
Support TLS connections to Redis

Open · textbook opened this issue 4 years ago · 1 comment

Per Heroku's guidance on the introduction of Redis 6 to the hobby add-on:

Heroku Redis hobby add-ons using version 6 will see two connection strings published to their app’s config vars:

REDIS_URL:      redis://:password@hostname:port
REDIS_TLS_URL:  rediss://:password@hostname:tls-port

Continued use of the plaintext REDIS_URL will function as expected, even after upgrading from version 4 or 5 to version 6. However, we recommend using the encrypted REDIS_TLS_URL for all client connections.

In the future, the plaintext redis:// connection string will be replaced with the encrypted rediss:// connection string. It is recommended that users transition their application’s configuration to support and use the TLS connection string to make secure client connections to their Heroku Redis add-on.

I had a quick try at simply adding this option to the redis_configuration_provider.rb:

diff --git a/api/lib/configurations/redis_configuration_provider.rb b/api/lib/configurations/redis_configuration_provider.rb
index 9c6384f..059ed71 100644
--- a/api/lib/configurations/redis_configuration_provider.rb
+++ b/api/lib/configurations/redis_configuration_provider.rb
@@ -33,6 +33,7 @@ require 'cf-app-utils'
 class RedisConfigurationProvider
   def redis_config
     return nil unless ENV['RAILS_ENV'] == 'production'
+    return ENV['REDIS_TLS_URL'] unless ENV['REDIS_TLS_URL'].nil?
     return ENV['REDIS_URL'] unless ENV['REDIS_URL'].nil?
 
     unless ENV['VCAP_SERVICES'].nil?
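Review bot: Preferring REDIS_TLS_URL over REDIS_URL on the added line changes every production deployment that has both config vars set, with no opt-out, and the traceback reported below shows redis 3.3.5 then fails hostname verification against the rediss:// endpoint, so this line on its own turns a working deployment into a crash loop. Gate the new return behind an explicit opt-in setting, or land it together with the ssl_params change so the two cannot ship separately. Minor: `return ENV['REDIS_TLS_URL'] unless ENV['REDIS_TLS_URL'].nil?` reads more directly as `return ENV['REDIS_TLS_URL'] if ENV.key?('REDIS_TLS_URL')`, matching the existing REDIS_URL line's intent without repeating the lookup.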

but this led to:

2021-05-15T10:45:19.487510+00:00 app[web.1]: /app/vendor/ruby-2.7.3/lib/ruby/2.7.0/openssl/ssl.rb:395:in `post_connection_check': hostname "ec2-50-16-232-225.compute-1.amazonaws.com" does not match the server certificate (OpenSSL::SSL::SSLError)
2021-05-15T10:45:19.487541+00:00 app[web.1]: from /app/vendor/bundle/ruby/2.7.0/gems/redis-3.3.5/lib/redis/connection/ruby.rb:289:in `connect'

and a crashing app. Reading the next paragraph in the original docs:

At this time, when establishing an encrypted client connection, you will need to skip certificate verification. More details about language-specific client connections can be found in our Dev Center article and Help Center article.

Based on the latter I tried adding:

diff --git a/api/lib/configurations/action_cable_adapter_configuration_provider.rb b/api/lib/configurations/action_cable_adapter_configuration_provider.rb
index c77ef20..5fd6e59 100644
--- a/api/lib/configurations/action_cable_adapter_configuration_provider.rb
+++ b/api/lib/configurations/action_cable_adapter_configuration_provider.rb
@@ -24,6 +24,7 @@ class ActionCableAdapterConfigurationProvider
   def redis_adapter
     {
       adapter: 'redis',
+      ssl_params: { verify_mode: OpenSSL::SSL::VERIFY_NONE },
       url: RedisConfigurationProvider.new.redis_config
     }
   end
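Review bot: `ssl_params: { verify_mode: OpenSSL::SSL::VERIFY_NONE }` disables both certificate chain and hostname verification for the Action Cable Redis connection, so a rediss:// connection becomes encrypted but unauthenticated; that is what the quoted Heroku guidance asks for, but it should be opt-in (for example driven by an environment flag) and carry a comment saying why, rather than being hard-coded for every deployment, and it is also passed unconditionally for plaintext redis:// URLs where it has no effect. Separately, this hash is only the Action Cable adapter configuration: whether `ssl_params` reaches the redis 3.3.5 client named in the traceback depends on the installed Action Cable version passing the option through (the rails/rails#42036 reference), so confirm the Rails version in use honours the key before relying on it, and any other place that builds a Redis client from `RedisConfigurationProvider#redis_config` needs the same parameter or it will keep failing the hostname check.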

but this didn't seem to make any difference, although rails/rails#42036 implies this config should help.

textbook · May 15 '21 17:05
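The two patches above select the TLS connection string and pass `ssl_params` separately; the following is an added example (not postfacto's code, and not from the issue author) that combines both behind an opt-in flag and reproduces, offline, the hostname check that produced the `post_connection_check` error. The helper names, the `REDIS_SKIP_CERT_VERIFY` variable and the certificate's DNS name are assumptions made for the illustration; the `ssl_params`/`verify_mode` keys are the redis-rb client options the second patch uses, and `OpenSSL::SSL.verify_certificate_identity` is the stdlib check that `SSLSocket#post_connection_check` calls before raising `hostname "..." does not match the server certificate`.

```ruby
require 'openssl'
require 'uri'

# Hypothetical helper (added here, not postfacto's code): prefer the encrypted
# connection string Heroku publishes, falling back to the plaintext one.
def select_redis_url(env)
  env['REDIS_TLS_URL'] || env['REDIS_URL']
end

# Build the options hash a redis-rb client takes. For a rediss:// URL the default
# is full verification (VERIFY_PEER, under which the client also checks the
# hostname). VERIFY_NONE, which the Heroku guidance asks for, is opt-in through a
# hypothetical REDIS_SKIP_CERT_VERIFY variable so other deployments keep verification.
def redis_client_options(env)
  url = select_redis_url(env)
  options = { url: url }
  return options unless URI.parse(url).scheme == 'rediss'

  verify_mode = if env['REDIS_SKIP_CERT_VERIFY'] == 'true'
                  OpenSSL::SSL::VERIFY_NONE # encrypted but unauthenticated
                else
                  OpenSSL::SSL::VERIFY_PEER
                end
  options.merge(ssl_params: { verify_mode: verify_mode })
end

# Offline reproduction of the check behind the issue's traceback:
# SSLSocket#post_connection_check calls OpenSSL::SSL.verify_certificate_identity
# and raises 'hostname "..." does not match the server certificate' when it is false.
def hostname_matches?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

# Constructed self-signed certificate carrying a single DNS SAN, standing in for a
# server certificate that was not issued for the public EC2 hostname in the URL.
def constructed_server_cert(dns_name)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{dns_name}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  factory = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(factory.create_extension('subjectAltName', "DNS:#{dns_name}"))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

if $PROGRAM_NAME == __FILE__
  # Constructed config vars in the shape Heroku publishes (password and host are made up).
  env = {
    'REDIS_URL' => 'redis://:pw@ec2-50-16-232-225.compute-1.amazonaws.com:6379',
    'REDIS_TLS_URL' => 'rediss://:pw@ec2-50-16-232-225.compute-1.amazonaws.com:6380'
  }
  p redis_client_options(env)
  p redis_client_options(env.merge('REDIS_SKIP_CERT_VERIFY' => 'true'))
  cert = constructed_server_cert('redis.internal.example')
  p hostname_matches?(cert, 'ec2-50-16-232-225.compute-1.amazonaws.com')
  p hostname_matches?(cert, 'redis.internal.example')
end
```

The certificate helper is only there to show why the first patch crashed: the check fails whenever the name in the URL is not among the certificate's names, which is the situation the Heroku text describes when it says verification must be skipped. Setting VERIFY_NONE removes that check along with chain validation, so a deployment that opts in is trusting the network path to Redis rather than the server's identity.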

I was trying to deploy postfacto on Azure, using Azure Cache for Redis, which forces TLS by default, and it didn't work.

I had to enable non-TLS connections on the Redis server and also set the DISABLE_SSL_REDIRECT flag in the postfacto deployment to make it work properly.

kvmw · Oct 10 '22 11:10