Skip to content

Commit

Permalink
Allow connecting to Redis with TLS
Browse files Browse the repository at this point in the history
Previously we've been using a client-side proxy to connect to our TLS-enabled
ElastiCache cluster. But ioredis supports connecting with TLS natively. There
are two ways to opt in:

1. If a connection string is passed to the Redis constructor, using rediss://
   rather than redis:// as the scheme enables TLS.
2. Pass a 'tls' option whose value is a (possibly-empty) object of options to
   pass through to Node's tls.connect() method.

Add a new REDIS_TLS environment variable, which can be set to '1' or 'true' to
connect with TLS. If set, set the 'tls' option to an empty object to enable TLS.

https://phabricator.endlessm.com/T35672
  • Loading branch information
wjt committed Sep 30, 2024
1 parent 8f5cd59 commit 68f07b7
Show file tree
Hide file tree
Showing 2 changed files with 8 additions and 0 deletions.
2 changes: 2 additions & 0 deletions config/index.js
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ const server_bind_address = process.env.BIND_ADDRESS || '127.0.0.1';
const redis_host = process.env.REDIS_HOST || '127.0.0.1';
const redis_port = parseInt(process.env.REDIS_PORT, 10) || 6379;
const redis_password = process.env.REDIS_PASSWORD || '';
const redis_tls = ["true", "1"].includes((process.env.REDIS_TLS || '').toLowerCase());

// Crash handler
process.on('uncaughtException', (err) => {
Expand All @@ -26,4 +27,5 @@ exports = module.exports = {
redis_host,
redis_port,
redis_password,
redis_tls,
};
6 changes: 6 additions & 0 deletions util/redis.js
Original file line number Diff line number Diff line change
Expand Up @@ -12,10 +12,16 @@ exports = module.exports = {
redisPort: config.redis_port,
redisPassword: config.redis_password,
getRedis: (callback) => {
/* ioredis uses tls.connect() if the tls option is set, and passes it as
* additional options to tls.connect().
*/
let tls = config.redis_tls ? {} : undefined;

const redis = new Redis({
host: config.redis_host,
port: config.redis_port,
password: config.redis_password,
tls,
reconnectOnError(err) {
/* Reconnect when ElastiCache has promoted some other node to primary &
* demoted the node we are connected to a replica.
Expand Down

0 comments on commit 68f07b7

Please sign in to comment.