At Amazon ElastiCache for Redis, we can enable in-transit encryption (TLS) while creating a Redis replication group. The engine version must be 3.2.6, 4.0.10 or later. This is the only requirement. But the fun fact is, it isn’t possible to access the Redis through redis-cli. To access the data in Redis, we have to use clients that work with Secure Socket Layer (SSL) or Transport Layer Security (TLS). But redis-cli neither supports SSL nor TLS.
However, a quick solution is to create an SSL tunnel to the redis using stunnel. This program is designed to work as an SSL encryption wrapper between remote client and local/remote server. We can use it to add SSL functionality to almost any daemon without any changes in its code.
That’s the theoretical part. We will setup SSL tunnel to access Redis on an Ubuntu server. Let’s install some necessary packages:
$ sudo apt update $ sudo apt install redis stunnel -y
Now we will write a configuration file for stunnel. Let’s create a file:
$ sudo touch /etc/stunnel/stunnel.conf
Please paste the following lines at this file. Here we are mapping our local 6379 port to the Redis node’s 6379 port. Please don’t forget to do the necessary changes.
[redis-cli] client = yes accept = localhost:6379 connect = <aws_redis_master_host>:6379
Finally, we will start stunnel with our configuration file to take effect, using this command:
$ sudo stunnel /etc/stunnel/stunnel.conf
If everything is fine, then we should see a successful message.
stunnel: LOG5[ui]: stunnel 5.44 on x86_64-pc-linux-gnu platform stunnel: LOG5[ui]: Compiled/running with OpenSSL 1.1.0g 2 Nov 2017 stunnel: LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP stunnel: LOG5[ui]: Reading configuration from file /stunnel.conf stunnel: LOG5[ui]: UTF-8 byte order mark not detected stunnel: LOG5[ui]: FIPS mode disabled stunnel: LOG4[ui]: Service [redis-cli] needs authentication to prevent MITM attacks stunnel: LOG5[ui]: Configuration successful
That’s all. Let’s connect to the Redis with the following command:
$ redis-cli -c -h localhost -p 6379 -a <SomeSecretPassword>
Let’s try to access our data.
localhost:6379> PING PONG localhost:6379> SET mykey "Hello" OK localhost:6379> GET mykey "Hello" localhost:6379> quit
That’s the quick workaround of turning any insecure TCP port into a