Nextcloud, Redis and TLS

Hello community, hoping someone has faced this problem already:

I have an item with nextcloud and encrypted redis (tls):

We have a cluster with 3 nextcloud nodes. These use redis as distributed memcache. Now the demand is that the connection has to be encrypted.
How can I configure this in the nextcloud? In the docu* I don’t see a parameter for tls.

The memcache has also to be enabled in the php-fpm config. At the moment it looks like that:

session.save_handler = redis
session.save_path = "tcp://redis.nextcloud.our.domain:6379?auth=mypassword"

How to do this in tls?

Any suggestion would be appreciated. Thanks already for helping.

*Memory caching — Nextcloud latest Administration Manual latest documentation

Nextcloud version: 20.0.5
Operating system and version: Debian buster
Apache or nginx version: 2.4.46
PHP version: 7.3

The output of your Nextcloud log in Admin > Logging:

  Error    core               RedisException: read error on connection at lib/private/Memcache/Redis.php line 55                          2021-02-02T10:50:41+01:00 
                                                                                                                                                                    
                               0. lib/private/Memcache/Redis.php line 55                                                                                            
                                  Redis->get("83b9a4e050fb77760eab5258e89000ad\/JS-74b07fdfdead7b086d03920074347d7ecore-merged- ... s")                             
                               1. lib/private/Template/JSCombiner.php line 123                                                                                      
                                  OC\Memcache\Redis->get("core-merged-template-prepend.js.deps")                                                                    
                               2. lib/private/Template/JSCombiner.php line 103                                                                                      
                                  OC\Template\JSCombiner->isCached(                                                                                                 
                                    "merged-template-prepend.js.deps",                                                                                              
                                    OC\Files\SimpleFS\SimpleFolder {}                                                                                               
                                  )                                                                                                                                 
                               3. lib/private/Template/JSResourceLocator.php line 116                                                                               
                                  OC\Template\JSCombiner->process(                                                                                                  
                                    "\/srv\/node1.web.nextcloud-test....\/nextcloud",                                                                       
                                    "core\/js\/merged-template-prepend.json",                                                                                       
                                    "core"                                                                                                                          
                                  )                                                                                                                                 
                               4. .../JSResourceLocator.php line 72                                                                                                 
                                  OC\Template\JSResourceLocator->cacheAndAppendCombineJsonIfExist(                                                                  
                                    "\/srv\/node1.web.nextcloud-t ... d",                                                                                           
                                    "core\/js\/merged-template-pr ... n"                                                                                            
                                  )                                                                                                                                 
                               5. lib/private/Template/ResourceLocator.php line 79                                                                                  
                                  OC\Template\JSResourceLocator->doFind("js\/merged-template-prepend")                                                              
                               6. lib/private/TemplateLayout.php line 364                                                                                           
                                  OC\Template\ResourceLocator->find(["core\/js\/dist\/main","js\/dist\/files_fileinfo","js\/dis ... "])                             
                               7. lib/private/TemplateLayout.php line 194                                                                                           
                                  OC\TemplateLayout::findJavascriptFiles(["core\/js\/dist\/main","js\/dist\/files_fileinfo","js ... "])                             
                               8. lib/private/legacy/OC_Template.php line 183                                                                                       
                                  OC\TemplateLayout->__construct("error", "")                                                                                       
                               9. lib/private/Template/Base.php line 132                                                                                            
                                  OC_Template->fetchPage(                                                                                                           
                                                                                                                                                                    
                                  )                                                                                                                                 
                              10. lib/private/legacy/OC_Template.php line 332                                                                                       
                                  OC\Template\Base->printPage(                                                                                                      
                                                                                                                                                                    
                                  )                                                                                                                                 
                              11. lib/base.php line 434                                                                                                             
                                  OC_Template::printExceptionErrorPage(Exception {}, 500)                                                                           
                              12. lib/base.php line 649                                                                                                             
                                  OC::initSession(                                                                                                                  
                                                                                                                                                                    
                                  )                                                                                                                                 
                              13. lib/base.php line 1091                                                                                                            
                                  OC::init(                                                                                                                         
                                                                                                                                                                    
                                  )                                                                                                                                 
                              14. status.php line 37                                                                                                                
                                  require_once("\/srv\/node1.web.nextcloud-test....\/nextcloud\/lib\/base.php")   

(when tls is activated on redis)

Meanwhile we helped ourselves by installing a local haproxy on each web server which connects with tls to the redis cluster. The config within nextcloud can easily be done with redis on localhost (which is in fact the haproxy instance):

'redis' =>
array (
  'host' => '127.0.0.1',
  'port' => '6379',
  'password' => 'topsecret'
),

But it is not possible to configure redis as session cache in the php-fpm config. In the log we get the error:

Error: session_write_close(): Failed to write session data (redis). Please verify that the current setting of session.save_path is correct (tcp://127.0.0.1:6379?auth=topsecret)

Therefore we did not configure redis in php at all and keep the local session cache (which only contains encrypted session data, all other cache data are in redis).
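
The local HAProxy hop described in the post above could look roughly like the fragment below. This is an added example, not the poster's actual configuration: the CA file path, the timeout values and the assumption that the Redis TLS listener is on port 6379 are placeholders.

```haproxy
# /etc/haproxy/haproxy.cfg fragment (added example).
# Lines marked "assumed" use values that do not come from the thread.

defaults
    mode    tcp              # Redis is not HTTP: forward raw TCP
    timeout connect 5s       # assumed
    timeout client  1h       # assumed
    timeout server  1h       # assumed

listen redis_tls
    # Plaintext listener that Nextcloud connects to. Bound to loopback only,
    # so the unencrypted hop never leaves the web server.
    bind 127.0.0.1:6379

    # Encrypted hop to Redis (port assumed). "verify required" with "ca-file"
    # makes HAProxy reject a server certificate that does not chain to the
    # given CA (path assumed); "verifyhost" checks the name in that
    # certificate; "sni" sends the host name in the TLS handshake.
    server redis1 redis.nextcloud.our.domain:6379 ssl verify required ca-file /etc/ssl/certs/redis-ca.pem verifyhost redis.nextcloud.our.domain sni str(redis.nextcloud.our.domain) ssl-min-ver TLSv1.2 check
```

`haproxy -c -f /etc/haproxy/haproxy.cfg` validates the file before a reload. With this layout TLS covers only the HAProxy-to-Redis leg; the Redis password still crosses the loopback interface in clear text, so any local process able to capture loopback traffic can read it.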

Perhaps you can use an SSH tunnel. But an SSH tunnel is not TLS. Sorry.
Redis SSH Tunnels
Connecting to redis via SSH tunneling | by Alexander Presber | momolog | Medium

Thanks, but an haproxy connection seems a bit more robust to us, because it is done on demand while ssh, stunnel or similar have to be kept open all the time.

This helped me with redis tls.

https://geek2gether.com/topic/nextcloud-remote-redis-connection-and-tls/

Try this and maybe remove the params you don’t need.