Feature request: configure SSL settings in CHANNEL_LAYERS

[jray-afk]

Hi, I posted about my adventure trying to configure SSL for Redis in the suggested Google Groups page which has all the requested information prepopulated in the body of this issue form, haven't gotten a response yet: https://groups.google.com/g/django-users/c/S094vik_gW0

After digging into the channels_redis code in this repo I realized that I probably need to submit a new feature request here in order to configure SSL settings in CHANNEL_LAYERS. (Unless, do you know of another way to configure SSL using channels_redis?)

Thank you!

[carltongibson]

So... we'd need to by able to provide an SSLContext when creating connections.

See aioredis.create_connection().

Happy to accept input here.

[jray-afk]

@carltongibson I appreciate the response. Yes that makes sense.

For now I will set up symmetric_encryption_keys to add some level of protection, but ultimately I would prefer setting up SSL if possible.

[carltongibson]

Super! If you get started and need some input, let me know. Thanks! 👍

[skadz]

I was just running in to this issue myself today, so happy to help test!

[jray-afk]

@skadz glad to hear I'm not the only one! Haven't had a chance to fork off of this project and try to implement the changes, but I may have to go rogue and go off of the version I built my project on, 2.3.2

[skadz]

@skadz glad to hear I'm not the only one! Haven't had a chance to fork off of this project and try to implement the changes, but I may have to go rogue and go off of the version I built my project on, 2.3.2

@jray-afk Does this mean you actually have made the changes and got it working and just need to do the fork/submit PR or that you hacked some sort of other "fix" in? I'd like to get this implemented ASAP and if you have something that is working, I'd love to help you get it in to the main code, but also can help test anything you've done so far (or would like to know about how you hacked it in ;)

[nmacianx]

@jray-afk @skadz any updates here? I'm facing the very same issue and help would be much appreciated!!

[carltongibson]

Just awaiting someone to pick it up and submit a pull request I think

[dablak]

When configuring the hosts in the Django settings you can use a dictionary and pass the SSL context option amongst other parameters :

# Mute the Heroku Redis error:
# "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain"
# by disabling hostname check.

ssl_context = ssl.SSLContext()
ssl_context.check_hostname = False

heroku_redis_ssl_host = {
    'address': 'rediss://:password@127.0.0.1:6379/0'  # The 'rediss' schema denotes a SSL connection.
    'ssl': ssl_context
}

CHANNEL_LAYERS = {
    'default': {
        'BACKEND': 'channels_redis.core.RedisChannelLayer',
        'CONFIG': {
            'hosts': (heroku_redis_ssl_host,)
        }
    },
}

[carltongibson]

@dablak Thanks for the comment — should get people going — but if we can ssl_context.check_hostname = False, surely we can configure the SSLContext correctly too? 🤔

Is this just documentation?

[dablak]

I think that the SSLContext can be configured correctly in this way. If you check channels_redis.core.RedisChannelLayer.decode_hosts() you can see that if the hosts in the configuration are a dict then they are used as-is.

for entry in hosts:
    if isinstance(entry, dict):
        result.append(entry)
    else:
        result.append({"address": entry})

The dict items are then used as the parameters passed to aioredis.create_redis() in channels_redis.core.ConnectionPool.pop().

conn = await aioredis.create_redis(**self.host)

This is not in the documentation for channels_redis, but it should be.

[ezeakeal]

In case it helps others;

• I have Redis setup with SSL certs (rediss://...).
• channels==2.1.2
• channels-redis==2.4.2

Here is a snippet from my Django config

redis_backend_url = "rediss://%s:%s/5" % (
    os.environ.get("REDIS_HOST", "redis_int"),
    os.environ.get("REDIS_PORT", 6379)
)
ssl_context = ssl.SSLContext()
ssl_context.load_cert_chain(
    certfile="/opt/redis/certs/client.crt",
    keyfile="/opt/redis/certs/client.key",
)
CHANNEL_LAYERS = {
    "default": {
        "BACKEND": "channels_redis.core.RedisChannelLayer",
        "CONFIG": {
            "hosts": ({
                'address': redis_backend_url,
                'ssl': ssl_context
            },)
        },
    }
}