From 0bb22dee0c9bc68e216fb2f40ee9a1a9bd587bed Mon Sep 17 00:00:00 2001
From: Arthur Hanson
Date: Thu, 12 Feb 2026 05:35:20 -0800
Subject: [PATCH] Allow REDIS KWARGS to be set in configuration.py (#21377)
* Allow REDIS KWARGS to be set in configuration.py
* cleanup
* cleanup
* cleanup
* Update netbox/netbox/settings.py
Co-authored-by: Jeremy Stretch
* Update netbox/netbox/settings.py
Co-authored-by: Jeremy Stretch
* document in REDIS config section
---------
Co-authored-by: Jeremy Stretch
---
 docs/configuration/required-parameters.md | 42 +++++++++++++++++++++++
 netbox/netbox/settings.py | 10 ++++++
 2 files changed, 52 insertions(+)
diff --git a/docs/configuration/required-parameters.md b/docs/configuration/required-parameters.md
index cced030b1..72573afad 100644
--- a/docs/configuration/required-parameters.md
+++ b/docs/configuration/required-parameters.md
@@ -200,6 +200,48 @@ REDIS = {
 !!! note
 It is permissible to use Sentinel for only one database and not the other.
+### SSL Configuration
+
+If you need to configure SSL/TLS for Redis beyond the basic `SSL`, `CA_CERT_PATH`, and `INSECURE_SKIP_TLS_VERIFY` options (for example, client certificates, a specific TLS version, or custom ciphers), you can pass additional parameters via the `KWARGS` key in either the `tasks` or `caching` subsection.
+
+NetBox already maps `CA_CERT_PATH` to `ssl_ca_certs` and (for caching) `INSECURE_SKIP_TLS_VERIFY` to `ssl_cert_reqs`; only add `KWARGS` when you need to override or extend those settings (for example, to supply client certificates or restrict TLS version or ciphers).
+
+* `KWARGS` - Optional dictionary of additional SSL/TLS (or other) parameters passed to the Redis client. These are passed directly to the underlying Redis client: for `tasks` to [redis-py](https://redis-py.readthedocs.io/en/stable/connections.html), and for `caching` to the [django-redis](https://github.com/jazzband/django-redis#configure-as-cache-backend) connection pool.
+
+Example:
+
+```python
+REDIS = {
+ 'tasks': {
+ 'HOST': 'redis.example.com',
+ 'PORT': 1234,
+ 'SSL': True,
+ 'CA_CERT_PATH': '/etc/ssl/certs/ca.crt',
+ 'KWARGS': {
+ 'ssl_certfile': '/path/to/client-cert.pem',
+ 'ssl_keyfile': '/path/to/client-key.pem',
+ 'ssl_min_version': ssl.TLSVersion.TLSv1_2,
+ 'ssl_ciphers': 'HIGH:!aNULL',
+ },
+ },
+ 'caching': {
+ 'HOST': 'redis.example.com',
+ 'PORT': 1234,
+ 'SSL': True,
+ 'CA_CERT_PATH': '/etc/ssl/certs/ca.crt',
+ 'KWARGS': {
+ 'ssl_certfile': '/path/to/client-cert.pem',
+ 'ssl_keyfile': '/path/to/client-key.pem',
+ 'ssl_min_version': ssl.TLSVersion.TLSv1_2,
+ 'ssl_ciphers': 'HIGH:!aNULL',
+ },
+ }
+}
+```
+
+!!! note
+ If you use `ssl.TLSVersion` in your configuration (e.g. `ssl_min_version`), add `import ssl` at the top of your configuration file.
+
 ---
 ## SECRET_KEY
diff --git a/netbox/netbox/settings.py b/netbox/netbox/settings.py
index ac4c86414..c98d3f8d0 100644
--- a/netbox/netbox/settings.py
+++ b/netbox/netbox/settings.py
@@ -408,6 +408,11 @@ if CACHING_REDIS_CA_CERT_PATH:
 CACHES['default']['OPTIONS'].setdefault('CONNECTION_POOL_KWARGS', {})
 CACHES['default']['OPTIONS']['CONNECTION_POOL_KWARGS']['ssl_ca_certs'] = CACHING_REDIS_CA_CERT_PATH
+# Merge in KWARGS for additional parameters
+if caching_redis_kwargs := REDIS['caching'].get('KWARGS'):
+ CACHES['default']['OPTIONS'].setdefault('CONNECTION_POOL_KWARGS', {})
+ CACHES['default']['OPTIONS']['CONNECTION_POOL_KWARGS'].update(caching_redis_kwargs)
+
 #
 # Sessions
@@ -817,6 +822,11 @@ if TASKS_REDIS_CA_CERT_PATH:
 RQ_PARAMS.setdefault('REDIS_CLIENT_KWARGS', {})
 RQ_PARAMS['REDIS_CLIENT_KWARGS']['ssl_ca_certs'] = TASKS_REDIS_CA_CERT_PATH
+# Merge in KWARGS for additional parameters
+if tasks_redis_kwargs := TASKS_REDIS.get('KWARGS'):
+ RQ_PARAMS.setdefault('REDIS_CLIENT_KWARGS', {})
+ RQ_PARAMS['REDIS_CLIENT_KWARGS'].update(tasks_redis_kwargs)
+
 # Define named RQ queues
 RQ_QUEUES = {
 RQ_QUEUE_HIGH: RQ_PARAMS,
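Review bot: The caching merge applies `KWARGS` last with `.update()` and no validation, so an `ssl_ca_certs` or `ssl_cert_reqs` entry in `KWARGS` silently replaces the value derived from `CA_CERT_PATH` (set just above) and, per the docs hunk, from `INSECURE_SKIP_TLS_VERIFY`. That precedence is documented as intended, but it means certificate verification can now be relaxed without `INSECURE_SKIP_TLS_VERIFY` being set, so the comment should say so for anyone auditing the TLS posture, e.g. `# KWARGS is merged last and overrides ssl_ca_certs / ssl_cert_reqs derived from the options above`. A non-dict `KWARGS` currently fails inside `dict.update()` with an error that does not name the setting; a guard such as `if not isinstance(caching_redis_kwargs, dict): raise ImproperlyConfigured("REDIS['caching']['KWARGS'] must be a dictionary")` would fix that, assuming `ImproperlyConfigured` is already imported in this file (not visible here). The same two points apply to `tasks_redis_kwargs` in the second hunk.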
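Review bot: The tasks merge writes only to `RQ_PARAMS['REDIS_CLIENT_KWARGS']`, so it may have no effect when `tasks` is configured with Sentinel; how `RQ_PARAMS` is built for that case is outside this hunk. If the Sentinel path takes its connection options from a different key, client certificates or an `ssl_min_version` supplied through `KWARGS` would be dropped without any error, and the operator would believe a stricter TLS policy is in force than the one actually used. This is worth confirming against the Sentinel branch; then either merge into the key that branch reads or state the limit in the comment, e.g. `# NOTE: applied to direct connections only; confirm behaviour with Sentinel`.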