feat: JumpServer支持部署在使用了ssl的redis上,可使用证书连接

pull/7800/head
jiangweidong 2022-03-14 11:35:14 +08:00
parent f04378eaf8
commit 794139782f
5 changed files with 24 additions and 3 deletions


@ -19,6 +19,7 @@ def get_redis_client(db=0):
'password': CONFIG.REDIS_PASSWORD, 'password': CONFIG.REDIS_PASSWORD,
'db': db, 'db': db,
"ssl": is_true(CONFIG.REDIS_USE_SSL), "ssl": is_true(CONFIG.REDIS_USE_SSL),
'ssl_cert_reqs': CONFIG.REDIS_SSL_REQUIRED,
'ssl_keyfile': getattr(settings, 'REDIS_SSL_KEYFILE'), 'ssl_keyfile': getattr(settings, 'REDIS_SSL_KEYFILE'),
'ssl_certfile': getattr(settings, 'REDIS_SSL_CERTFILE'), 'ssl_certfile': getattr(settings, 'REDIS_SSL_CERTFILE'),
'ssl_ca_certs': getattr(settings, 'REDIS_SSL_CA_CERTS'), 'ssl_ca_certs': getattr(settings, 'REDIS_SSL_CA_CERTS'),
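Review bot: The added `ssl_cert_reqs` kwarg hands CONFIG.REDIS_SSL_REQUIRED to the redis client untouched, and since the config definition is not part of this commit, the value's type is what decides whether the server certificate is verified. As far as I recall redis-py's SSLConnection, the strings "none"/"optional"/"required" (and the ssl.CERT_* constants) are mapped onto verify_mode, whereas a bare boolean would reach verify_mode as the integer 1, i.e. CERT_OPTIONAL, rather than "required"; the channels settings in this same commit instead read the setting through bool(), so the two consumers can disagree on what a given value means. I'd normalise the value once where the config is loaded and state the contract next to this line, e.g. `# REDIS_SSL_REQUIRED: 'none' | 'optional' | 'required' (redis-py ssl_cert_reqs); 'none' skips server certificate verification`. The same kwarg is added in the RedisServer params, the CACHES CONNECTION_POOL_KWARGS and the celery params sections below. get_redis_client starts and ends outside the hunk.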


@ -18,6 +18,7 @@ class RedisServer(RedisRedisServer):
ssl_params = {} ssl_params = {}
if CONFIG.REDIS_USE_SSL: if CONFIG.REDIS_USE_SSL:
ssl_params = { ssl_params = {
'ssl_cert_reqs': CONFIG.REDIS_SSL_REQUIRED,
'ssl_keyfile': getattr(settings, 'REDIS_SSL_KEYFILE'), 'ssl_keyfile': getattr(settings, 'REDIS_SSL_KEYFILE'),
'ssl_certfile': getattr(settings, 'REDIS_SSL_CERTFILE'), 'ssl_certfile': getattr(settings, 'REDIS_SSL_CERTFILE'),
'ssl_ca_certs': getattr(settings, 'REDIS_SSL_CA_CERTS'), 'ssl_ca_certs': getattr(settings, 'REDIS_SSL_CA_CERTS'),


@ -250,8 +250,16 @@ FILE_UPLOAD_DIRECTORY_PERMISSIONS = 0o755
# Cache use redis # Cache use redis
REDIS_SSL_KEYFILE = os.path.join(PROJECT_DIR, 'data', 'certs', 'redis_client.key') REDIS_SSL_KEYFILE = os.path.join(PROJECT_DIR, 'data', 'certs', 'redis_client.key')
if not os.path.exists(REDIS_SSL_KEYFILE):
REDIS_SSL_KEYFILE = None
REDIS_SSL_CERTFILE = os.path.join(PROJECT_DIR, 'data', 'certs', 'redis_client.crt') REDIS_SSL_CERTFILE = os.path.join(PROJECT_DIR, 'data', 'certs', 'redis_client.crt')
if not os.path.exists(REDIS_SSL_CERTFILE):
REDIS_SSL_CERTFILE = None
REDIS_SSL_CA_CERTS = os.path.join(PROJECT_DIR, 'data', 'certs', 'redis_ca.crt') REDIS_SSL_CA_CERTS = os.path.join(PROJECT_DIR, 'data', 'certs', 'redis_ca.crt')
if not os.path.exists(REDIS_SSL_CA_CERTS):
REDIS_SSL_CA_CERTS = os.path.join(PROJECT_DIR, 'data', 'certs', 'redis_ca.pem')
CACHES = { CACHES = {
'default': { 'default': {
@ -267,6 +275,7 @@ CACHES = {
'OPTIONS': { 'OPTIONS': {
"REDIS_CLIENT_KWARGS": {"health_check_interval": 30}, "REDIS_CLIENT_KWARGS": {"health_check_interval": 30},
"CONNECTION_POOL_KWARGS": { "CONNECTION_POOL_KWARGS": {
'ssl_cert_reqs': CONFIG.REDIS_SSL_REQUIRED,
"ssl_keyfile": REDIS_SSL_KEYFILE, "ssl_keyfile": REDIS_SSL_KEYFILE,
"ssl_certfile": REDIS_SSL_CERTFILE, "ssl_certfile": REDIS_SSL_CERTFILE,
"ssl_ca_certs": REDIS_SSL_CA_CERTS "ssl_ca_certs": REDIS_SSL_CA_CERTS


@ -89,9 +89,10 @@ if not CONFIG.REDIS_USE_SSL:
context = None context = None
else: else:
context = ssl.SSLContext() context = ssl.SSLContext()
context.check_hostname = False context.check_hostname = bool(CONFIG.REDIS_SSL_REQUIRED)
context.load_verify_locations(REDIS_SSL_CA_CERTS) context.load_verify_locations(REDIS_SSL_CA_CERTS)
context.load_cert_chain(REDIS_SSL_CERTFILE, REDIS_SSL_KEYFILE) if REDIS_SSL_CERTFILE and REDIS_SSL_KEYFILE:
context.load_cert_chain(REDIS_SSL_CERTFILE, REDIS_SSL_KEYFILE)
CHANNEL_LAYERS = { CHANNEL_LAYERS = {
'default': { 'default': {
@ -139,7 +140,7 @@ CELERY_WORKER_REDIRECT_STDOUTS_LEVEL = "INFO"
CELERY_TASK_SOFT_TIME_LIMIT = 3600 CELERY_TASK_SOFT_TIME_LIMIT = 3600
if CONFIG.REDIS_USE_SSL: if CONFIG.REDIS_USE_SSL:
CELERY_BROKER_USE_SSL = CELERY_REDIS_BACKEND_USE_SSL = { CELERY_BROKER_USE_SSL = CELERY_REDIS_BACKEND_USE_SSL = {
'ssl_cert_reqs': 'required', 'ssl_cert_reqs': CONFIG.REDIS_SSL_REQUIRED,
'ssl_ca_certs': REDIS_SSL_CA_CERTS, 'ssl_ca_certs': REDIS_SSL_CA_CERTS,
'ssl_certfile': REDIS_SSL_CERTFILE, 'ssl_certfile': REDIS_SSL_CERTFILE,
'ssl_keyfile': REDIS_SSL_KEYFILE 'ssl_keyfile': REDIS_SSL_KEYFILE
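Review bot: On the changed `check_hostname` line, server verification is switched on only as a side effect: `ssl.SSLContext()` starts with verify_mode = CERT_NONE, and on Python 3.7+ assigning check_hostname = True raises verify_mode to CERT_REQUIRED, while a falsy REDIS_SSL_REQUIRED leaves the context at CERT_NONE so the CA loaded on the next line is never consulted. Worse, `bool()` of a non-empty string such as 'none' is True, so if REDIS_SSL_REQUIRED carries redis-py's string values (as the other files in this commit suggest) this line enables hostname checking precisely when the operator asked to disable verification. Set the mode explicitly from the normalised setting, e.g. `context.verify_mode = ssl.CERT_REQUIRED if <verification required> else ssl.CERT_NONE` followed by `context.check_hostname = context.verify_mode == ssl.CERT_REQUIRED`, and consider `ssl.create_default_context(cafile=REDIS_SSL_CA_CERTS)`, which applies secure protocol defaults; the unparameterised `ssl.SSLContext()` call is deprecated since Python 3.10. The if/else block starts outside the hunk.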


@ -19,14 +19,23 @@ if os.getuid() == 0:
os.environ.setdefault('C_FORCE_ROOT', '1') os.environ.setdefault('C_FORCE_ROOT', '1')
REDIS_SSL_KEYFILE = os.path.join(BASE_DIR, 'data', 'certs', 'redis_client.key') REDIS_SSL_KEYFILE = os.path.join(BASE_DIR, 'data', 'certs', 'redis_client.key')
if not os.path.exists(REDIS_SSL_KEYFILE):
REDIS_SSL_KEYFILE = None
REDIS_SSL_CERTFILE = os.path.join(BASE_DIR, 'data', 'certs', 'redis_client.crt') REDIS_SSL_CERTFILE = os.path.join(BASE_DIR, 'data', 'certs', 'redis_client.crt')
if not os.path.exists(REDIS_SSL_CERTFILE):
REDIS_SSL_CERTFILE = None
REDIS_SSL_CA_CERTS = os.path.join(BASE_DIR, 'data', 'certs', 'redis_ca.crt') REDIS_SSL_CA_CERTS = os.path.join(BASE_DIR, 'data', 'certs', 'redis_ca.crt')
if not os.path.exists(REDIS_SSL_CA_CERTS):
REDIS_SSL_CA_CERTS = os.path.join(BASE_DIR, 'data', 'certs', 'redis_ca.pem')
params = { params = {
'host': CONFIG.REDIS_HOST, 'host': CONFIG.REDIS_HOST,
'port': CONFIG.REDIS_PORT, 'port': CONFIG.REDIS_PORT,
'password': CONFIG.REDIS_PASSWORD, 'password': CONFIG.REDIS_PASSWORD,
"ssl": CONFIG.REDIS_USE_SSL, "ssl": CONFIG.REDIS_USE_SSL,
'ssl_cert_reqs': CONFIG.REDIS_SSL_REQUIRED,
"ssl_keyfile": REDIS_SSL_KEYFILE, "ssl_keyfile": REDIS_SSL_KEYFILE,
"ssl_certfile": REDIS_SSL_CERTFILE, "ssl_certfile": REDIS_SSL_CERTFILE,
"ssl_ca_certs": REDIS_SSL_CA_CERTS "ssl_ca_certs": REDIS_SSL_CA_CERTS