Closed brockwood closed 6 years ago
Thanks for the contribution @brockwood - this looks great.
I don't run Redis with TLS - how would you recommend setting it up to test this PR?
We use HAProxy in production but stunnel should work as well. Digital Ocean has a nice write-up on how to do that: https://www.digitalocean.com/community/tutorials/how-to-encrypt-traffic-to-redis-with-stunnel-on-ubuntu-16-04
Let me know if there's anything I can help out with that.
I think I have working tests that use https://github.com/ory/dockertest to set up a TLS Redis instance. This would require that Docker is available when running tests. Would this be acceptable for running tests locally?
Yes, that would work. I was able to get this running locally with:
```sh
mkdir ssl
# Private CA (passphrase-protected key) plus a server cert whose IP SAN matches the rediss:// host used below.
openssl genrsa -aes256 -passout pass:goworker -out ssl/ca-key.pem 4096
openssl req -new -x509 -days 365 -key ssl/ca-key.pem -sha256 -passin pass:goworker -subj '/CN=test.goworker.org/O=goworker/C=US' -out ssl/ca.pem
openssl genrsa -out ssl/server-key.pem 4096
openssl req -subj "/CN=test.goworker.org" -sha256 -new -key ssl/server-key.pem -out ssl/server.csr
echo subjectAltName = IP:127.0.0.1 > ssl/extfile.cnf
openssl x509 -req -days 365 -sha256 -in ssl/server.csr -CA ssl/ca.pem -CAkey ssl/ca-key.pem -CAcreateserial -passin pass:goworker -out ssl/server-cert.pem -extfile ssl/extfile.cnf
# stunnel expects key and cert concatenated in one PEM file.
cat ssl/server-key.pem ssl/server-cert.pem > ssl/rediscert.pem
# Run Redis and the stunnel TLS front end on 6380 detached (-d), so the script does not block on the first container.
docker run -d --rm --name redis redis
docker run -d --rm \
  --link redis:redis \
  -v `pwd`/ssl/rediscert.pem:/stunnel/private.pem:ro \
  -p 6380:6380 \
  runnable/redis-stunnel
# Minimal worker that registers a no-op job and exits once the queue is drained.
cat << EOF > work.go
package main

import "github.com/benmanns/goworker"

func work(string, ...interface{}) error {
	return nil
}

func init() {
	goworker.Register("MyClass", work)
}

func main() {
	if err := goworker.Work(); err != nil {
		panic(err)
	}
}
EOF
# rediss:// turns TLS on; -tls-cert adds our private CA so the stunnel cert verifies.
go run work.go -exit-on-complete -queues default -concurrency 2 -use-number -uri rediss://127.0.0.1:6380 -tls-cert ssl/ca.pem
```
TODO: Automate 😄
I think this can be merged now, though. Thanks @brockwood!
Greetings,
This pull request adds support for TLS on the Redis connection. To create a secure connection, use `rediss` as the URI scheme. It also adds two new flags, one to turn off TLS verification, `insecure-tls`, and one to pass in a custom CA cert that will be included in the CA pool, `tls-cert`. I have been testing this via my own fork and it has proven to be pretty solid. If there is interest in this change, please let me know if there's anything this PR is missing and I'll get that in there.
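How the three knobs described in this PR (the `rediss` scheme, `insecure-tls`, `tls-cert`) map onto a Go `tls.Config`, as an added example that is not goworker's own code: `redisTLSConfig` and `selfSignedCAPEM` are assumed names, and the CA is generated in memory to stand in for the `ssl/ca.pem` produced by the openssl steps in the review thread above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"net/url"
	"time"
)

// redisTLSConfig mirrors the PR's knobs with assumed names (not the project's real code):
// "rediss" turns TLS on, insecureTLS is -insecure-tls, caPEM is the -tls-cert file.
func redisTLSConfig(rawURI string, insecureTLS bool, caPEM []byte) (*tls.Config, error) {
	u, err := url.Parse(rawURI)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "rediss" {
		return nil, nil // plain redis:// scheme: no TLS config at all
	}
	pool := x509.NewCertPool() // simplification: trust only the -tls-cert CA, not system roots
	if len(caPEM) > 0 && !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("tls-cert: no PEM certificate found") // fail closed on a bad CA file
	}
	// ServerName drives hostname verification; 127.0.0.1 matches the cert's IP SAN above.
	return &tls.Config{ServerName: u.Hostname(), RootCAs: pool, InsecureSkipVerify: insecureTLS}, nil
}

// selfSignedCAPEM stands in for ssl/ca.pem (constructed in memory so this runs offline).
func selfSignedCAPEM() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test.goworker.org"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}
```

Leaving `InsecureSkipVerify` on in production turns the stunnel/HAProxy hop back into an unauthenticated channel, so `insecure-tls` belongs in local testing only.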