* When REDIS_URL targets a bare IP over `rediss://` (e.g. trigger.dev's
 * PrivateLink VPCE IP), default TLS hostname verification fails — the cert
 * is issued for the ElastiCache DNS name, not the IP. Override SNI with
 * REDIS_TLS_SERVERNAME (set to the DNS the cert was issued for).
 *
 * For DNS
| 17 | * For DNS hosts: no override needed, default verification works. |
| 18 | */ |
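/**
 * Resolve the TLS `servername` (SNI) override for the Redis connection.
 *
 * Only a `rediss://` URL whose host is an IP literal needs the override:
 * certificate hostname verification compares the cert's DNS name against
 * the connection host, which an IP can never match. The returned object
 * carries only `servername` — the name the certificate is checked against —
 * and never disables verification itself.
 *
 * @param url - the REDIS_URL value; `undefined` or an unparseable string
 *   yields `undefined`
 * @returns `{ servername }` for an IP-literal `rediss://` host (IPv4 or
 *   bracketed IPv6), otherwise `undefined`
 * @throws Error when the host is an IP literal over `rediss://` and
 *   `env.REDIS_TLS_SERVERNAME` is unset — failing fast here beats a
 *   confusing handshake error at connect time
 */
function resolveRedisTlsOptions(url: string | undefined): { servername: string } | undefined {
  if (!url) return undefined
  let parsed: URL
  try {
    parsed = new URL(url)
  } catch {
    return undefined
  }
  // Plain redis:// performs no TLS handshake, so there is no SNI to set.
  if (parsed.protocol !== 'rediss:') return undefined
  // WHATWG URL keeps the brackets on IPv6 literals ("[::1]"). Both literal
  // forms defeat hostname verification, so both require the override;
  // checking IPv4 alone would let an IPv6 endpoint fall through to the
  // generic handshake failure.
  const hostIsIpv4 = /^\d{1,3}(\.\d{1,3}){3}$/.test(parsed.hostname)
  const hostIsIpv6 = /^\[[0-9a-f:.%]+\]$/i.test(parsed.hostname)
  if (!hostIsIpv4 && !hostIsIpv6) return undefined
  if (!env.REDIS_TLS_SERVERNAME) {
    throw new Error(
      'REDIS_TLS_SERVERNAME must be set when REDIS_URL targets an IP over rediss://. ' +
        'TLS cert hostname verification cannot match an IP — set REDIS_TLS_SERVERNAME ' +
        'to the DNS name the cert was issued for (the ElastiCache primary endpoint).'
    )
  }
  return { servername: env.REDIS_TLS_SERVERNAME }
}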
| 39 | |
| 40 | /** |
| 41 | * Shared connection defaults — keepAlive, connectTimeout, enableOfflineQueue, |