Redis basic plans are not SSL whereas production plan are.

Question

Redis basic plans are not SSL whereas production plan are.

ombr opened this issue a year ago · comments

Luc Boissaye commented a year ago

Required Terms

I agree to follow this project's Code of Conduct
I have read and accept the Salesforce Program Agreement

What service(s) is this request for?

redis/platform

Tell us about what you're trying to solve. What challenges are you facing?

We realized while upgrading our redis instances that basic redis plans are not using self signed certificates whereas premium plans are all using SSL and thus requiring in ruby verify_mode: none

I think this is breaking dev/prod parity on review apps. Mini plans should also only provide rediss secured URLS.

Thanks.

Luc

jbrown-heroku · Answer 1 · Sat Jun 17 2023 07:44:16 GMT+0800 (China Standard Time)

@ombr Thank you for logging this!
Basic plans on Heroku Data for Redis allows for SSL connection if you are using REDIS_TLS_URL as documented here: https://devcenter.heroku.com/articles/heroku-redis#security-and-compliance
I hope this helps.

Luc Boissaye · Answer 2 · Sat Jun 17 2023 15:17:35 GMT+0800 (China Standard Time)

Hi @jbrown-heroku yes I got this, but it should be the default for redis_url as it is the default in premium plans!
If I am upgrading to a premium plan my app will crash if I don't change the code to support SSL. (This break dev/prod parity)

Christophe Coevoet · Answer 3 · Wed Jun 12 2024 18:46:36 GMT+0800 (China Standard Time)

@jbrown-heroku the fact that REDIS_TLS_URL is not defined at all for production plans (instead of defining it with the TLS URL, which would be the same than REDIS_URL) makes it hard to use it though, as an app using REDIS_TLS_URL to get TLS in review apps would then crash when being promoted to production because the env variable it uses does not exist.

jbrown-heroku · Answer 4 · Sat Jun 15 2024 08:22:00 GMT+0800 (China Standard Time)

@stof Thank you for clarifying the issue here. That's definitely something we can look into improving. I will take this to discuss internally on how we want to approach this and get back here.

jbrown-heroku · Answer 5 · Thu Jun 27 2024 10:18:44 GMT+0800 (China Standard Time)

Here is the proposed idea:
Make REDIS_URL always TLS, and prepare REDIS_INSECURE_URL as an interim solution for customers that may require non-TLS for now. After some weeks, we want to remove this to uniformly offer TLS across our offerings.
This should resolve the issue as mentioned @stof ; please let us know your thoughts.

Christophe Coevoet · Answer 6 · Fri Jun 28 2024 15:48:54 GMT+0800 (China Standard Time)

Switching to TLS everywhere would make sense to provide uniformity. But then, it would be great to work on #148 to make the TLS work out of the box (right now, using a TLS REDIS_URL without changing the code would lead to connection errors because (almost?) all libraries validate the certificate by default)

jbrown-heroku · Answer 7 · Wed Jul 24 2024 02:07:08 GMT+0800 (China Standard Time)

Thank you @stof @ombr for contributing to this discussion.

We will perform REDIS_URL unification in an effort to close this gap. Upcoming change announcement is here.
This is a two-step process for mini plans in a "musical chair" fashion where we introduced REDIS_TEMPORARY_URL as insecure connection (non-TLS) and we will switch REDIS_URL to TLS on the specified date. At completion, we will remove both REDIS_TEMPORARY_URL and REDIS_TLS_URL. If the library is able to use both redis:// and rediss://, then no change should be necessary.