Redis

Come configurare un container Redis Docker con ssl

Ho creato un repository di esempio che mostra come si potrebbe configurare un container Docker per usare il nuovo supporto ssl di Redis v6+:

  • https://github.com/allen-munsch/docker-redis-ssl-example

docker-compose.yml

version: "3"

volumes:
  redis:

services:
  redis:
    image: "example/redis:v6.0.13"
    # Replaces the image CMD with the TLS-only start script that the ./:/app
    # bind mount below makes available inside the container.
    command: ["/app/docker-redis-entrypoint.sh"]
    container_name: redis
    ports:
      # No host address is given, so 6379 is published on every host interface;
      # prefix it with 127.0.0.1: if the server should only be reachable locally.
      - 6379:6379
    volumes:
      - redis:/data
      # Bind-mounts the whole project directory (including the generated
      # tls/ key material, if it lives here) into the container.
      - ./:/app

Dockerfile:

# Pinned to the same Redis release the compose file tags the image as.
FROM redis:6.0.13 as base
# Copies the CA cert, server cert AND the private keys into an image layer:
# anyone able to pull the image can read the keys, so keep it in a private
# registry (or mount the key material at run time instead of baking it in).
COPY ./redis/tls /tls

entrypoint.sh


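#!/bin/sh
# Starts Redis in TLS-only mode: the plaintext listener is disabled
# (--port 0) and the certificate material is read from /tls (see the
# Dockerfile, which copies it there).
set -e

# exec replaces this shell with redis-server so Redis becomes PID 1 of the
# container: `docker stop` then delivers SIGTERM to Redis itself (clean
# shutdown) rather than to a shell that would not forward it.
# Redis 6 defaults to tls-auth-clients yes, so connecting clients must
# present a certificate signed by /tls/ca.crt (e.g. the client cert that
# gen-redi-certs.sh produces).
exec redis-server --tls-port 6379 --port 0 \
    --tls-cert-file /tls/redis.crt \
    --tls-key-file /tls/redis.key \
    --tls-ca-cert-file /tls/ca.crt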

gen-redi-certs.sh


#!/bin/bash

# COPIED/MODIFIED from the redis server gen-certs util

# Generate some test certificates which are used by the regression test suite:
#
#   tls/ca.{crt,key}          Self signed CA certificate.
#   tls/redis.{crt,key}       A certificate with no key usage/policy restrictions.
#   tls/client.{crt,key}      A certificate restricted for SSL client usage.
#   tls/server.{crt,key}      A certificate restricted for SSL server usage.
#   tls/redis.dh              DH Params file.

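#######################################
# Issue a leaf certificate signed by the local CA in tls/.
# Globals:   none
# Arguments: $1 - base name; writes tls/<name>.key and tls/<name>.crt
#            $2 - certificate CN (subject becomes /O=Redis Test/CN=<cn>)
#            $3 - optional extra `openssl x509` options as ONE whitespace
#                 separated string, e.g. "-extfile f.cnf -extensions sect"
# Outputs:   openssl diagnostics on stderr
# Returns:   non-zero if key generation or signing fails
#######################################
generate_cert() {
    local name=$1
    local cn="$2"
    local -a opts=()
    # Callers pass the extra options as a single string; split it on
    # whitespace into an array here instead of relying on an unquoted
    # expansion (which would also glob-expand any * or ? in it).
    if [ -n "$3" ]; then
        read -r -a opts <<< "$3"
    fi

    local keyfile="tls/${name}.key"
    local certfile="tls/${name}.crt"

    # An existing key is reused so re-running the script does not rotate it.
    # No mode is set explicitly (the file follows the caller's umask);
    # restrict the key files if tls/ is shared with other users.
    [ -f "$keyfile" ] || openssl genrsa -out "$keyfile" 2048 || return
    openssl req \
        -new -sha256 \
        -subj "/O=Redis Test/CN=$cn" \
        -key "$keyfile" | \
        openssl x509 \
            -req -sha256 \
            -CA tls/ca.crt \
            -CAkey tls/ca.key \
            -CAserial tls/ca.txt \
            -CAcreateserial \
            -days 365 \
            "${opts[@]}" \
            -out "$certfile"
}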

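# Abort on the first failing openssl step instead of silently continuing
# and signing leaf certificates against a CA that was never written.
set -e

mkdir -p tls
# The CA key is kept across runs; only the self-signed CA certificate is
# re-issued, and certificates already signed by the unchanged key should
# still chain to it.
[ -f tls/ca.key ] || openssl genrsa -out tls/ca.key 4096
openssl req \
    -x509 -new -nodes -sha256 \
    -key tls/ca.key \
    -days 3650 \
    -subj '/O=Redis Test/CN=Certificate Authority' \
    -out tls/ca.crt

# Extension sections selected through generate_cert's third argument; they
# limit the server/client certificates to their respective TLS roles.
# (Quoted delimiter: the body is written literally, no shell expansion.)
cat > tls/openssl.cnf <<'_END_'
[ server_cert ]
keyUsage = digitalSignature, keyEncipherment
nsCertType = server
[ client_cert ]
keyUsage = digitalSignature, keyEncipherment
nsCertType = client
_END_

generate_cert server "Server-only" "-extfile tls/openssl.cnf -extensions server_cert"
generate_cert client "Client-only" "-extfile tls/openssl.cnf -extensions client_cert"
generate_cert redis "Generic-cert"

# DH parameter generation is slow, so it is skipped once the file exists.
[ -f tls/redis.dh ] || openssl dhparam -out tls/redis.dh 2048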