-
Notifications
You must be signed in to change notification settings - Fork 1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
PAPERLESS_REDIS may be set via docker secrets #1405
Conversation
Hello @DennisGaida, thank you very much for submitting this PR to us! This is what will happen next:
Please allow up to 7 days for an initial review. We're all very excited about new pull requests but we only do this as a hobby. |
This is bringing some commits from main over. Could you rebase the branch to dev? |
The change looks simple enough. One other location which should be update is here. If the URL includes a password, it shouldn't be printed. Maybe just a hostname or some other information to show the connection was made. |
I'm having trouble rebasing my branch to Good catch with the URL logging, this could be made safer with something like this regex: |
Best practice is for redis to be at least password protected: https://redis.io/docs/getting-started/. Paperless uses `Redis.from_url` (https://github.com/paperless-ngx/paperless-ngx/blob/5fe435048bc6eb77f9473afc11588427846456ab/docker/wait-for-redis.py#L24) to establish a connection to redis which already enables us to use username/password, e.g. `redis://username:password@redis:6379`. The redis connection string therefore is a secret and needs to be able to leverage docker secrets, hence this PR.
Alright, got the rebase fixed and we're now on I added your suggestion @stumpylog to hide the credentials from the log (if they exist) - though I'm not sure whether this would be the best way/practice to go about things. |
Hm, yeah I'm wondering if it's better to not print out the URL at all, rather than risk exposing a password in the log. Ideally if the connection fails, people would know to look at their Redis config. |
Also good point. You can cherry pick whatever you want. Removed logging the URL in the latest commit. |
This pull request has been automatically locked since there has not been any recent activity after it was closed. Please open a new discussion or issue for related concerns. |
Proposed change
Best practice is for redis to be at least password protected: https://redis.io/docs/getting-started/.
Paperless uses
Redis.from_url
to establish a connection to redis which already enables us to use username/password, e.g.redis://username:password@redis:6379
.paperless-ngx/docker/wait-for-redis.py
Line 24 in 5fe4350
The redis connection string therefore is a secret and needs to be able to leverage docker secrets, hence this PR.
Type of change
Checklist:
pre-commit
hooks, see documentation.