68c150eba4
The redis.enableTLS / redis.tlsSkipVerify settings were accepted by the config layer but silently dropped before reaching the connection pool, so the plugin always dialed Redis in plaintext. This blocked TLS-only Redis deployments such as AWS ElastiCache with in-transit encryption. - Add EnableTLS, TLSSkipVerify, TLSServerName to backends.Config and PoolConfig and forward them through universal_cache_singleton -> backends.Config -> PoolConfig. - In the connection pool, dial via tls.Dialer.DialContext (TLS 1.2 minimum) with SNI defaulting to the host part of the configured Address when TLSServerName is empty, so ElastiCache cluster endpoints validate out of the box. The plain dial path now also propagates ctx. - Add regression tests covering successful TLS negotiation with skip-verify, rejection of self-signed certs without skip-verify, rejection of plain TCP servers when EnableTLS=true, and unaffected plaintext behavior. - Document maxRefreshTokenAgeSeconds (added in 1b6c861) and the implicit SSE / WebSocket auth bypass (added in 684a990) in README.md, docs/CONFIGURATION.md and docs/index.html. - Add the missing redis.tlsSkipVerify row to docs/index.html and clarify the redis.enableTLS description. patch-release
package backends
import "time"
// BackendType names a cache backend implementation. The recognised values
// are the BackendType* constants below ("memory", "redis", "hybrid").
type BackendType string
const (
	// BackendTypeMemory selects the in-process memory backend.
	BackendTypeMemory BackendType = "memory"
	// BackendTypeRedis selects the Redis backend.
	BackendTypeRedis BackendType = "redis"
	// BackendTypeHybrid selects the two-tier backend (memory L1 in front of Redis L2).
	BackendTypeHybrid BackendType = "hybrid"

	// Aliases for backward compatibility; they carry the same string values
	// as the BackendType* constants above and compare equal to them.
	TypeMemory BackendType = "memory"
	TypeRedis  BackendType = "redis"
	TypeHybrid BackendType = "hybrid"
)
// Config provides common configuration for cache backends. A single struct
// is shared by all backend types; which fields are meaningful depends on
// Type (see DefaultConfig, DefaultRedisConfig and DefaultHybridConfig for
// the fields each backend populates).
type Config struct {
	// L2Config is the second-tier (Redis) configuration used when Type is
	// BackendTypeHybrid; see DefaultHybridConfig.
	L2Config *Config
	// L1Config is the first-tier (memory) configuration used when Type is
	// BackendTypeHybrid; see DefaultHybridConfig.
	L1Config *Config
	// RedisPrefix is prepended to keys stored in Redis (default "traefikoidc:").
	RedisPrefix string
	// Type selects the backend implementation.
	Type BackendType
	// RedisAddr is the Redis server address to dial.
	RedisAddr string
	// RedisPassword is the credential used to authenticate to Redis, if any.
	RedisPassword string
	// TLSServerName is the name verified against the server certificate and
	// sent as SNI when EnableTLS is set. Per the commit notes it falls back
	// to the host part of RedisAddr when empty — confirm against the pool code.
	TLSServerName string
	// PoolSize is the connection pool size for the Redis backend.
	PoolSize int
	// RedisDB is the logical Redis database number to select.
	RedisDB int
	// CleanupInterval is how often the memory backend evicts expired entries.
	CleanupInterval time.Duration
	// MaxMemoryBytes bounds the memory backend's footprint.
	MaxMemoryBytes int64
	// MaxSize bounds the number of entries held by the memory backend.
	MaxSize int
	// HealthCheckInterval is the period between Redis health checks when
	// EnableHealthCheck is set.
	HealthCheckInterval time.Duration
	// AsyncWrites, when set on a hybrid config, lets L2 writes happen off the
	// request path.
	AsyncWrites bool
	// EnableCircuitBreaker enables the Redis circuit breaker.
	EnableCircuitBreaker bool
	// EnableHealthCheck enables periodic Redis health checks.
	EnableHealthCheck bool
	// EnableMetrics enables metrics collection for the backend.
	EnableMetrics bool
	// EnableTLS makes the Redis connection pool dial with TLS instead of
	// plaintext (TLS 1.2 minimum per the commit notes). It is not set by any
	// default constructor in this file, so plaintext is the default.
	EnableTLS bool
	// TLSSkipVerify disables verification of the Redis server certificate.
	// It trades away protection against an impersonating server, so it is
	// intended only for self-signed test deployments; production should leave
	// it false and rely on a trusted CA plus TLSServerName instead.
	TLSSkipVerify bool
}
// DefaultConfig returns the configuration used for the in-memory backend:
// at most 1000 entries, a 50 MiB memory cap, a five-minute cleanup interval
// and metrics enabled. All other fields keep their zero values.
func DefaultConfig() *Config {
	cfg := new(Config)
	cfg.Type = BackendTypeMemory
	cfg.MaxSize = 1000
	cfg.MaxMemoryBytes = 50 << 20 // 50 MiB
	cfg.CleanupInterval = 5 * time.Minute
	cfg.EnableMetrics = true
	return cfg
}
// DefaultRedisConfig returns the configuration used for the Redis backend
// at the given address: database 0, the "traefikoidc:" key prefix, a pool of
// 10 connections, circuit breaker and 30-second health checks enabled, and
// metrics enabled. TLS is not enabled here; callers that need it set
// EnableTLS (and, where required, TLSServerName) on the returned value.
func DefaultRedisConfig(addr string) *Config {
	var cfg Config
	cfg.Type = BackendTypeRedis
	cfg.RedisAddr = addr
	cfg.RedisDB = 0 // select the default logical database explicitly
	cfg.RedisPrefix = "traefikoidc:"
	cfg.PoolSize = 10
	cfg.EnableCircuitBreaker = true
	cfg.EnableHealthCheck = true
	cfg.HealthCheckInterval = 30 * time.Second
	cfg.EnableMetrics = true
	return &cfg
}
// DefaultHybridConfig returns the configuration used for the two-tier
// backend: a small memory L1 (500 entries, 10 MiB, one-minute cleanup) in
// front of a Redis L2 built by DefaultRedisConfig(redisAddr). Writes to L2
// are asynchronous and metrics are enabled on the outer config.
func DefaultHybridConfig(redisAddr string) *Config {
	l1 := &Config{
		Type:            BackendTypeMemory,
		MaxSize:         500,
		MaxMemoryBytes:  10 << 20, // 10 MiB for L1
		CleanupInterval: time.Minute,
	}
	l2 := DefaultRedisConfig(redisAddr)

	cfg := &Config{
		Type:          BackendTypeHybrid,
		AsyncWrites:   true,
		EnableMetrics: true,
	}
	cfg.L1Config = l1
	cfg.L2Config = l2
	return cfg
}