Page MenuHomePhabricator

When an install is instanced, include the instance identifier in the URI for file data
ClosedPublic

Authored by epriestley on Feb 3 2015, 10:46 PM.
Tags
None
Referenced Files
F14098245: D11668.diff
Tue, Nov 26, 8:44 AM
Unknown Object (File)
Sat, Nov 23, 2:36 AM
Unknown Object (File)
Thu, Nov 21, 6:55 PM
Unknown Object (File)
Thu, Nov 21, 2:01 AM
Unknown Object (File)
Sun, Nov 17, 9:29 PM
Unknown Object (File)
Thu, Nov 14, 12:17 PM
Unknown Object (File)
Sun, Nov 10, 11:18 AM
Unknown Object (File)
Sun, Nov 10, 8:10 AM
Subscribers

Details

Summary

This allows us to CDN the cluster.

General problem is that we can't easily give each instance its own CDN URI (giraffe.phcdn.net) in Cloudfront, because it requires that you enumerate all aliases (and there's a limit of 100) and depends on SNI (a newish feature of SSL which allows one server to serve multiple certificates, but which doesn't have full support everywhere yet).

It's possible that we could eventually work around this, or use Cloudflare instead (which has a different model that seems like a slightly easier fit for CDN-domain-per-instance), but I don't want to sink a ton of work into this and want to keep things on AWS insofar as we reasonably can.

The easiest way to fix this is just to put the instance identity into URIs, then read it out when handling CDN requests. This has no effect on installs without cluster instance configuration, which is all of them except ours.

It's also slightly desirable to share this stuff, since we get to share the cache for static resources, which are always identical across instances.

So requests go from the Cloudfront gateway ("xyz.cloudfront.com") to the LB with a hard-coded instance name ("cdn.phacility.com"), which gets them routed to a balanced web machine. The web machine picks the correct instance name out of the URI, acts as that instance, and does the correct thing.

The messiest part of this is that we need "cdn.phacility.com" to be a real instance so it can serve static resources, but that's not a big deal. We have a few other hard-codes which have to be real resources for now, like we must have a merchant named "Phacility".

Test Plan
  • Viewed files with security.alternate-file-domain off (i.e., no file tokens).
  • Viewed pages and files with security.alternate-file-domain on. Saw correct resource behavior, @isntance generation of URIs, and correct token redirect behavior for files.

Diff Detail

Repository
rP Phabricator
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

epriestley retitled this revision from to When an install is instanced, include the instance identifier in the URI.
epriestley updated this object.
epriestley edited the test plan for this revision. (Show Details)
epriestley added a reviewer: btrahan.
btrahan edited edge metadata.
This revision is now accepted and ready to land.Feb 3 2015, 10:52 PM
epriestley retitled this revision from When an install is instanced, include the instance identifier in the URI to When an install is instanced, include the instance identifier in the URI for file data.Feb 3 2015, 10:53 PM
epriestley edited edge metadata.
epriestley updated this object.
This revision was automatically updated to reflect the committed changes.