SSL Connection for Redis and Postgres

peter.grainger · 22 July 2021 08:16

@dimitrie what are your thoughts on updating the connection to the database and Redis to be optionally TLS connections. Non-TLS would be the default still.

I can put in a PR.

dimitrie · 22 July 2021 09:21

@cristi’s the boss now on these

cristi · 22 July 2021 09:28

@peter.grainger Hmm, we’re actually using TLS connections in our deployments: We just set POSTGRES_URL and REDIS_URL to TLS-enabled urls.

What changes are you thinking of doing?

peter.grainger · 22 July 2021 11:05

Ah, OK. Didn’t realise it was that simple! I’ll try that

peter.grainger · 22 July 2021 11:06

@cristi for Redis don’t you have to configure it this way? Using Redis with Node.js (node_redis) | Redis Labs Documentation Center

Otherwise it will use the non-TLS connection?

cristi · 22 July 2021 11:18

@peter.grainger That’s the way to configure TLS with client certificates to strengthen the client authentication security beyond username/password.

Most redis providers just give you a connection string that starts with rediss:// (notice the double s), which means it uses a TLS socket, and that is recognized and used by the node redis package (check redis - npm and search for rediss in the page)

Do you need a setup with redis client authentication with client certificates? (in this scenario you should also configure the server to trust those client certificates that connect to it)

peter.grainger · 22 July 2021 17:02

Thanks for the info. I’ll have to read more about it

peter.grainger · 11 August 2021 20:45

@cristi redis indeed only needs rediss:// protocol. However for postgres you don’t use the connection string. The connection string is created from multiple environment variables. So I’m thinking this speckle-server/knexfile.js at b9cbe2e2b43f8707126000ce11898c3f20aa1c60 · arup-group/speckle-server · GitHub

Unless there is a better solution you can think of?

cristi · 11 August 2021 21:50

@peter.grainger Yes, there are currently 2 ways of configuring the postgresql connection:

By specifying all env variables that are in the env file
By specifying only the full postgres url for the connection, as you can see on that else (i.e.: if POSTGRES_USER or POSTGRES_PASSWORD is NOT specified, then the POSTGRES_URL is used as a full connection url (and can be given with any parameters you need)

Example POSTGRES_URL (our connection string in production): postgresql://admin:[email protected]:1337/speckle_db?sslmode=require

peter.grainger · 12 August 2021 20:04

I’m blind! I didn’t spot the else! Thanks @cristi all tls’d up.