How to Securely Connect to Vultr Managed Database for Caching over TLS with Stunnel and Redis-CLI

Introduction

Redis® is an open-source in-memory key-value data store used as a cache, database, and message broker. Vultr Managed Database for Caching offers high availability, automatic updates, easy operation, and scalability. However, the Redis® Command Line Interface (redis-cli) tool does not support TLS connections, which Vultr requires for managed databases.

Stunnel is an open-source proxy tool that creates secure TLS/SSL connection tunnels between servers. It can integrate with redis-cli and offer secure connections to Vultr Managed Databases for Caching cluster over TLS. Follow this guide to create a secure connection to Redis® with Stunnel and redis-cli.

Prerequisites

Before you start, you need to:

• Deploy a Vultr Managed Database for Caching cluster.
• Deploy a Vultr cloud server.
• Use SSH to access the server as a non-root sudo user.
• Update the server.

Install Stunnel and Redis-CLI

1. Install the stunnel4 package.

   On Ubuntu/Debian:

    $ sudo apt install stunnel4

   On CentOS/RockyLinux:

    $ sudo dnf install stunnel4

2. Install the redis-cli tool.

   Ubuntu/Debian:

    $ sudo apt install redis-tools

   CentOS/RockyLinux:

    $ sudo dnf install redis-tools

3. Enable the stunnel service to start at boot time.

    $ sudo systemctl enable stunnel4

4. Start stunnel.

    $ sudo systemctl start stunnel4

5. Verify that the stunnel service is active and running.

    $ sudo systemctl status stunnel4

Configure Stunnel

1. Create a new stunnel process directory in an accessible location such as /tmp or /var/run.

    $ sudo touch /tmp/stunnel-pid

2. Change the directory ownership to the user nobody and group nogroup.

    $ sudo chown -R nobody:nogroup /tmp/stunnel-pid

3. Create a new configuration file in the /etc/stunnel directory with a text editor of your choice.

    $ sudo nano /etc/stunnel/stunnel.conf

4. Add the following directives to the file. Replace the connect value with the address of your Vultr Managed Database for Caching cluster.

    fips = no
    setuid = nobody
    setgid = nogroup
    pid = /tmp/stunnel-pid/stunnel.pid
    debug = 7
    delay = no
    [redis-cli]
      client = yes
      accept = 127.0.0.1:4000
      connect = example-address-vultr-prod.vultrdb.com:16752

   Below is what each configuration line does:

   • fips: Enables the stunnel Federal Information Processing Standard (FIPS) mode 140-2.
   • setuid: Specifies the User ID stunnel should run as. By default, it runs as root, which is not recommended.
   • setgid: Specifies the Group ID stunnel should run as.
   • pid: Defines the directory where stunnel should store the process id file.
   • debug: Sets the debugging level ranging from 0 to 7. The highest level provides more detailed information in case of any errors.
   • delay: yes enables delays in the DNS lookup process and prevents stunnel from caching IP addresses. no enables faster DNS lookups to the Vultr Managed Database for Caching cluster.
   • [redis-cli]: Declares the client program service name.
   • client: yes instructs stunnel to run in client mode and connect to a TLS server. no instructs stunnel to run as the TLS server.
   • accept: Defines the host and port that stunnel should use to accept and encrypt connections from the client. You can define a custom port that stunnel should listen on. For this article, use port 4000.
   • connect: Defines the Vultr Managed Database for Caching Cluster Host address and port number where stunnel should connect.

   Save and close the file.

5. Restart stunnel to load changes.

    $ sudo systemctl restart stunnel4

6. Verify that the user nobody owns the running stunnel process.

    $ ps aux | grep stunnel

   Output:

    nobody      2214  0.0  0.1  18224  2364 pts/0    Ssl   22:50   0:00 grep --color=auto stunnel

Stunnel is now actively running and ready to handle connections on port 4000 as defined in your configuration file.

Connect to the Vultr Managed Database for Caching Cluster over TLS

By default, stunnel encrypts all connections over TLS, to connect to your Vultr Managed Database for Caching Cluster, use the redis-cli tool as described in the following steps.

1. Using the redis-cli tool, connect to the host 127.0.0.1 and stunnel port 4000 as defined in your configuration file.

    $ redis-cli -h 127.0.0.1 -p 4000

2. Enter auth, then paste your Vultr Managed Database for Caching password and press Enter to access the cluster.

    > auth CLUSTER-PASSWORD

3. Enter ping to verify that you're connected to the Vultr Managed Database for Caching cluster.

    > ping

   A successful connection should return the following output:

    PONG

Troubleshooting

If the ping command returns the following error:

Error: Server closed the connection

First, check your stunnel configuration, and verify that you entered the correct Vultr Managed Database for Caching hostname and port.

$ cat /etc/stunnel/stunnel.conf

Next, verify that you entered your Vultr Managed Database for Caching password correctly.

> auth CLUSTER-PASSWORD

Alternatively, paste your password to the redis-cli command to log in upon initiating the connection by adding the `-a' flag as below.

$ redis-cli -h 127.0.0.1 -p 4000 -a CLUSTER-PASSWORD

Conclusion

In this article, you have configured stunnel to securely connect to a Vultr Managed Database for Caching cluster using the redis-cli tool. You can also use the tunnel to securely connect your Vultr Managed Database for Caching cluster to applications in PHP, GO, NodeJS or Python.. For more information on how to use stunnel, please visit its official documentation.