SSL configuration in cable.yml

AFAIK when you intend to run a redis connection via SSL you have to overwrite ActionCable::SubscriptionAdapter::Redis.redis_connector. My current solution looks something like:

cert = File.read config[:ssl_params][:cert]
key  = File.read config[:ssl_params][:key]
config = config.merge(
  ssl_params: {
    ca_file: config[:ssl_params][:ca_file],
    cert:    OpenSSL::X509::Certificate.new(cert),
    key:     OpenSSL::PKey::RSA.new(key)
  }
)

which lives in an initializer.

I’m wondering if a change to the redis subscription adapter, which would allow a cable.yml configuration like:

production:
  adapter: redis
  url: rediss://redis-cluster
  ssl_params:
    ca_file: /certs/ca.pem
    cert:    /certs/cert.pem
    key:     /certs/key.pem

would be a welcome addition to the rails/action-cable? If that’s the case I’d be happy to start on a patch. If this is more of an edge case and the change is not welcome, I understand but would appreciate some feedback on my current approach and would like to submit a patch to at least mention this option in the documentation.

Thanks in advance for solution.

IIRC the ActionCable configuration already picks up all options and passes them through to the redis connection. This is the setup we had to do e.g. to work with Heroku Redis, no monkeypatching required:

application.rb

class Application < Rails::Application
  #...
  redis_params = { url: ENV["REDIS_URL"] || 'redis://localhost:6379' }
  redis_params[:ssl_params] = { verify_mode: OpenSSL::SSL::VERIFY_NONE } if ENV['ENABLE_REDIS_TLS']

  config.redis_params = redis_params
  #...
end

cable.yml

default: &default
  adapter: redis
  url: <%= Rails.configuration.redis_params.fetch(:url) %>
  <% if Rails.configuration.redis_params[:ssl_params].present? %>
  ssl_params:
    verify_mode: <%= Rails.configuration.redis_params.dig(:ssl_params, :verify_mode) %>
  <% end %>

production:
  <<: *default
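
An added example, not part of the thread or of Action Cable: a hypothetical helper `load_ssl_params` that performs the path-to-object conversion from the first post on a cable.yml-style hash, checks that the key matches the certificate, and leaves server certificate verification on unless the configuration sets `verify_mode` itself. The sample certificate, key and the `redis-client.example` name are constructed for the demonstration.

```ruby
require "openssl"
require "tempfile"

# Hypothetical helper (not an Action Cable API): turn the file paths under
# ssl_params in cable.yml into the objects OpenSSL::SSL::SSLContext expects.
def load_ssl_params(config)
  params = (config[:ssl_params] || {}).dup
  return config if params.empty?

  params[:cert] = OpenSSL::X509::Certificate.new(File.read(params[:cert])) if params[:cert].is_a?(String)
  # OpenSSL::PKey.read detects the key type instead of assuming RSA.
  params[:key] = OpenSSL::PKey.read(File.read(params[:key])) if params[:key].is_a?(String)
  if params[:cert] && params[:key] && !params[:cert].check_private_key(params[:key])
    raise ArgumentError, "ssl_params: key does not match cert"
  end
  # Default to verifying the server certificate; an explicit value is kept.
  params[:verify_mode] ||= OpenSSL::SSL::VERIFY_PEER
  config.merge(ssl_params: params)
end

# Constructed sample input: a throwaway self-signed certificate and key on disk.
def write_sample_pair
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=redis-client.example")
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert.to_pem, key.to_pem].map do |pem|
    Tempfile.new("sample").tap { |f| f.write(pem); f.flush }
  end
end

cert_file, key_file = write_sample_pair
# Same shape as the cable.yml from the first post, with constructed paths.
CABLE_CONFIG = { adapter: "redis", url: "rediss://redis-cluster",
                 ssl_params: { ca_file: cert_file.path, cert: cert_file.path, key: key_file.path } }
LOADED = load_ssl_params(CABLE_CONFIG)
puts LOADED[:ssl_params].transform_values(&:class)
```
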

You can have HTTP and HTTPS servers in the same server section

server { listen 80; listen [::]:80 ipv6only=on; listen 443 ssl; … }

For complete SSL related configuration I would recommend using the Mozilla generator

Yes, but you shouldn’t. Nginx will match your first server section even if you haven’t set server_name properly, but such a configuration is hard to support and troubleshoot.