Improve teh securty of teh DB

2025-10-19 19:22:37 +02:00
parent 62971c07d7
commit 05da20357d
87 changed files with 7998 additions and 932 deletions
--- a/shared/config/base.py
+++ b/shared/config/base.py
@@ -58,26 +58,40 @@ class BaseServiceSettings(BaseSettings):

    @property
    def REDIS_URL(self) -> str:
-        """Build Redis URL from secure components"""
+        """Build Redis URL from secure components with TLS support"""
        # Try complete URL first (for backward compatibility)
        complete_url = os.getenv("REDIS_URL")
        if complete_url:
+            # Upgrade to TLS if not already
+            if complete_url.startswith("redis://") and "tls" not in complete_url.lower():
+                complete_url = complete_url.replace("redis://", "rediss://", 1)
            return complete_url

-        # Build from components (secure approach)
+        # Build from components (secure approach with TLS)
        password = os.getenv("REDIS_PASSWORD", "")
        host = os.getenv("REDIS_HOST", "redis-service")
        port = os.getenv("REDIS_PORT", "6379")
+        use_tls = os.getenv("REDIS_TLS_ENABLED", "true").lower() == "true"
+
+        # Use rediss:// for TLS, redis:// for non-TLS
+        protocol = "rediss" if use_tls else "redis"

        # DEBUG: print what we're using
        import sys
-        print(f"[DEBUG REDIS_URL] password={repr(password)}, host={host}, port={port}", file=sys.stderr)
+        print(f"[DEBUG REDIS_URL] password={repr(password)}, host={host}, port={port}, tls={use_tls}", file=sys.stderr)

        if password:
-            url = f"redis://:{password}@{host}:{port}"
-            print(f"[DEBUG REDIS_URL] Returning URL with auth: {url}", file=sys.stderr)
+            url = f"{protocol}://:{password}@{host}:{port}"
+            if use_tls:
+                # Use ssl_cert_reqs=none for self-signed certs in internal cluster
+                # Still encrypted, just skips cert validation
+                url += "?ssl_cert_reqs=none"
+            print(f"[DEBUG REDIS_URL] Returning URL with auth and TLS: {url}", file=sys.stderr)
            return url
-        url = f"redis://{host}:{port}"
+        url = f"{protocol}://{host}:{port}"
+        if use_tls:
+            # Use ssl_cert_reqs=none for self-signed certs in internal cluster
+            url += "?ssl_cert_reqs=none"
        print(f"[DEBUG REDIS_URL] Returning URL without auth: {url}", file=sys.stderr)
        return url