Scenario
The Redis service must not be reachable by an ordinary client; a client can connect only if it presents the matching certificate (mutual TLS).
Generating the certificates with OpenSSL
mkdir -p tests/tls
openssl genrsa -out tests/tls/ca.key 4096
openssl req \
-x509 -new -nodes -sha256 \
-key tests/tls/ca.key \
-days 3650 \
-subj '/O=Redis Test/CN=Certificate Authority' \
-out tests/tls/ca.crt
openssl genrsa -out tests/tls/redis.key 2048
openssl req \
-new -sha256 \
-key tests/tls/redis.key \
-subj '/O=Redis Test/CN=Server' | \
openssl x509 \
-req -sha256 \
-CA tests/tls/ca.crt \
-CAkey tests/tls/ca.key \
-CAserial tests/tls/ca.txt \
-CAcreateserial \
-days 365 \
-out tests/tls/redis.crt
openssl dhparam -out tests/tls/redis.dh 2048
Downloading and building Redis
$ wget https://download.redis.io/releases/redis-6.0.8.tar.gz
$ tar xzf redis-6.0.8.tar.gz
$ cd redis-6.0.8
# Note: TLS support must be enabled at build time, otherwise the --tls-* options are not available.
$ make BUILD_TLS=yes
Running Redis with the certificates
./src/redis-server --tls-port 6379 --port 0 \
--tls-cert-file ./tests/tls/redis.crt \
--tls-key-file ./tests/tls/redis.key \
--tls-ca-cert-file ./tests/tls/ca.crt
Verifying that TLS is in effect
First connect without certificates. Because port 6379 is now TLS-only (--port 0 --tls-port 6379), the plaintext client's first command is not a TLS handshake and the server drops the connection, so the set fails immediately.
./src/redis-cli
127.0.0.1:6379> set key 1
Error: Connection reset by peer
Then connect with the certificates and run set key 1, which succeeds.
./src/redis-cli --tls \
--cert ./tests/tls/redis.crt \
--key ./tests/tls/redis.key \
--cacert ./tests/tls/ca.crt
127.0.0.1:6379> set key 1
OK
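Before pointing redis-server at the generated files it is worth checking them the way an operator would: that the server certificate actually chains to the CA passed in --tls-ca-cert-file, that the private key matches the certificate, and that the certificate is not about to expire. The script below is an added example, not part of the original post or of the Redis project; it reproduces the openssl commands above into a directory of your choosing (using a 2048-bit CA key instead of 4096 purely for speed) and then runs those three checks. The same check applied to a certificate issued by a different CA fails, which is exactly why a client holding such a certificate is rejected by the server configured above.

```shell
#!/bin/sh
# Added example (not from the original post). Requires the openssl CLI.
# gen_tls_material DIR: create ca.key, ca.crt, redis.key, redis.crt in DIR,
# following the same openssl invocations as the post (2048-bit CA key for speed).
gen_tls_material() {
  dir="$1"
  mkdir -p "$dir"
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -sha256 -key "$dir/ca.key" -days 3650 \
    -subj '/O=Redis Test/CN=Certificate Authority' -out "$dir/ca.crt" 2>/dev/null
  openssl genrsa -out "$dir/redis.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$dir/redis.key" -subj '/O=Redis Test/CN=Server' 2>/dev/null | \
    openssl x509 -req -sha256 -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
      -CAserial "$dir/ca.txt" -CAcreateserial -days 365 -out "$dir/redis.crt" 2>/dev/null
}

# verify_tls_material DIR: return 0 only if redis.crt chains to ca.crt,
# redis.key is the private key for redis.crt, and redis.crt is valid for
# at least another 30 days. Any failure returns 1 with a short reason.
verify_tls_material() {
  dir="$1"
  # 1. Chain check: this is what the server does to a client certificate
  #    when --tls-ca-cert-file is set (client auth is on by default).
  if ! openssl verify -CAfile "$dir/ca.crt" "$dir/redis.crt" >/dev/null 2>&1; then
    echo "chain check failed: redis.crt not issued by ca.crt" >&2
    return 1
  fi
  # 2. Key/cert match: compare the SubjectPublicKeyInfo from both files.
  crt_pub=$(openssl x509 -in "$dir/redis.crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$dir/redis.key" -pubout)
  if [ "$crt_pub" != "$key_pub" ]; then
    echo "key check failed: redis.key does not match redis.crt" >&2
    return 1
  fi
  # 3. Expiry check: 30 days = 2592000 seconds.
  if ! openssl x509 -in "$dir/redis.crt" -noout -checkend 2592000 >/dev/null; then
    echo "expiry check failed: redis.crt expires within 30 days" >&2
    return 1
  fi
  return 0
}

# Usage: gen_tls_material tests/tls && verify_tls_material tests/tls && echo "TLS material OK"
```

Run verify_tls_material against the directory you hand to redis-server; a non-zero exit means one of the files is wrong and the server (or a client) will fail the handshake in a less readable way.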
References