You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Ensure that all instances of ssl_secure_skip_verify have been correctly replaced with ssl_insecure_skip_verify throughout the documentation, and no references to the old flag remain.
-`storage.use_ssl`: Set this to true to enable TLS encryption for the connection.
-`storage.ssl_insecure_skip_verify`: A flag that, when set to true, instructs the application not to verify the Redis server's TLS certificate. This is not recommended for production due to the risk of `man-in-the-middle` attacks.
From **Tyk 5.3**, additional options are available for more granular control:
-`storage.ca_file`: Path to the Certificate Authority (CA) file for verifying the Redis server's certificate.
-`storage.cert_file` and `storage.key_file`: Paths to your application's certificate and private key files, necessary for mTLS where both parties verify each other's identity.
-`storage.max_version` and `storage.min_version`: Define the acceptable range of TLS versions, enhancing security by restricting connections to secure TLS protocols (1.2 or 1.3).
**Setting up an Insecure TLS Connection**-**Enable TLS**: By setting `"use_ssl": true`, you encrypt the connection.
-**Skip Certificate Verification**: Setting `"ssl_insecure_skip_verify": true` bypasses the server's certificate verification, suitable only for non-production environments.
**Setting up a Secure TLS Connection**- Ensure `use_ssl` is set to `true`.
- Set `ssl_insecure_skip_verify` to `false` to enforce certificate verification against the CA specified in `ca_file`.
- Specify the path to the CA file in `ca_file` for server certificate verification.
- Adjust `min_version` and `max_version` to secure TLS versions, ideally 1.2 and 1.3.
**Setting up a Mutual TLS (mTLS) Connection**- Follow the steps for a secure TLS connection.
- Provide paths for `cert_file` and `key_file` for your application's TLS certificate and private key, enabling Redis server to verify your application's identity.
**Example Gateway Configuration**```json"storage": {
"type": "redis",
"addrs": [
"server1:6379",
"server2:6380",
"server3:6381"
],
"use_ssl": true,
"ssl_insecure_skip_verify": false,
"ca_file": "/path/to/ca.crt",
"cert_file": "/path/to/client.crt",
"key_file": "/path/to/client.key",
"max_version": "1.3",
"min_version": "1.2",
"enable_cluster": true,
"optimisation_max_idle": 2000,
"optimisation_max_active": 4000
}
Troubleshooting Redis Cluster
If you find that Tyk components fail to initialise when using Redis clustering, for example the application does not start and the last log file entry shows a message such as Using clustered mode, try setting the environment variable REDIGOCLUSTER_SHARDCOUNT to 128 on all hosts which connect to the Redis Cluster i.e. Gateway, Dashboard, Pump, MDCB. E.g.
REDIGOCLUSTER_SHARDCOUNT=128
If setting to 128 does not resolve the issue, try 256 instead.
Configure Redis Sentinel
From v2.9.3 Redis Sentinel is supported.
Similar to Redis Cluster, our Gateway, Dashboard and Pump all support integration with Redis Sentinel.
To configure Tyk to work with Redis Sentinel, list your servers under addrs and set the master name in your Gateway, Dashboard, Pump and MDCB config. Unlike Redis Cluster, enable_cluster should not be set. Indicative config snippets as follows:
Supported Versions
Tyk 5.3 supports Redis 6.2.x, 7.0.x, and 7.2.x
Tyk 5.2.x and earlier supports Redis 6.0.x and Redis 6.2.x only.
When using Bitnami charts to install Redis Sentinel in k8s, a Redis service is exposed, which means that standard Redis config is required instead of the above setup, i.e. a single server in addrs and master_name is not required.
{{< /warning >}}
Support for Redis Sentinel AUTH
To support the use of Redis Sentinel AUTH (introduced in Redis 5.0.1) we have added the following global config settings in Tyk v3.0.2:
In the Tyk Gateway config file - sentinel_password
In the Tyk Dashboard config file - redis_sentinel_password
In the Tyk Pump config file - sentinel_password
In the Tyk Identity Broker config file - SentinelPassword
In the Tyk Synk config file - sentinel_password
These settings allow you to support Sentinel password-only authentication in Redis version 5.0.1 and above.
See the Redis and Sentinel authentication section of the Redis Sentinel docs for more details.
Configure Redis TLS Encryption
Redis supports SSL/TLS encryption from version 6 as an optional feature, enhancing the security of data in transit. To configure TLS or mTLS connections between an application and Redis, consider the following settings in Tyk's configuration files:
storage.use_ssl: Set this to true to enable TLS encryption for the connection.
storage.ssl_insecure_skip_verify: A flag that, when set to true, instructs the application not to verify the Redis server's TLS certificate. This is not recommended for production due to the risk of man-in-the-middle attacks.
From Tyk 5.3, additional options are available for more granular control:
storage.ca_file: Path to the Certificate Authority (CA) file for verifying the Redis server's certificate.
storage.cert_file and storage.key_file: Paths to your application's certificate and private key files, necessary for mTLS where both parties verify each other's identity.
storage.max_version and storage.min_version: Define the acceptable range of TLS versions, enhancing security by restricting connections to secure TLS protocols (1.2 or 1.3).
