Support redis user password auth and tls encryption #27888

skjnldsv · 2021-07-09T08:42:48Z

'memcache.locking' => '\OC\Memcache\Redis',
'memcache.distributed' => '\OC\Memcache\Redis',
'memcache.local' =>'\OC\Memcache\Redis' ,
'redis' => [
	  'host' => 'tls://127.0.0.1',
	  'port' => 6379,
	  'user' => 'nextcloud',
	  'password' => 'password',
	  'ssl_context' => [
		    'local_cert' => '/certs/redis.crt',
		    'local_pk' => '/certs/redis.key',
		    'cafile' => '/certs/ca.crt',
		    'verify_peer_name' => false
	  ]
]

(From https://redis.io/topics/encryption)

Download redis source https://github.com/redis/redis/archive/refs/tags/6.2.4.tar.gz
Generate certificates from ./utils/gen-test-certs.sh
Create a users.acl config file containing user nextcloud on +@all ~* >password
Start redis server

redis-server --tls-port 6379 --port 0 \
  --tls-cert-file ./certs/redis.crt \
  --tls-key-file ./certs/redis.key \
  --tls-ca-cert-file ./certs/ca.crt \
  --tls-auth-clients optional \
  --aclfile users.acl \
  --protected-mode no

Setup nextcloud with above config
Profit

Questions

How shall we handle the support and throw of old phpredis module version? Is there a way to say phpredis > 5.x.x for Nextcloud 23 ?

kesselb · 2021-07-12T16:27:02Z

~~To fix Psalm: #27928~~

PVince81 · 2021-07-20T11:25:27Z

I've tested this PR and it worked for me locally with the instructions.

@skjnldsv I think we talked about the possibility of adding/updating unit tests for the RedisFactory, is this still to do ?

skjnldsv · 2021-07-20T11:32:23Z

@skjnldsv I think we talked about the possibility of adding/updating unit tests for the RedisFactory, is this still to do ?

I'm lacking the knowledge and time for that, wanna focus on it?

PVince81 · 2021-07-20T11:34:45Z

@skjnldsv I think we talked about the possibility of adding/updating unit tests for the RedisFactory, is this still to do ?

I'm lacking the knowledge and time for that, wanna focus on it?

I had a look and it would require some extra gymnastics (refactoring, injection) to be able to mock Redis and RedisCluster and considering the low complexity it's probably not worth the effort.

skjnldsv · 2021-07-20T15:54:14Z

Done, I upgraded and refactored everything for cleaner code.
Please review again @PVince81 and @juliushaertl

Signed-off-by: John Molakvoæ (skjnldsv) <[email protected]>

PVince81

👍 code looks fine, I didn't retest though.

cool that you were able to also add the bits for RedisCluster

config/config.sample.php

lib/private/RedisFactory.php

skjnldsv · 2021-07-21T10:03:05Z

Okay, I went down the rabbit hole

Tests setups NO TLS

    'memcache.locking' => '\OC\Memcache\Redis',
    'memcache.distributed' => '\OC\Memcache\Redis',
    'memcache.local' =>'\OC\Memcache\Redis' ,
    'redis.cluster' => array(
      'seeds' => [
        'redis-node-0:6379',
        'redis-node-1:6379',
        'redis-node-2:6379',
        'redis-node-3:6379',
        'redis-node-4:6379',
        'redis-node-5:6379',
      ],
      'failover_mode' => \RedisCluster::FAILOVER_ERROR,
      'password' => 'password' # optional if you're using the protected config
    ),

Docker-compose unprotected cluster

    redis-node-0:
        image: docker.io/bitnami/redis-cluster
        environment:
          - ALLOW_EMPTY_PASSWORD=yes
          - REDIS_NODES=redis-node-0 redis-node-1 redis-node-2 redis-node-3 redis-node-4 redis-node-5
        networks:
            - nextcloud

    redis-node-1:
        image: docker.io/bitnami/redis-cluster
        environment:
          - ALLOW_EMPTY_PASSWORD=yes
          - REDIS_NODES=redis-node-0 redis-node-1 redis-node-2 redis-node-3 redis-node-4 redis-node-5
        networks:
            - nextcloud

    redis-node-2:
        image: docker.io/bitnami/redis-cluster
        environment:
          - ALLOW_EMPTY_PASSWORD=yes
          - REDIS_NODES=redis-node-0 redis-node-1 redis-node-2 redis-node-3 redis-node-4 redis-node-5
        networks:
            - nextcloud

