How to enable TLS for Redis 6 on Sidekiq?
Solution
Use OpenSSL::SSL::VERIFY_NONE for your Redis client.
Sidekiq
    # config/initializers/sidekiq.rb
    Sidekiq.configure_server do |config|
      config.redis = { ssl_params: { verify_mode: OpenSSL::SSL::VERIFY_NONE } }
    end
    Sidekiq.configure_client do |config|
      config.redis = { ssl_params: { verify_mode: OpenSSL::SSL::VERIFY_NONE } }
    end
Redis
    Redis.new(url: 'url', driver: :ruby, ssl_params: { verify_mode: OpenSSL::SSL::VERIFY_NONE })
Reason
Redis 6 requires TLS to connect. However, Heroku support explained that they manage requests from the router level to the application level involving Self Signed Certs. Turns out, Heroku terminates SSL at the router level and requests are forwarded from there to the application via HTTP while everything is behind Heroku's Firewall and security measures.
Sources
- https://ogirginc.github.io/en/heroku-redis-ssl-error
- https://devcenter.heroku.com/articles/securing-heroku-redis#connecting-directly-to-stunnel
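What the verify_mode choice changes during the handshake, as an added example that is not code from the answers on this page or from the redis gem. It assumes a throwaway local TLS server with constructed self-signed certificates standing in for Redis; self_signed_cert, handshake and compare_modes are hypothetical helper names, and the cert_store pin is only an option where the server certificate or its CA is available to the client.

```ruby
require 'openssl'
require 'socket'

# Constructed self-signed certificate standing in for the Redis server's cert.
def self_signed_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=localhost')
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.add_extension(OpenSSL::X509::ExtensionFactory.new.create_extension('subjectAltName', 'DNS:localhost'))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# One handshake against a local server presenting `cert`. `ssl_params` is the same
# kind of hash as on this page, applied with SSLContext#set_params. Returns :ok or the error text.
def handshake(cert, key, ssl_params)
  server_ctx = OpenSSL::SSL::SSLContext.new.tap { |c| c.add_certificate(cert, key) }
  tcp = TCPServer.new('127.0.0.1', 0)
  acceptor = Thread.new { OpenSSL::SSL::SSLServer.new(tcp, server_ctx).accept.close rescue nil }
  client_ctx = OpenSSL::SSL::SSLContext.new.tap { |c| c.set_params(ssl_params) }
  sock = OpenSSL::SSL::SSLSocket.new(TCPSocket.new('127.0.0.1', tcp.addr[1]), client_ctx)
  sock.sync_close = true
  sock.hostname = 'localhost'
  sock.connect
  sock.close
  :ok
rescue OpenSSL::SSL::SSLError => e
  e.message
ensure
  acceptor&.join(2)
  tcp&.close
end

# Same client settings tried against the expected server and a different one.
def compare_modes
  real, real_key = self_signed_cert
  other, other_key = self_signed_cert # a different endpoint with its own self-signed cert
  pinned = OpenSSL::X509::Store.new.tap { |s| s.add_cert(real) }
  none = { verify_mode: OpenSSL::SSL::VERIFY_NONE }
  pin  = { verify_mode: OpenSSL::SSL::VERIFY_PEER, cert_store: pinned }
  { default_peer: handshake(real, real_key, { verify_mode: OpenSSL::SSL::VERIFY_PEER }),
    none_real: handshake(real, real_key, none), none_other: handshake(other, other_key, none),
    pinned_real: handshake(real, real_key, pin), pinned_other: handshake(other, other_key, pin) }
end
```

With VERIFY_NONE both endpoints are accepted, so the connection is encrypted but the peer is not authenticated; with the certificate pinned, only the expected endpoint completes the handshake.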
Encrypt Sidekiq's connection to Redis
Sidekiq uses the redis gem which has SSL/TLS support if you provide a connection URL using the rediss:// scheme (second 's' is not a typo).
    # https://github.com/redis/redis-rb/blob/1317ecb518c2d0d0263f1cfc49f104cea3ea24b3/lib/redis/cluster/option.rb#L29
    class Redis
      class Cluster
        class Option
          DEFAULT_SCHEME = 'redis'
          SECURE_SCHEME = 'rediss'
          # ...
          def secure?
            @node_uris.any? { |uri| uri.scheme == SECURE_SCHEME } || @options[:ssl_params] || false
          end
        end
      end
    end
I've used this with AWS ElastiCache which supports in-transit encryption. The Azure docs suggest Azure Cache has similar SSL capability.
Heroku crashes after Heroku Redis upgrade from Hobby to Premium 0
Cause
Redis 6 requires TLS to connect. However, Heroku manages requests from the router level to the application level involving Self Signed Certs. Turns out, Heroku terminates SSL at the router level and requests are forwarded from there to the application via HTTP while everything is behind Heroku's Firewall and security measures.
Links that helped track down the cause:
https://ogirginc.github.io/en/heroku-redis-ssl-error
How to enable TLS for Redis 6 on Sidekiq?
Solution
Customize the options passed into Redis so that tls.rejectUnauthorized is set to false.
    const Queue = require('bull');
    const redisUrlParse = require('redis-url-parse');
    const REDIS_URL = process.env.REDIS_URL || 'redis://127.0.0.1:6379';
    const redisUrlParsed = redisUrlParse(REDIS_URL);
    const { host, port, password } = redisUrlParsed;
    const bullOptions = REDIS_URL.includes('rediss://')
      ? {
          redis: {
            port: Number(port),
            host,
            password,
            tls: {
              rejectUnauthorized: false,
            },
          },
        }
      : REDIS_URL;
    const workQueue = new Queue('work', bullOptions);
Heroku Redis - certificate verify failed (self signed certificate in certificate chain)
Actually, when you install Heroku Redis on your Heroku app, it will create 2 Config Vars for you: REDIS_TLS_URL and REDIS_URL.
The docs are actually incorrect; you have to set SSL to verify_none because TLS happens automatically.
From Heroku support:
"Our data infrastructure uses self-signed certificates so certificates
can be cycled regularly... you need to set the verify_mode
configuration variable to OpenSSL::SSL::VERIFY_NONE"