Securing Redis Client and Server with Stunnel



Redis is an open-source key-value data store, using an in-memory storage model with optional disk writes for persistence.

Stunnel is an open-source multi-platform application used to provide a universal TLS/SSL tunneling service. Stunnel can be used to provide secure encrypted connections for clients or servers that do not speak TLS or SSL natively. Therefore the stunnel application is a SSL encryption wrapper that can tunnel unencrypted traffic (like redis) through a SSL encrypted tunnel to another server.





Setting up the server host :-


Step 1: Install the redis-server

Install redis-server. After installation we will change the password in the redis configuration. For better security we will enable password which requires all clients to authenticate before being able to pull or put data from the redis instance.


Step 2: Restart the redis service

In order for our configuration changes to take effect we will need to restart the redis service.


Step 3: Install Stunnel

Redis is start and running now we will install Stunnel.


Step 4: Start Stunnel on boot

Stunnel doesn’t start on boot. To start Stunnel on boot make changes in the below file.


Step 5: Creating a self-signed Certificate

Stunnel requires a certificate to use for client to server communication.


a) Generating a key:

First we will create a private key. Use openssl to create a 4096 bit RSA key.



b) Creating the Certificate:

We will now create a certificate. While generating the certificate we will be asked a series of questions; the answers provided are used to prove the validity of the certificate.



Combine both the key and certificate into a single file for stunnel to use. We will also change the file permissions .



Step 6: Configure the stunnel

We will create a file named redis-server.confand place our configuration within it.


By default redis listens to the localhost IP on port 6379 . Our configuration has stunnel accept connections on the external IP and forward the connections to the redis instance listening on


Step 7: Starting Stunnel

After the configuration file is in place we will start stunnel.


Setting up the client host :-


Step 8: Installing redis-cli

Install the redis-cli tool. You would not need to install redis-server.


Step 9: Install Stunnel

Install stunnel on the client.


Step 10: Start stunnel on boot

To have stunnel start on boot we will need to edit the /etc/default/stunnel4 file.


Step 11: Copy the certificate file from server to client

In order to establish an SSL connection we will need the private.pem file that we generated on the server host. Copy the private.pem file from server host to client host.


Step 12: Configure the stunnel client

To specify this stunnel instance is a client we will add client=yes to the configuration.

Stunnel listens locally on port 6379 and forward connections to the server host IP with port 6379.


Step 13: Start stunnel 

Start stunnel service


Step 14: Testing the connection

Both the server and client hosts have stunnel installed and a SSL tunnel established. Test the connection by using the redis-cli command to connect to localhost on the client.


As a result when a client on the client host connects to port 6379 locally it will be forwarded through the SSL tunnel that stunnel has created with the server host and redirected to the redis instance running on server. To setup an application to call this instance you would simply install the application on the client host and have it connect to redis on localhost.


In case of any help or query, please contact us or raise a ticket.

Category(s) aws cloud Redis
. . .


Add Your Comment

Be the first to comment.