SSL Connection for Redis and Postgres

@dimitrie what are your thoughts on updating the connection to the database and Redis to be optionally TLS connections. Non-TLS would be the default still.

I can put in a PR.

@cristi’s the boss now on these :smiley:

@peter.grainger Hmm, we’re actually using TLS connections in our deployments: We just set POSTGRES_URL and REDIS_URL to TLS-enabled urls.

What changes are you thinking of doing?

Ah, OK. Didn’t realise it was that simple! I’ll try that

@cristi for Redis don’t you have to configure it this way? Using Redis with Node.js (node_redis) | Redis Labs Documentation Center

Otherwise it will use the non-TLS connection?

@peter.grainger That’s the way to configure TLS with client certificates to strengthen the client authentication security beyond username/password.

Most redis providers just give you a connection string that starts with rediss:// (notice the double s), which means it uses a TLS socket, and that is recognized and used by the node redis package (check redis - npm and search for rediss in the page)

Do you need a setup with redis client authentication with client certificates? (in this scenario you should also configure the server to trust those client certificates that connect to it)

Thanks for the info. I’ll have to read more about it

@cristi redis indeed only needs rediss:// protocol. However for postgres you don’t use the connection string. The connection string is created from multiple environment variables. So I’m thinking this speckle-server/knexfile.js at b9cbe2e2b43f8707126000ce11898c3f20aa1c60 · arup-group/speckle-server · GitHub

Unless there is a better solution you can think of?

@peter.grainger Yes, there are currently 2 ways of configuring the postgresql connection:

  • By specifying all env variables that are in the env file
  • By specifying only the full postgres url for the connection, as you can see on that else (i.e.: if POSTGRES_USER or POSTGRES_PASSWORD is NOT specified, then the POSTGRES_URL is used as a full connection url, and can be given with any parameters you need)

Example POSTGRES_URL (our connection string in production): postgresql://admin:ZmFrZV9wYXNzd29yZF9f@ZmFrZV9zdWJkb21haW5f.in.the.cloud.com:1337/speckle_db?sslmode=require

2 Likes
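A startup check for the two settings discussed in this thread, added here as an example; it is not part of the original posts or of the speckle-server code. The environment variable names come from the thread, while the function names, result fields and sample hosts are hypothetical, and the assumption that the assembled (user/password) configuration carries no `sslmode` follows the description above.

```javascript
// Added example, not speckle-server code. Env variable names come from the
// thread; function names, result fields and sample values are hypothetical.

// sslmode values that refuse a plaintext connection (libpq semantics).
const ENFORCING_SSLMODES = new Set(['require', 'verify-ca', 'verify-full'])

function parseUrl(value) {
  try {
    return new URL(value)
  } catch {
    return null // missing or malformed URL
  }
}

function checkPostgres(env) {
  // Per the thread: when both user and password are set, the connection
  // string is assembled from separate variables, so no ?sslmode=... from a
  // full URL is in play (assumption based on that description).
  if (env.POSTGRES_USER && env.POSTGRES_PASSWORD) {
    return { source: 'components', tls: false,
      detail: 'assembled from separate variables; set only POSTGRES_URL to pass sslmode' }
  }
  const url = parseUrl(env.POSTGRES_URL)
  if (!url) return { source: 'url', tls: false, detail: 'POSTGRES_URL missing or unparseable' }
  const sslmode = url.searchParams.get('sslmode')
  return { source: 'url', tls: ENFORCING_SSLMODES.has(sslmode),
    detail: `sslmode=${sslmode ?? 'unset'}` }
}

function checkRedis(env) {
  const url = parseUrl(env.REDIS_URL)
  if (!url) return { tls: false, detail: 'REDIS_URL missing or unparseable' }
  // rediss:// (double s) selects a TLS socket; redis:// is plaintext.
  return { tls: url.protocol === 'rediss:', detail: `scheme ${url.protocol}//` }
}

function auditTlsConfig(env) {
  const results = { postgres: checkPostgres(env), redis: checkRedis(env) }
  const failures = Object.entries(results)
    .filter(([, r]) => !r.tls)
    .map(([name, r]) => `${name}: ${r.detail}`)
  return { results, failures }
}

// Constructed sample environment (placeholder hosts and credentials).
const sampleEnv = {
  POSTGRES_URL: 'postgresql://user:constructed@db.example.invalid:5432/speckle_db?sslmode=require',
  REDIS_URL: 'redis://cache.example.invalid:6379'
}
console.log(auditTlsConfig(sampleEnv).failures) // reports the plaintext Redis URL
```

Running `auditTlsConfig(process.env)` before the server opens its connections lets a deployment fail fast when either URL would fall back to plaintext.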

I’m blind! I didn’t spot the else! Thanks @cristi all tls’d up.

2 Likes