Node-redis: support tls on redis url
Example :
rediss://:password@rediss:6400/1?rejectUnauthorized=false
https://www.iana.org/assignments/uri-schemes/prov/redis
Apparently named by analogy to HTTPS (RFC 2818), the rediss: URI scheme (yes, two "s"es,
not a typo) has been used by some clients to designate RESP over TLS.
Other than the usage of TLS, the rediss: URI scheme is not known to
have any differences from the redis: URI scheme.
dcharbonnier
All 8 comments
I am against adding this. The reason is that it is not possible to add all tls options with the url. Therefore more options would have to be passed to the client anyway in most cases. It is also difficult to distinguish the tls options from regular options. Thanks for bringing this to my attention though!
BridgeAR
on 20 Sep 2017
Mongodb for example manage it... https://docs.mongodb.com/manual/reference/connection-string/
More over, considering the fact that you already accept to not cover all options through the url I don't see the point of not adding more support.
dcharbonnier
on 20 Sep 2017
I don't see why it's necessary "to add all tls options with the url". From an operations perspective it would be good enough to just enable TLS encryption for the connection – establishing the trust relationship should be handled by the operation system eitherway (installed root/intermediate certificate authorities; see /etc/ssl on Linux). I really don't want to take a deep-dive into each and every programming language's settings in order to "just enable TLS". It basically should be a yes/no thing. This is what the rediss uri scheme provides.
Other client libraries (in other languages) already support this:
- https://github.com/nrk/predis (additionally, DSNs like "tls://127.0.0.1?ssl[cafile]=private.pem&ssl[verify_peer]=1" are supported)
- https://github.com/andymccurdy/redis-py
By not providing this feature it makes it necessary to keep a separate configuration for node.js.
svengerlach
on 14 Nov 2017
Seems like there was enough interest in this feature for me to reconsider this.
BridgeAR
on 9 Jan 2018
Is an NPM release for this feature planned soon? 2.8.0 is the latest, which doesn't have this feature.
dfontenot
on 27 Feb 2018
What about a lesser form of this that does something like set default tls options it _can_ set from the URL without extending the format? Setting servername to the hostname portion of the URL, for example, might be a reasonably safe thing to do.
I don't know about others, but I know that at least compose.io uses SNI for Redis over SSL.
rmg
on 8 Mar 2018
This was partially solved via https://github.com/NodeRedis/node_redis/pull/1282
@BridgeAR It remains unreleased, any hope for a release soon?
calebboyd
on 9 Jul 2018
I've just published v3.0.0 to NPM; https://github.com/NodeRedis/node-redis/releases/tag/v3.0.0 - which includes the change @calebboyd mentioned, can this issue be closed now?
Salakar
on 9 Feb 2020
Related issues
betimer
·
5Comments
abhaygarg
·
5Comments
jackycchen
·
4Comments
dotSlashLu
·
5Comments
twappworld
·
7Comments
Most helpful comment
Seems like there was enough interest in this feature for me to reconsider this.