odcs

Clone

#263 Allow using SSL with SNI headers in Celery broker URL.
Merged 5 years ago by jkaluza. Opened 5 years ago by jkaluza.
jkaluza/odcs merge-repo-two-repos  into  master

file modified
+30 
@@ -23,6 +23,7 @@ 
 

  

  import os
 

  from celery import Celery
 

+ from six.moves.urllib.parse import urlparse
 

  

  from odcs.server import conf, db
 

  from odcs.server.backend import (
 
@@ -45,6 +46,35 @@ 
 

      broker_url = conf.celery_broker_url
 

  else:
 

      broker_url = "amqp://localhost"
 

+ 

+ # Although the Celery handles amqps using Kombu Python module,
 

+ # it does not do that correctly.
 

+ #
 

+ # When using "amqps://" protocol, Kombu uses SSLTransport which effectively
 

+ # sets the `amqp.Connection.ssl = True`. This enables SSL, but it does it
 

+ # in a way when we cannot set any other SSL options like client cert/key
 

+ # or for example SNI hostname which needs to be used.
 

+ #
 

+ # This is done in this commit:
 

+ # In the https://github.com/celery/kombu/commit/701672c2ba732883869a42f061a10dbfc8fe2f30
 

+ #
 

+ # To workaround this, we detect "amqps" here and sets the `broker_use_ssl`. This
 

+ # allows us to set any SSL options like client cert/key or SNI header.
 

+ # The `broker_use_ssl` is directly passed to `amqp.Connection.ssl` which handles
 

+ # it.
 

+ #
 

+ # In the end, we change the `broker_url` protocol from "amqps" to "amqp", so
 

+ # the Celery wont' override the `amps.Connection.ssl` with `True`.
 

+ if broker_url.startswith("amqps://"):
 

+     netloc = urlparse(broker_url).netloc
 

+     host_port = netloc.split("@")[-1]
 

+     host = host_port.split(":")[0]
 

+     broker_use_ssl = {
 

+         'server_hostname': host
 

+     }
 

+     conf.celery_config.update({"broker_use_ssl": broker_use_ssl})
 

+     broker_url = broker_url.replace("amqps://", "amqp://")
 

+ 

  celery_app = Celery("backend", broker=broker_url)
 

  celery_app.conf.update(conf.celery_config)

Although the Celery handles amqps using Kombu Python module,
it does not do that correctly.

When using "amqps://" protocol, Kombu uses SSLTransport which effectively
sets the amqp.Connection.ssl = True. This enables SSL, but it does it
in a way when we cannot set any other SSL options like client cert/key
or for example SNI hostname which we want to use by default everytime.

This is done in this commit:
https://github.com/celery/kombu/commit/701672c2ba732883869a42f061a10dbfc8fe2f30

To workaround this, we detect "amqps" in this commit and sets the broker_use_ssl.
This allows us to set any SSL options like client cert/key or SNI header.
The broker_use_ssl is directly passed to amqp.Connection.ssl which handles
it. For more info see:

http://docs.celeryproject.org/en/latest/userguide/configuration.html#std:setting-broker_use_ssl

In the end, we change the broker_url protocol from "amqps" to "amqp", so
the Celery does not override the amps.Connection.ssl with True in mentioned
SSLTransport.

rebased onto 5d175ad
5 years ago

pretty please pagure-ci rebuild
5 years ago

:thumbsup:

Pull-Request has been merged by jkaluza
5 years ago
Changes Summary 1
+30 -0
file changed
server/odcs/server/celery_tasks.py
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.