feat: JumpServer支持部署在使用了ssl的redis上，可使用证书连接

apps/common/utils/connection.py

@@ -19,6 +19,7 @@ def get_redis_client(db=0):
         'password': CONFIG.REDIS_PASSWORD,
         'db': db,
         "ssl": is_true(CONFIG.REDIS_USE_SSL),
+        'ssl_cert_reqs': CONFIG.REDIS_SSL_REQUIRED,
         'ssl_keyfile': getattr(settings, 'REDIS_SSL_KEYFILE'),
         'ssl_certfile': getattr(settings, 'REDIS_SSL_CERTFILE'),
         'ssl_ca_certs': getattr(settings, 'REDIS_SSL_CA_CERTS'),

apps/jumpserver/rewriting/session.py

@@ -18,6 +18,7 @@ class RedisServer(RedisRedisServer):
         ssl_params = {}
         if CONFIG.REDIS_USE_SSL:
             ssl_params = {
+                'ssl_cert_reqs': CONFIG.REDIS_SSL_REQUIRED,
                 'ssl_keyfile': getattr(settings, 'REDIS_SSL_KEYFILE'),
                 'ssl_certfile': getattr(settings, 'REDIS_SSL_CERTFILE'),
                 'ssl_ca_certs': getattr(settings, 'REDIS_SSL_CA_CERTS'),

apps/jumpserver/settings/base.py

@@ -250,8 +250,16 @@ FILE_UPLOAD_DIRECTORY_PERMISSIONS = 0o755
 
 # Cache use redis
 REDIS_SSL_KEYFILE = os.path.join(PROJECT_DIR, 'data', 'certs', 'redis_client.key')
+if not os.path.exists(REDIS_SSL_KEYFILE):
+    REDIS_SSL_KEYFILE = None
+
 REDIS_SSL_CERTFILE = os.path.join(PROJECT_DIR, 'data', 'certs', 'redis_client.crt')
+if not os.path.exists(REDIS_SSL_CERTFILE):
+    REDIS_SSL_CERTFILE = None
+
 REDIS_SSL_CA_CERTS = os.path.join(PROJECT_DIR, 'data', 'certs', 'redis_ca.crt')
+if not os.path.exists(REDIS_SSL_CA_CERTS):
+    REDIS_SSL_CA_CERTS = os.path.join(PROJECT_DIR, 'data', 'certs', 'redis_ca.pem')
 
 CACHES = {
     'default': {
@@ -267,6 +275,7 @@ CACHES = {
         'OPTIONS': {
             "REDIS_CLIENT_KWARGS": {"health_check_interval": 30},
             "CONNECTION_POOL_KWARGS": {
+                'ssl_cert_reqs': CONFIG.REDIS_SSL_REQUIRED,
                 "ssl_keyfile": REDIS_SSL_KEYFILE,
                 "ssl_certfile": REDIS_SSL_CERTFILE,
                 "ssl_ca_certs": REDIS_SSL_CA_CERTS

apps/jumpserver/settings/libs.py

@@ -89,9 +89,10 @@ if not CONFIG.REDIS_USE_SSL:
     context = None
 else:
     context = ssl.SSLContext()
-    context.check_hostname = False
+    context.check_hostname = bool(CONFIG.REDIS_SSL_REQUIRED)
     context.load_verify_locations(REDIS_SSL_CA_CERTS)
-    context.load_cert_chain(REDIS_SSL_CERTFILE, REDIS_SSL_KEYFILE)
+    if REDIS_SSL_CERTFILE and REDIS_SSL_KEYFILE:
+        context.load_cert_chain(REDIS_SSL_CERTFILE, REDIS_SSL_KEYFILE)
 
 CHANNEL_LAYERS = {
     'default': {
@@ -139,7 +140,7 @@ CELERY_WORKER_REDIRECT_STDOUTS_LEVEL = "INFO"
 CELERY_TASK_SOFT_TIME_LIMIT = 3600
 if CONFIG.REDIS_USE_SSL:
     CELERY_BROKER_USE_SSL = CELERY_REDIS_BACKEND_USE_SSL = {
-        'ssl_cert_reqs': 'required',
+        'ssl_cert_reqs': CONFIG.REDIS_SSL_REQUIRED,
         'ssl_ca_certs': REDIS_SSL_CA_CERTS,
         'ssl_certfile': REDIS_SSL_CERTFILE,
         'ssl_keyfile': REDIS_SSL_KEYFILE

utils/start_celery_beat.py

@@ -19,14 +19,23 @@ if os.getuid() == 0:
     os.environ.setdefault('C_FORCE_ROOT', '1')
 
 REDIS_SSL_KEYFILE = os.path.join(BASE_DIR, 'data', 'certs', 'redis_client.key')
+if not os.path.exists(REDIS_SSL_KEYFILE):
+    REDIS_SSL_KEYFILE = None
+
 REDIS_SSL_CERTFILE = os.path.join(BASE_DIR, 'data', 'certs', 'redis_client.crt')
+if not os.path.exists(REDIS_SSL_CERTFILE):
+    REDIS_SSL_CERTFILE = None
+
 REDIS_SSL_CA_CERTS = os.path.join(BASE_DIR, 'data', 'certs', 'redis_ca.crt')
+if not os.path.exists(REDIS_SSL_CA_CERTS):
+    REDIS_SSL_CA_CERTS = os.path.join(BASE_DIR, 'data', 'certs', 'redis_ca.pem')
 
 params = {
     'host': CONFIG.REDIS_HOST,
     'port': CONFIG.REDIS_PORT,
     'password': CONFIG.REDIS_PASSWORD,
     "ssl": CONFIG.REDIS_USE_SSL,
+    'ssl_cert_reqs': CONFIG.REDIS_SSL_REQUIRED,
     "ssl_keyfile": REDIS_SSL_KEYFILE,
     "ssl_certfile": REDIS_SSL_CERTFILE,
     "ssl_ca_certs": REDIS_SSL_CA_CERTS