[BUG] Elastic cache TLS configuration

[hornv]

Describe the bug
Cannot connect to AWS elasticcache endpoint (redis OSS caches)
the output is

INFO: 2025/08/01 11:48:24 main.go:50: chproxy ver. 1.26.6, rev. f3e128843392c502dd82709f073af73bb5b56d6c, built at 2024-11-21T11:20:35Z
INFO: 2025/08/01 11:48:24 main.go:51: Loading config: /etc/chproxy/config.yaml
FATAL: 2025/08/01 11:48:27 main.go:58: error while applying config: failed to reach redis: i/o timeout

To Reproduce
create chproxy config and TLS redis endpoint

Expected behavior
A clear and concise description of what you expected to happen.

Environment information
chproxy running in EKS based on 1.26.6

configuration for cache block is

    caches:
      - name: "redis"
        mode: "redis"
        redis:
          addresses:
            - "${ELASTIC_HOST}"
          password: ${ELASTIC_TOKEN}
          insecure_skip_verify: false
        expire: 10m

Tried adding tls: true

Additional context
I ran tcpdump on the same host and was able to see all data (token) in plain text, meaning tls configuration doesn't work.
I used to have redis-cache as a stateful set in the same namespace without TLS. worked perfectly.

[sbulatnikov]

Absolutely the same issue we faced today
@mga-chka is it possible to figure out how to establish secure connection to AWS ElastiCache with default TLS options with current configuration of Chproxy?

[hileef]

Hello @hornv , @sbulatnikov ,

Starting with CHProxy v1.30.0 , you can now specify the enable_tls flag in order to turn on TLS support on the redis connection without a client cert & key pair.

In other words, the configuration can be adapted as such :

    caches:
      - name: "redis"
        mode: "redis"
        redis:
          addresses:
            - "${ELASTIC_HOST}"
          password: ${ELASTIC_TOKEN}
          enable_tls: true
          insecure_skip_verify: false
        expire: 10m

If you experience additional issues regarding TLS conns with redis ( or elasticache ),
please let us know so we re-open the issue 🙏