- Adaptations to support secure Redis Access

- Redis Connection Pooling set up for Celery, dogpile caching and flask session
2025-08-31 17:43:30 +02:00
parent 25ab9ccf23
commit 35f58f0c57
3 changed files with 129 additions and 137 deletions
--- a/common/utils/cache/regions.py
+++ b/common/utils/cache/regions.py
@@ -21,6 +21,18 @@ def get_redis_config(app):
        'redis_expiration_time': 3600,
        'distributed_lock': True,
        'thread_local_lock': False,
+        # Ingebouwde connection pooling parameters
+        'connection_pool_class': 'redis.BlockingConnectionPool',
+        'connection_pool_class_kwargs': {
+            'max_connections': 20,
+            'timeout': 20,
+            'retry_on_timeout': True,
+            'socket_connect_timeout': 5,
+            'socket_timeout': 5,
+        },
+
+        # Key prefix voor namespace isolation
+        'key_mangler': lambda key: f"cache:workers:{key}"
    }

    # Add authentication if provided
@@ -30,6 +42,27 @@ def get_redis_config(app):
            'password': redis_uri.password
        })

+    # SSL support using Dogpile's built-in mechanism
+    cert_data = app.config.get('REDIS_CERT_DATA')
+    if cert_data and redis_uri.scheme == 'rediss':
+        import ssl
+        import tempfile
+
+        # Create SSL context
+        ssl_context = ssl.create_default_context()
+        ssl_context.verify_mode = ssl.CERT_REQUIRED
+        ssl_context.check_hostname = True
+
+        # Write cert to temp file
+        with tempfile.NamedTemporaryFile(mode='w', delete=False, suffix='.pem') as f:
+            f.write(cert_data)
+            ssl_cert_path = f.name
+
+        ssl_context.load_verify_locations(ssl_cert_path)
+
+        # Add SSL to connection pool kwargs
+        config['connection_pool_class_kwargs']['ssl'] = ssl_context
+
    return config