Https

From Wikitech
Revision as of 22:40, 2 June 2011 by Ryan Lane (Talk | contribs)

Jump to: navigation, search

Contents

Design

Service names

For HTTP we use name based virtual hosts, where the appservers know which service to serve based on a host header. For HTTPS we use IP based virtual hosts, as HTTPS requires this unless SNI is used. SNI is only supported in fairly modern browsers, so we must use IP based virtual hosts. Our current CNAME approach will not work in the scenario.

In out current CNAME approach we use three service names: text.wikimedia.org, bits.wikimedia.org, and upload.wikimedia.org. All project domains (wikipedia, wikimedia, etc.), languages (en.wikipedia, de.wikinews, etc) and sites (commons.wikimedia, meta.wikimedia, etc.) were CNAME'd to text.wikimedia.org.

text.wikimedia.org is a CNAME itself as well, due to geodns. Depending on the DNS scenario we are in, the CNAME points to either text.esams.wikimedia.org, or text.pmtpa.wikimedia.org (and soon text.eqiad.wikimedia.org).

To support IP based virtual hosts, we made the following service name CNAMES:

  • wikimedia-lb.wikimedia.org
  • wikipedia-lb.wikimedia.org
  • wiktionary-lb.wikimedia.org
  • wikiquote-lb.wikimedia.org
  • wikibooks-lb.wikimedia.org
  • wikisource-lb.wikimedia.org
  • wikinews-lb.wikimedia.org
  • wikiversity-lb.wikimedia.org
  • mediawiki-lb.wikimedia.org
  • foundation-lb.wikimedia.org

These CNAMES, like text.wikimedia.org point to <servicename>.<datacenter>.wikimedia.org, based on the DNS scenario. The records being pointed to are A records, meaning that for each service we need, we need an IP address per datacenter. Based on the above, this requires 30 IP addresses.

text.wikimedia.org will be kept, but will be used for a different purpose, described in the next section.

Load balancing

We use LVS-DR for load balancing. This means the LVS server will direct incoming traffic for the services to a number of realservers. Each realserver binds the service IP address to the lo device. The realserver answers directly to the client, bypassing the director.

The fact that the realserver binds the IP address to lo is problematic for a couple reasons:

  1. Since we are simply doing SSL termination, we want to decrypt the connection, and proxy it to the port 80 service. The port 80 service has the same IP. Since the IP is bound to lo, it will end up sending the backend requests back to itself.
  2. pybal does health checks on the realserver to ensure it is alive and can properly serve traffic. Since we are doing IP based virtual hosts the health checks would need to check the service ip, and not the realserver IP. This isn't possible.

To bypass problem #1 we use text.wikimedia.org as the backend, and not the service name. We take a somewhat similar approach for bits.wikimedia.org and upload.wikimedia.org. bits and upload are assigned a private routable IP address, as are the SSL terminators. We use the private routable IPs as the backend.

To bypass problem #2 we disable content health checks in the normal way, but keep the idle connection health check. To re-enable the content health checks, we use the SSH health check and have it make requests to the service address directly on the host.

SSL termination

To perform SSL termination we are using a cluster of nginx servers. The nginx servers answer requests on IP based virtual hosts and proxy the requests directly to the backends unencrypted. Headers are set for the host requested, the client's real IP, forwarded-for information, and forwarded-protocol information.

SSL termination servers in esams talk to services in esams, and failover to services in pmtpa. SSL termination servers in pmtpa talk to services only in pmtpa.

Performance settings

  • HTTP keepalive: 65 seconds, 100 requests
    • Lowering requests likely a good idea
  • SSL cache: shared, 50m (roughly 200,000 sessions)
    • should use roughly 1.1GB RAM for all open sessions
  • SSL timeout: default (5 minutes)
  • Limit ssl_ciphers: RC4-SHA:RC4-MD5:DES-CBC3-SHA:AES128-SHA:AES256-SHA
    • Do not set the server preference for cipher use
  • Using a chained certificate
  • Disabled access log
  • Worker connections set to 32768
  • Worker processes set to number of cores
  • esams servers set to hit esams squids, then pmtpa squids if esams squids are down or failing
  • Max fails set to 2, to avoid pounding backends when they are flapping
  • Proxy buffering is disabled to avoid responses eating all memory
  • sh scheduler used to allow session reuse, and to ensure session cache is maximized

Initial connection testing

Using ab we were able to get an average of 5,100 requests per second on a single processor, quad core server, with 4GB RAM. We used the following command, which was run three times concurrently: 

ab -c2000 -n100000 -H 'Host: upload.wikimedia.org' -H 'User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)' https://wikimedia-lb.wikimedia.org/pybaltestfile.txt

This test has 6,000 concurrent clients, making 300,000 requests. Since we are testing the number of requests per second based on initial connections for each request, the resource requested is small and static, to ensure speed isn't heavily affected by the backend. We pull from the backend to ensure that we are opening connections both for the client and for the backend, and to ensure that any backend related issues will also be reflected.

The server's total CPU usage was on average 85%. Memory usage was roughly 1GB.

Image transfer with keepalive testing

Using ab we were able to get an average of 600 requests per second. Hardware tested was same as in the initial connection testing. We used the following command, which was run three times concurrently: 

ab -k -c500 -n20000 -H 'Host: upload.wikimedia.org' -H 'User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)' https://wikimedia-lb.wikimedia.org/wikipedia/commons/thumb/f/ff/Viaduc_Saillard.jpg/691px-Viaduc_Saillard.jpg

This test has 1,500 concurrent clients, using keepalive, making 60,000 requests. We used keepalive since we were testing the number of thumbnail requests per second, allowing us to bypass the overhead of the initial connection. The thumbnail chosen was the size shown on an image page.

The server's total CPU usage was on average 25%, suggesting the backend is a bottleneck. Memory usage was negligible.

Security settings

  • Limit protocols: SSLv3 TLSv1
  • Limit ssl_ciphers
Retrieved from "http://wikitech-old.wikimedia.org/index.php?title=Https&oldid=34306"
Personal tools
Namespaces

Variants
Actions
Navigation
Ops documentation
Wiki
Toolbox