    redis-node-3:
        image: docker.io/bitnami/redis-cluster
        environment:
          - ALLOW_EMPTY_PASSWORD=yes
          - REDIS_NODES=redis-node-0 redis-node-1 redis-node-2 redis-node-3 redis-node-4 redis-node-5
        networks:
            - nextcloud

    redis-node-4:
        image: docker.io/bitnami/redis-cluster
        environment:
          - ALLOW_EMPTY_PASSWORD=yes
          - REDIS_NODES=redis-node-0 redis-node-1 redis-node-2 redis-node-3 redis-node-4 redis-node-5
        networks:
            - nextcloud

    redis-node-5:
        image: docker.io/bitnami/redis-cluster
        depends_on:
          - redis-node-0
          - redis-node-1
          - redis-node-2
          - redis-node-3
          - redis-node-4
        volumes:
            - ./certs:/certs
        environment:
          # - REDIS_TLS_ENABLED=yes
          # - REDIS_PORT_NUMBER=0
          # - REDIS_TLS_PORT=6379
          # - REDIS_TLS_CERT_FILE=/certs/redis.crt
          # - REDIS_TLS_KEY_FILE=/certs/redis.key
          # - REDIS_TLS_CA_FILE=/certs/ca.crt
          - ALLOW_EMPTY_PASSWORD=yes
          - REDIS_CLUSTER_REPLICAS=1
          - REDIS_NODES=redis-node-0 redis-node-1 redis-node-2 redis-node-3 redis-node-4 redis-node-5
          - REDIS_CLUSTER_CREATOR=yes
          - REDIS_CLUSTER_SLEEP_BEFORE_DNS_LOOKUP=5
        networks:
            - nextcloud

Docker-compose password protected cluster

    redis-node-0:
        image: docker.io/bitnami/redis-cluster
        environment:
          - REDIS_PASSWORD=password
          - REDIS_NODES=redis-node-0 redis-node-1 redis-node-2 redis-node-3 redis-node-4 redis-node-5
        networks:
            - nextcloud

    redis-node-1:
        image: docker.io/bitnami/redis-cluster
        environment:
          - REDIS_PASSWORD=password
          - REDIS_NODES=redis-node-0 redis-node-1 redis-node-2 redis-node-3 redis-node-4 redis-node-5
        networks:
            - nextcloud

    redis-node-2:
        image: docker.io/bitnami/redis-cluster
        environment:
          - REDIS_PASSWORD=password
          - REDIS_NODES=redis-node-0 redis-node-1 redis-node-2 redis-node-3 redis-node-4 redis-node-5
        networks:
            - nextcloud

    redis-node-3:
        image: docker.io/bitnami/redis-cluster
        environment:
          - REDIS_PASSWORD=password
          - REDIS_NODES=redis-node-0 redis-node-1 redis-node-2 redis-node-3 redis-node-4 redis-node-5
        networks:
            - nextcloud

    redis-node-4:
        image: docker.io/bitnami/redis-cluster
        environment:
          - REDIS_PASSWORD=password
          - REDIS_NODES=redis-node-0 redis-node-1 redis-node-2 redis-node-3 redis-node-4 redis-node-5
        networks:
            - nextcloud

    redis-node-5:
        image: docker.io/bitnami/redis-cluster
        depends_on:
          - redis-node-0
          - redis-node-1
          - redis-node-2
          - redis-node-3
          - redis-node-4
        volumes:
            - ./certs:/certs
        environment:
          # - REDIS_TLS_ENABLED=yes
          # - REDIS_PORT_NUMBER=0
          # - REDIS_TLS_PORT=6379
          # - REDIS_TLS_CERT_FILE=/certs/redis.crt
          # - REDIS_TLS_KEY_FILE=/certs/redis.key
          # - REDIS_TLS_CA_FILE=/certs/ca.crt
          - REDIS_PASSWORD=password
          - REDISCLI_AUTH=password
          - REDIS_CLUSTER_REPLICAS=1
          - REDIS_NODES=redis-node-0 redis-node-1 redis-node-2 redis-node-3 redis-node-4 redis-node-5
          - REDIS_CLUSTER_CREATOR=yes
          - REDIS_CLUSTER_SLEEP_BEFORE_DNS_LOOKUP=5
        networks:
            - nextcloud

skjnldsv · 2021-07-21T10:17:22Z

Finally but not last: TLS CLUSTER PASSWORD PROTECTED

    'memcache.locking' => '\OC\Memcache\Redis',
    'memcache.distributed' => '\OC\Memcache\Redis',
    'memcache.local' =>'\OC\Memcache\Redis' ,
    'redis.cluster' => array(
      'seeds' => [
        'redis-node-0:6379',
        'redis-node-1:6379',
        'redis-node-2:6379',
        'redis-node-3:6379',
        'redis-node-4:6379',
        'redis-node-5:6379',
      ],
      'failover_mode' => \RedisCluster::FAILOVER_ERROR,
      'password' => 'password',
      'ssl_context' => [
        'local_cert' => '/certs/redis.crt',
        'local_pk' => '/certs/redis.key',
        'cafile' => '/certs/ca.crt',
        'verify_peer_name' => false
      ]
    ),