Setting up an Insecure TLS Connection
Enable TLS: By setting "use_ssl": true, you encrypt the connection.
Skip Certificate Verification: Setting "ssl_insecure_skip_verify": true bypasses the server's certificate verification, suitable only for non-production environments.
Setting up a Secure TLS Connection
Ensure use_ssl is set to true.
Set ssl_insecure_skip_verify to false to enforce certificate verification against the CA specified in ca_file.
Specify the path to the CA file in ca_file for server certificate verification.
Adjust min_version and max_version to secure TLS versions, ideally 1.2 and 1.3.
Setting up a Mutual TLS (mTLS) Connection
Follow the steps for a secure TLS connection.
Provide paths for cert_file and key_file for your application's TLS certificate and private key, enabling Redis server to verify your application's identity.
Verify that the examples provided for TLS configuration reflect the intended behavior of the ssl_insecure_skip_verify flag and are accurate for both insecure and secure setups.
-`storage.use_ssl`: Set this to true to enable TLS encryption for the connection.
-`storage.ssl_insecure_skip_verify`: A flag that, when set to true, instructs the application not to verify the Redis server's TLS certificate. This is not recommended for production due to the risk of `man-in-the-middle` attacks.
From **Tyk 5.3**, additional options are available for more granular control:
-`storage.ca_file`: Path to the Certificate Authority (CA) file for verifying the Redis server's certificate.
-`storage.cert_file` and `storage.key_file`: Paths to your application's certificate and private key files, necessary for mTLS where both parties verify each other's identity.
-`storage.max_version` and `storage.min_version`: Define the acceptable range of TLS versions, enhancing security by restricting connections to secure TLS protocols (1.2 or 1.3).
**Setting up an Insecure TLS Connection**-**Enable TLS**: By setting `"use_ssl": true`, you encrypt the connection.
-**Skip Certificate Verification**: Setting `"ssl_insecure_skip_verify": true` bypasses the server's certificate verification, suitable only for non-production environments.
**Setting up a Secure TLS Connection**- Ensure `use_ssl` is set to `true`.
- Set `ssl_insecure_skip_verify` to `false` to enforce certificate verification against the CA specified in `ca_file`.
- Specify the path to the CA file in `ca_file` for server certificate verification.
- Adjust `min_version` and `max_version` to secure TLS versions, ideally 1.2 and 1.3.
**Setting up a Mutual TLS (mTLS) Connection**- Follow the steps for a secure TLS connection.
- Provide paths for `cert_file` and `key_file` for your application's TLS certificate and private key, enabling Redis server to verify your application's identity.
**Example Gateway Configuration**```json"storage": {
"type": "redis",
"host": "server1",
"port": 6379,
"use_ssl": true,
"ssl_insecure_skip_verify": false,
"ca_file": "/path/to/ca.crt",
"cert_file": "/path/to/client.crt",
"key_file": "/path/to/client.key",
Emphasize that ssl_insecure_skip_verify should not be used in production environments and provide a brief explanation of the security implications, such as vulnerability to man-in-the-middle attacks.
-- **Skip Certificate Verification**: Setting `"ssl_insecure_skip_verify": true` bypasses the server's certificate verification, suitable only for non-production environments.+- **Skip Certificate Verification**: Setting `"ssl_insecure_skip_verify": true` bypasses the server's certificate verification. This should never be used in production environments as it makes the connection vulnerable to man-in-the-middle attacks.
Suggestion importance[1-10]: 9
Why: The suggestion effectively emphasizes the security risks of using ssl_insecure_skip_verify in production environments, providing a clear explanation of the vulnerability to man-in-the-middle attacks. This is a crucial addition to ensure users understand the implications of insecure TLS configurations.
9
Add cautionary note for insecure TLS
Clarify that setting ssl_insecure_skip_verify to true should only be used temporarily for debugging or testing purposes, as it exposes the connection to potential security risks.
-- **Skip Certificate Verification**: Setting `"ssl_insecure_skip_verify": true` bypasses the server's certificate verification, suitable only for non-production environments.+- **Skip Certificate Verification**: Setting `"ssl_insecure_skip_verify": true` bypasses the server's certificate verification. This should only be used temporarily for debugging or testing purposes, as it exposes the connection to potential security risks.
Suggestion importance[1-10]: 8
Why: The suggestion adds a critical security warning about the risks of using ssl_insecure_skip_verify in non-production environments, emphasizing its temporary use for debugging or testing. This improves the documentation's clarity and helps prevent potential misuse.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
User description
https://tyktech.atlassian.net/browse/TT-13914
PR Type
Documentation
Description
Corrected a typo in the configuration flag name.
Updated all instances of
ssl_secure_skip_verifytossl_insecure_skip_verify.Ensured consistency in documentation for TLS configuration examples.
Changes walkthrough 📝
tyk-open-source.md
Corrected TLS flag typo in open-source documentationtyk-docs/content/tyk-open-source.md
ssl_secure_skip_verifywithssl_insecure_skip_verify.tyk-self-managed.md
Corrected TLS flag typo in self-managed documentationtyk-docs/content/tyk-self-managed.md
ssl_secure_skip_verifywithssl_insecure_skip_verify.