ReleaseEngineering/Applications/Proxxy

From MozillaWiki
Jump to navigation Jump to search

Proxxy is a basic http cache used in each data center to reduce network transfers. It's essentially a docker container that runs nginx inside, and can cache requests locally to disk.

Source code is currently located here: https://github.com/mozilla/build-proxxy/

It is deployed in each region in Amazon inside the VPC. Each region has a single c3.8xlarge instance to handle the load. The instances use Elastic IPs so we can get the same IP address if there's a need to re-create the instances. The routing tables are configured so that proxxy requests files via the public network instead of the VPN connection.

DNS is configured so that *.proxxy.srv.releng.$REGION.mozilla.com is points to the proxxy instances. See https://inventory.mozilla.org/en-US/core/search/#q=proxxy

The proxxy instances can be accessed by ssh'ing to their internal IP from inside the build network. Login us user 'ubuntu' using the proxxy ssh key in the private releng repo. Logs on the machines are under /mnt/proxxy/logs.

Clients request files explicitly from the proxxy rather than relying on transparent network proxies, or HTTP_CACHE environment settings. Since the proxxy instances can be handling multiple endpoints, we prepend the hostname of the original url to the proxxy url. e.g. to fetch http://ftp.mozilla.org/foo/bar, the client would first check http://ftp.mozilla.org.proxxy.srv.releng.use1.mozilla.com. Much of this logic is handled by mozharness' proxxy mixin.

The reasons we chose to have such a setup, rather than a traditional proxy setup, include:

  • (main reason): explicit is better than implicit - from the url we can see which cache we are hitting
  • transparent proxies are hard to debug or see what's going on
  • using http_proxy or env vars may not be obvious in logging
  • with traditional proxies it can be difficult to switch to use different backends, or offer multiple proxy instances

If any authentication required, e.g. for pvtbuilds, then proxxy has those credentials baked into the AMI. Test clients on the local network can then request those files from proxxy without authentication.

Retrieved from "https://wiki.mozilla.org/index.php?title=ReleaseEngineering/Applications/Proxxy&oldid=1009304"