Secure Setup of Redis Server With Stunnel on Ubuntu

Redis is an open source database that uses an in-memory storage model with optional disk writes for persistence. By default, Redis does not provide any encryption capabilities of its own.

We therefore encrypt the traffic between the Redis server and the client by wrapping it in an SSL/TLS tunnel using stunnel.

1. Installing Redis Server

Add the PPA and install the Redis server software on your first machine by typing:

sudo add-apt-repository ppa:chris-lea/redis-server
sudo apt-get update
sudo apt-get install redis-server

To make the stunnel service (installed in the next step) start at boot, you must also modify the /etc/default/stunnel4 file:

Enable the service to start at boot by setting the ENABLED option to "1":

ENABLED=1

Save and close the file.

2. Installing Stunnel on the Server

sudo apt-get install stunnel4

3. Creating an SSL Certificate on the Redis Server

sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/stunnel/redis-server.key -out /etc/stunnel/redis-server.crt

You will be prompted for information about the certificate you are creating. An example is shown below:

Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:Tamil Nadu
Locality Name (eg, city) []:Chennai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:E2E SoftTech
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:redis-server
Email Address []:admin@example.com

Restrict access to the generated .key file:

sudo chmod 600 /etc/stunnel/redis-server.key

4. Create the Stunnel Configuration File on the Redis Server

sudo vim /etc/stunnel/redis.conf

The configuration file should look similar to the following:

pid = /run/stunnel-redis.pid

[redis-server]
cert = /etc/stunnel/redis-server.crt
key = /etc/stunnel/redis-server.key
accept = redis_servers_public_IP:6379
connect = 127.0.0.1:6379

Above, accept makes stunnel listen for encrypted traffic on Redis port 6379 on the public IP, and connect forwards the decrypted traffic to Redis on localhost port 6379.

sudo service stunnel4 restart

If you check which services are listening on the Redis server, you should see stunnel listening on port 6379 on the public interface and the Redis server listening on the same port on the local interface:

sudo netstat -nalp
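The whole setup relies on Redis itself staying bound to the loopback interface (the `bind 127.0.0.1` line in /etc/redis/redis.conf), so that the only thing reachable on 6379 from the network is stunnel. The following POSIX shell script is an added example and not part of the original post: it parses a `netstat -nalp` style listing from stdin and fails if redis-server listens on anything but loopback or if stunnel4 is not listening on 6379. The sample listings, the 203.0.113.10 address and the PIDs are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the original post): verify from a `netstat -nalp`
# listing that the layout the tutorial expects is really in place:
#   * stunnel4 LISTENs on port 6379 (the only entry point from the network)
#   * redis-server LISTENs on loopback only, so plaintext is never exposed
# Reads the listing on stdin, prints one line per finding and returns 0 only
# when both conditions hold.

check_redis_bindings() {
    rc=0
    stunnel_seen=0
    while read -r proto _rq _sq laddr _remote state prog; do
        # keep only TCP listeners; headers and unix sockets fall through here
        case "$proto" in tcp|tcp6) ;; *) continue ;; esac
        [ "$state" = "LISTEN" ] || continue
        addr=${laddr%:*}      # "127.0.0.1:6379" -> "127.0.0.1", ":::22" -> "::"
        port=${laddr##*:}     # -> "6379"
        case "$prog" in
            */stunnel4*)
                [ "$port" = 6379 ] && stunnel_seen=1
                ;;
            */redis-server*)
                case "$addr" in
                    127.0.0.1|::1) ;;   # loopback only: what the tutorial relies on
                    *)
                        echo "FAIL: redis-server accepts plaintext on $laddr"
                        rc=1
                        ;;
                esac
                ;;
        esac
    done
    if [ "$stunnel_seen" -eq 0 ]; then
        echo "FAIL: stunnel4 is not listening on port 6379"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: only stunnel is reachable on 6379, redis is loopback-only"
    return "$rc"
}

# Constructed sample: what `sudo netstat -nalp` should show after step 4
sample_good_listing() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 203.0.113.10:6379       0.0.0.0:*               LISTEN      3809/stunnel4
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      2201/redis-server 127.0.0.1:6379
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1714/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      1714/sshd
EOF
}

# Constructed failure scenario: Redis bound to every interface and no stunnel
# listener, so plaintext Redis is exposed directly to the network
sample_bad_listing() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:6379            0.0.0.0:*               LISTEN      2201/redis-server *:6379
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1714/sshd
EOF
}

# Demo run over both constructed listings
sample_good_listing | check_redis_bindings
sample_bad_listing | check_redis_bindings || echo "(bad listing rejected, as expected)"
```

On a live server, run it as `sudo netstat -nalp | sh -c '. ./check.sh; check_redis_bindings'` or simply paste the function into your shell; `ss -ltnp` output has a different column layout and would need the read fields adjusted.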

5. Configure the firewall to allow traffic on port 6379 using iptables

sudo iptables -A INPUT -p tcp --dport 6379 -j ACCEPT

Configure the Redis Client

Install the Redis client package and stunnel on the client, and copy the Redis server's certificate (redis-server.crt) onto it, at the path used for CAfile below.

Create the file /etc/stunnel/redis.conf on the client with configuration similar to the following:

pid = /run/stunnel-redis.pid

[redis-client]
client = yes
accept = 127.0.0.1:8000
connect = remote_server_IP_address:6379
CAfile = /etc/stunnel/redis-server.crt
verify = 4

Save and Close the file.
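The two lines that make this tunnel more than just encryption are CAfile and verify: without them stunnel would accept whatever certificate the far end presents, so anyone able to intercept the connection could terminate the TLS session with their own certificate. The following POSIX shell script is an added example and not part of the original post: it lints a client-side stunnel configuration read from stdin and fails for any `client = yes` section that does not verify the server. The sample configs and the 203.0.113.10 address are constructed; the acceptance of `verifyChain`/`verifyPeer` as equivalents of `verify` reflects the option names of newer stunnel releases.

```sh
#!/bin/sh
# Added example (not from the original post): lint a client-side stunnel
# configuration so that the tunnel authenticates the server, not just encrypts.
# Reads the config on stdin, prints findings, returns 0 only if every
# `client = yes` section has certificate verification configured.

lint_stunnel_client() {
    awk '
    function check_section(   bad) {
        if (sec == "" || opt["client"] != "yes") { reset(); return }
        bad = 0
        # verify >= 2 checks the chain; 4 (used in this post) pins the peer cert;
        # newer stunnel spells the same thing verifyChain/verifyPeer = yes
        if (!((opt["verify"] + 0) >= 2 || opt["verifyChain"] == "yes" || opt["verifyPeer"] == "yes")) {
            printf "FAIL [%s]: no server certificate verification (verify < 2)\n", sec; bad = 1
        }
        if (!("CAfile" in opt) && !("CApath" in opt)) {
            printf "FAIL [%s]: no CAfile/CApath, nothing to verify the server against\n", sec; bad = 1
        }
        if (opt["accept"] !~ /^127\.0\.0\.1:/ && opt["accept"] !~ /^localhost:/) {
            printf "WARN [%s]: accept=%s exposes the plaintext side of the tunnel beyond loopback\n", sec, opt["accept"]
        }
        if (!bad) printf "OK   [%s]: server certificate is verified\n", sec
        failures += bad
        reset()
    }
    function reset(   k) { for (k in opt) delete opt[k] }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }        # comments and blank lines
    /^[ \t]*\[/ {                                # [section] header
        check_section()
        sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/].*$/, "", sec)
        next
    }
    {                                            # key = value
        eq = index($0, "=")
        if (eq == 0) next
        k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
        opt[k] = v
    }
    END { check_section(); exit failures > 0 }
    '
}

# Constructed client config, as in this post: verifies the server certificate
sample_client_conf_good() {
    cat <<'EOF'
pid = /run/stunnel-redis.pid

[redis-client]
client = yes
accept = 127.0.0.1:8000
connect = 203.0.113.10:6379
CAfile = /etc/stunnel/redis-server.crt
verify = 4
EOF
}

# Constructed weak variant: encrypts, but trusts any certificate it is shown,
# and exposes the plaintext side of the tunnel on all interfaces
sample_client_conf_weak() {
    cat <<'EOF'
pid = /run/stunnel-redis.pid

[redis-client]
client = yes
accept = 0.0.0.0:8000
connect = 203.0.113.10:6379
EOF
}

# Demo run over both constructed configs
sample_client_conf_good | lint_stunnel_client
sample_client_conf_weak | lint_stunnel_client || echo "(weak config rejected, as expected)"
```

On a real client, feed the actual file in with `lint_stunnel_client < /etc/stunnel/redis.conf`; a non-zero exit means the tunnel would connect without checking who is on the other end.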

Restart the Stunnel service:

sudo service stunnel4 restart

Check that the tunnel on the client was set up properly:

sudo netstat -nalp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN      3809/stunnel4   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1714/sshd       
tcp6       0      0 :::22                   :::*                    LISTEN      1714/sshd

As you can see, stunnel is listening on local port 8000 for connections.

Test connectivity between the Redis server and client:

redis-cli -p 8000 ping
Redis client output
PONG

Now try connecting directly to the remote Redis port without using the tunnel:

redis-cli -h redis_server_public_IP -p 6379 ping
Redis client output
Error: Connection reset by peer

As you can see, the remote Redis port only accepts encrypted traffic through the tunnel.

Stay tuned for more info…