feat: add Redis SSL/TLS certificate authentication support (#23624)

2025-08-18 10:59:07 +08:00
parent fa4d3bba86
commit 052d0e059e
7 changed files with 351 additions and 71 deletions
--- a/api/extensions/ext_celery.py
+++ b/api/extensions/ext_celery.py
@@ -1,4 +1,6 @@
+import ssl
 from datetime import timedelta
+from typing import Any, Optional

 import pytz
 from celery import Celery, Task  # type: ignore
@@ -8,6 +10,40 @@ from configs import dify_config
 from dify_app import DifyApp


+def _get_celery_ssl_options() -> Optional[dict[str, Any]]:
+    """Get SSL configuration for Celery broker/backend connections."""
+    # Use REDIS_USE_SSL for consistency with the main Redis client
+    # Only apply SSL if we're using Redis as broker/backend
+    if not dify_config.REDIS_USE_SSL:
+        return None
+
+    # Check if Celery is actually using Redis
+    broker_is_redis = dify_config.CELERY_BROKER_URL and (
+        dify_config.CELERY_BROKER_URL.startswith("redis://") or dify_config.CELERY_BROKER_URL.startswith("rediss://")
+    )
+
+    if not broker_is_redis:
+        return None
+
+    # Map certificate requirement strings to SSL constants
+    cert_reqs_map = {
+        "CERT_NONE": ssl.CERT_NONE,
+        "CERT_OPTIONAL": ssl.CERT_OPTIONAL,
+        "CERT_REQUIRED": ssl.CERT_REQUIRED,
+    }
+
+    ssl_cert_reqs = cert_reqs_map.get(dify_config.REDIS_SSL_CERT_REQS, ssl.CERT_NONE)
+
+    ssl_options = {
+        "ssl_cert_reqs": ssl_cert_reqs,
+        "ssl_ca_certs": dify_config.REDIS_SSL_CA_CERTS,
+        "ssl_certfile": dify_config.REDIS_SSL_CERTFILE,
+        "ssl_keyfile": dify_config.REDIS_SSL_KEYFILE,
+    }
+
+    return ssl_options
+
+
 def init_app(app: DifyApp) -> Celery:
    class FlaskTask(Task):
        def __call__(self, *args: object, **kwargs: object) -> object:
@@ -33,14 +69,6 @@ def init_app(app: DifyApp) -> Celery:
        task_ignore_result=True,
    )

-    # Add SSL options to the Celery configuration
-    ssl_options = {
-        "ssl_cert_reqs": None,
-        "ssl_ca_certs": None,
-        "ssl_certfile": None,
-        "ssl_keyfile": None,
-    }
-
    celery_app.conf.update(
        result_backend=dify_config.CELERY_RESULT_BACKEND,
        broker_transport_options=broker_transport_options,
@@ -51,9 +79,13 @@ def init_app(app: DifyApp) -> Celery:
        timezone=pytz.timezone(dify_config.LOG_TZ or "UTC"),
    )

-    if dify_config.BROKER_USE_SSL:
+    # Apply SSL configuration if enabled
+    ssl_options = _get_celery_ssl_options()
+    if ssl_options:
        celery_app.conf.update(
-            broker_use_ssl=ssl_options,  # Add the SSL options to the broker configuration
+            broker_use_ssl=ssl_options,
+            # Also apply SSL to the backend if it's Redis
+            redis_backend_use_ssl=ssl_options if dify_config.CELERY_BACKEND == "redis" else None,
        )

    if dify_config.LOG_FILE: