Redis is an open source database that uses an in-memory storage model with optional writes to disk for persistence. By default Redis does not provide any encryption capabilities of its own, so traffic between server and clients is sent unencrypted.
In this guide we encrypt the traffic between the Redis server and its clients through a secure SSL tunnel, using stunnel.
1. Installing Redis Server
Add the PPA and install the Redis server software on your first machine by typing:
sudo add-apt-repository ppa:chris-lea/redis-server
sudo apt-get update
sudo apt-get install redis-server
To configure the stunnel service to start at boot, you must edit the /etc/default/stunnel4 file and set the ENABLED option to “1”:
ENABLED=1
Save and close the file.
2. Installing Stunnel on Server
sudo apt-get install stunnel4
3. Creating SSL Certificate on Redis Server
sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/stunnel/redis-server.key -out /etc/stunnel/redis-server.crt
You will be prompted for information about the certificate you are creating. You can see an example below:
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:Tamil Nadu
Locality Name (eg, city) []:Chennai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:E2E SoftTech
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:redis-server
Email Address []:admin@example.com
Restrict access to the generated .key file:
sudo chmod 600 /etc/stunnel/redis-server.key
4. Create Stunnel Configuration file on Redis Server
sudo vim /etc/stunnel/redis.conf
The configuration file looks similar to the one below:
pid = /run/stunnel-redis.pid
[redis-server]
cert = /etc/stunnel/redis-server.crt
key = /etc/stunnel/redis-server.key
accept = redis_servers_public_IP:6379
connect = 127.0.0.1:6379
Above, accept makes stunnel listen for encrypted traffic on Redis port 6379 on the server's public IP, and connect forwards the decrypted traffic to Redis itself on localhost port 6379.
sudo service stunnel4 restart
If you check the listening services on the Redis server, you should see stunnel listening on port 6379 on the public interface and the Redis server listening on the same port on the local interface:
sudo netstat -nalp
5. Configure firewall to allow traffic on port 6379 using iptables
sudo iptables -A INPUT -p tcp --dport 6379 -j ACCEPT
Configure Redis Client
Install the Redis client package and stunnel on the client machine and copy the Redis server certificate (redis-server.crt) to it.
Open the file /etc/stunnel/redis.conf and add configuration similar to the one below:
pid = /run/stunnel-redis.pid
[redis-client]
client = yes
accept = 127.0.0.1:8000
connect = remote_server_IP_address:6379
CAfile = /etc/stunnel/redis-server.crt
verify = 4
Save and Close the file.
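The two stunnel configuration files above carry the settings that decide whether the tunnel is actually protected: the server side must present a cert and key, and the client side must only listen on loopback and must check the server certificate against CAfile (verify = 4 tells stunnel to compare the peer certificate directly against the local copy). The linter below is an added example, not code from the original post; it parses stunnel configs in the shape shown above (global options before the first section) and reports a client section that is missing CAfile or verification, or that accepts connections on a non-loopback address. The sample configs and the 203.0.113.10 address are constructed for the example.

```python
import configparser

# Constructed sample configs in the shape used in this walkthrough.
CLIENT_CONF = """\
pid = /run/stunnel-redis.pid
[redis-client]
client = yes
accept = 127.0.0.1:8000
connect = 203.0.113.10:6379
CAfile = /etc/stunnel/redis-server.crt
verify = 4
"""

# Same client, but listening on all interfaces and not verifying the server.
WEAK_CLIENT_CONF = """\
pid = /run/stunnel-redis.pid
[redis-client]
client = yes
accept = 0.0.0.0:8000
connect = 203.0.113.10:6379
"""

def parse_stunnel(text):
    """Return {section: {option: value}}; stunnel allows global options
    before the first [section], so they are wrapped into a 'global' section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # stunnel option names such as CAfile are case-sensitive
    cp.read_string("[global]\n" + text)
    return {name: dict(cp[name]) for name in cp.sections()}

def lint(text):
    """Return a list of findings; an empty list means no weak setting was found."""
    findings = []
    for name, opts in parse_stunnel(text).items():
        if name == "global":
            continue
        if opts.get("client", "no").lower() == "yes":
            host = opts.get("accept", "").rsplit(":", 1)[0]
            if host not in ("127.0.0.1", "localhost", "::1"):
                findings.append(f"{name}: accept is not loopback-only ({opts.get('accept')})")
            if "CAfile" not in opts:
                findings.append(f"{name}: no CAfile, server certificate cannot be checked")
            if int(opts.get("verify", "0")) < 2:  # levels 0/1 do not reject bad certs
                findings.append(f"{name}: verify < 2, peer certificate is not verified")
        else:
            for key in ("cert", "key"):
                if key not in opts:
                    findings.append(f"{name}: server service missing '{key}'")
    return findings

if __name__ == "__main__":
    print(lint(CLIENT_CONF))       # []
    print(lint(WEAK_CLIENT_CONF))  # three findings
```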
Restart the Stunnel service:
sudo service stunnel4 restart
Check that the tunnel on the client was set up properly:
sudo netstat -nalp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:8000 0.0.0.0:* LISTEN 3809/stunnel4
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1714/sshd
tcp6 0 0 :::22 :::* LISTEN 1714/sshd
As you can see, stunnel is listening on local port 8000 for connections.
Test connectivity between Redis server and client
redis-cli -p 8000 ping
PONG
Now we can try to connect to the remote Redis port directly, without using the tunnel:
redis-cli -h redis_server_public_IP -p 6379 ping
Error: Connection reset by peer
As you can see, only encrypted traffic is accepted on the remote Redis port, so clients must go through the tunnel.
Stay tuned for more info…