diff --git a/cache/async_cache_test.go b/cache/async_cache_test.go
index aef2ab15..9e29bccd 100644
--- a/cache/async_cache_test.go
+++ b/cache/async_cache_test.go
@@ -299,6 +299,45 @@ func TestAsyncCache_RedisCache_TLS(t *testing.T) {
 }
 }
+func TestAsyncCache_RedisCache_ServerOnlyTLS(t *testing.T) {
+ serverCfg := config.TLS{
+ CertFile: "../testdata/example.com.cert",
+ KeyFile: "../testdata/example.com.key",
+ }
+
+ clientCfg := config.TLS{
+ InsecureSkipVerify: true,
+ }
+
+ tlsServerConfig, err := serverCfg.BuildTLSConfig(nil)
+ if err != nil {
+ t.Fatalf("could not build tls config: %s", err)
+ }
+ s := miniredis.NewMiniRedis()
+ if err := s.StartTLS(tlsServerConfig); err != nil {
+ t.Fatalf("could not start miniredis: %s", err.Error())
+ // not reached
+ }
+ t.Cleanup(s.Close)
+
+ var redisCfg = config.Cache{
+ Name: "test",
+ Mode: "redis",
+ Redis: config.RedisCacheConfig{
+ EnableTLS: true,
+ TLS: clientCfg,
+ Addresses: []string{s.Addr()},
+ },
+ Expire: config.Duration(cacheTTL),
+ MaxPayloadSize: config.ByteSize(100000000),
+ }
+
+ _, err = NewAsyncCache(redisCfg, 1*time.Second)
+ if err != nil {
+ t.Fatalf("could not instanciate redis async cache because of the following error: %s", err.Error())
+ }
+}
+
 func TestAsyncCache_RedisCache_wrong_instantiation(t *testing.T) {
 var redisCfg = config.Cache{
 Name: "test",
diff --git a/clients/redis.go b/clients/redis.go
index 3dbe3f4d..5ed4d948 100644
--- a/clients/redis.go
+++ b/clients/redis.go
@@ -22,7 +22,8 @@ func NewRedisClient(cfg config.RedisCacheConfig) (redis.UniversalClient, error)
 options.DB = cfg.DBIndex
 }
- if len(cfg.CertFile) != 0 || len(cfg.KeyFile) != 0 {
+ // maintain backwards compatibility in case of non-presence of enable_tls
+ if len(cfg.CertFile) != 0 || len(cfg.KeyFile) != 0 || cfg.EnableTLS {
 tlsConfig, err := cfg.TLS.BuildTLSConfig(nil)
 if err != nil {
 return nil, err
diff --git a/config/config.go b/config/config.go
index 3691c792..a8f94c4e 100644
--- a/config/config.go
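Review bot: The new test proves only that NewAsyncCache returns no error with `EnableTLS: true`; because the client sets `InsecureSkipVerify: true`, neither certificate verification nor the fact that `EnableTLS` alone is what switched the connection to TLS is exercised, and if NewAsyncCache does not round-trip to the server the test would pass against a plaintext client too. A negative case against the same TLS-only miniredis pins the new flag: `redisCfg.Redis.EnableTLS = false` followed by `if _, err := NewAsyncCache(redisCfg, 1*time.Second); err == nil { t.Fatal("plaintext client must not connect to a TLS-only server") }`, assuming construction does perform a connection check. The `// not reached` comment after `t.Fatalf` inside the if block annotates nothing and reads as a leftover; drop it. `instanciate` in the last message looks copied from the neighbouring tests, so either fix it in all of them or leave it consistent.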
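Review bot: A config that sets `insecure_skip_verify: true` (which the docs hunk now presents as a standalone option) without `enable_tls` and without a cert/key pair still falls through this condition to a plaintext connection, with no error or log, so a config that looks TLS-enabled silently is not. Reject it before the branch: `if cfg.InsecureSkipVerify && !cfg.EnableTLS && len(cfg.CertFile) == 0 && len(cfg.KeyFile) == 0 { return nil, fmt.Errorf("redis: insecure_skip_verify is set but tls is not enabled; set enable_tls") }` (assuming fmt is imported in this file, otherwise errors.New). The new comment explains the history rather than the rule; `// TLS is enabled explicitly by enable_tls, or implicitly when a client cert/key is configured (configs written before enable_tls existed).` says what the condition does. NewRedisClient begins and ends outside the hunk.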
+++ b/config/config.go
@@ -367,12 +367,10 @@ func (c *TLS) BuildTLSConfig(acm *autocert.Manager) (*tls.Config, error) {
 c.CertFile, c.KeyFile, err)
 }
 tlsCfg.Certificates = []tls.Certificate{cert}
- } else {
- if acm == nil {
- return nil, fmt.Errorf("autocert manager is not configured")
- }
+ } else if acm != nil {
 tlsCfg.GetCertificate = acm.GetCertificate
 }
+
 return &tlsCfg, nil
 }
@@ -965,7 +963,8 @@ type FileSystemCacheConfig struct {
 }
 type RedisCacheConfig struct {
- TLS `yaml:",inline"`
+ TLS `yaml:",inline"`
+ EnableTLS bool `yaml:"enable_tls,omitempty"`
 Username string `yaml:"username,omitempty"`
 Password string `yaml:"password,omitempty"`
diff --git a/docs/src/content/docs/configuration/default.md b/docs/src/content/docs/configuration/default.md
index b554ba73..1076d72b 100644
--- a/docs/src/content/docs/configuration/default.md
+++ b/docs/src/content/docs/configuration/default.md
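Review bot: Removing the `acm == nil` error changes BuildTLSConfig for every caller, not only the Redis client: with no cert/key and no autocert manager it now returns a `tls.Config` with neither `Certificates` nor `GetCertificate`, which is usable by a client but cannot complete a handshake as a server. If the HTTPS listener calls it with a nil manager (its call site is not in this diff), that misconfiguration now surfaces at the first TLS handshake instead of at startup. Keep a startup-time check at the server call site, `if len(tlsCfg.Certificates) == 0 && tlsCfg.GetCertificate == nil { return nil, fmt.Errorf("no certificate and no autocert manager configured") }`, or split the builder into server and client variants. BuildTLSConfig starts outside the hunk; its doc comment should state that a config without any certificate source is returned when neither cert/key nor acm is set.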
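Review bot: `EnableTLS` is an exported config field without a doc comment, and the fact that it is not the only switch (a non-empty CertFile/KeyFile from the inline `TLS` struct also turns on TLS, per clients/redis.go in this diff) is documented only in the client code. Add above the field: `// EnableTLS turns on TLS for the Redis connection even when no client certificate is configured.` and `// For backwards compatibility a non-empty CertFile/KeyFile also enables TLS.` The yaml name `enable_tls` matches the docs hunk, so the tag itself is fine.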
@@ -67,18 +67,22 @@ caches: # Applicable for cache mode: redis # You should use multiple addresses only if they all belong to the same redis cluster. redis: - # Paths to TLS cert and key files for the redis server. - # If you change the cert & key files while chproxy is running, you have to restart chproxy so that it loads them. - # Triggering a SIGHUP signal won't work as for the rest of the configuration. - cert_file: "redis tls cert file path" - key_file: "redis tls key file apth" - # Allow to skip the verification of the redis server certificate. - insecure_skip_verify: true - addresses: - "localhost:16379" username: "user" password: "pass" + + # TLS: For backwards compatibility, having a non-empty cert_file and key_file also enables TLS configuration. + enable_tls: false + + # TLS: Switch to true to disable server certificate validation ( e.g. when using self-signed certificates ) + insecure_skip_verify: false + + # TLS: Paths to cert and key file for client-side X.509/mTLS authentication. + # Reload is NOT automatic : SIGHUP insufficient, chproxy must be restarted. + cert_file: "path to of tls client certificate to present to redis conn" + key_file: "path to of tls client cert key to present to redis conn" + expire: 10s # Optional network lists, might be used as values for `allowed_networks`.