Redis 6 : SSL/TLS Setting2021/06/28 |
Configure SSL/TLS Setting on Redis.
|
|
[1] | Create self-signed certificate. If you use valid certificate like Let's Encrypt or others, skip this section. |
[root@www ~]# cd /etc/pki/tls/certs [root@www certs]# openssl req -x509 -nodes -newkey rsa:2048 -keyout redis.pem -out redis.pem -days 3650 Generating a RSA private key ..+++++ .............+++++ writing new private key to 'redis.pem' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:JP # country code State or Province Name (full name) []:Hiroshima # State Locality Name (eg, city) [Default City]:Hiroshima # city Organization Name (eg, company) [Default Company Ltd]:GTS # company Organizational Unit Name (eg, section) []:Server World # department Common Name (eg, your name or your server's hostname) []:www.srv.world # server's FQDN Email Address []:root@srv.world # admin's email[root@www certs]# chmod 600 redis.pem [root@www certs]# chown redis. redis.pem |
[2] | Configure Redis. |
[root@www ~]#
vi /etc/redis.conf # line 91 : change : disable it with [0] port 0
# line 138: uncomment tls-port 6379 # line 144,145 : uncomment and specify certificate tls-cert-file /etc/pki/tls/certs/redis.pem tls-key-file /etc/pki/tls/certs/redis.pem
# line 156 : uncomment and parent directory of certs tls-ca-cert-dir /etc/pki/tls/certs # line 165 : uncomment tls-auth-clients no systemctl restart redis |
[3] | Connect to Redis with SSL/TLS from clients. If connect from other Hosts, it needs to transfer certificate to them. |
[root@node01 ~]# ll /etc/pki/tls/certs total 4 lrwxrwxrwx. 1 root root 49 Jun 17 00:06 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem lrwxrwxrwx. 1 root root 55 Jun 17 00:06 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt -rw-------. 1 redis redis 3164 Jun 25 01:39 redis.pem # specify [tls] option and certificate [root@node01 ~]# redis-cli -h www.srv.world --tls \ --cert /etc/pki/tls/certs/redis.pem \ --key /etc/pki/tls/certs/redis.pem \ --cacert /etc/pki/tls/certs/redis.pem www.srv.world:6379> auth password OK www.srv.world:6379> info # Server redis_version:6.0.9 redis_git_sha1:00000000 redis_git_dirty:0 redis_build_id:aff2285c2ffdf166 redis_mode:standalone os:Linux 4.18.0-310.el8.x86_64 x86_64 arch_bits:64 multiplexing_api:epoll atomicvar_api:atomic-builtin gcc_version:8.4.1 process_id:3804 run_id:38d1d7f3c1749bab861e1262b64e64aef6e918b0 tcp_port:6379 ..... ..... |
Sponsored Link |
|