Securing Redis Client and Server with Stunnel

Updated 7 January 2020

INTRODUCTION

 

Redis is an open-source key-value data store, using an in-memory storage model with optional disk writes for persistence.

Stunnel is an open-source multi-platform application used to provide a universal TLS/SSL tunneling service. Stunnel can be used to provide secure encrypted connections for clients or servers that do not speak TLS or SSL natively. Stunnel is therefore an SSL encryption wrapper that can tunnel unencrypted traffic (such as Redis) through an SSL-encrypted tunnel to another server.

Setting up the server host :-

 

Step 1: Install the redis-server

Install redis-server. After installation we will change the password in the Redis configuration. For better security we will enable a password, which requires all clients to authenticate before they can pull or put data from the Redis instance.


 

Step 2: Restart the redis service

In order for our configuration changes to take effect we will need to restart the redis service.


 

Step 3: Install Stunnel

Redis is now up and running, so we will install Stunnel.


 

Step 4: Start Stunnel on boot

Stunnel doesn’t start on boot. To start Stunnel on boot, make changes in the file below.


 

Step 5: Creating a self-signed Certificate

Stunnel requires a certificate to use for client to server communication.

 

a) Generating a key:

First we will create a private key. Use openssl to create a 4096-bit RSA key.

 


 

b) Creating the Certificate:

We will now create a certificate. While generating the certificate we will be asked a series of questions; the answers provided are used to prove the validity of the certificate.

 


 

Combine the key and the certificate into a single file for stunnel to use. We will also change the file permissions.

 


 

Step 6: Configure the stunnel

We will create a file named redis-server.conf and place our configuration within it.


 

By default Redis listens on the localhost IP 127.0.0.1 on port 6379. Our configuration has stunnel accept connections on the external IP and forward them to the Redis instance listening on 127.0.0.1.

 

Step 7: Starting Stunnel

After the configuration file is in place we will start stunnel.


 

Setting up the client host :-

 

Step 8: Installing redis-cli

Install the redis-cli tool. You do not need to install redis-server.


 

Step 9: Install Stunnel

Install stunnel on the client.


 

Step 10: Start stunnel on boot

To have stunnel start on boot we will need to edit the /etc/default/stunnel4 file.


 

Step 11: Copy the certificate file from server to client

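In order to establish an SSL connection we will need the private.pem file that we generated on the server host. Copy the private.pem file from the server host to the client host. Because this file combines the private key with the certificate (Step 5), copy it over a secure channel and keep its permissions restricted on the client as well.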


 

Step 12: Configure the stunnel client

To specify that this stunnel instance is a client we will add client=yes to the configuration.


Stunnel listens locally on port 6379 and forwards connections to the server host IP on port 6379.

 

Step 13: Start stunnel

Start the stunnel service.


 

Step 14: Testing the connection

Both the server and client hosts have stunnel installed and an SSL tunnel established. Test the connection by using the redis-cli command to connect to localhost on the client.


 

As a result, when a client on the client host connects to port 6379 locally, the connection is forwarded through the SSL tunnel that stunnel has created with the server host and redirected to the Redis instance running on the server. To set up an application to call this instance, you would simply install the application on the client host and have it connect to Redis on localhost.
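
A scripted version of the connection test in Step 14, as an added example that is not part of the original article: it speaks the Redis wire protocol (RESP) to the local stunnel listener and confirms that the password from Step 1 is enforced through the tunnel. The function names and the password argument are assumptions of this example; the default host and port follow Step 12.

```python
import socket

def encode_command(*args):
    """Encode a command as a RESP array of bulk strings, as redis-cli does."""
    parts = [b"*%d\r\n" % len(args)]
    for arg in args:
        data = arg if isinstance(arg, bytes) else str(arg).encode()
        parts.append(b"$%d\r\n%s\r\n" % (len(data), data))
    return b"".join(parts)

def read_reply(stream):
    """Read one RESP reply: simple string, error, integer or bulk string."""
    line = stream.readline()
    if not line.endswith(b"\r\n"):
        raise ConnectionError("connection closed before a full reply arrived")
    kind, body = line[:1], line[1:-2]
    if kind == b"+":
        return ("ok", body.decode())
    if kind == b"-":
        return ("error", body.decode())
    if kind == b":":
        return ("int", int(body))
    if kind == b"$":
        size = int(body)
        return ("bulk", None if size < 0 else stream.read(size + 2)[:-2])
    raise ValueError("unexpected reply type %r" % kind)

def probe(sock, password):
    """Run the three checks over an already connected socket."""
    with sock.makefile("rwb") as stream:
        def call(*args):
            stream.write(encode_command(*args))
            stream.flush()
            return read_reply(stream)
        before_auth = call("PING")   # must be refused when a password is set
        auth = call("AUTH", password)
        after_auth = call("PING")
    return {
        "auth_required": before_auth[0] == "error",
        "auth_accepted": auth == ("ok", "OK"),
        "ping_ok": after_auth == ("ok", "PONG"),
    }

def check_tunnel(password, host="127.0.0.1", port=6379, timeout=5.0):
    """Connect to the local stunnel listener (Step 12) and probe Redis."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return probe(sock, password)
```

A successful TCP connect to 127.0.0.1:6379 only shows that the local stunnel is listening; if the tunnel to the server is down and stunnel closes the local connection, `check_tunnel` raises `ConnectionError` rather than returning a result.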

 
