nextstrain.org, next.nextstrain.org, and dev.nextstrain.org are hosted on Heroku.
data.nextstrain.org is an AWS CloudFronted S3 bucket,
staging.nextstrain.org is an AWS CloudFronted S3 bucket,
login.nextstrain.org is used by our AWS Cognito user pool.
clades.nextstrain.org is used by Nextclade.
docs.nextstrain.org is a documentation site with the Nextstrain Read the Docs project and sub-projects.
support.nextstrain.org is an email ticketing system powered by Zoho Desk.
discussion.nextstrain.org is a discussion forum powered by Discourse.
We use a Heroku pipeline named
nextstrain-server to manage multiple related apps.
The production app serving nextstrain.org is
The canary app serving next.nextstrain.org is
master to the canary app happen automatically after GitHub Actions CI tests are successful.
Deploys to the production app are performed by manually promoting the canary’s current release to production.
NODE_ENVis used to condition behaviour between production and non-production environments, following the widely-used convention set by Express. Its value affects not just the explicit conditionals in this repo but also Express and other layers in our dependencies. All our Heroku apps run under
SESSION_SECRETmust be set to a long, securely generated string. It protects the session data stored in browser cookies. Changing this will invalidate all existing sessions and forcibly logout people.
SESSION_ENCRYPTION_KEYSmust be set to a URL query param string encoding pairs of key names and base64-encoded key material. These keys protect sensitive data in the session (such as authn tokens) when session data is “at rest” (such as in Redis). You may prepend new keys to use for new sessions (i.e. key rotation) but do not drop old keys or old sessions will be unusable and people will be forcibly logged out. Keys must be 256 bits in length.
AWS_SECRET_ACCESS_KEYare tied to the
nextstrain.orgAWS IAM user. These credentials allow the backend web server limited access to private S3 buckets.
REDIS_URLis provided by the Heroku Redis add-on. It should not be modified directly. Our authentication handlers rewrite it at server start to use a secure TLS connection.
FETCH_CACHEis not currently used, but can be set to change the location of the on-disk cache used by (some) server
fetch()-es. The default location is
PAPERTRAIL_API_TOKENis used for logging through papertrail.
GITHUB_TOKENis used to make authenticated requests to the GitHub API so that we get increased rate limits. The token should have public access only, i.e. no permission scopes granted (including
public_repo, which grants write access to public repos). If not provided, requests to the GitHub API are unauthenticated. The token we use in production is associated with the
CANARY_ORIGINis the origin of a canary deployment to redirect to for users who are opted-in to the
!flags/canaryCognito group). Redirection does not happen if this variable is not defined or if the request’s origin already matches this variable’s value. In production we set this to
The Heroku Redis add-on is attached to our
Redis is used to persistently store login sessions after authentication via AWS Cognito.
A persistent data store is important for preserving sessions across deploys and regular dyno restarts.
The maintenance window is set to Friday at 22:00 UTC to Saturday at 02:00 UTC. This tries to optimize for being outside/on the fringes of business hours in relevant places around the world while being in US/Pacific business hours so the Seattle team can respond to any issues arising.
If our Redis instance reaches its maximum memory limit, existing keys will be evicted using the
volatile-ttl policy to make space for new keys.
This should preserve the most active logged in sessions and avoid throwing errors if we hit the limit.
If we regularly start hitting the memory limit, we should bump up to the next add-on plan, but I don’t expect this to happen anytime soon with current usage.
Server logs are available via the papertrail web app (requires heroku login).
The dev server does not have papertrail enabled, but logs may be viewed using the heroku CLI via
heroku logs --app=nextstrain-dev --tail.
A testing app,
nextstrain-dev, is also used, available at dev.nextstrain.org.
Deploys to it are manual, via the dashboard or git pushes to the Heroku remote, e.g.
git push -f heroku-dev <branch>:master, where the
heroku-dev remote is https://git.heroku.com/nextstrain-dev.git.
Note that the dev server runs in production mode (
NODE_ENV=production), and also uses the
nextstrain.org AWS IAM user.
We use Heroku Review Apps to create ephemeral apps for PRs to the GitHub repo. These are automatically created for PRs submitted by Nextstrain team members. To recreate an inactivated app, or create one for a PR from a fork, you can use the heroku dashboard. (Make sure to review code for security purposes before creating such an app.)
It is not currently possible to login/logout of these apps due to our AWS Cognito setup; thus private datasets cannot be accessed.
Rolling back deployments
Normal Heroku deployments, which require our GitHub Actions CI tests to pass and are subsequently built on Heroku, can take upwards of 10 minutes.
Heroku allows us to immediately return to a previous version using rollbacks.
Rollbacks can be performed via the Heroku dashboard or with
heroku rollback --app=nextstrain-server vX, where X is the version number (available via
heroku releases --app=nextstrain-server).
All resources are in the
If you don’t see them in the AWS Console, make sure to check the region you’re looking at.
Contains JSONs for our core builds, as well as the
nextstrain.yml conda environment definition.
Fetches by the server happen over unauthenticated HTTP.
Public. CloudFronted. Contains JSONs for staging copies of our core builds. Fetches by the server happen over unauthenticated HTTP.
Private. Access controlled by IAM groups/policies. Fetches by the server happen via the S3 HTTP API using signed URLs.
rethink.nextstrain.org hosts the lab’s fauna instance, used to maintain data for the core builds.
Ephemeral instances are automatically managed by AWS Batch for
nextstrain build --aws-batch jobs.
A user pool called
nextstrain.org provides authentication for Nextstrain logins.
Cognito is integrated with the nextstrain.org server using the OAuth2 support from PassportJS in our
We don’t use Cognito’s identity pools.
Nameservers for the nextstrain.org zone are hosted by DNSimple.
nextstrain/nextstrain.org is the GitHub repo for the Nextstrain website.
Core and staging narratives are sourced from the nextstrain/narratives repo (the
staging branches, respectively).