External redis instance defaulting to insecure SSL behaviour

Please fill in the questionnaire below.

Technical Help Questionnaire

Have you read and followed the instructions at: *READ ME FIRST* Technical Help FAQs - #2 by nigel ?

Answer: Yep

How have you self-hosted Baserow.

Running baserow all-in-one image on ECS with external Postgres and Redis instances.

What are the specs of the service or server you are using to host Baserow.

Container Memory Limit: 8GB
Container CPU Request: 4vCPU

Which version of Baserow are you using.

image uri: baserow/baserow:1.25.1

How have you configured your self-hosted installation?

environment={
    "DISABLE_VOLUME_CHECK": "yes",
    "BASEROW_PUBLIC_URL": f"https://{self._full_name}.{AWS_SUBDOMAIN}",
    "DATABASE_HOST": self.config.db_uri,
    "DATABASE_USER": self.config.db_name,
    "DATABASE_PORT": "5432",
    "DATABASE_NAME": self.config.db_name,
    "REDIS_HOST": self._redis.attr_primary_end_point_address,
    "REDIS_PROTOCOL": "rediss",
    "REDIS_USER": self._redis_user.user_name,
    "AWS_STORAGE_BUCKET_NAME": self._bucket.bucket_name,
    "DOWNLOAD_FILE_VIA_XHR": "1",
},
secrets={
    "DATABASE_PASSWORD": ecs.Secret.from_ssm_parameter(blah),
    "REDIS_PASSWORD": ecs.Secret.from_ssm_parameter(blah),
},

Describe the problem

When specifying the REDIS environment variables and setting REDIS_PROTOCOL to “rediss” the export_worker and celery_worker logs contain the following message:

"""
WARNING/MainProcess] Secure redis scheme specified (rediss) with no ssl options, defaulting to insecure SSL behaviour.
"""

Describe, step by step, how to reproduce the error or problem you are encountering.

Run baserow all-in-one image and connect it to an external redis instance similar to the following:

Engine: redis
Engine version: 7.0.7
Cluster mode: Disabled
Encryption in transit: Enabled
Redis AUTH default user access: no
User authentication: RBAC

How many rows in total do you have in your Baserow tables?

New install

Please attach full logs from all of Baserow’s services

Jun 14, 2024 @ 14:23:40.196 [CELERY_WORKER][2024-06-14 21:23:40] [2024-06-14 21:23:40,149: WARNING/MainProcess] Secure redis scheme specified (rediss) with no ssl options, defaulting to insecure SSL behaviour.

Jun 14, 2024 @ 14:23:40.207 [CELERY_WORKER][2024-06-14 21:23:40] [2024-06-14 21:23:40,195: WARNING/ForkPoolWorker-1] Not configuring telemetry due to BASEROW_ENABLE_OTEL not being set.

Jun 14, 2024 @ 14:23:40.270 [CELERY_WORKER][2024-06-14 21:23:40] [2024-06-14 21:23:40,268: INFO/MainProcess] Connected to rediss://baserow-admin:**@:6379/0

Jun 14, 2024 @ 14:23:40.310 [CELERY_WORKER][2024-06-14 21:23:40] [2024-06-14 21:23:40,270: WARNING/MainProcess] Secure redis scheme specified (rediss) with no ssl options, defaulting to insecure SSL behaviour.

Jun 14, 2024 @ 14:23:40.313 [CELERY_WORKER][2024-06-14 21:23:40] [2024-06-14 21:23:40,310: INFO/MainProcess] mingle: searching for neighbors

Jun 14, 2024 @ 14:23:40.314 [CELERY_WORKER][2024-06-14 21:23:40] [2024-06-14 21:23:40,313: WARNING/MainProcess] Secure redis scheme specified (rediss) with no ssl options, defaulting to insecure SSL behaviour.

Hi!

Are you running Redis with self-signed SSL certificates? Also, do you want to use mutual TLS authentication?

Could you try to connect to Redis server using redis CLI client?

Good morning @etanjoco, my apologies for the delay in getting this resolved.

To connect to redis over TLS, you will need to set the additional ssl_ query parameters described here.

If I set my REDIS_PROTOCOL=rediss and change nothing, I get your warning:

[2024-06-21 08:57:59,104: WARNING/MainProcess] Secure redis scheme specified (rediss) with no ssl options, defaulting to insecure SSL behaviour.

If I update my REDIS_URL so that it includes the ssl_cert_reqs (I just set mine to required):

REDIS_URL=rediss://:**@redis:6379/0?ssl_cert_reqs=required

I don’t get the warning anymore. If you were intending to connect over TLS, just be sure to set the additional SSL options.

Hello!

Thanks for getting back to me. I agree that setting the REDIS_URL environment variable with the ssl_cert_reqs=required argument will remove the warning message, but I’d like to use the separate environment variables (REDIS_HOST, REDIS_USER, REDIS_PASSWORD) so that I can use AWS ECS secrets to securely pull the password from my secret store. It makes it more complicated and a little less secure to pull the secret at deploy time, build out the host string and set it to the REDIS_URL environment variable. Is there a way to tell Baserow to build the url from the separate environment variables and add the ssl_cert_reqs=required parameter?

Good morning @etanjoco!

I’d like to use the separate environment variables (REDIS_HOST, REDIS_USER, REDIS_PASSWORD) so that I can use AWS ECS secrets to securely pull the password from my secret store.

In settings/base.py by default we construct the REDIS_URL like so:

REDIS_URL = os.getenv(
    "REDIS_URL",
    f"{REDIS_PROTOCOL}://{REDIS_USERNAME}:{REDIS_PASSWORD}@{REDIS_HOST}:{REDIS_PORT}/0",
)

All of these REDIS_* env variables are pulled from os.getenv, so you should be able to store the values as AWS ECS secrets.

If you’d like to add the extra SSL options, you could override REDIS_URL in your own settings file and append the querystrings to that URL. Does that help?

Cheers,
Peter

Thanks for the reply. I’m wondering if it would make sense to add some logic that checks if the REDIS_PROTOCOL is “rediss” and if so, append the ssl_cert_reqs=required string to the URL? If that makes sense I could work on it, but am I missing a use case where that default doesn’t make sense?
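The settings override suggested earlier, combined with the conditional append proposed in the reply above, could look like the following. This is an added example, not Baserow's code and not written by anyone in the thread; `build_redis_url` and `ensure_tls_verification` are hypothetical names, and the `REDIS_PORT` variable and all fallback values are assumptions.

```python
import os
from urllib.parse import parse_qsl, quote, urlencode, urlsplit, urlunsplit


def ensure_tls_verification(url: str, cert_reqs: str = "required") -> str:
    """Append ssl_cert_reqs to a rediss:// URL unless it is already set."""
    parts = urlsplit(url)
    if parts.scheme != "rediss":
        return url  # plain redis:// carries no TLS options
    query = parse_qsl(parts.query, keep_blank_values=True)
    if any(key == "ssl_cert_reqs" for key, _ in query):
        return url  # an explicit operator choice is left untouched
    query.append(("ssl_cert_reqs", cert_reqs))
    return urlunsplit(parts._replace(query=urlencode(query)))


def build_redis_url(env=os.environ) -> str:
    """Build the Redis URL from the separate REDIS_* variables.

    Hypothetical helper for a custom settings module. The password still
    arrives through its own environment variable (for example an ECS
    secret), so it never has to be assembled into a URL at deploy time.
    """
    explicit = env.get("REDIS_URL")
    if explicit:
        return ensure_tls_verification(explicit)
    protocol = env.get("REDIS_PROTOCOL", "redis")  # assumed fallback
    host = env.get("REDIS_HOST", "redis")          # assumed fallback
    port = env.get("REDIS_PORT", "6379")           # assumed fallback
    # Percent-encode credentials so characters such as '@', ':' or '/'
    # in a generated password cannot change how the URL is parsed.
    user = quote(env.get("REDIS_USER", ""), safe="")
    password = quote(env.get("REDIS_PASSWORD", ""), safe="")
    url = f"{protocol}://{user}:{password}@{host}:{port}/0"
    return ensure_tls_verification(url)


# In the overriding settings module:
REDIS_URL = build_redis_url()
```
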

Morning @etanjoco! I’ve created an issue for this on Gitlab: #2775.

In the meantime if you wish to use rediss as your REDIS_PROTOCOL I recommend the REDIS_URL append above.

Cheers,
Peter