如何在 Sidekiq 上为 Redis 6 启用 TLS? [英] How to enable TLS for Redis 6 on Sidekiq?

问题描述

在我的 Ruby on Rails 应用程序中，我不断收到以下关于 Heroku Redis Premium 0 附加组件:

On my Ruby on Rails app, I keep getting the error below for the Heroku Redis Premium 0 add-on:

OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: 证书验证失败(证书链中的自签名证书)

OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)

Heroku Redis 文档 提到我需要在我的 Redis 客户端配置中启用 TLS 以连接到 Redis 6 数据库.为了实现这一点，我阅读了 redis-rb 上的 SSL/TLS 支持文档.我的理解是；我需要为 Redis.new#ssl_params 分配 ca_file、cert 和 key.问题是如何为 Redis 或通过 Heroku 上的 Sidekiq 设置这些?

Heroku Redis documentation mentions that I need to enable TLS in my Redis client's configuration in order to connect to a Redis 6 database. To achive this, I have read SSL/TLS Support documentation on redis-rb. My understanding from it is; I need to assign ca_file, cert and key for Redis.new#ssl_params. The question is how to set these for Redis or through Sidekiq on Heroku?

更新 3:Heroku 支持提供了解决问题的答案.

Update 3: Heroku support provided an answer which solved the problem.

更新 2:创建 Heroku 支持票并等待响应.

Update 2: Created Heroku support ticket and waiting response.

更新 1:询问 Sidekiq 的 Github 问题，并被建议去写 Heroku 支持.当我得到答案时会更新这个问题.

Update 1: Asked on Sidekiq's Github issues and was adviced go write Heroku support. Will update this question, when I do get an answer.

我已经验证，当插件是以下任一情况时，该应用程序确实可以工作:

I have verified the app does work when the add-on is either one of the below:

• Redis 6 的业余爱好开发
• Redis 5 的高级版 0

版本:

• Ruby – 3.0.0p0
• Ruby on Rails – 6.1.1
• Redis – 6.0
• redis-rb – 4.2.5
• Sidekiq – 6.2.1
• Heroku 堆栈 – 20

一些帮助我缩小问题范围的链接:

Some links that helped me to narrow down the issue:

• https://bibwild.wordpress.com/2020/11/24/are-you-talking-to-heroku-redis-in-cleartext-or-ssl/
• https://mislav.net/2013/07/ruby-openssl/

推荐答案

解决方案

为您的 Redis 客户端使用 OpenSSL::SSL::VERIFY_NONE.

# config/initializers/sidekiq.rb
Sidekiq.configure_server do |config|
  config.redis = { ssl_params: { verify_mode: OpenSSL::SSL::VERIFY_NONE } }
end

Sidekiq.configure_client do |config|
  config.redis = { ssl_params: { verify_mode: OpenSSL::SSL::VERIFY_NONE } }
end

Redis

Redis.new(url: 'url', driver: :ruby, ssl_params: { verify_mode: OpenSSL::SSL::VERIFY_NONE })

原因

Redis 6 需要 TLS 才能连接.但是，Heroku 支持解释说，他们管理从路由器级别到涉及自签名证书的应用程序级别的请求.事实证明，Heroku 在路由器级别终止 SSL，请求从那里通过 HTTP 转发到应用程序，而一切都在 Heroku 的防火墙和安全措施之后.

Reason

Redis 6 requires TLS to connect. However, Heroku support explained that they manage requests from the router level to the application level involving Self Signed Certs. Turns out, Heroku terminates SSL at the router level and requests are forwarded from there to the application via HTTP while everything is behind Heroku's Firewall and security measures.

来源

• https://ogirginc.github.io/en/heroku-redis-ssl错误
• https://devcenter.heroku.com/文章/securing-heroku-redis#connecting-directly-to-stunnel

这篇关于如何在 Sidekiq 上为 Redis 6 启用 TLS?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！