Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network, such as the Internet. The protocol is widely used in applications such as email, instant messaging, and voice over IP, but its use in securing HTTPS remains the most publicly visible.
Redis® supports TLS natively since version 6.0; the open-source server must be built with TLS support (make BUILD_TLS=yes) for the tls-* directives used below to work.
This article shows how to configure TLS in a Redis Cluster so that client connections, replication links and the cluster bus are all encrypted and mutually authenticated.
Prerequisites
- You have set up a Redis Cluster as described in the article "Setup a Redis Cluster with using Redis Stack"
- You have been issued an X.509 certificate and private key (PEM format) for each cluster node, and you have the certificate of the CA that issued them
Configure Redis configuration files
On all nodes, add the following mandatory settings to the redis_7000.conf file:
# By default, TLS/SSL is disabled. To enable it, the "tls-port" configuration
# directive defines the TLS-listening port. Setting "port 0" at the same time
# closes the plaintext listener, so TLS becomes the only way to reach the node:
#
port 0
tls-port 7000
# The cluster port is the port that the cluster bus listens on for inbound connections. When set
# to the default value, 0, it is bound to the command port + 10000 (with "tls-cluster yes" the
# command port is the tls-port). Setting this value explicitly requires you to specify the cluster
# bus port when executing CLUSTER MEET.
cluster-port 17000
# Configure a X.509 certificate and private key to use for authenticating the
# server to connected clients, masters or cluster peers. These files should be PEM formatted.
#
tls-cert-file redis.crt
tls-key-file redis.key
# Configure a CA certificate(s) bundle or directory to authenticate TLS/SSL clients and peers.
# A directory must be in OpenSSL hashed layout (see "openssl rehash"). Pointing at the system
# store, as here, means any certificate issued by any public CA passes client and peer
# authentication; with "tls-auth-clients yes" a tls-ca-cert-file holding only your own
# private CA is the tighter choice.
#
tls-ca-cert-dir /etc/ssl/certs
# By default, clients (including replica servers) on a TLS port are required
# to authenticate using valid client side certificates.
# If "no" is specified, client certificates are not required and not accepted.
# If "optional" is specified, client certificates are accepted and must be
# valid if provided, but are not required.
#
tls-auth-clients yes
# By default, a Redis replica does not attempt to establish a TLS connection with its master.
# Use the following directive to enable TLS on replication links.
#
tls-replication yes
# By default, the Redis Cluster bus uses a plain TCP connection. To enable
# TLS for the bus protocol, use the following directive:
#
tls-cluster yes
# By default, only TLSv1.2 and TLSv1.3 are enabled and it is highly recommended
# that older, formally deprecated versions are kept disabled to reduce the attack surface.
# You can explicitly specify the TLS versions to support.
# Allowed values are case insensitive and include "TLSv1", "TLSv1.1", "TLSv1.2",
# "TLSv1.3" (OpenSSL >= 1.1.1) or any combination. Note that the list is exhaustive:
# writing only "TLSv1.2" would switch TLSv1.3 off, so list both.
#
tls-protocols "TLSv1.2 TLSv1.3"
# Configure allowed ciphers. See the ciphers(1ssl) manpage for more information about the syntax of this string.
# Note: this configuration applies only to <= TLSv1.2; TLSv1.3 cipher suites are
# configured separately with the "tls-ciphersuites" directive.
#
tls-ciphers DEFAULT:!MEDIUM
# When choosing a cipher, use the server's preference instead of the client
# preference. By default, the server follows the client's preference.
#
tls-prefer-server-ciphers yes
# Enable TLS session caching to allow faster and less expensive
# reconnections by clients that support it.
#
tls-session-caching yes
# Change the default number of TLS sessions cached. A zero value sets the cache
# to unlimited size. The default size is 20480.
#
tls-session-cache-size 20480
# Change the default timeout of cached TLS sessions. The default timeout is 300 seconds.
#
tls-session-cache-timeout 300
Apply the same settings, with the port numbers changed, in the redis_7001.conf file:
port 0
tls-port 7001
cluster-port 17001
tls-cert-file redis.crt
tls-key-file redis.key
tls-ca-cert-dir /etc/ssl/certs
tls-auth-clients yes
tls-replication yes
tls-cluster yes
tls-protocols "TLSv1.2 TLSv1.3"
tls-ciphers DEFAULT:!MEDIUM
tls-prefer-server-ciphers yes
tls-session-caching yes
tls-session-cache-size 20480
tls-session-cache-timeout 300
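The same settings as a small shell helper that generates the TLS section of redis_<port>.conf for any node port and lints a file for the directives that matter for security (plaintext listener closed, TLS on clients, replication and cluster bus, a CA configured, no deprecated protocol versions). This is an added example, not code from the article or from Redis; it assumes the node's certificate and key are redis.crt and redis.key as above, and it uses a hypothetical private CA bundle ca.crt via tls-ca-cert-file instead of the system certificate directory.

```shell
#!/bin/sh
# Added example (not from the original article): generate the TLS directives
# for one cluster node and lint a config file for weak TLS settings.
# Assumptions: redis.crt / redis.key are the node's PEM files (as in the
# article); ca.crt is a hypothetical private CA bundle.
set -e

# gen_tls_conf PORT [CERT] [KEY] [CA_BUNDLE] -> prints the directives
gen_tls_conf() {
  port=$1
  cert=${2:-redis.crt}
  key=${3:-redis.key}
  ca=${4:-ca.crt}
  cat <<EOF
port 0
tls-port $port
cluster-port $((port + 10000))
tls-cert-file $cert
tls-key-file $key
tls-ca-cert-file $ca
tls-auth-clients yes
tls-replication yes
tls-cluster yes
tls-protocols "TLSv1.2 TLSv1.3"
tls-ciphers DEFAULT:!MEDIUM
tls-prefer-server-ciphers yes
tls-session-caching yes
tls-session-cache-size 20480
tls-session-cache-timeout 300
EOF
}

# conf_val FILE DIRECTIVE -> value of the directive; the last occurrence wins,
# which is how redis-server resolves duplicates. Empty if the directive is absent.
conf_val() {
  awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# lint_tls_conf FILE -> prints one line per finding, returns 1 if any were found
lint_tls_conf() {
  f=$1
  rc=0
  # 1. no plaintext listener: "port 0" must be set and a tls-port must exist
  [ "$(conf_val "$f" port)" = 0 ] \
    || { echo "$f: plaintext port still open"; rc=1; }
  [ -n "$(conf_val "$f" tls-port)" ] \
    || { echo "$f: tls-port not set"; rc=1; }
  # 2. TLS on every path: client auth, replication link, cluster bus
  for d in tls-auth-clients tls-replication tls-cluster; do
    [ "$(conf_val "$f" "$d")" = yes ] \
      || { echo "$f: $d is not yes"; rc=1; }
  done
  # 3. a CA to verify client and peer certificates against
  [ -n "$(conf_val "$f" tls-ca-cert-file)$(conf_val "$f" tls-ca-cert-dir)" ] \
    || { echo "$f: no tls-ca-cert-file or tls-ca-cert-dir"; rc=1; }
  # 4. no deprecated protocol versions; the value may be a quoted, multi-word list
  protos=$(awk '$1 == "tls-protocols" { $1 = ""; sub(/^ +/, ""); p = $0 } END { print p }' "$f" | tr -d '"')
  case " $protos " in
    *" TLSv1 "* | *" TLSv1.1 "*)
      echo "$f: deprecated protocol enabled: $protos"; rc=1 ;;
  esac
  return $rc
}

# Usage: sh redis_tls_conf.sh 7000 7001   (writes redis_<port>.conf.tls per port)
for p in "$@"; do
  gen_tls_conf "$p" > "redis_${p}.conf.tls"
  lint_tls_conf "redis_${p}.conf.tls"
done
```

Run the linter against the real redis_7000.conf and redis_7001.conf after every change: it exits non-zero as soon as someone reopens the plaintext port, drops tls-cluster, or re-enables TLSv1/TLSv1.1, which are exactly the regressions that silently turn a "TLS cluster" back into a partly plaintext one.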
Redis commands with TLS
Every command passes --tls together with the client certificate and key, because "tls-auth-clients yes" makes a client certificate mandatory; --askpass prompts for the password set with requirepass instead of exposing it on the command line. If the node certificates come from a private CA, add --cacert with that CA's bundle as well, otherwise redis-cli cannot verify the server certificate.
- Create a cluster:
$ redis-cli --cluster create \
    10.0.0.124:7000 10.0.0.125:7000 10.0.0.126:7000 \
    10.0.0.124:7001 10.0.0.125:7001 10.0.0.126:7001 \
    --cluster-replicas 1 --askpass \
    --tls --cert redis.crt --key redis.key
- List the cluster nodes:
$ redis-cli -c -h 10.0.0.124 -p 7000 --askpass \
    --tls --cert redis.crt --key redis.key \
    cluster nodes
- Check the cluster:
$ redis-cli --cluster check 10.0.0.124:7000 --askpass \
    --tls --cert redis.crt --key redis.key
- Interactive mode:
$ redis-cli -c -h 10.0.0.124 -p 7000 --askpass \
    --tls --cert redis.crt --key redis.key