
Unable to use TLS with ElastiCache

Open maedhr opened this issue 4 years ago • 4 comments

Apparently ElastiCache needs a specific option set for TLS to work. See https://hexdocs.pm/redix/Redix.html#module-ssl .

In a release you cannot serialize the configuration needed. I have a patch that adds a configuration option to set the socket options before connecting to Redix. Wanted to start a discussion on options before submitting a PR though.

maedhr, Apr 20 '20 16:04

Hi, thank you for using the library and for bringing this up.

In a release you cannot serialize the configuration needed.

Do you mean that you can't pass a function in the Config when using a release?

Can you please explain what your proposed solution would be?

tompave, Apr 21 '20 09:04

Yes. You can't serialize the :public_key.pkix_verify_hostname_match_fun(:https) socket option when in a release.

Check out https://github.com/planswell/fun_with_flags/commit/299250b3b4fa167cc85c5449bdf4f41c256c1a42 . It adds a new option, aws, for lack of a better option. When present it will deep merge the config required for Redix to connect.

maedhr, Apr 21 '20 20:04

I see, thanks for sharing.

To be honest I'm not too keen to add any AWS-specific config keyword. It might be the simplest solution, but it also doesn't seem very clean. This specific case is tricky because you can pass ssl: true, so using SSL with a Redis that is not AWS ElastiCache would work.

The package already provides a solution for this: custom persistence adapters. You could copy and modify the Redis persistence adapter, add ElastiCache support, and then configure it. You could also release it as a standalone plugin package on Hex. The problem perhaps is that you can't do this (yet?) with the notifications adapter[1], but then you can configure the package to use the Phoenix.PubSub notifications adapter instead of Redix.PubSub, and then maybe configure that to use Phoenix.PubSub.Redis under the hood, instead of Phoenix.PubSub.PG2.

How does that sound?

[1]: Customizing the notifications adapter is a less common requirement than customizing the persistence adapter, so I didn't add it to keep the complexity under control.

tompave, Apr 23 '20 08:04

I have found a workaround, not very clean but it does the job. It is possible to define the config like this:

socket_opts: [
  verify: :verify_none,
  customize_hostname_check: [
    match_fun: &Elixir.MyApp.MyModule.pkix_verify_hostname_match_fun_https/2
  ]
]

and then define a specific module in your application:

defmodule MyApp.MyModule do
  # Named wrapper: delegates to the closure returned by :public_key so that
  # the config can reference it as an external capture (&Mod.fun/2).
  def pkix_verify_hostname_match_fun_https(a, b) do
    :public_key.pkix_verify_hostname_match_fun(:https).(a, b)
  end
end

This works because this anonymous-function-with-arity syntax is serializable in the sys.config file during releases.

chess4ever, Mar 04 '24 14:03
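The same external-capture trick, as an added example that is not code from the thread or from fun_with_flags, but with peer verification kept on so the custom hostname check is actually applied (with verify: :verify_none the server certificate is not checked at all, and customize_hostname_check is never consulted). It assumes a hypothetical MyApp.RedisTLS module, a REDIS_HOST environment variable and a CA bundle path.

```elixir
# lib/my_app/redis_tls.ex (hypothetical module name)
defmodule MyApp.RedisTLS do
  @moduledoc """
  Named wrappers around closures from :public_key, so a release config
  can reference them as external captures (&MyApp.RedisTLS.match_fun/2),
  which a sys.config file can hold, unlike an anonymous closure.
  """

  # Same check as :public_key.pkix_verify_hostname_match_fun(:https):
  # RFC 6125 style matching of the reference name against the
  # certificate's dNSName subject alternative names, with wildcards.
  def match_fun(reference, presented) do
    :public_key.pkix_verify_hostname_match_fun(:https).(reference, presented)
  end

  # Socket options with certificate verification enabled. Hostname
  # checking is part of :verify_peer, so the match_fun only takes effect
  # when verification is on.
  def socket_opts(host, cacertfile) do
    [
      verify: :verify_peer,
      cacertfile: cacertfile,
      depth: 3,
      server_name_indication: String.to_charlist(host),
      customize_hostname_check: [match_fun: &__MODULE__.match_fun/2]
    ]
  end
end

# config/runtime.exs (config/releases.exs on Elixir 1.9 and 1.10).
# Inline literal form so the value survives being written to sys.config;
# the CA bundle path is an assumption for this example.
import Config

redis_host = System.fetch_env!("REDIS_HOST")

config :fun_with_flags, :redis,
  host: redis_host,
  port: 6379,
  ssl: true,
  socket_opts: [
    verify: :verify_peer,
    cacertfile: "/etc/ssl/certs/ca-certificates.crt",
    depth: 3,
    server_name_indication: String.to_charlist(redis_host),
    customize_hostname_check: [match_fun: &MyApp.RedisTLS.match_fun/2]
  ]
```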