To encrypt the replication traffic between Redis masters and slaves, we recommend using stunnel. Stunnel acts as a TLS wrapper between the Redis client and server, so Redis itself needs no TLS support.
This tutorial explains in detail how to install and configure stunnel proxies on both the FreeBSD client and the FreeBSD server.
If you are using DigitalOcean’s managed Redis, there is a community tutorial available as an alternative.
The procedure for other operating systems is very similar. To keep things simple, this tutorial covers replication to a single client host only, so it does not need a separate pre-shared key for each client.
Assuming we have 3 Redis instances on both the server and the client, the listening sockets on the server (master side) are:

| instance | Redis socket | stunnel socket |
|---|---|---|
| redis | localhost:6379 | - |
| bayes | localhost:6378 | master.example.com:6478 |
| fuzzy | localhost:6377 | master.example.com:6477 |
Since the redis instance should not be mirrored, we will replicate only the fuzzy and bayes instances. Consequently, we need to set up two TLS tunnels.
First install the security/stunnel package:

```
# pkg install stunnel
```
Create the pid-file directory:

```
# mkdir /var/run/stunnel && chown stunnel:stunnel /var/run/stunnel
```
To enable stunnel, add the following lines to /etc/rc.conf:

```
stunnel_enable="YES"
stunnel_pidfile="/var/run/stunnel/stunnel.pid"
```
On the server (master side), /usr/local/etc/stunnel/stunnel.conf accepts the TLS connections and forwards them to the local Redis sockets:

```
setuid = stunnel
setgid = nogroup
pid = /var/run/stunnel/stunnel.pid
[bayes]
accept = 6478
connect = 6378
ciphers = PSK
PSKsecrets = /usr/local/etc/stunnel/psk.txt
[fuzzy]
accept = 6477
connect = 6377
ciphers = PSK
PSKsecrets = /usr/local/etc/stunnel/psk.txt
```
On the client (slave side), /usr/local/etc/stunnel/stunnel.conf runs in client mode: it listens on localhost and opens a TLS connection to the master for each local connection:

```
setuid = stunnel
setgid = nogroup
pid = /var/run/stunnel/stunnel.pid
[bayes]
client = yes
accept = localhost:6478
connect = master.example.com:6478
ciphers = PSK
PSKsecrets = /usr/local/etc/stunnel/psk.txt
[fuzzy]
client = yes
accept = localhost:6477
connect = master.example.com:6477
ciphers = PSK
PSKsecrets = /usr/local/etc/stunnel/psk.txt
```
Create /usr/local/etc/stunnel/psk.txt on both hosts, since both configurations reference it. The psk.txt file contains one line per client in the form identity:key:

```
test1:oaP4EishaeSaishei6rio6xeeph3az
```

Do not use the example password; generate your own random key.
Since both the bayes and fuzzy Redis instances are located on the same host, we can use the same key for both of them.
Because this file contains sensitive information, it is crucial to keep it secret by setting restrictive permissions on it:

```
# chmod 600 /usr/local/etc/stunnel/psk.txt
```
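As an added example (not part of the original tutorial), the POSIX sh helpers below generate a random key, append an identity:key line to a psk.txt file created with mode 0600, and check an existing psk.txt for the permission and key-length mistakes that would otherwise only show up when stunnel starts. The identity names are made up; the 16-byte minimum key length is the one stunnel's PSKsecrets documentation requires.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: helpers to create a psk.txt
# entry with a random key and to sanity-check the file before starting stunnel.
# Assumes a POSIX sh with od, tr and ls; identities such as "replica1" are made up.

# Print a random 32-byte key as 64 hexadecimal characters. stunnel converts
# hexadecimal keys to binary and requires at least 16 bytes, so this is ample.
gen_psk_key() {
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# Append "identity:key" to file $1 for identity $2. The file is created with
# mode 0600 (umask set in a subshell so the caller's umask is untouched).
add_psk_entry() {
    _file=$1 _identity=$2
    _key=$(gen_psk_key)
    ( umask 077; printf '%s:%s\n' "$_identity" "$_key" >> "$_file" ) || return 1
    chmod 600 "$_file"
}

# Verify that $1 is mode 0600 and that every non-empty line is identity:key
# with a key of at least 32 characters. Returns 0 on success, 1 otherwise.
check_psk_file() {
    _file=$1
    _perm=$(ls -ld "$_file" | cut -c1-10)
    [ "$_perm" = "-rw-------" ] ||
        { echo "$_file: mode is $_perm, want -rw-------" >&2; return 1; }
    while IFS=: read -r _identity _key; do
        [ -z "$_identity$_key" ] && continue          # skip blank lines
        [ -n "$_identity" ] && [ "${#_key}" -ge 32 ] ||
            { echo "$_file: bad entry for identity '$_identity'" >&2; return 1; }
    done < "$_file"
    return 0
}
```

On a real host you would call `add_psk_entry /usr/local/etc/stunnel/psk.txt replica1` once per client and then `check_psk_file /usr/local/etc/stunnel/psk.txt` before starting the service.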
Then start stunnel:

```
# service stunnel start
```

From the client host, use the redis-cli utility to connect to the remote instances through the local tunnel endpoints:

```
# redis-cli -p 6477
# redis-cli -p 6478
```
Once these connections work, you are ready to configure replication between the Redis instances, pointing each slave at its local tunnel endpoint rather than at the master directly. You can follow the instructions provided in the Redis replication configuration guide.