connection check. To re-enable the content checks, we use the ssh connection check and have it pull content from the service address directly on the host.

Performing SSL termination

To perform SSL termination we are using a cluster of nginx servers. The nginx servers answer requests on ip based virtual hosts and proxy the requests directly to the backends unencrypted. Headers are set for the host requested, the client's real IP, forwarded-for, and forwarded-protocol.

SSL termination servers in esams talk to services in esams, and failover to services in pmtpa. SSL termination servers in pmtpa talk to services only in pmtpa.

Performance settings

  • HTTP keepalive: 65 seconds, 100 requests
    • Lowering requests likely a good idea
  • SSL cache: shared, 50m (roughly 40,000 sessions); should use roughly 1.1GB RAM for all open sessions
  • SSL timeout: default (5 minutes)
  • Limit ssl_ciphers: RC4-SHA:RC4-MD5:DES-CBC3-SHA:AES128-SHA:AES256-SHA
  • Using a chained certificate
  • Disabled access log
  • Worker connections set to 32768
  • Worker processes set to number of cores
  • esams servers set to hit esams squids, then pmtpa squids if esams squids are down or failing
  • Max fails set to 2, to avoid pounding backends when they are flapping
  • Proxy buffering is disabled to avoid responses eating all memory
  • sh scheduler used to allow session reuse, and to ensure session cache is maximized

Security settings

  • Limit protocols: SSLv3 TLSv1
  • Limit ssl_ciphers
Retrieved from "http://wikitech-old.wikimedia.org/index.php?title=Https&oldid=34286"
Personal tools
Namespaces

Variants
Actions
Navigation
Ops documentation
Wiki
Toolbox