Overview

Recently we faced an issue with an AWS ElastiCache Redis instance when trying to test the connections from EC2 Instance using Redis CLI, we faced the following error

$ ./redis-cli -c -h my-redis-server -p 6379 my-redis-server:6379> set a “hello” Error: Connection reset by peer

 

 

Problem

On investigation, we found that the ElastiCache Redis Instance is using Encryption in-transit and Encryption at-rest and by design, the Redis CLI is not compatible with the encryption.

 

 

 

 

 

 

Solution

The solution to test the connectivity and to use the Redis CLI with ElastiCache In-Transit encryption,  we needed to configure ‘stunnel

Stunnel is a proxy designed to add TLS encryption functionality to existing clients and servers without any changes in the programs’ code

With stunnel client would create a SSL tunnel to the Redis nodes and use redis-cli to connect through the tunnel to access data from encrypted redis nodes.

Here is how to setup everything, we are using Amazon Linux in this example but same steps should work on Redhat Linux

1. Install stunnel


$ sudo yum install stunnel  -y

2. Configure SSL tunnel for redis-cli


$ sudo vi /etc/stunnel/redis-cli.conf
 Set the following properties in redis-cli.conf file 
fips = no
setuid = root
setgid = root
pid = /var/run/stunnel.pid
debug = 7
options = NO_SSLv2
options = NO_SSLv3
[redis-cli]
client = yes
accept = 127.0.0.1:6379
connect = my-redis-server:6379

3. Start Stunnel


$ sudo stunnel /etc/stunnel/redis-cli.conf

4. Verify the tunnel is running


$ sudo netstat -tulnp | grep -i stunnel
 You might see following output from the above command 
tcp 0 0 127.0.0.1:6379 0.0.0.0:* LISTEN 1314 stunnel

5. Last is to connect to Redis cluster using Redis CLI using SSL tunnel (Yes it is connecting using localhost tunnel)


redis-cli -h localhost -p 6379

Note: To install Redis CLI on Linux check this AWS documentation

6. Run few Redis commands to see if it works



$ ./redis-cli -h localhost -p 6379
localhost:6379> set a hello
OK
localhost:6379> get a
"hello"
localhost:6379>

Hope you find this post useful, please leave a comment and let us know what topics you would like to see.

Leave a comment

Your email address will not be published. Required fields are marked *

Blue Captcha Image
Refresh

*

Protected by WP Anti Spam

Hit Counter provided by dental implants orange county