From 3d3c0828a9198b2b0c923d5818f1d3a26f2b7dd2 Mon Sep 17 00:00:00 2001 From: Marvin Mall Date: Tue, 5 Nov 2024 18:04:58 +0100 Subject: [PATCH 1/2] Add support for SSL options --- README.md | 14 ++++++++++++++ src/Connectors/PhpRedisSentinelConnector.php | 5 +++++ 2 files changed, 19 insertions(+) diff --git a/README.md b/README.md index 0f3368e..17a33a9 100644 --- a/README.md +++ b/README.md @@ -70,6 +70,20 @@ Noteworthy is the `sentinel_service`, which represents the instance name of the All other options are the same for the Redis Sentinel driver, except that `url` is not supported and `host` and `port` are ignored. +### SSL Support + +If you want to use SSL to connect to Redis Sentinel, you need to add an additional configuration option 'sentinel_ssl' next to the other 'sentinel_*' settings: + +```php +'sentinel_ssl' => [ + // ... ssl settings ... +], +``` + +Available SSL context options can be found in the [official PHP documentation](https://www.php.net/manual/en/context.ssl.php). + +NOTE: The SSL options only work for the `phpredis` extension starting from version 6.1.0. + ### How does it work? An additional Laravel Redis driver is added (`phpredis-sentinel`), which resolves the currently declared master instance of a replication diff --git a/src/Connectors/PhpRedisSentinelConnector.php b/src/Connectors/PhpRedisSentinelConnector.php index 26f4a42..468782f 100644 --- a/src/Connectors/PhpRedisSentinelConnector.php +++ b/src/Connectors/PhpRedisSentinelConnector.php @@ -91,6 +91,7 @@ private function connectToSentinel(array $config): RedisSentinel $readTimeout = $config['sentinel_read_timeout'] ?? 0; $username = $config['sentinel_username'] ?? ''; $password = $config['sentinel_password'] ?? ''; + $ssl = $config['sentinel_ssl'] ?? null; if (strlen(trim($host)) === 0) { throw new ConfigurationException('No host has been specified for the Redis Sentinel connection.'); 
@@ -117,6 +118,10 @@ private function connectToSentinel(array $config): RedisSentinel $options['auth'] = $auth; } + if (version_compare(phpversion('redis'), '6.1', '>=') && $ssl !== null) { + $options['ssl'] = $ssl; + } + return new RedisSentinel($options); } From c27779f6bbfd42252ae74ddbeff00c06222ed77c Mon Sep 17 00:00:00 2001 From: Marvin Mall Date: Tue, 5 Nov 2024 21:00:00 +0100 Subject: [PATCH 2/2] Add SSL documentation --- README.md | 56 +++++++++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 50 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 17a33a9..ad613b0 100644 --- a/README.md +++ b/README.md @@ -43,7 +43,6 @@ To use the Redis Sentinel driver, the `redis` section in `config/database.php` n ```php 'redis' => [ - 'client' => env('REDIS_CLIENT', 'phpredis-sentinel'), 'default' => [ 
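Review bot: The guard on the added `version_compare(phpversion('redis'), '6.1', '>=') && $ssl !== null` line silently discards a configured `sentinel_ssl` when the loaded phpredis is older than 6.1, so a deployment that explicitly asked for TLS to Sentinel proceeds (or fails later) without it and with no hint why. This function already throws `ConfigurationException` for a missing host, and an unusable TLS setting deserves the same treatment: `if ($ssl !== null && version_compare(phpversion('redis'), '6.1', '<')) {` / `    throw new ConfigurationException('The sentinel_ssl option requires the phpredis extension 6.1 or newer.');` / `}` placed before the existing block, which can then become a plain `if ($ssl !== null)`. A short comment on that remaining block would also help, since the second patch's README states that the option only takes effect together with a `tls://` scheme in `sentinel_host`, which the code does not check. Note that `phpversion('redis')` returns `false` when the extension is not loaded, which `version_compare` would coerce rather than report; presumably the connector cannot run in that state anyway. connectToSentinel begins before this hunk.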
@@ -70,19 +69,64 @@ Noteworthy is the `sentinel_service`, which represents the instance name of the All other options are the same for the Redis Sentinel driver, except that `url` is not supported and `host` and `port` are ignored. -### SSL Support +### SSL/TLS Support -If you want to use SSL to connect to Redis Sentinel, you need to add an additional configuration option 'sentinel_ssl' next to the other 'sentinel_*' settings: +If you want to use SSL/TLS to connect to Redis Sentinel, you need to add an additional configuration option `sentinel_ssl` next to the other `sentinel_*` settings: ```php 'sentinel_ssl' => [ - // ... ssl settings ... + // ... SSL settings ... +], +``` + +Available SSL context options can be found in the [official PHP documentation](https://www.php.net/manual/en/context.ssl.php). Please note that SSL support for the Sentinel connection was added to the `phpredis` extension starting in version 6.1. + +Also note that if your Redis Sentinel resolves SSL connections to Redis, you potentially need to add additional context options for your Redis connection: + +```php +'context' => [ + 'stream' => [ + // ... SSL settings ... 
+ ] ], +'scheme' => 'tls', +``` + +A full configuration example using SSL for Redis Sentinel as well as Redis looks like this if authentication is also enabled (environment variables omitted for clarity): + +```php +'redis' => [ + 'client' => 'phpredis-sentinel', + + 'redis_with_tls' => [ + 'sentinel_host' => 'tls://sentinel_host', + 'sentinel_port' => 26379, + 'sentinel_service' => 'mymaster', + 'sentinel_timeout' => 0, + 'sentinel_persistent' => false, + 'sentinel_retry_interval' => 0, + 'sentinel_read_timeout' => 0, + 'sentinel_username' => 'sentinel_username', + 'sentinel_password' => 'sentinel_password', + 'sentinel_ssl' => [ + 'cafile' => '/path/to/sentinel_ca.crt', + ], + 'context' => [ + 'stream' => [ + 'cafile' => '/path/to/redis_ca.crt', + ], + ], + 'scheme' => 'tls', + 'username' => 'redis_username', + 'password' => 'redis_password', + 'database' => 1, + ] +] ``` -Available SSL context options can be found in the [official PHP documentation](https://www.php.net/manual/en/context.ssl.php). +The important parts are the `tls://` protocol in `sentinel_host` as well as the `tls` in `scheme`, plus the `sentinel_ssl` and `context.stream` options. -NOTE: The SSL options only work for the `phpredis` extension starting from version 6.1.0. +Because Redis Sentinel resolves Redis instances by IP and port, your Redis certificate needs to have the IP as SAN. Alternatively, you can set `verify_peer` and maybe also `verify_peer_name` to `false`. ### How does it work?