[4] Redis – SSL/TLS
28 January 2022
We will now configure SSL/TLS for the Redis database.
[1] Create your own certificate. If you have certificates from Let's Encrypt, you can skip this step.
[root@vlsr01 ~]# cd /etc/pki/tls/certs/
[root@vlsr01 certs]# openssl req -x509 -nodes -newkey rsa:2048 -keyout redis.pem -out redis.pem -days 3650
Generating a RSA private key
......+++++
................................................................................+++++
writing new private key to 'redis.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:PL
State or Province Name (full name) []:Slask
Locality Name (eg, city) [Default City]:Rybnik
Organization Name (eg, company) [Default Company Ltd]:ZICHER.LAB
Organizational Unit Name (eg, section) []:zicher.LAB DB REDIS
Common Name (eg, your name or your server's hostname) []:vlsr01.zicher.lab
Email Address []:root@zicher.lab
[root@vlsr01 certs]# chmod 600 redis.pem
[root@vlsr01 certs]# chown redis. redis.pem
[2] Configure Redis.
[root@vlsr01 ~]# mcedit /etc/redis.conf
#line 91: change
port 0
#line 138: uncomment
tls-port 6379
#lines 144,145: uncomment and enter the paths to the certificates
tls-cert-file /etc/pki/tls/certs/redis.pem
tls-key-file /etc/pki/tls/certs/redis.pem
#line 156: uncomment and enter the path of the directory holding the certificates
tls-ca-cert-dir /etc/pki/tls/certs
#line 165: uncomment
tls-auth-clients no
[root@vlsr01 ~]# systemctl restart redis
[3] Connect to Redis over SSL/TLS from other hosts. If you connect from other hosts, you must copy the certificate [redis.pem] to them.
[root@vlsr02 ~]# ll /etc/pki/tls/certs/
razem 4
lrwxrwxrwx. 1 root  root    49 2021-06-17 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx. 1 root  root    55 2021-06-17 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
-rw-r--r--. 1 redis redis 3193 01-28 11:50 redis.pem
#pass the [--tls] option and the certificate paths
[root@vlsr02 ~]# redis-cli -h vlsr01.zicher.lab --tls --cert /etc/pki/tls/certs/redis.pem --key /etc/pki/tls/certs/redis.pem --cacert /etc/pki/tls/certs/redis.pem
vlsr01.zicher.lab:6379> auth TajneHasło
OK
vlsr01.zicher.lab:6379> info
# Server
redis_version:6.0.9
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:e4ff3471ca3afc0
redis_mode:standalone
os:Linux 4.18.0-358.el8.x86_64 x86_64
arch_bits:64
multiplexing_api:epoll
atomicvar_api:atomic-builtin
gcc_version:8.4.1
process_id:1883
run_id:17fafea5c03dfdfda773343b32cc4185c64bebeb
tcp_port:6379
. . . . .
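As an added check (not part of the original post), the Python script below parses the TLS directives from redis.conf and reports the weak points of the setup in steps [2] and [3]: the plaintext port, a missing TLS listener, `tls-auth-clients no`, and a single PEM file that holds both certificate and private key, which is the file step [3] copies to every client. The config excerpt and the `requirepass` line are constructed to mirror the post; the function names are my own.

```python
from typing import Dict, List

# Constructed redis.conf excerpt mirroring step [2] above (not the real file).
SAMPLE_CONF = """\
# Accept connections on the specified port, default is 6379.
port 0
# tls-port 6379
tls-port 6379
tls-cert-file /etc/pki/tls/certs/redis.pem
tls-key-file /etc/pki/tls/certs/redis.pem
tls-ca-cert-dir /etc/pki/tls/certs
tls-auth-clients no
requirepass TajneHasło
"""


def parse_redis_conf(text: str) -> Dict[str, str]:
    """Map each active directive (comments and blank lines skipped) to its value."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def check_tls_posture(conf: Dict[str, str]) -> List[str]:
    """Return findings against the directives set in step [2]; [] means clean."""
    findings: List[str] = []
    # Redis defaults: port 6379, tls-port 0, tls-auth-clients yes.
    if conf.get("port", "6379") != "0":
        findings.append("plaintext listener still open: set 'port 0'")
    if conf.get("tls-port", "0") == "0":
        findings.append("tls-port not set: TLS listener is disabled")
    for key in ("tls-cert-file", "tls-key-file"):
        if not conf.get(key):
            findings.append(f"{key} is missing")
    if conf.get("tls-cert-file") and conf["tls-cert-file"] == conf.get("tls-key-file"):
        # One PEM holding key and cert must never be handed to clients as --cacert.
        findings.append("tls-cert-file and tls-key-file are the same file (private key inside)")
    if conf.get("tls-auth-clients", "yes") == "no":
        findings.append("tls-auth-clients no: clients are not authenticated by certificate")
        if not conf.get("requirepass"):
            findings.append("no requirepass either: any TLS client can issue commands")
    return findings


if __name__ == "__main__":
    for finding in check_tls_posture(parse_redis_conf(SAMPLE_CONF)):
        print("WARN:", finding)
```

Run it against the real /etc/redis.conf by reading the file into `parse_redis_conf`; an empty result means TLS-only listening with certificate-based client authentication.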