Edge

Edge nodes serve the CookieHub consent widget and related assets to end users. The edge layer is currently a hybrid of three systems that coexist during an active migration.

Architecture

Scaleway PHP Servers

Virtual servers hosted on Scaleway running raw PHP. These handle the original widget serving logic.

Being phased out

All bare metal infrastructure (including LUKS/RAID1/Tang encrypted servers referenced in older docs) is being phased out. The Scaleway PHP servers are the remaining non-AWS edge component.

CloudFront + Lambda@Edge

AWS-managed CDN with Lambda@Edge functions for:

  • Region detection — determines user's region for consent law applicability
  • Consent logging — logs consent events at the edge before forwarding to the analytics pipeline

flowchart LR
    User[End user] --> CF[CloudFront]
    CF --> Lambda[Lambda@Edge]
    Lambda -->|region| User
    Lambda -->|consent log| SQS[SQS Queue]
    SQS --> Vault[Vault pipeline]

Being replaced

The /log Lambda@Edge function is being superseded by the edge-api service (below). It will be decommissioned once all widget traffic has migrated to edge-api.cookiehub.net.

edge-api (Hono / Node.js on ECS)

TypeScript service replacing Lambda@Edge for consent event ingestion and introducing server-issued session identity. Handles widget traffic via CloudFront → ALB → ECS. Accepts v3 events with HMAC-signed session_proof and exposes a /v1/log compatibility endpoint for widgets still on v1 tokens.

flowchart LR
    User[End user] --> CF[CloudFront<br/>geo headers]
    CF --> ALB[Public ALB]
    ALB --> API[edge-api<br/>ECS service]
    API --> SQS[SQS Queue]
    SQS --> Vault[Vault pipeline]
    API --> CH[(ClickHouse<br/>read-only)]
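
An added example, not taken from the edge-api code base: one way a service can verify an HMAC-signed session_proof before accepting a v3 event. The proof layout (base64url JSON payload, a dot, base64url HMAC-SHA256 tag), the sid/exp fields and all function names are assumptions, since the actual format is not documented on this page.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Hypothetical layout (assumption, not the real edge-api format):
//   base64url(JSON {sid, exp}) "." base64url(HMAC-SHA256(key, payloadPart))
interface SessionClaims {
  sid: string; // server-issued session id
  exp: number; // expiry, unix seconds
}

function tag(key: Buffer, payloadPart: string): Buffer {
  return createHmac("sha256", key).update(payloadPart).digest();
}

// Server side: issue a proof for a new session.
function issueSessionProof(key: Buffer, claims: SessionClaims): string {
  const payloadPart = Buffer.from(JSON.stringify(claims)).toString("base64url");
  return `${payloadPart}.${tag(key, payloadPart).toString("base64url")}`;
}

// Returns the claims if the tag verifies and the proof is unexpired, else null.
function verifySessionProof(key: Buffer, proof: string, nowSec: number): SessionClaims | null {
  const dot = proof.indexOf(".");
  if (dot < 0 || proof.indexOf(".", dot + 1) !== -1) return null;
  const payloadPart = proof.slice(0, dot);
  const sigPart = proof.slice(dot + 1);

  const given = Buffer.from(sigPart, "base64url");
  // Buffer.from decodes leniently; reject non-canonical encodings of the tag.
  if (given.toString("base64url") !== sigPart) return null;

  const expected = tag(key, payloadPart);
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;

  // Parse only after the tag checks out, so unauthenticated input never reaches JSON.parse.
  try {
    const c = JSON.parse(Buffer.from(payloadPart, "base64url").toString("utf8")) as Partial<SessionClaims> | null;
    if (!c || typeof c.sid !== "string" || typeof c.exp !== "number" || c.exp <= nowSec) return null;
    return { sid: c.sid, exp: c.exp };
  } catch {
    return null;
  }
}

// Constructed demo key and claims; a real key would come from a secret store.
const demoKey = Buffer.from("constructed-demo-key-not-a-secret");
const demoProof = issueSessionProof(demoKey, { sid: "s-123", exp: 2_000_000_000 });
console.log(verifySessionProof(demoKey, demoProof, 1_700_000_000));
```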

Status: live on stage at https://edge-api.stage.cookiehub.net. Prod deployment (edge-api.cookiehub.net) is the current blocker for widget 2.9 release — see edge-api migration plan. Deployment runbook: Deployments → Edge API.

Infrastructure (Stage)

Managed via Terraform — modules/edge/cdn/ for the CloudFront/Lambda layer and modules/edge/edge-api/ + modules/edge/ecs/ + modules/edge/ecr/ for edge-api.

| Component | Details |
|---|---|
| CloudFront distribution | CDN for widget assets + geo header enrichment |
| Lambda@Edge: region | Returns user's geographic region |
| Lambda@Edge: consent log | Processes v1 consent events (being replaced) |
| edge-api ECS service | Hono service on stage-euc1-edge-ecs-cluster |
| ECR: edge-api | Container registry for edge-api images |
| ACM cert (us-east-1) | edge-api.stage.cookiehub.net (CloudFront requirement) |
| SQS queue | Consent event buffer before vault ingestion |
| S3 buckets | Static asset storage |

Dependencies

  • Vault pipeline — receives consent events via SQS (handles both v3 and v1 envelope formats)
  • S3 — widget assets and static files
  • ClickHouse — read-only dependency of edge-api for consent state lookup