Redis is an open-source in-memory key-value data store used as a cache, database, and message broker. Vultr Managed Databases for Redis offers high availability, automatic updates, easy operation, and scalability. However, the Redis Command Line Interface (redis-cli) tool does not support TLS connections, which Vultr requires for managed databases.
Stunnel is an open-source proxy tool that creates secure TLS/SSL connection tunnels between servers. It can integrate with redis-cli and offer secure connections to a managed Redis cluster over TLS. Follow this guide to create a secure connection to Redis with Stunnel and redis-cli.
Before you start, you need to:
Deploy a managed Redis cluster.
Deploy a Vultr cloud server.
Install the stunnel4 package.
On Ubuntu/Debian:
$ sudo apt install stunnel4
On CentOS/RockyLinux:
$ sudo dnf install stunnel4
Install the redis-cli tool.
Ubuntu/Debian:
$ sudo apt install redis-tools
CentOS/RockyLinux:
$ sudo dnf install redis-tools
Enable the stunnel service to start at boot time.
$ sudo systemctl enable stunnel4
Start stunnel.
$ sudo systemctl start stunnel4
Verify that the stunnel service is active and running.
$ sudo systemctl status stunnel4
Create a new stunnel process directory in an accessible location such as /tmp or /var/run.
$ sudo mkdir -p /tmp/stunnel-pid
Change the directory ownership to the user nobody and group nogroup.
$ sudo chown -R nobody:nogroup /tmp/stunnel-pid
Create a new configuration file in the /etc/stunnel directory with a text editor of your choice.
$ sudo nano /etc/stunnel/stunnel.conf
Add the following directives to the file. Replace the connect example with the address of your Redis cluster.
fips = no
setuid = nobody
setgid = nogroup
pid = /tmp/stunnel-pid/stunnel.pid
debug = 7
delay = no
[redis-cli]
client = yes
accept = 127.0.0.1:4000
connect = example-address-vultr-prod.vultrdb.com:16752
Below is what each configuration line does:
fips: Enables the stunnel Federal Information Processing Standard (FIPS) mode 140-2.
setuid: Specifies the User ID stunnel should run as. By default, it runs as root, which is not recommended.
setgid: Specifies the Group ID stunnel should run as.
pid: Defines the directory where stunnel should store the process id file.
debug: Sets the debugging level ranging from 0 to 7. The highest level provides more detailed information in case of any errors.
delay: yes enables delays in the DNS lookup process and prevents stunnel from caching IP addresses. no enables faster DNS lookups to the Vultr Redis cluster.
[redis-cli]: Declares the client program service name.
client: yes instructs stunnel to run in client mode and connect to a TLS server. no instructs stunnel to run as the TLS server.
accept: Defines the host and port that stunnel should use to accept and encrypt connections from the client. You can define a custom port that stunnel should listen on. For this article, use port 4000.
connect: Defines the Vultr Redis Cluster Host address and port number where stunnel should connect.
Save and close the file.
Restart stunnel to load changes.
$ sudo systemctl restart stunnel4
Verify that the user nobody owns the running stunnel process.
$ ps aux | grep stunnel
Output:
nobody 2214 0.0 0.1 18224 2364 pts/0 Ssl 22:50 0:00 grep --color=auto stunnel
Stunnel is now actively running and ready to handle connections on port 4000 as defined in your configuration file.
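In client mode, stunnel does not verify the server certificate unless verifyChain or verifyPeer is set, so the configuration above encrypts the link without authenticating the Redis endpoint. The Python check below is an added example, not part of the original guide or of stunnel; it parses a stunnel.conf and reports client services that lack certificate verification, a non-loopback accept address, and debug = 7. The function names and finding texts are this example's own.

```python
# The guide's configuration, embedded so the example runs offline.
GUIDE_CONF = """\
fips = no
setuid = nobody
setgid = nogroup
pid = /tmp/stunnel-pid/stunnel.pid
debug = 7
delay = no
[redis-cli]
client = yes
accept = 127.0.0.1:4000
connect = example-address-vultr-prod.vultrdb.com:16752
"""

def parse_conf(text):
    """Return {section: {option: value}}; options before the first [section] are 'global'."""
    sections, current = {"global": {}}, "global"
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in ";#":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()  # names are case-insensitive
    return sections

def audit(text):
    """Return findings for every client-mode service in a stunnel configuration."""
    conf = parse_conf(text)
    defaults, findings = conf.pop("global"), []
    if defaults.get("debug") == "7":
        findings.append("global: debug = 7 logs at maximum verbosity")
    for name, svc in conf.items():
        opts = {**defaults, **svc}  # service options set globally act as defaults
        if opts.get("client") != "yes":
            continue
        if "yes" not in (opts.get("verifychain"), opts.get("verifypeer")):
            findings.append(f"{name}: server certificate is never verified")
        elif opts.get("verifypeer") != "yes" and not (opts.get("checkhost") or opts.get("checkip")):
            findings.append(f"{name}: chain is verified but the host name is not checked")
        # A bare port (no host part) makes stunnel listen on every interface.
        accept = opts.get("accept", "")
        host = accept.rsplit(":", 1)[0].strip("[]") if ":" in accept else ""
        if host not in ("127.0.0.1", "::1", "localhost"):
            findings.append(f"{name}: accept is not bound to a loopback address")
    return findings
```

Adding verifyChain = yes, a CAfile that points at the CA that issued the cluster's certificate, and checkHost set to the cluster hostname in the [redis-cli] section clears the certificate findings.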
By default, stunnel encrypts all connections over TLS. To connect to your Vultr Redis Cluster, use the redis-cli tool as described in the following steps.
Using the redis-cli tool, connect to the host 127.0.0.1 and stunnel port 4000 as defined in your configuration file.
$ redis-cli -h 127.0.0.1 -p 4000
Enter auth, then paste your Vultr Managed Redis password and press enter to access the cluster.
> auth CLUSTER-PASSWORD
Enter ping to verify that you're connected to the Vultr Redis cluster.
> ping
A successful connection should return the following output:
PONG
If the ping command returns the following error:
Error: Server closed the connection
First, check your stunnel configuration, and verify that you entered the correct Vultr Managed Redis hostname and port.
$ cat /etc/stunnel/stunnel.conf
Next, verify that you entered your Vultr Redis password correctly.
> auth CLUSTER-PASSWORD
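Alternatively, pass your password to the redis-cli command with the -a flag to log in when the connection starts, as shown below. A password given on the command line is recorded in your shell history and may be visible to other local users in the process list.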
$ redis-cli -h 127.0.0.1 -p 4000 -a CLUSTER-PASSWORD
In this article, you have configured stunnel to securely connect to a Vultr Managed Redis cluster using the redis-cli tool. You can also use the tunnel to securely connect your Redis cluster to applications in PHP, Go, Node.js or Python. For more information on how to use stunnel, please visit its official documentation.