MDL-72622

Support TLS connections for Redis


Details

    • MOODLE_311_STABLE, MOODLE_401_STABLE
    • MOODLE_403_STABLE
    • MDL-72622-redis-tls

      Having Redis locally

      Create a self-signed certificate. You can run this command on Ubuntu:

       

      sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/redis/redis.key -out /etc/redis/redis.crt 

      You can leave all answers at their defaults. The one that matters is Common Name: if you have a name with a dot in your hosts file (e.g. moodle.my or localhost), enter it there. Otherwise add such a name to your hosts file first and then use it as the Common Name. You may need to change the ownership of the two files so that they are owned by the redis user.

      Update your Redis config to use those certificates:

      port 0
      tls-port 6379
      tls-cert-file /etc/redis/redis.crt
      tls-key-file /etc/redis/redis.key
      tls-protocols "TLSv1.2 TLSv1.3"
      tls-auth-clients no

      Restart redis by running

      /etc/init.d/redis-server restart 
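      The Common Name step is what later decides whether Moodle can verify the server through the CA file path instead of skipping verification. The script below is an added example, not part of the tracker issue: it produces the same kind of self-signed certificate as the openssl command above, but sets the hostname non-interactively as both Common Name and Subject Alternative Name, writes into a temporary directory (WORKDIR is a placeholder; copy the files to /etc/redis afterwards), and then checks with openssl that the certificate matches the intended hostname and validates against itself when used as the CA file. It assumes the openssl command line tool (1.1.1 or newer, for -addext) is installed.

```shell
#!/bin/sh
# Added example (not from the Moodle tracker issue): create the self-signed
# Redis certificate with the hostname as CN and SAN, then check it the way a
# verifying client (CA file path set) would before pointing Moodle at it.
# Assumes the openssl CLI is installed; WORKDIR and the hostname are placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# make_selfsigned HOST [DAYS]
# Writes $WORKDIR/redis.key and $WORKDIR/redis.crt for HOST, non-interactively.
make_selfsigned() {
    host="$1"
    days="${2:-365}"
    openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
        -keyout "$WORKDIR/redis.key" -out "$WORKDIR/redis.crt" \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host" 2>/dev/null
    # The private key must not be world-readable; the redis user needs it later.
    chmod 600 "$WORKDIR/redis.key"
}

# cert_matches_host CERT HOST
# Prints "yes" when the certificate's CN/SAN matches HOST, "no" otherwise.
# openssl prints "Hostname X does match certificate" or "... does NOT match ...".
cert_matches_host() {
    if openssl x509 -in "$1" -noout -checkhost "$2" | grep -q ' does match '; then
        echo yes
    else
        echo no
    fi
}

# cert_verifies_with_ca CERT CAFILE
# Prints "yes" when CERT validates against CAFILE; a self-signed certificate
# validates against itself, which is what the "CA file path" setting relies on.
cert_verifies_with_ca() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

# Usage: generate for the name from your hosts file and check both properties.
if [ "${1:-}" != "" ]; then
    make_selfsigned "$1"
    echo "matches $1: $(cert_matches_host "$WORKDIR/redis.crt" "$1")"
    echo "verifies with itself as CA: $(cert_verifies_with_ca "$WORKDIR/redis.crt" "$WORKDIR/redis.crt")"
    echo "files in $WORKDIR"
fi
```

      Run it as `sh check-redis-cert.sh moodle.my`. If the first check prints "no", the Moodle connection with a CA file path set will fail hostname verification, and you would have to fall back to leaving the CA file path empty, which skips verification entirely.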

      Redis Cache

      Test config

      Config - Plugins -> Caching / Configuration /cache/admin.php

      Redis -> Add instance:
      1. Store name: some name
      2. Server: Redis server hostname from above
      3. Tick Use TLS encryption
      4. If the certificate was issued for the hostname you entered, put /etc/redis/redis.crt in CA file path; otherwise leave it empty, which skips certificate verification.
      5. Save changes

      Confirm that there is a green tick in the Ready column for the store.

      Now you can either map individual cache definitions of types Application and Session to your newly created Redis instance, or, at the bottom of the page:

      Stores used when no mapping is present -> Edit mappings:
      1. Change Application and/or Session to your newly created Redis instance
      2. Save changes

      Plugins -> Caching / Cache stores / Redis /admin/settings.php?section=cachestore_redis_settings

      1. Test server: the name you gave to your Redis server instance
      2. Tick Use TLS encryption
      3. Same reasoning for the SSL certificate as above
      4. Save changes

      Test

      Confirm that the site is functioning without cache errors.

      Plugins -> Caching / Test performance /cache/testperformance.php

      For all tests:
      Confirm that Result for Redis is Tested.

      Note: Redis cache doesn't support REQUEST mode.

      Plugins -> Caching / Cache usage /cache/usage.php

      For all tests:
      Confirm that Redis store is used, either for the individual mappings, or across the board for the Application and Session types.

      Redis Session

      config.php

      Same reasoning for the SSL certificate as in Cache Store Config above.

      $CFG->session_handler_class = '\core\session\redis';
      $CFG->session_redis_host = '<Redis server hostname from above>';
      $CFG->session_redis_encrypt = ['cafile' => '/path/to/redis.pem'];
      // or
      $CFG->session_redis_encrypt = ['verify_peer' => false, 'verify_peer_name' => false];
      

      Home page with debug panel at the bottom

      Confirm that Session is core\session\redis and that the page opens without an error.

    Description

      Redis v6 supports TLS connections, and this is the default setup for e.g. Azure Cache for Redis (disables access on port 6379, enables TLS connections on port 6380). The current Redis caching plugin makes an assumption that all connections are unsecured, and it would be good to support TLS where available.

      Potential suggestion is to support the supply of `tls://`-prefixed hosts, e.g. `tls://my-redis-server:6380`, which the Redis PHP extension supports out of the box.

      Attachments

        1. Screenshot from 2023-06-27 09-18-29.png (42 kB)
        2. test1_session.png (112 kB)
        3. test1_step_5.png (76 kB)
        4. test1_step_6.png (530 kB)
        5. test2_performance.png (407 kB)
        6. test2_usage.png (443 kB)

            People

              Srdjan Jankovic (srdjan)
              Rich Sage (richsage)
              Brendan Heywood
              Ilya Tregubov
              Huong Nguyen
              Votes: 4
              Watchers: 15
