feat(api): add TLS support for database, Redis, and RabbitMQ

Author: GenerQAQ

src/server/api/go/configs/config.yaml

@@ -16,16 +16,19 @@ database:
   maxOpen: 20
   maxIdle: 10
   autoMigrate: true
+  enableTLS: ${DATABASE_ENABLE_TLS}
 
 redis:
   addr: "${REDIS_HOST}:${REDIS_EXPORT_PORT}"
   password: "${REDIS_PASSWORD}"
   db: 0
   poolSize: 10
+  enableTLS: ${REDIS_ENABLE_TLS}
 
 rabbitmq:
   url: "amqp://${RABBITMQ_USER}:${RABBITMQ_PASSWORD}@${RABBITMQ_HOST}:${RABBITMQ_EXPORT_PORT}/${RABBITMQ_VHOST_ENCODED}"
   prefetch: 10
+  enableTLS: ${RABBITMQ_ENABLE_TLS}
 
 s3:
   endpoint: "${S3_ENDPOINT}"

src/server/api/go/internal/bootstrap/container.go

@@ -2,6 +2,8 @@ package bootstrap
 
 import (
 	"context"
+	"crypto/tls"
+	"strings"
 	"time"
 
 	"github.com/memodb-io/Acontext/internal/config"
@@ -80,6 +82,23 @@ func BuildContainer() *do.Injector {
 	// RabbitMQ Connection
 	do.Provide(inj, func(i *do.Injector) (*amqp.Connection, error) {
 		cfg := do.MustInvoke[*config.Config](i)
+
+		// Check if TLS is enabled via config or URL protocol
+		useTLS := cfg.RabbitMQ.EnableTLS || strings.HasPrefix(cfg.RabbitMQ.URL, "amqps://")
+
+		if useTLS {
+			// Use TLS configuration with minimum TLS 1.2
+			tlsConfig := &tls.Config{
+				MinVersion: tls.VersionTLS12,
+			}
+			// Convert amqp:// to amqps:// if needed
+			url := cfg.RabbitMQ.URL
+			if strings.HasPrefix(url, "amqp://") {
+				url = strings.Replace(url, "amqp://", "amqps://", 1)
+			}
+			return amqp.DialTLS(url, tlsConfig)
+		}
+
 		return amqp.Dial(cfg.RabbitMQ.URL)
 	})
 

src/server/api/go/internal/config/config.go

@@ -32,13 +32,15 @@ type DBCfg struct {
 	MaxOpen     int
 	MaxIdle     int
 	AutoMigrate bool
+	EnableTLS   bool
 }
 
 type RedisCfg struct {
-	Addr     string
-	Password string
-	DB       int
-	PoolSize int
+	Addr      string
+	Password  string
+	DB        int
+	PoolSize  int
+	EnableTLS bool
 }
 
 type MQExchangeName struct {
@@ -52,6 +54,7 @@ type MQCfg struct {
 	URL          string
 	Queue        string
 	Prefetch     int
+	EnableTLS    bool
 	ExchangeName MQExchangeName
 	RoutingKey   MQRoutingKey
 }
@@ -96,17 +99,20 @@ func setDefaults(v *viper.Viper) {
 	v.SetDefault("root.apiBearerToken", "your-root-api-bearer-token")
 	v.SetDefault("root.projectBearerTokenPrefix", "sk-ac-")
 	v.SetDefault("database.dsn", "host=127.0.0.1 user=acontext password=helloworld dbname=acontext port=15432 sslmode=disable TimeZone=UTC")
+	v.SetDefault("database.enableTLS", false)
 	v.SetDefault("redis.addr", "127.0.0.1:16379")
 	v.SetDefault("redis.password", "helloworld")
 	v.SetDefault("redis.db", 0)
 	v.SetDefault("redis.poolSize", 10)
+	v.SetDefault("redis.enableTLS", false)
 	v.SetDefault("s3.endpoint", "http://127.0.0.1:19000")
 	v.SetDefault("s3.internalEndpoint", "http://127.0.0.1:19000")
 	v.SetDefault("s3.region", "auto")
 	v.SetDefault("s3.accessKey", "acontext")
 	v.SetDefault("s3.secretKey", "helloworld")
 	v.SetDefault("s3.bucket", "acontext-assets")
 	v.SetDefault("rabbitmq.url", "amqp://acontext:[email protected]:15672/%2F")
+	v.SetDefault("rabbitmq.enableTLS", false)
 	v.SetDefault("rabbitmq.exchangeName.sessionMessage", "session.message")
 	v.SetDefault("rabbitmq.routingKey.sessionMessageInsert", "session.message.insert")
 	v.SetDefault("core.baseURL", "http://127.0.0.1:8019")

src/server/api/go/internal/infra/cache/redis.go

@@ -2,19 +2,29 @@ package cache
 
 import (
 	"context"
+	"crypto/tls"
 
 	"github.com/memodb-io/Acontext/internal/config"
 	"github.com/redis/go-redis/extra/redisotel/v9"
 	"github.com/redis/go-redis/v9"
 )
 
 func New(cfg *config.Config) (*redis.Client, error) {
-	rdb := redis.NewClient(&redis.Options{
+	opts := &redis.Options{
 		Addr:     cfg.Redis.Addr,
 		Password: cfg.Redis.Password,
 		DB:       cfg.Redis.DB,
 		PoolSize: cfg.Redis.PoolSize,
-	})
+	}
+
+	// Enable TLS if configured
+	if cfg.Redis.EnableTLS {
+		opts.TLSConfig = &tls.Config{
+			MinVersion: tls.VersionTLS12,
+		}
+	}
+
+	rdb := redis.NewClient(opts)
 
 	if err := rdb.Ping(context.Background()).Err(); err != nil {
 		return nil, err

src/server/api/go/internal/infra/db/gorm.go

@@ -1,6 +1,8 @@
 package db
 
 import (
+	"regexp"
+	"strings"
 	"time"
 
 	"github.com/memodb-io/Acontext/internal/config"
@@ -14,7 +16,26 @@ func New(cfg *config.Config) (*gorm.DB, error) {
 	gcfg := &gorm.Config{
 		Logger: logger.Default.LogMode(logger.Warn),
 	}
-	db, err := gorm.Open(postgres.Open(cfg.Database.DSN), gcfg)
+
+	// Adjust DSN sslmode based on EnableTLS configuration
+	dsn := cfg.Database.DSN
+	if cfg.Database.EnableTLS {
+		// Replace sslmode=disable with sslmode=require when TLS is enabled
+		// Use regex to handle various formats (sslmode=disable, sslmode=disable, etc.)
+		sslmodeRegex := regexp.MustCompile(`(?i)\bsslmode\s*=\s*\w+`)
+		if sslmodeRegex.MatchString(dsn) {
+			// Replace existing sslmode
+			dsn = sslmodeRegex.ReplaceAllString(dsn, "sslmode=require")
+		} else {
+			// Append sslmode if not present
+			if !strings.HasSuffix(dsn, " ") {
+				dsn += " "
+			}
+			dsn += "sslmode=require"
+		}
+	}
+
+	db, err := gorm.Open(postgres.Open(dsn), gcfg)
 	if err != nil {
 		return nil, err
 	}