- Adaptations to support secure Redis Access

- Redis Connection Pooling set up for Celery, dogpile caching and flask session
2025-08-31 17:43:30 +02:00
parent 25ab9ccf23
commit 35f58f0c57
3 changed files with 129 additions and 137 deletions
--- a/common/utils/cache/regions.py
+++ b/common/utils/cache/regions.py
@@ -21,6 +21,18 @@ def get_redis_config(app):
        'redis_expiration_time': 3600,
        'distributed_lock': True,
        'thread_local_lock': False,
+        # Ingebouwde connection pooling parameters
+        'connection_pool_class': 'redis.BlockingConnectionPool',
+        'connection_pool_class_kwargs': {
+            'max_connections': 20,
+            'timeout': 20,
+            'retry_on_timeout': True,
+            'socket_connect_timeout': 5,
+            'socket_timeout': 5,
+        },
+
+        # Key prefix voor namespace isolation
+        'key_mangler': lambda key: f"cache:workers:{key}"
    }

    # Add authentication if provided
@@ -30,6 +42,27 @@ def get_redis_config(app):
            'password': redis_uri.password
        })

+    # SSL support using Dogpile's built-in mechanism
+    cert_data = app.config.get('REDIS_CERT_DATA')
+    if cert_data and redis_uri.scheme == 'rediss':
+        import ssl
+        import tempfile
+
+        # Create SSL context
+        ssl_context = ssl.create_default_context()
+        ssl_context.verify_mode = ssl.CERT_REQUIRED
+        ssl_context.check_hostname = True
+
+        # Write cert to temp file
+        with tempfile.NamedTemporaryFile(mode='w', delete=False, suffix='.pem') as f:
+            f.write(cert_data)
+            ssl_cert_path = f.name
+
+        ssl_context.load_verify_locations(ssl_cert_path)
+
+        # Add SSL to connection pool kwargs
+        config['connection_pool_class_kwargs']['ssl'] = ssl_context
+
    return config


--- a/common/utils/celery_utils.py
+++ b/common/utils/celery_utils.py
@@ -1,3 +1,5 @@
+import tempfile
+
 from celery import Celery
 from kombu import Queue
 from werkzeug.local import LocalProxy
@@ -6,6 +8,16 @@ from redbeat import RedBeatScheduler
 celery_app = Celery()


+def _create_ssl_cert_file(cert_data: str) -> str:
+    """Create temporary certificate file for Celery SSL"""
+    if not cert_data:
+        return None
+
+    with tempfile.NamedTemporaryFile(mode='w', delete=False, suffix='.pem') as cert_file:
+        cert_file.write(cert_data)
+        return cert_file.name
+
+
 def init_celery(celery, app, is_beat=False):
    celery_app.main = app.name

@@ -19,6 +31,32 @@ def init_celery(celery, app, is_beat=False):
        'enable_utc': app.config.get('CELERY_ENABLE_UTC', True),
    }

+    # Add broker transport options for SSL and connection pooling
+    broker_transport_options = {
+        'master_name': None,
+        'max_connections': 20,
+        'retry_on_timeout': True,
+        'socket_connect_timeout': 5,
+        'socket_timeout': 5,
+    }
+
+    cert_data = app.config.get('REDIS_CERT_DATA')
+    if cert_data:
+        try:
+            ssl_cert_file = _create_ssl_cert_file(cert_data)
+            if ssl_cert_file:
+                broker_transport_options.update({
+                    'ssl_cert_reqs': 'required',
+                    'ssl_ca_certs': ssl_cert_file,
+                    'ssl_check_hostname': True,
+                })
+                app.logger.info("SSL configured for Celery Redis connection")
+        except Exception as e:
+            app.logger.error(f"Failed to configure SSL for Celery: {e}")
+
+    celery_config['broker_transport_options'] = broker_transport_options
+    celery_config['result_backend_transport_options'] = broker_transport_options
+
    if is_beat:
        # Add configurations specific to Beat scheduler
        celery_config['beat_scheduler'] = 'redbeat.RedBeatScheduler'