Page MenuHomePhabricator

Setup a dedicated HTTPS terminating proxy for maps project
Open, NormalPublic

Description

The maps project uses a number of https reverse proxy service names for its tile servers. This is fine *most* of the time, but occasionally the rate of requests for tiles rises to a point where the current globally shared reverse proxy becomes saturated. This is not great for the maps tile server users, but it is even worse for the large number of other http endpoints in other projects that share the same reverse proxy.

It would be nice to separate the tile server's reverse proxy from the general purpose reverse proxy to isolate overload failures. Because we want TLS for this, the new solution would need to either use Let's Encrypt to get certificates if the proxy lives in the maps project, or the proxy would need to live in the project-proxy project where we have the existing wildcard certificate. Single points of failure are not fun, so a replacement should have redundant nodes. Ideally this redundancy would move traffic between 2 proxy instances automatically based on some health monitoring. The current shared proxies are manually failed over so that would work here too, but it might also be a good opportunity to experiment with some automatic HA solution that could later be propagated to domainproxy & urlproxy.

Event Timeline

bd808 created this task.Thu, Sep 26, 10:34 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptThu, Sep 26, 10:34 PM
bd808 triaged this task as Normal priority.Fri, Oct 4, 9:55 PM

Discussed in the 2019-10-01 WMCS team meeting. Consensus was that this would be a nice thing to have, but that it is not high enough priority to displace current work by the team so it will wait for now. Building this could be used as a prototype for a newer proxy setup for more general use.

bd808 renamed this task from Consider setup of a dedicated HTTPS terminating proxy for maps project to Setup a dedicated HTTPS terminating proxy for maps project.Fri, Oct 4, 9:55 PM
bd808 moved this task from Needs discussion to Important on the cloud-services-team (Kanban) board.