Redis 6 : SSL/TLS Setting2022/07/04 |
Configure SSL/TLS Setting on Redis.
|
|
[1] | Create self-signed certificate. If you use valid certificate like Let's Encrypt or others, skip this section. |
[root@dlp ~]# cd /etc/pki/tls/certs [root@dlp certs]# openssl req -x509 -nodes -newkey rsa:2048 -keyout redis.pem -out redis.pem -days 3650 Generating a RSA private key ..+++++ .............+++++ writing new private key to 'redis.pem' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:JP # country code State or Province Name (full name) []:Hiroshima # State Locality Name (eg, city) [Default City]:Hiroshima # city Organization Name (eg, company) [Default Company Ltd]:GTS # company Organizational Unit Name (eg, section) []:Server World # department Common Name (eg, your name or your server's hostname) []:dlp.srv.world # server's FQDN Email Address []:root@srv.world # admin's email[root@dlp certs]# chmod 600 redis.pem [root@dlp certs]# chown redis. redis.pem |
[2] | Configure Redis. |
[root@dlp ~]#
vi /etc/redis/redis.conf # line 98 : change : disable it with [0] port 0
# line 145: uncomment tls-port 6379 # line 151, 152 : uncomment and specify certificate tls-cert-file /etc/pki/tls/certs/redis.pem tls-key-file /etc/pki/tls/certs/redis.pem
# line 187 : uncomment and parent directory of certs tls-ca-cert-dir /etc/pki/tls/certs # line 196 : uncomment tls-auth-clients no systemctl restart redis |
[3] | Connect to Redis with SSL/TLS from clients. If connect from other Hosts, it needs to transfer certificate to them. |
[root@node01 ~]# ll /etc/pki/tls/certs total 4 lrwxrwxrwx. 1 root root 49 Nov 17 2021 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem lrwxrwxrwx. 1 root root 55 Nov 17 2021 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt -rw-------. 1 redis redis 3160 Jul 1 16:28 redis.pem # specify [tls] option and certificate [root@node01 ~]# redis-cli -h dlp.srv.world --tls \ --cert /etc/pki/tls/certs/redis.pem \ --key /etc/pki/tls/certs/redis.pem \ --cacert /etc/pki/tls/certs/redis.pem dlp.srv.world:6379> auth password OK dlp.srv.world:6379> info # Server redis_version:6.2.7 redis_git_sha1:00000000 redis_git_dirty:0 redis_build_id:ec192bdd77ecd321 redis_mode:standalone os:Linux 5.14.0-115.el9.x86_64 x86_64 arch_bits:64 monotonic_clock:POSIX clock_gettime multiplexing_api:epoll atomicvar_api:c11-builtin gcc_version:11.3.1 process_id:1639 process_supervised:systemd run_id:c104db2c6fe39ba6d401f3c092806db345dbe42e tcp_port:6379 server_time_usec:1656660604309166 uptime_in_seconds:150 uptime_in_days:0 ..... ..... |
Sponsored Link |
|