Use case
The Redis service must not be reachable by clients directly; a client can only connect when it presents the matching certificate.
OpenSSL certificate generation
mkdir -p tests/tls
openssl genrsa -out tests/tls/ca.key 4096
openssl req \
    -x509 -new -nodes -sha256 \
    -key tests/tls/ca.key \
    -days 3650 \
    -subj '/O=Redis Test/CN=Certificate Authority' \
    -out tests/tls/ca.crt
openssl genrsa -out tests/tls/redis.key 2048
openssl req \
    -new -sha256 \
    -key tests/tls/redis.key \
    -subj '/O=Redis Test/CN=Server' | \
    openssl x509 \
        -req -sha256 \
        -CA tests/tls/ca.crt \
        -CAkey tests/tls/ca.key \
        -CAserial tests/tls/ca.txt \
        -CAcreateserial \
        -days 365 \
        -out tests/tls/redis.crt
openssl dhparam -out tests/tls/redis.dh 2048
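As an added example (not from the original post and not the Redis project's own script), the OpenSSL steps above wrapped into a shell function, extended with a separate client certificate instead of reusing the server certificate for the client, and followed by a check that each leaf certificate chains to the CA and matches its private key. The output directory and the CN values of the leaf certificates are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or the Redis project): wraps the
# OpenSSL steps into functions and adds a chain check plus a separate client
# certificate. Directory name and subject strings are assumptions.
set -eu

# gen_certs DIR: create CA, server and client certificates under DIR.
gen_certs() {
    dir="$1"
    mkdir -p "$dir"

    # 1. Private CA: self-signed, 10 years, used only to sign the two leaf certs.
    openssl genrsa -out "$dir/ca.key" 4096 2>/dev/null
    openssl req -x509 -new -nodes -sha256 \
        -key "$dir/ca.key" -days 3650 \
        -subj '/O=Redis Test/CN=Certificate Authority' \
        -out "$dir/ca.crt"

    # 2. One leaf certificate per role, each signed by the CA (CN is an assumption).
    for role in server client; do
        openssl genrsa -out "$dir/$role.key" 2048 2>/dev/null
        openssl req -new -sha256 -key "$dir/$role.key" \
            -subj "/O=Redis Test/CN=$role" |
        openssl x509 -req -sha256 \
            -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
            -CAserial "$dir/ca.txt" -CAcreateserial \
            -days 365 -out "$dir/$role.crt" 2>/dev/null
    done

    # 3. Private keys must not be world-readable; redis-server reads them as its own user.
    chmod 600 "$dir"/*.key
}

# verify_chain DIR: succeed only if both leaf certs chain to ca.crt and
# each certificate's public key matches the one derived from its private key.
verify_chain() {
    dir="$1"
    for role in server client; do
        openssl verify -CAfile "$dir/ca.crt" "$dir/$role.crt" >/dev/null || return 1
        cert_pub=$(openssl x509 -in "$dir/$role.crt" -noout -pubkey)
        key_pub=$(openssl pkey -in "$dir/$role.key" -pubout)
        [ "$cert_pub" = "$key_pub" ] || return 1
    done
}

# Usage: generate into tests/tls and verify before starting redis-server.
# gen_certs tests/tls && verify_chain tests/tls && echo "certificates OK"
```

The chain check is worth running before starting the server: a leaf certificate signed by the wrong CA, or a certificate that does not match the key next to it, produces a confusing handshake failure on the client side rather than a clear error at startup.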
Download and install Redis
$ wget https://download.redis.io/releases/redis-6.0.8.tar.gz
$ tar xzf redis-6.0.8.tar.gz
$ cd redis-6.0.8
# Note: TLS support must be enabled when running make.
$ make BUILD_TLS=yes
Run Redis with the certificates
./src/redis-server --tls-port 6379 --port 0 \
    --tls-cert-file ./tests/tls/redis.crt \
    --tls-key-file ./tests/tls/redis.key \
    --tls-ca-cert-file ./tests/tls/ca.crt
Verify that TLS is in effect
First connect without a certificate: after connecting, the SET fails immediately.
./src/redis-cli
127.0.0.1:6379> set key 1
Error: Connection reset by peer
Then we connect with the certificate, run set key 1, and it succeeds.
./src/redis-cli --tls \
    --cert ./tests/tls/redis.crt \
    --key ./tests/tls/redis.key \
    --cacert ./tests/tls/ca.crt
127.0.0.1:6379> set key 1
OK
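An added check, not part of the original post, that turns the two manual connections above into one script. It succeeds only if the port refuses plaintext, refuses TLS without a client certificate (Redis's default tls-auth-clients yes), and answers PONG over mutual TLS with the CA-signed certificate. Host, port and the certificate directory are assumptions, and the server must be running as started above.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a Redis instance
# enforces TLS the way the post configures it. HOST, PORT and CERTDIR
# (holding ca.crt, redis.crt, redis.key) are assumptions.
set -u

# tls_enforced HOST PORT CERTDIR: return 0 only if
#   1. a plaintext PING is not answered,
#   2. a TLS PING without a client certificate is not answered, and
#   3. a mutual-TLS PING with the CA-signed certificate returns PONG.
tls_enforced() {
    host="$1"; port="$2"; dir="$3"

    # 1. No --tls: the server must not speak plaintext on this port.
    if redis-cli -h "$host" -p "$port" ping 2>/dev/null | grep -q '^PONG$'; then
        echo "FAIL: plaintext PING answered on $host:$port" >&2
        return 1
    fi

    # 2. --tls with only the CA: without a client certificate the server must refuse us.
    if redis-cli -h "$host" -p "$port" --tls --cacert "$dir/ca.crt" ping 2>/dev/null \
            | grep -q '^PONG$'; then
        echo "FAIL: server accepted a TLS client without a certificate" >&2
        return 1
    fi

    # 3. Full mutual TLS, as in the post, must work.
    if redis-cli -h "$host" -p "$port" --tls \
            --cert "$dir/redis.crt" --key "$dir/redis.key" --cacert "$dir/ca.crt" \
            ping 2>/dev/null | grep -q '^PONG$'; then
        echo "OK: $host:$port accepts only mutually authenticated TLS"
        return 0
    fi
    echo "FAIL: mutual TLS PING to $host:$port did not return PONG" >&2
    return 1
}

# Usage against the server started above:
# tls_enforced 127.0.0.1 6379 ./tests/tls
```

Step 2 is the one the post does not exercise by hand: it confirms that the server really requires a client certificate and not merely encryption, which is the difference between a TLS-only port and a mutually authenticated one.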