fix: 支持跳过 Redis TLS 证书验证（自签/共享证书场景）

[Silentely]

Summary

Add support for skipping Redis TLS certificate verification via new REDIS_TLS_REJECT_UNAUTHORIZED environment variable, enabling connections to Redis servers using self-signed or shared certificates.

Problem

使用 rediss:// 连接 Redis 时，如果 Redis 服务使用自签证书或共享证书，会因 TLS 证书验证失败导致连接无法建立。

错误表现：

{"action":"schedule_auto_cleanup_error","error":"Reached the max retries per request limit (which is 20)"}

连接持续重试直到达到最大次数，所有依赖 Redis 的功能（限流、Session、队列）均不可用。

Related Issues/PRs:

• Follow-up to 修复 Redis TLS 连接中的 SNI 配置问题 #93 - Extends the Redis TLS SNI fix to support certificate verification bypass
• Related to redis能否支持tls？ #92 - Original Redis TLS support request
• Related to Fix #19: 修复 Bull Queue Redis 连接配置问题 #20 / 在portainer部署,app服务无法连接到redis #19 - Earlier Bull Queue Redis connection fixes

Solution

新增环境变量 REDIS_TLS_REJECT_UNAUTHORIZED，允许用户在自签证书场景下跳过证书验证。

Key Changes

文件	变更内容
.env.example	新增配置项说明
src/lib/redis/client.ts	主 Redis 客户端支持 rejectUnauthorized，添加 buildTlsConfig() 工具函数
src/lib/log-cleanup/cleanup-queue.ts	Bull 清理队列支持
src/lib/notification/notification-queue.ts	Bull 通知队列支持
scripts/clear-session-bindings.ts	Session 清理脚本支持
README.md / README.en.md	配置表格新增说明

Usage

# .env 配置（仅 rediss:// 协议生效）
REDIS_URL=rediss://user:pass@host:6379
REDIS_TLS_REJECT_UNAUTHORIZED=false

Default Behavior

• true（默认）：验证 TLS 证书，适用于正规 CA 签发的证书
• false：跳过证书验证，适用于自签证书或共享证书场景

Testing

• 本地 TypeScript 类型检查通过
• 使用自签证书的 rediss:// 连接测试通过
• 日志正确输出 rejectUnauthorized 状态

Checklist

• Code follows project conventions
• Self-review completed
• Documentation updated (README.md, README.en.md, .env.example)
• All Redis connection points updated consistently

---

Description enhanced by Claude AI

[gemini-code-assist]

Summary of Changes

Hello @Silentely, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

此拉取请求旨在解决当 Redis 服务使用自签或共享 TLS 证书时，通过 "rediss://" 协议连接 Redis 导致证书验证失败的问题。通过引入 "REDIS_TLS_REJECT_UNAUTHORIZED" 环境变量，用户现在可以灵活地选择跳过 TLS 证书验证，从而确保在非标准证书环境下，依赖 Redis 的各项功能（如限流、Session 和队列）能够正常运行，提高了系统的兼容性和稳定性。

Highlights

• 解决 Redis TLS 证书验证问题: 修复了使用 "rediss://" 连接 Redis 时，因自签或共享证书导致的 TLS 证书验证失败问题，确保服务正常运行。
• 新增环境变量 REDIS_TLS_REJECT_UNAUTHORIZED: 引入了一个新的环境变量，允许用户控制是否跳过 Redis TLS 证书验证，默认值为 "true"（验证）。
• 支持自签/共享证书场景: 通过将 "REDIS_TLS_REJECT_UNAUTHORIZED" 设置为 "false"，可以兼容自签证书或共享证书的 Redis 服务，避免连接失败。
• 影响范围广泛: 此变更应用于主 Redis 客户端、Bull 清理队列、Bull 通知队列以及 Session 清理脚本的 Redis 连接，确保所有相关功能都能正确处理 TLS 证书验证。
• 文档更新: ".env.example"、"README.md" 和 "README.en.md" 已更新，以反映新的配置项及其使用说明。

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

本次 PR 旨在解决 Redis 使用自签证书时 TLS 验证失败的问题，通过引入 REDIS_TLS_REJECT_UNAUTHORIZED 环境变量来允许跳过证书验证，方案是合理的。代码变更清晰地实现了该功能，并且更新了相关文档和示例文件，值得肯定。

重要: 我发现一个新的环境变量 REDIS_TLS_REJECT_UNAUTHORIZED 没有被添加到 src/lib/config/env.schema.ts 的 Zod schema 中。这是一个关键的遗漏，会导致该配置缺少类型验证和自动类型转换（例如，从字符串到布尔值）。请务必将它添加到 EnvSchema 中，以确保配置的健壮性和类型安全。

此外，我的主要反馈集中在代码重用上：

• 您在 src/lib/redis/client.ts 中创建了 buildTlsConfig 函数，这是一个很好的实践。然而，类似的 TLS 配置逻辑在多个文件中仍然存在重复。
• 我建议将 buildTlsConfig 函数导出，并在 scripts/clear-session-bindings.ts、src/lib/log-cleanup/cleanup-queue.ts 和 src/lib/notification/notification-queue.ts 中重用它，以减少代码冗余，提高可维护性。相关的具体建议请见文件评论。

从安全角度看，禁用证书验证会带来中间人攻击的风险。您在文档和日志中对此进行了说明，这很好，能帮助用户意识到该选项的潜在风险。请确保用户了解这只应在受信任的网络环境中使用。

[github-actions]

Code Review Summary

This PR adds support for skipping Redis TLS certificate verification via a new environment variable REDIS_TLS_REJECT_UNAUTHORIZED. The change is well-documented and addresses a real user need for self-signed certificate scenarios.

PR Size: XS

• Lines changed: 63 (43 additions, 20 deletions)
• Files changed: 7

Issues Found

Category	Critical	High	Medium	Low
Logic/Bugs	0	1	0	0
Security	0	0	0	0
Error Handling	0	0	0	0
Types	0	0	0	0
Comments/Docs	0	0	0	0
Tests	0	0	1	0
Simplification	0	0	0	0

High Priority Issues (Should Fix)

1. [LOGIC-BUG] Inconsistent TLS configuration in buildRedisOptionsForUrl

File: src/lib/redis/client.ts:49

Problem: The buildRedisOptionsForUrl function still uses an empty object {} for TLS options:

const tlsOptions = isTLS ? { tls: {} as Record<string, unknown> } : {};

However, getRedisClient now uses the new buildTlsConfig() helper. This inconsistency means any code using buildRedisOptionsForUrl directly will NOT respect the REDIS_TLS_REJECT_UNAUTHORIZED setting.

Suggested fix:

const tlsOptions = isTLS ? { tls: buildTlsConfig(redisUrl) } : {};

Medium Priority Issues (Consider Fixing)

2. [TEST-MISSING-CRITICAL] No unit tests for the new TLS configuration

Problem: The new buildTlsConfig function and the environment variable parsing logic have no automated tests. This makes it harder to verify the behavior and could lead to regressions.

Suggested approach: Add unit tests covering:

• REDIS_TLS_REJECT_UNAUTHORIZED=true (default behavior)
• REDIS_TLS_REJECT_UNAUTHORIZED=false (skip verification)
• URL parsing success and failure scenarios

Review Coverage

• Logic and correctness
• Security (OWASP Top 10) - The security warning about disabling TLS verification is adequately documented
• Error handling - Fallback behavior in catch blocks is consistent with existing patterns
• Type safety
• Documentation accuracy - README and .env.example updates are accurate
• Test coverage - No new tests added (noted above)
• Code clarity - Good

---

Automated review by Claude AI