12

I'm following this tutorial.

In my case I am operating in a Docker environment, and I have a secured site (i.e. https://localhost), which requires secured SSL communication.

I adjusted the web and celery containers for secure connection.
But I don't know how to configure the Redis container for secure connection with SSL.
Note that when I run without SSL connection in the web and celery containers, the connection is fine.

How do I configure and run redis with ssl?

Thanks


EDIT:

I followed this tutorial to set redis with ssl and this tutorial to set redis with ssl via stunnel in Docker container.

I successfully tested the connection from my localhost to the redis docker container, by invoking redis-cli from localhost (via stunnel) to the redis docker container, using the following call from the localhost:

redis-cli -h 127.0.0.1 -p 6381
127.0.0.1:6381> auth foobared
OK
127.0.0.1:6381>

Related files on the redis server Docker side:

docker-compose file (my webapp includes multiple services, but for simplification I removed all services except for the redis container):

version: '3'
services:
  redis:
    build:
      context: ./redis
      dockerfile: Dockerfile
    restart: always
    command: sh -c "stunnel /stunnel_take2.conf && /usr/local/bin/redis-server /etc/redis/redis.conf"
    expose:
      - '6379'
    ports:
      - "6379:6379"
    volumes:
      - /home/avner/avner/certs:/etc/certs
      - /home/avner/avner/redis/conf:/etc/redis

redis container Dockerfile

FROM redis:5-alpine
RUN apk add --no-cache \
    stunnel~=5.56 \
    python3~=3.8
COPY stunnel-redis-server.conf /
WORKDIR /
ENV PYTHONUNBUFFERED=1

redis server redis conf file - redis/conf/redis.conf

...
requirepass foobared
...

redis server stunnel conf file - redis/stunnel-redis-server.conf

cert = /etc/certs/private.pem
pid = /var/run/stunnel.pid

[redis]
accept = 172.19.0.2:6380
connect = 127.0.0.1:6379

Related files on the client side (localhost):

redis client stunnel conf file - /etc/stunnel/redis-client.conf

cert = /etc/cert/private.pem
client = yes
pid = /var/run/stunnel.pid

[redis]
accept = 127.0.0.1:6381
connect = 172.19.0.2:6380
1
  • if you don't want docker-compose but just a container capable of running redis on SSL check this answer stackoverflow.com/a/75308711/5371505 Commented Feb 1, 2023 at 10:22

3 Answers

10

I've created an example repo, for how one might set up a docker container to use the new redis v6+ ssl:

docker-compose.yml

version: "3"
volumes:
  redis:
services:
  redis:
    image: "example/redis:v6.0.13"
    command: ["/app/docker-redis-entrypoint.sh"]
    container_name: redis
    ports:
      - 6379:6379
    volumes:
      - redis:/data
      - ./:/app

Dockerfile:

FROM redis:6.0.13 as base
COPY ./redis/tls /tls

entrypoint.sh

#!/bin/sh
set -e
redis-server --tls-port 6379 --port 0 \
    --tls-cert-file /tls/redis.crt \
    --tls-key-file /tls/redis.key \
    --tls-ca-cert-file /tls/ca.crt

gen-redi-certs.sh

#!/bin/bash
# COPIED/MODIFIED from the redis server gen-certs util
# Generate some test certificates which are used by the regression test suite:
#
#   tls/ca.{crt,key}          Self signed CA certificate.
#   tls/redis.{crt,key}       A certificate with no key usage/policy restrictions.
#   tls/client.{crt,key}      A certificate restricted for SSL client usage.
#   tls/server.{crt,key}      A certificate restricted for SSL server usage.
#   tls/redis.dh              DH Params file.

generate_cert() {
    local name=$1
    local cn="$2"
    local opts="$3"

    local keyfile=tls/${name}.key
    local certfile=tls/${name}.crt

    [ -f $keyfile ] || openssl genrsa -out $keyfile 2048
    openssl req \
        -new -sha256 \
        -subj "/O=Redis Test/CN=$cn" \
        -key $keyfile | \
        openssl x509 \
            -req -sha256 \
            -CA tls/ca.crt \
            -CAkey tls/ca.key \
            -CAserial tls/ca.txt \
            -CAcreateserial \
            -days 365 \
            $opts \
            -out $certfile
}

mkdir -p tls
[ -f tls/ca.key ] || openssl genrsa -out tls/ca.key 4096
openssl req \
    -x509 -new -nodes -sha256 \
    -key tls/ca.key \
    -days 3650 \
    -subj '/O=Redis Test/CN=Certificate Authority' \
    -out tls/ca.crt

cat > tls/openssl.cnf <<_END_
[ server_cert ]
keyUsage = digitalSignature, keyEncipherment
nsCertType = server

[ client_cert ]
keyUsage = digitalSignature, keyEncipherment
nsCertType = client
_END_

generate_cert server "Server-only" "-extfile tls/openssl.cnf -extensions server_cert"
generate_cert client "Client-only" "-extfile tls/openssl.cnf -extensions client_cert"
generate_cert redis "Generic-cert"

[ -f tls/redis.dh ] || openssl dhparam -out tls/redis.dh 2048

2 Comments

how can I do this inside a plain Dockerfile without compose
@PirateApp you can mount the tls directory, and do something like this: stackoverflow.com/questions/45141402/… I think it's the -v flag with docker to mount a volume docs.docker.com/storage/volumes
3

Redis doesn't provide SSL by itself, you have to do it yourself. There's an in-depth post about it which you can read and follow. Or, if you want to use a Dockerized solution, you can use ready images like this one or this one. When it comes to setting up Celery to work with Redis over SSL, just follow the documentation.

2 Comments

Thanks @Tomas, I followed the links that you suggested and was able to create a redis with ssl Docker container. I edited my steps above.
Redis 6.0 comes with SSL. No idea yet though on how to use it in docker. Probably mount your certificate data into the container.
2

I tried a way without creating my own Dockerfile with docker-compose and it worked for me.

version: "3"
services:
  redis:
    image: "redis:7.4.1"
    command: [
      "--port 0",
      "--tls-port 6379",
      "--tls-cert-file /certs/redis.crt",
      "--tls-key-file /certs/redis.key",
      "--tls-ca-cert-file /certs/ca.crt",
    ]
    ports:
      - 6379:6379
    volumes:
      - ./certs:/certs

It's important to set --port 0, otherwise redis will create two channels, one with tls and one without. If you want that, then you need different ports for each.

You can find out how to create certificates in the other answer. Add these required certificates in a ./certs directory relative to your compose file.

2 Comments

It is missing the ports property: ports: - "6379:6379"
@jordiburgos Well, it depends on if you need to expose the port to different networks. If you just want to make redis accessible inside the same compose, exposing is not necessary. But I added it for simplification.
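As an added check, not part of any answer on this page, the following stdlib-only Python script verifies a Redis server started as in the two compose-based answers above (--tls-port 6379 --port 0 with the certificates from the gen-certs script) and the requirepass from the question: it validates the server against the CA, presents the client certificate, sends AUTH and PING over TLS, and confirms that a cleartext PING to the same port is never answered with +PONG. The certificate paths, host name and password "foobared" are assumptions for a local lab.

```python
import socket
import ssl
# Trust only the signing CA and present a client cert: Redis 6+ defaults to tls-auth-clients
# yes (tls/client.{crt,key} from the gen-certs script). Those test certs' CNs (Server-only,
# Generic-cert) never match localhost, so keep hostname checking on with a cert for the real host.
def build_client_context(ca_file, cert_file=None, key_file=None, check_hostname=True):
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.check_hostname = check_hostname
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)
    return ctx

# Encode one command as a RESP array of bulk strings, exactly what redis-cli sends.
def encode_command(*parts):
    out = [b"*%d\r\n" % len(parts)]
    for raw in (p.encode() if isinstance(p, str) else p for p in parts):
        out.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(out)

# Decode a one-line RESP reply: b"+OK" -> ("ok", "OK"), b"-ERR x" -> ("error", "ERR x").
def parse_simple_reply(raw):
    line = raw.split(b"\r\n", 1)[0].decode(errors="replace")
    kind = {"+": "ok", "-": "error"}.get(line[:1], "other")
    return (kind, line[1:]) if kind != "other" else (kind, line)

# TLS handshake, AUTH when requirepass is set (as in the question), then PING.
def tls_ping(host, port, ctx, password=None):
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            if password:
                tls.sendall(encode_command("AUTH", password))
                reply = parse_simple_reply(tls.recv(1024))
                if reply[0] != "ok":
                    raise RuntimeError("AUTH failed: " + reply[1])
            tls.sendall(encode_command("PING"))
            return parse_simple_reply(tls.recv(1024))

# With --port 0 there is no plaintext listener; a cleartext PING to the TLS port never yields +PONG.
def plaintext_ping_rejected(host, port):
    try:
        with socket.create_connection((host, port), timeout=3) as sock:
            sock.sendall(encode_command("PING"))
            return not sock.recv(1024).startswith(b"+PONG")
    except OSError:  # refused, reset or timed out: not a plaintext Redis either
        return True

if __name__ == "__main__":  # paths, host and password are lab assumptions, adjust them
    ctx = build_client_context("tls/ca.crt", "tls/client.crt", "tls/client.key", check_hostname=False)
    print("tls ping:", tls_ping("localhost", 6379, ctx, password="foobared"))
    print("plaintext rejected:", plaintext_ping_rejected("localhost", 6379))
```

check_hostname=False is only acceptable against the lab certificates generated above, whose CNs cannot match any host name.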