Docker compose config

    redis-node-0:
        image: docker.io/bitnami/redis-cluster
        volumes:
            - ./certs:/certs
        environment:
          - REDIS_PORT_NUMBER=0
          - REDIS_TLS_ENABLED=yes
          - REDIS_TLS_AUTH_CLIENTS=yes
          - REDIS_TLS_PORT=6379
          - REDIS_TLS_CERT_FILE=/certs/redis.crt
          - REDIS_TLS_KEY_FILE=/certs/redis.key
          - REDIS_TLS_CA_FILE=/certs/ca.crt
          - REDIS_PASSWORD=password
          - REDIS_NODES=redis-node-0 redis-node-1 redis-node-2 redis-node-3 redis-node-4 redis-node-5
        networks:
            - nextcloud

    redis-node-1:
        image: docker.io/bitnami/redis-cluster
        volumes:
            - ./certs:/certs
        environment:
          - REDIS_PORT_NUMBER=0
          - REDIS_TLS_ENABLED=yes
          - REDIS_TLS_AUTH_CLIENTS=yes
          - REDIS_TLS_PORT=6379
          - REDIS_TLS_CERT_FILE=/certs/redis.crt
          - REDIS_TLS_KEY_FILE=/certs/redis.key
          - REDIS_TLS_CA_FILE=/certs/ca.crt
          - REDIS_PASSWORD=password
          - REDIS_NODES=redis-node-0 redis-node-1 redis-node-2 redis-node-3 redis-node-4 redis-node-5
        networks:
            - nextcloud

    redis-node-2:
        image: docker.io/bitnami/redis-cluster
        volumes:
            - ./certs:/certs
        environment:
          - REDIS_PORT_NUMBER=0
          - REDIS_TLS_ENABLED=yes
          - REDIS_TLS_AUTH_CLIENTS=yes
          - REDIS_TLS_PORT=6379
          - REDIS_TLS_CERT_FILE=/certs/redis.crt
          - REDIS_TLS_KEY_FILE=/certs/redis.key
          - REDIS_TLS_CA_FILE=/certs/ca.crt
          - REDIS_PASSWORD=password
          - REDIS_NODES=redis-node-0 redis-node-1 redis-node-2 redis-node-3 redis-node-4 redis-node-5
        networks:
            - nextcloud

    redis-node-3:
        image: docker.io/bitnami/redis-cluster
        volumes:
            - ./certs:/certs
        environment:
          - REDIS_PORT_NUMBER=0
          - REDIS_TLS_ENABLED=yes
          - REDIS_TLS_AUTH_CLIENTS=yes
          - REDIS_TLS_PORT=6379
          - REDIS_TLS_CERT_FILE=/certs/redis.crt
          - REDIS_TLS_KEY_FILE=/certs/redis.key
          - REDIS_TLS_CA_FILE=/certs/ca.crt
          - REDIS_PASSWORD=password
          - REDIS_NODES=redis-node-0 redis-node-1 redis-node-2 redis-node-3 redis-node-4 redis-node-5
        networks:
            - nextcloud

    redis-node-4:
        image: docker.io/bitnami/redis-cluster
        volumes:
            - ./certs:/certs
        environment:
          - REDIS_PORT_NUMBER=0
          - REDIS_TLS_ENABLED=yes
          - REDIS_TLS_AUTH_CLIENTS=yes
          - REDIS_TLS_PORT=6379
          - REDIS_TLS_CERT_FILE=/certs/redis.crt
          - REDIS_TLS_KEY_FILE=/certs/redis.key
          - REDIS_TLS_CA_FILE=/certs/ca.crt
          - REDIS_PASSWORD=password
          - REDIS_NODES=redis-node-0 redis-node-1 redis-node-2 redis-node-3 redis-node-4 redis-node-5
        networks:
            - nextcloud

