INTRODUCTION
Redis is an open-source key-value data store, using an in-memory storage model with optional disk writes for persistence.
Stunnel is an open-source, multi-platform application that provides a universal TLS/SSL tunneling service. It can add encrypted connections to clients or servers that do not speak TLS or SSL natively. In effect, stunnel is a TLS/SSL wrapper that carries unencrypted traffic (such as Redis) through an encrypted tunnel to another server.
Setting up the server host:
Step 1: Install the redis-server
Install redis-server. After installation we will set a password in the Redis configuration. Enabling requirepass forces all clients to authenticate before they can read or write data in the Redis instance.

    apt-get install redis-server
    vim /etc/redis/redis.conf
    # add or edit this line in /etc/redis/redis.conf:
    requirepass <yourpass>
Step 2: Restart the redis service
In order for our configuration changes to take effect we will need to restart the redis service.
    /etc/init.d/redis-server restart
Step 3: Install Stunnel
Redis is now up and running; next we install stunnel.

    apt-get install stunnel4
Step 4: Start Stunnel on boot
Stunnel does not start on boot by default. To enable it at boot, edit the following file.

    vim /etc/default/stunnel4
    ENABLED=1
Step 5: Creating a self-signed Certificate
Stunnel requires a certificate for client-to-server communication.
a) Generating a key:
First we create a private key, using openssl to generate a 4096-bit RSA key.

    openssl genrsa -out /etc/stunnel/key.pem 4096
b) Creating the Certificate:
We will now create a self-signed certificate. While generating it we are asked a series of questions; the answers are embedded in the certificate as its Distinguished Name (DN).

    openssl req -new -x509 -key /etc/stunnel/key.pem -out /etc/stunnel/cert.pem -days 1826
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:Arizona
    Locality Name (eg, city) []:Phoenix
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:cloudkul.com
    Organizational Unit Name (eg, section) []:
    Common Name (e.g. server FQDN or YOUR name) []:sh.com
    Email Address []:testing@example.com
Combine the key and the certificate into a single file for stunnel to use, and restrict the file permissions: private.pem now holds the private key as well as the certificate.

    cat /etc/stunnel/key.pem /etc/stunnel/cert.pem > /etc/stunnel/private.pem
    chmod 640 /etc/stunnel/key.pem /etc/stunnel/cert.pem /etc/stunnel/private.pem
Step 6: Configure stunnel
We will create a file named redis-server.conf and place our configuration in it.

    vim /etc/stunnel/redis-server.conf
    cert = /etc/stunnel/private.pem
    pid = /var/run/stunnel.pid
    [redis]
    accept = <yourexternalip>:6379
    connect = 127.0.0.1:6379

By default Redis listens on the loopback address 127.0.0.1, port 6379. Our configuration has stunnel accept connections on the external IP and forward them to the Redis instance listening on 127.0.0.1.
Step 7: Starting Stunnel
After the configuration file is in place we will start stunnel.
    /etc/init.d/stunnel4 start
Setting up the client host:
Step 8: Installing redis-cli
Install the redis-cli tool. The redis-server package is not needed on the client.

    # on Debian/Ubuntu the redis-cli binary ships in the redis-tools package
    apt-get install redis-tools
Step 9: Install Stunnel
Install stunnel on the client.
    apt-get install stunnel4
Step 10: Start stunnel on boot
To have stunnel start on boot we will need to edit the /etc/default/stunnel4 file.
    vim /etc/default/stunnel4
    ENABLED=1
Step 11: Copy the certificate file from server to client
In order to establish an SSL connection we need the private.pem file generated on the server host. Copy private.pem from the server host to the client host over an authenticated channel (for example scp), since it contains the server's private key, and restrict its permissions on the client.

    # after copying private.pem from the server host into /etc/stunnel/:
    chmod 640 /etc/stunnel/private.pem
Step 12: Configure the stunnel client
To mark this stunnel instance as a client, we add client = yes to the configuration.

    vim /etc/stunnel/redis-client.conf
    cert = /etc/stunnel/private.pem
    client = yes
    pid = /var/run/stunnel.pid
    [redis]
    accept = 127.0.0.1:6379
    connect = <serverip>:6379

Stunnel listens locally on port 6379 and forwards connections to the server host IP on port 6379.
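Added here as a worked example, not part of the original post: a small POSIX sh checker for the Step 6 and Step 12 configs that flags the settings deciding whether the tunnel actually protects the Redis traffic. Notably, a client config with no verify, verifyChain or verifyPeer option (stunnel 5.x option names, assumed here) makes stunnel accept the server certificate without checking it; 203.0.113.10 is a placeholder server IP.

```shell
#!/bin/sh
# Added example, not from the original post: audit a stunnel .conf for the
# settings that decide whether the redis tunnel really protects the traffic.
# Assumes stunnel 5.x option names (client, verify, verifyChain, verifyPeer, CAfile).

# has KEY VALUE_REGEX: true if the normalised config has a matching "key = value" line.
has() {
  printf '%s\n' "$norm" | grep -Eiq "^$1[[:space:]]*=[[:space:]]*$2\$"
}

# stunnel_conf_check FILE: print one finding per line, return 1 if any were found.
stunnel_conf_check() {
  findings=0
  # Drop ';' and '#' comments and surrounding whitespace so "key = value" lines are uniform.
  norm=$(sed -e 's/[;#].*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1")

  if has client 'yes'; then
    # Without a verify option stunnel accepts any certificate, so the client
    # would hand the AUTH password to whatever answers on <serverip>:6379.
    if ! has 'verify(Chain|Peer)?' '(yes|[1-4])'; then
      echo "$1: client=yes without verify/verifyChain/verifyPeer: server certificate is not checked"
      findings=$((findings + 1))
    fi
    if ! has CAfile '.+'; then
      echo "$1: client=yes without CAfile: nothing to validate the server certificate against"
      findings=$((findings + 1))
    fi
  else
    # Server side: the decrypted hop must stay on loopback, where redis listens.
    if ! has connect '127\.0\.0\.1:[0-9]+'; then
      echo "$1: server connect target is not on 127.0.0.1"
      findings=$((findings + 1))
    fi
    if ! has cert '.+'; then
      echo "$1: server has no cert= line"
      findings=$((findings + 1))
    fi
  fi
  [ "$findings" -eq 0 ]
}

# Demo on a constructed copy of the post's Step 12 client config (203.0.113.10 is a placeholder IP).
demo_dir=$(mktemp -d)
printf 'cert = /etc/stunnel/private.pem\nclient = yes\npid = /var/run/stunnel.pid\n[redis]\naccept = 127.0.0.1:6379\nconnect = 203.0.113.10:6379\n' > "$demo_dir/redis-client.conf"
stunnel_conf_check "$demo_dir/redis-client.conf" || echo "fix: add verifyChain = yes and CAfile = /etc/stunnel/cert.pem"
```

Run it as `sh check.sh` after saving the block; pointing stunnel_conf_check at the real /etc/stunnel/*.conf files works the same way.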
Step 13: Start stunnel
Start the stunnel service.

    /etc/init.d/stunnel4 start
Step 14: Testing the connection
Both the server and client hosts now have stunnel installed and an SSL tunnel established. Test the connection by using redis-cli to connect to localhost on the client.

    redis-cli -h localhost
    redis localhost:6379> auth <yourpass>
    OK

As a result, when an application on the client host connects to port 6379 locally, the connection is forwarded through the SSL tunnel that stunnel has established with the server host and delivered to the Redis instance running there. To point an application at this instance, install it on the client host and have it connect to Redis on localhost.
In case of any help or query, please contact us or raise a ticket.