Question posted in
The official documentation can be found here.

How to set up a Docker redis container with ssl

I’m following this tutorial.

In my case I am operating in a Docker environment, and I have a secured site (i.e. https://localhost). which requires secured ssl communication.

I adjusted the web, and celery containers for secure connection.
But I don’t know how to configure the Redis container for secure connection with ssl
Note that when I run without ssl connection in the web and celery containers, the connection is fine.

How do I configure and run redis with ssl?

Thanks

EDIT:

I followed this tutorial to set redis with ssl and this tutorial to set redis with ssl via stunnel in Docker container.

I successfully tested the connection from my localhost to the redis docker container, by invoking redis-cli from localhost (via stunnel) to the redis docker container, using the following call from the localhost:

redis-cli -h 127.0.0.1 -p 6381
127.0.0.1:6381> auth foobared
OK
127.0.0.1:6381>

Related files on the redis server Docker side:

docker-compose file (my webapp includes multiple services, but to for simplification I removed all services except for the redis container):

version: '3'

services:
  redis:
    build:
      context: ./redis
      dockerfile: Dockerfile
    restart: always
    command: sh -c "stunnel /stunnel_take2.conf && /usr/local/bin/redis-server /etc/redis/redis.conf"
    expose:
      - '6379'
    ports:
     - "6379:6379"
    volumes:
      - /home/avner/avner/certs:/etc/certs
      - /home/avner/avner/redis/conf:/etc/redis

redis container Dockerfile

FROM redis:5-alpine

RUN apk add --no-cache 
    stunnel~=5.56 
    python3~=3.8

COPY stunnel-redis-server.conf /

WORKDIR /

ENV PYTHONUNBUFFERED=1

redis server redis conf file – redis/conf/redis.conf

...
requirepass foobared
...

redis server stunnel conf file – redis/stunnel-redis-server.conf

cert = /etc/certs/private.pem
pid = /var/run/stunnel.pid

[redis]
accept = 172.19.0.2:6380
connect = 127.0.0.1:6379

Related files on the client side (localhost):

redis client stunnel conf file – /etc/stunnel/redis-client.conf

cert = /etc/cert/private.pem
client = yes
pid = /var/run/stunnel.pid
[redis]
accept = 127.0.0.1:6381
connect = 172.19.0.2:6380
Tags:

2

Answers


  1. 0

    Redis doesn’t provide SSL by itself, you have to do it yourself. There’s an in-depth post about it which you can read and follow. Or, if you want to use a Dockerized solution, you can use ready images like this one or this one. When it comes to setting up Celery to work with Redis over SSL, just follow the documentation.

    Login or Signup to reply.
  2. 0

    I’ve created an example repo, for how one might setup a docker container to use the new redis v6+ ssl:

    docker-compose.yml

    version: "3"

volumes:
  redis:

services:
  redis:
    image: "example/redis:v6.0.13"
    command: ["/app/docker-redis-entrypoint.sh"]
    container_name: redis
    ports:
      - 6379:6379
    volumes:
      - redis:/data
      - ./:/app

    Dockerfile:

    FROM redis:6.0.13 as base
COPY ./redis/tls /tls

    entrypoint.sh

    
#!/bin/sh
set -e

redis-server --tls-port 6379 --port 0 
    --tls-cert-file /tls/redis.crt 
    --tls-key-file /tls/redis.key 
    --tls-ca-cert-file /tls/ca.crt

    gen-redi-certs.sh

    
#!/bin/bash

# COPIED/MODIFIED from the redis server gen-certs util

# Generate some test certificates which are used by the regression test suite:
#
#   tls/ca.{crt,key}          Self signed CA certificate.
#   tls/redis.{crt,key}       A certificate with no key usage/policy restrictions.
#   tls/client.{crt,key}      A certificate restricted for SSL client usage.
#   tls/server.{crt,key}      A certificate restricted for SSL server usage.
#   tls/redis.dh              DH Params file.

generate_cert() {
    local name=$1
    local cn="$2"
    local opts="$3"

    local keyfile=tls/${name}.key
    local certfile=tls/${name}.crt

    [ -f $keyfile ] || openssl genrsa -out $keyfile 2048
    openssl req 
        -new -sha256 
        -subj "/O=Redis Test/CN=$cn" 
        -key $keyfile | 
        openssl x509 
            -req -sha256 
            -CA tls/ca.crt 
            -CAkey tls/ca.key 
            -CAserial tls/ca.txt 
            -CAcreateserial 
            -days 365 
            $opts 
            -out $certfile
}

mkdir -p tls
[ -f tls/ca.key ] || openssl genrsa -out tls/ca.key 4096
openssl req 
    -x509 -new -nodes -sha256 
    -key tls/ca.key 
    -days 3650 
    -subj '/O=Redis Test/CN=Certificate Authority' 
    -out tls/ca.crt

cat > tls/openssl.cnf <<_END_
[ server_cert ]
keyUsage = digitalSignature, keyEncipherment
nsCertType = server
[ client_cert ]
keyUsage = digitalSignature, keyEncipherment
nsCertType = client
_END_

generate_cert server "Server-only" "-extfile tls/openssl.cnf -extensions server_cert"
generate_cert client "Client-only" "-extfile tls/openssl.cnf -extensions client_cert"
generate_cert redis "Generic-cert"

[ -f tls/redis.dh ] || openssl dhparam -out tls/redis.dh 2048
    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search