    redis-node-5:
        image: docker.io/bitnami/redis-cluster
        depends_on:
          - redis-node-0
          - redis-node-1
          - redis-node-2
          - redis-node-3
          - redis-node-4
        volumes:
            - ./certs:/certs
        environment:
          - REDIS_PORT_NUMBER=0
          - REDIS_TLS_ENABLED=yes
          - REDIS_TLS_AUTH_CLIENTS=yes
          - REDIS_TLS_PORT=6379
          - REDIS_TLS_CERT_FILE=/certs/redis.crt
          - REDIS_TLS_KEY_FILE=/certs/redis.key
          - REDIS_TLS_CA_FILE=/certs/ca.crt
          - REDIS_PASSWORD=password
          - REDISCLI_AUTH=password
          - REDIS_CLUSTER_REPLICAS=1
          - REDIS_NODES=redis-node-0 redis-node-1 redis-node-2 redis-node-3 redis-node-4 redis-node-5
          - REDIS_CLUSTER_CREATOR=yes
          - REDIS_CLUSTER_SLEEP_BEFORE_DNS_LOOKUP=5
        networks:
            - nextcloud

skjnldsv · 2021-07-21T10:21:06Z

Just for info, all my local cluster tests were successful. 🚀 🎉

juliusknorr · 2021-07-21T11:42:29Z

Hm failures seem related:

+ ./occ maintenance:install --admin-pass=admin --data-dir=/dev/shm/nc_int
Nextcloud was successfully installed
+ ./occ config:system:set redis host --value=cache
System config value redis => host set to string cache
+ ./occ config:system:set redis port --value=6379 --type=integer
System config value redis => port set to integer 6379
+ ./occ config:system:set redis timeout --value=0 --type=integer
System config value redis => timeout set to integer 0
+ ./occ config:system:set --type string --value "\OC\Memcache\Redis" memcache.local
System config value memcache.local set to string \OC\Memcache\Redis
+ ./occ config:system:set --type string --value "\OC\Memcache\Redis" memcache.distributed
PHP Warning:  Redis::connect() expects at most 6 parameters, 7 given in /drone/src/lib/private/RedisFactory.php on line 118
An unhandled exception has been thrown:
RedisException: Redis server went away in /drone/src/lib/private/Memcache/Redis.php:55
Stack trace:
#0 /drone/src/lib/private/Memcache/Redis.php(55): Redis->get('63dfb9db467bd4b...')
#1 /drone/src/lib/private/App/InfoParser.php(58): OC\Memcache\Redis->get('/drone/src/apps...')
#2 /drone/src/lib/private/App/AppManager.php(502): OC\App\InfoParser->parse('/drone/src/apps...')
#3 /drone/src/lib/private/legacy/OC_App.php(593): OC\App\AppManager->getAppInfo('files', false, NULL)
#4 /drone/src/lib/private/AppFramework/App.php(69): OC_App::getAppInfo('files')
#5 /drone/src/lib/private/legacy/OC_App.php(278): OC\AppFramework\App::buildAppNamespace('files')
#6 /drone/src/lib/private/AppFramework/Bootstrap/Coordinator.php(108): OC_App::registerAutoloading('files', '/drone/src/apps...')
#7 /drone/src/lib/private/AppFramework/Bootstrap/Coordinator.php(82): OC\AppFramework\Bootstrap\Coordinator->registerApps(Array)
#8 /drone/src/lib/base.php(640): OC\AppFramework\Bootstrap\Coordinator->runInitialRegistration()
#9 /drone/src/lib/base.php(1083): OC::init()
#10 /drone/src/console.php(48): require_once('/drone/src/lib/...')
#11 /drone/src/occ(11): require_once('/drone/src/cons...')

Signed-off-by: John Molakvoæ (skjnldsv) <[email protected]>

skjnldsv · 2021-07-22T10:50:02Z

/backport to stable22

PVince81 · 2021-07-23T07:55:00Z

this introduced a little regression for those like me who relied on default values, PR here to fix it: #28129

skjnldsv added 2. developing Work in progress enhancement feature: caching Related to our caching system: scssCacher, jsCombiner... labels Jul 9, 2021

This comment has been minimized.

