How to Enable TLS for Redis 6 on Sidekiq

How to enable TLS for Redis 6 on Sidekiq?

Solution

Use OpenSSL::SSL::VERIFY_NONE for your Redis client.

Sidekiq

# config/initializers/sidekiq.rb
Sidekiq.configure_server do |config|
  config.redis = { ssl_params: { verify_mode: OpenSSL::SSL::VERIFY_NONE } }
end

Sidekiq.configure_client do |config|
  config.redis = { ssl_params: { verify_mode: OpenSSL::SSL::VERIFY_NONE } }
end

Redis

Redis.new(url: 'url', driver: :ruby, ssl_params: { verify_mode: OpenSSL::SSL::VERIFY_NONE })

Reason

Redis 6 requires TLS to connect. However, Heroku support explained that they manage requests from the router level to the application level involving self-signed certs. It turns out that Heroku terminates SSL at the router level, and requests are forwarded from there to the application via HTTP while everything is behind Heroku's firewall and security measures.


Sources

  • https://ogirginc.github.io/en/heroku-redis-ssl-error
  • https://devcenter.heroku.com/articles/securing-heroku-redis#connecting-directly-to-stunnel

Encrypt Sidekiq's connection to Redis

Sidekiq uses the redis gem which has SSL/TLS support if you provide a connection URL using the rediss:// scheme (second 's' is not a typo).

# https://github.com/redis/redis-rb/blob/1317ecb518c2d0d0263f1cfc49f104cea3ea24b3/lib/redis/cluster/option.rb#L29
class Redis
  class Cluster
    class Option
      DEFAULT_SCHEME = 'redis'
      SECURE_SCHEME = 'rediss'

      # ...

      def secure?
        @node_uris.any? { |uri| uri.scheme == SECURE_SCHEME } || @options[:ssl_params] || false
      end
    end
  end
end

I've used this with AWS ElastiCache which supports in-transit encryption. The Azure docs suggest Azure Cache has similar SSL capability.

Heroku crashes after Heroku Redis upgrade from Hobby to Premium 0

Cause

Redis 6 requires TLS to connect. However, Heroku manages requests from the router level to the application level involving self-signed certs. It turns out that Heroku terminates SSL at the router level, and requests are forwarded from there to the application via HTTP while everything is behind Heroku's firewall and security measures.

Links that helped track down the cause:

https://ogirginc.github.io/en/heroku-redis-ssl-error

How to enable TLS for Redis 6 on Sidekiq?

Solution

Customize the options passed into Redis so that tls.rejectUnauthorized is set to false.

const Queue = require('bull');
const redisUrlParse = require('redis-url-parse');

const REDIS_URL = process.env.REDIS_URL || 'redis://127.0.0.1:6379';
const redisUrlParsed = redisUrlParse(REDIS_URL);
const { host, port, password } = redisUrlParsed;
const bullOptions = REDIS_URL.includes('rediss://')
  ? {
      redis: {
        port: Number(port),
        host,
        password,
        tls: {
          rejectUnauthorized: false,
        },
      },
    }
  : REDIS_URL;

const workQueue = new Queue('work', bullOptions);

Heroku Redis - certificate verify failed (self signed certificate in certificate chain)

Actually, when you install Heroku Redis on your Heroku app, it will create 2 Config Vars for you: REDIS_TLS_URL and REDIS_URL.

The docs are actually incorrect, you have to set SSL to verify_none because TLS happens automatically.

From Heroku support:

"Our data infrastructure uses self-signed certificates so certificates
can be cycled regularly... you need to set the verify_mode
configuration variable to OpenSSL::SSL::VERIFY_NONE"
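
The trade-off in the answers above, as an added Ruby example that is not part of the original answers or of Sidekiq or redis-rb: a helper that keeps certificate verification on by default and makes VERIFY_NONE an explicit opt-out that a startup check can detect. The helper names, the REDIS_SKIP_TLS_VERIFY and REDIS_CA_FILE variables, the preference for REDIS_TLS_URL over REDIS_URL, and the sample hosts and paths are assumptions.

```ruby
require 'openssl'
require 'uri'

# Hypothetical helper (not part of Sidekiq or redis-rb): builds the hash
# assigned to config.redis. Verification stays on unless the operator
# explicitly opts out, and ssl_params are only set for rediss:// URLs.
def sidekiq_redis_options(env)
  url = env['REDIS_TLS_URL'] || env['REDIS_URL']
  raise ArgumentError, 'no Redis URL configured' if url.nil? || url.empty?

  options = { url: url }
  return options unless URI.parse(url).scheme == 'rediss' # plaintext: no ssl_params

  if env['REDIS_SKIP_TLS_VERIFY'] == '1' # assumed variable name
    # The setting from the answers above: the link is encrypted, but the
    # server certificate is not checked, so the peer is not authenticated.
    options[:ssl_params] = { verify_mode: OpenSSL::SSL::VERIFY_NONE }
  else
    ssl = { verify_mode: OpenSSL::SSL::VERIFY_PEER }
    # Optional private CA bundle, for providers that publish one.
    ssl[:ca_file] = env['REDIS_CA_FILE'] if env['REDIS_CA_FILE'] # assumed variable name
    options[:ssl_params] = ssl
  end
  options
end

# Flags configurations that disable certificate verification.
def tls_verification_disabled?(options)
  params = options[:ssl_params]
  !params.nil? && params[:verify_mode] == OpenSSL::SSL::VERIFY_NONE
end

# Constructed sample environments (hostnames, password and path are made up).
HEROKU_ENV = {
  'REDIS_URL' => 'redis://:secret@redis.example.invalid:6379',
  'REDIS_TLS_URL' => 'rediss://:secret@redis.example.invalid:6380',
  'REDIS_SKIP_TLS_VERIFY' => '1'
}.freeze
PRIVATE_CA_ENV = {
  'REDIS_URL' => 'rediss://cache.example.invalid:6379',
  'REDIS_CA_FILE' => '/etc/ssl/certs/redis-ca.pem'
}.freeze

if __FILE__ == $PROGRAM_NAME
  [HEROKU_ENV, PRIVATE_CA_ENV].each do |env|
    opts = sidekiq_redis_options(env)
    puts "verification disabled: #{tls_verification_disabled?(opts)} #{opts[:ssl_params]}"
  end
end
```

In config/initializers/sidekiq.rb the result would be assigned as config.redis = sidekiq_redis_options(ENV) in both the configure_server and configure_client blocks.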


