How to enable TLS/SSL in Redis 6 Docker library?
The latest version of Redis Docker has introduced TLS/SSL features, but I am not able to figure out how to enable it for the latest version of Redis Docker.

Further, I would also like to know how to modify the number of IO threads (for multithreading, also introduced in Redis 6) in a Docker environment?

Perpetuity answered 16/7, 2020 at 6:45 Comment(4)
For TLS, have you checked this? redis.io/topics/encryption For IO, just find the redis.conf; in it, search for the io-threads option and modify the number of threads. For Docker, you'll have to save the modified config file and make an image based on it yourself. - Likeness
Hunter. Thanks for your reply. I have looked at the link you mentioned, where it says to enable an option during build. How do I do it in case of Redis Docker, or is the Docker version BUILD_TLS enabled? - Perpetuity
About the number of io-threads: I need to do benchmarking for my application, so it is difficult to create a docker for each thread count. Instead, is it possible to specify the IO thread count during the start of the docker? - Perpetuity
Sorry, I can't help. I have limited experience with Docker. - Likeness
BUILD_TLS is enabled for Docker's Redis v6 image.

Configuring the Redis server in the container is done by:

  1. Create a config file on the host, e.g. /my/redis.conf
  2. Mount the file and give it as an argument when launching the container: docker run -v /my/redis.conf:/redis.conf ... redis:6.0 /redis.conf
Wohlen answered 16/7, 2020 at 18:47 Comment(2)
Thanks @Itamar. I would like to know how to generate certificates for Redis in a Docker setup, and how to associate them with the Redis server and client, again in a Docker environment? - Perpetuity
I'd recommend generating the certs on your host, then mounting/copying them to the relevant containers. - Wohlen
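The mounted-config approach above also answers the io-threads question from the comments: the thread count is just another directive in the file, so a benchmark can rewrite the file per run instead of building one image per count. The script below is an added example, not code from the answer or from the Redis project; the host path /my/redis.conf, the /my/certs and /certs directories, and the file names server.crt, server.key and ca.crt are assumptions. The directive names are real Redis 6 options.

```shell
#!/bin/sh
# Added example (not part of the original answer): generate a TLS-only
# redis.conf for the mount-a-config-file approach, with the io-threads count
# taken as an argument so a benchmark can try several counts by rewriting the
# file instead of building one image per count. Paths such as /my/redis.conf,
# /my/certs and the server.crt/server.key/ca.crt file names are assumptions.

# write_redis_tls_conf OUTFILE IO_THREADS CERT_DIR
#   OUTFILE     host path of the config file (mounted into the container)
#   IO_THREADS  number of IO threads; Redis accepts 1..128
#   CERT_DIR    directory *inside the container* holding server.crt, server.key, ca.crt
write_redis_tls_conf() {
    outfile="$1"
    io_threads="$2"
    cert_dir="$3"

    # Reject values redis-server would refuse at startup.
    case "$io_threads" in
        ''|*[!0-9]*) echo "io-threads must be a positive integer, got '$io_threads'" >&2; return 1 ;;
    esac
    if [ "$io_threads" -lt 1 ] || [ "$io_threads" -gt 128 ]; then
        echo "io-threads must be between 1 and 128, got $io_threads" >&2
        return 1
    fi

    cat > "$outfile" <<EOF
# Generated by write_redis_tls_conf (added example, not a Redis default file).
# port 0 closes the plaintext listener; only the TLS port is reachable.
port 0
tls-port 6379
tls-cert-file $cert_dir/server.crt
tls-key-file $cert_dir/server.key
tls-ca-cert-file $cert_dir/ca.crt
# Require a client certificate signed by the CA (mutual TLS).
tls-auth-clients yes
# Refuse legacy protocol versions.
tls-protocols "TLSv1.2 TLSv1.3"
# Redis 6 IO threads parallelise socket reads/writes, not command execution.
io-threads $io_threads
io-threads-do-reads yes
EOF
}

# Demo: write a 4-thread config into a temp dir and print the matching run command.
demo_dir=$(mktemp -d)
write_redis_tls_conf "$demo_dir/redis.conf" 4 /certs
echo "docker run -v $demo_dir/redis.conf:/redis.conf -v /my/certs:/certs:ro -p 6379:6379 redis:6.0 /redis.conf"
```

Because the official image's entrypoint forwards its arguments to redis-server, a single count can also be overridden at launch without touching the file, e.g. `docker run ... redis:6.0 /redis.conf --io-threads 8`; the generated file keeps the TLS settings either way.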
2023 update

If you just want a Docker container that has Redis on it with SSL enabled, here is what you need:

Dockerfile

# https://www.appsloveworld.com/docker/100/19/how-to-set-up-a-docker-redis-container-with-ssl
# https://redis.io/docs/management/security/encryption/
# https://spin.atomicobject.com/2021/08/05/configuring-redis-tls/
# Plain redis-cli command will not work
# redis-cli --tls --cert tests/tls/redis.crt --key tests/tls/redis.key --cacert tests/tls/ca.crt

FROM redis:7 as base
RUN apt-get update && apt-get install -y openssl
USER redis
COPY --chown=redis:redis ./.docker/dev/redis/generate_certificates.sh ./
RUN chmod +x ./generate_certificates.sh
RUN ./generate_certificates.sh
CMD ["redis-server", "--tls-port", "6379", "--port", "0", "--tls-cert-file", "tests/tls/redis.crt", "--tls-key-file", "tests/tls/redis.key", "--tls-ca-cert-file", "tests/tls/ca.crt"]

The generate_certificates.sh file simply uses openssl to generate all the required .crt and .key files.

generate_certificates.sh

#!/bin/bash
# Abort on the first failing openssl step so the build does not succeed with missing certs.
set -e

# https://github.com/redis/redis/blob/unstable/utils/gen-test-certs.sh
# Generate some test certificates which are used by the regression test suite:
#
#   tests/tls/ca.{crt,key}          Self signed CA certificate.
#   tests/tls/redis.{crt,key}       A certificate with no key usage/policy restrictions.
#   tests/tls/client.{crt,key}      A certificate restricted for SSL client usage.
#   tests/tls/server.{crt,key}      A certificate restricted for SSL server usage.
#   tests/tls/redis.dh              DH Params file.

generate_cert() {
    local name=$1
    local cn="$2"
    local opts="$3"

    local keyfile=tests/tls/${name}.key
    local certfile=tests/tls/${name}.crt

    [ -f $keyfile ] || openssl genrsa -out $keyfile 2048
    openssl req \
        -new -sha256 \
        -subj "/O=Redis Test/CN=$cn" \
        -key $keyfile | \
        openssl x509 \
            -req -sha256 \
            -CA tests/tls/ca.crt \
            -CAkey tests/tls/ca.key \
            -CAserial tests/tls/ca.txt \
            -CAcreateserial \
            -days 365 \
            $opts \
            -out $certfile
}

mkdir -p tests/tls
[ -f tests/tls/ca.key ] || openssl genrsa -out tests/tls/ca.key 4096
openssl req \
    -x509 -new -nodes -sha256 \
    -key tests/tls/ca.key \
    -days 3650 \
    -subj '/O=Redis Test/CN=Certificate Authority' \
    -out tests/tls/ca.crt

cat > tests/tls/openssl.cnf <<_END_
[ server_cert ]
keyUsage = digitalSignature, keyEncipherment
nsCertType = server
[ client_cert ]
keyUsage = digitalSignature, keyEncipherment
nsCertType = client
_END_

generate_cert server "Server-only" "-extfile tests/tls/openssl.cnf -extensions server_cert"
generate_cert client "Client-only" "-extfile tests/tls/openssl.cnf -extensions client_cert"
generate_cert redis "Generic-cert"

[ -f tests/tls/redis.dh ] || openssl dhparam -out tests/tls/redis.dh 2048

To run it, just do:

docker build -t ssl_redis_image -f ...Dockerfile .
docker run -p 6379:6379 --name ssl_redis_container ssl_redis_image
docker exec -it ssl_redis_container sh

Once you are inside the shell of the Redis container, you can try redis-cli and enter a simple command like:

SET val 1

It will immediately give you an error. You will need to run redis-cli with the certificates:

redis-cli --tls --cert tests/tls/redis.crt --key tests/tls/redis.key --cacert tests/tls/ca.crt

Then try setting a value again, and you should be able to get it to work now.

Stoner answered 1/2, 2023 at 10:21 Comment(0)
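The Dockerfile above gets the important part right by passing `--port 0`, so the plaintext listener is closed and only the TLS port is exposed; it leaves tls-auth-clients and tls-protocols at their defaults. The script below is an added example, not code from the answer or from the Redis project: it audits a redis.conf for exactly those settings (plaintext port still open next to tls-port, missing cert/key/CA paths, client authentication switched off, legacy TLS versions allowed) and returns non-zero on any finding, so it can gate an image build. The directive names are real Redis 6/7 options; both sample configs are constructed here.

```shell
#!/bin/sh
# Added example (not part of the original answer): audit a redis.conf for the
# TLS settings discussed above. Directive names are real Redis 6/7 options;
# both sample configs at the bottom are constructed for this example.

# conf_get FILE DIRECTIVE: print the directive's value (last occurrence wins,
# as in Redis), with double quotes removed; prints an empty line if absent.
conf_get() {
    awk -v k="$2" '
        $1 == k { v = $2; for (i = 3; i <= NF; i++) v = v " " $i }
        END { gsub(/"/, "", v); print v }
    ' "$1"
}

# audit_redis_tls FILE: print one line per finding; return 0 only if clean.
audit_redis_tls() {
    f="$1"
    n=0
    plain_port=$(conf_get "$f" port)
    tls_port=$(conf_get "$f" tls-port)

    if [ -z "$tls_port" ] || [ "$tls_port" = 0 ]; then
        echo "FAIL: tls-port not set; every connection is plaintext"; n=$((n + 1))
    elif [ "${plain_port:-6379}" != 0 ]; then
        # Redis keeps the default plaintext listener (6379) unless port is 0.
        echo "FAIL: plaintext port ${plain_port:-6379} still open beside tls-port $tls_port; set 'port 0'"; n=$((n + 1))
    fi

    for d in tls-cert-file tls-key-file tls-ca-cert-file; do
        [ -n "$(conf_get "$f" "$d")" ] || { echo "FAIL: $d not set"; n=$((n + 1)); }
    done

    if [ "$(conf_get "$f" tls-auth-clients)" = no ]; then
        echo "WARN: tls-auth-clients no; clients are not authenticated by certificate"; n=$((n + 1))
    fi

    protos=$(conf_get "$f" tls-protocols)
    if [ -z "$protos" ]; then
        echo "WARN: tls-protocols not pinned; accepted versions follow OpenSSL defaults"; n=$((n + 1))
    else
        for p in $protos; do
            case "$p" in
                TLSv1|TLSv1.1) echo "FAIL: tls-protocols allows legacy $p"; n=$((n + 1)) ;;
            esac
        done
    fi

    [ "$n" -eq 0 ]
}

# Constructed samples: one weak, one hardened.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
port 6379
tls-port 6380
tls-cert-file /certs/server.crt
tls-key-file /certs/server.key
tls-auth-clients no
tls-protocols "TLSv1 TLSv1.1 TLSv1.2"
EOF

GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
port 0
tls-port 6379
tls-cert-file /certs/server.crt
tls-key-file /certs/server.key
tls-ca-cert-file /certs/ca.crt
tls-auth-clients yes
tls-protocols "TLSv1.2 TLSv1.3"
EOF

echo "== weak =="; audit_redis_tls "$WEAK_CONF" || echo "(rejected)"
echo "== hardened =="; audit_redis_tls "$GOOD_CONF" && echo "(clean)"
```

The weak sample reproduces the common mistake of adding tls-port without setting port 0, which leaves the original 6379 listener accepting plaintext; the hardened sample is the file equivalent of the flags in the Dockerfile's CMD with client authentication and protocol versions pinned explicitly.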

© 2022 - 2024 — McMap. All rights reserved.