Sign in to view

skjnldsv force-pushed the fix/redis-auth branch from 4c52f34 to c6a8f18 Compare July 20, 2021 08:15

skjnldsv changed the title ~~Support redis user password auth~~ Support redis user password auth and tls encryption Jul 20, 2021

skjnldsv force-pushed the fix/redis-auth branch 2 times, most recently from 494b9dc to 99ed44c Compare July 20, 2021 08:36

skjnldsv requested review from ChristophWurst, PVince81, blizzz, icewind1991, juliusknorr and kesselb July 20, 2021 08:36

skjnldsv self-assigned this Jul 20, 2021

skjnldsv added 3. to review Waiting for reviews and removed 2. developing Work in progress labels Jul 20, 2021

skjnldsv added this to the Nextcloud 23 milestone Jul 20, 2021

This comment has been minimized.

Sign in to view

skjnldsv force-pushed the fix/redis-auth branch from 99ed44c to 9a6b151 Compare July 20, 2021 09:09

This comment has been minimized.

Sign in to view

skjnldsv requested a review from LukasReschke July 20, 2021 09:28

This comment has been minimized.

Sign in to view

skjnldsv force-pushed the fix/redis-auth branch from 9a6b151 to df6a0a4 Compare July 20, 2021 10:31

This comment has been minimized.

Sign in to view

skjnldsv force-pushed the fix/redis-auth branch from df6a0a4 to bfb541b Compare July 20, 2021 15:53

skjnldsv added 2 commits July 20, 2021 17:57

Support redis user password auth and tls encryption

ed10d85

Signed-off-by: John Molakvoæ (skjnldsv) <[email protected]>

Move integration-php7.3 to latest

66c1e05

Signed-off-by: John Molakvoæ (skjnldsv) <[email protected]>

skjnldsv force-pushed the fix/redis-auth branch from bfb541b to 66c1e05 Compare July 20, 2021 15:57

PVince81 approved these changes Jul 20, 2021

View reviewed changes

config/config.sample.php Outdated Show resolved Hide resolved

lib/private/RedisFactory.php Outdated Show resolved Hide resolved

skjnldsv force-pushed the fix/redis-auth branch from dfb9ba9 to c3ecb12 Compare July 21, 2021 10:23

juliusknorr approved these changes Jul 21, 2021

View reviewed changes

Properly support RedisCluster

6e00fe8

Signed-off-by: John Molakvoæ (skjnldsv) <[email protected]>

skjnldsv force-pushed the fix/redis-auth branch from c3ecb12 to 6e00fe8 Compare July 22, 2021 05:42

This comment has been minimized.

Sign in to view

skjnldsv added 4. to release Ready to be released and/or waiting for tests to finish and removed 3. to review Waiting for reviews labels Jul 22, 2021

skjnldsv force-pushed the fix/redis-auth branch from 99b2374 to 6e00fe8 Compare July 22, 2021 10:46

skjnldsv merged commit f14b8aa into master Jul 22, 2021

skjnldsv deleted the fix/redis-auth branch July 22, 2021 10:47

backportbot-nextcloud bot added the backport-request label Jul 22, 2021

backportbot-nextcloud bot mentioned this pull request Jul 22, 2021

[stable22] Support redis user password auth and tls encryption #28112

Merged

backportbot-nextcloud bot removed the backport-request label Jul 22, 2021

PVince81 mentioned this pull request Jul 23, 2021

Allow empty Redis config #28129

Merged

artonge mentioned this pull request Feb 16, 2022

Add doc to connect to Redis over TLS nextcloud/documentation#8042

Merged

Uh oh!

Support redis user password auth and tls encryption #27888

Support redis user password auth and tls encryption #27888

Uh oh!

Conversation

skjnldsv commented Jul 9, 2021 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Questions

Uh oh!

kesselb commented Jul 12, 2021 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

This comment has been minimized.

This comment has been minimized.

This comment has been minimized.

This comment has been minimized.

This comment has been minimized.

This comment has been minimized.

PVince81 commented Jul 20, 2021

Uh oh!

skjnldsv commented Jul 20, 2021

Uh oh!

PVince81 commented Jul 20, 2021

Uh oh!

This comment has been minimized.

skjnldsv commented Jul 20, 2021

Uh oh!

PVince81 left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

skjnldsv commented Jul 21, 2021

Uh oh!

skjnldsv commented Jul 21, 2021

Uh oh!

skjnldsv commented Jul 21, 2021

Uh oh!

juliusknorr commented Jul 21, 2021

Uh oh!

This comment has been minimized.

This comment has been minimized.

This comment has been minimized.

skjnldsv commented Jul 22, 2021

Uh oh!

PVince81 commented Jul 23, 2021

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

skjnldsv commented Jul 9, 2021 •

edited

Loading

kesselb commented Jul 12, 2021 •

edited

Loading