How to Securely Connect to Vultr Managed Databases for Redis over TLS with Stunnel and Redis-CLI

Updated on December 1, 2022
How to Securely Connect to Vultr Managed Databases for Redis over TLS with Stunnel and Redis-CLI header image

Introduction

Redis is an open-source in-memory key-value data store used as a cache, database, and message broker. Vultr Managed Databases for Redis offers high availability, automatic updates, easy operation, and scalability. However, the Redis Command Line Interface (redis-cli) tool does not support TLS connections, which Vultr requires for managed databases.

Stunnel is an open-source proxy tool that creates secure TLS/SSL connection tunnels between servers. It can integrate with redis-cli and offer secure connections to a managed Redis cluster over TLS. Follow this guide to create a secure connection to Redis with Stunnel and redis-cli.

Prerequisites

Before you start, you need to:

Install Stunnel and Redis-CLI

  1. Install the stunnel4 package.

    On Ubuntu/Debian:

     $ sudo apt install stunnel4

    On CentOS/RockyLinux:

     $ sudo dnf install stunnel4
  2. Install the redis-cli tool.

    Ubuntu/Debian:

     $ sudo apt install redis-tools

    CentOS/RockyLinux:

     $ sudo dnf install redis-tools
  3. Enable the stunnel service to start at boot time.

     $ sudo systemctl enable stunnel4
  4. Start stunnel.

     $ sudo systemctl start stunnel4
  5. Verify that the stunnel service is active and running.

     $ sudo systemctl status stunnel4

Configure Stunnel

  1. Create a new stunnel process directory in an accessible location such as /tmp or /var/run.

     $ sudo touch /tmp/stunnel-pid
  2. Change the directory ownership to the user nobody and group nogroup.

     $ sudo chown -R nobody:nogroup /tmp/stunnel-pid
  3. Create a new configuration file in the /etc/stunnel directory with a text editor of your choice.

     $ sudo nano /etc/stunnel/stunnel.conf
  4. Add the following directives to the file. Replace the connect example with the address of your Redis cluster.

     fips = no
     setuid = nobody
     setgid = nogroup
     pid = /tmp/stunnel-pid/stunnel.pid
     debug = 7
     delay = no
     [redis-cli]
       client = yes
       accept = 127.0.0.1:4000
       connect = example-address-vultr-prod.vultrdb.com:16752

    Below is what each configuration line does:

    • fips: Enables the stunnel Federal Information Processing Standard (FIPS) mode 140-2.
    • setuid: Specifies the User ID stunnel should run as. By default, it runs as root, which is not recommended.
    • setgid: Specifies the Group ID stunnel should run as.
    • pid: Defines the directory where stunnel should store the process id file.
    • debug: Sets the debugging level ranging from 0 to 7. The highest level provides more detailed information in case of any errors.
    • delay: yes enables delays in the DNS lookup process and prevents stunnel from caching IP addresses. no enables faster DNS lookups to the Vultr Redis cluster.
    • [redis-cli]: Declares the client program service name.
    • client: yes instructs stunnel to run in client mode and connect to a TLS server. no instructs stunnel to run as the TLS server.
    • accept: Defines the host and port that stunnel should use to accept and encrypt connections from the client. You can define a custom port that stunnel should listen on. For this article, use port 4000.
    • connect: Defines the Vultr Redis Cluster Host address and port number where stunnel should connect.

    Save and close the file.

  5. Restart stunnel to load changes.

     $ sudo systemctl restart stunnel4
  6. Verify that the user nobody owns the running stunnel process.

     $ ps aux | grep stunnel

    Output:

     nobody      2214  0.0  0.1  18224  2364 pts/0    Ssl   22:50   0:00 grep --color=auto stunnel

Stunnel is now actively running and ready to handle connections on port 4000 as defined in your configuration file.

Connect to the Vultr Managed Redis Cluster over TLS

By default, stunnel encrypts all connections over TLS, to connect to your Vultr Redis Cluster, use the redis-cli tool as described in the following steps.

  1. Using the redis-cli tool, connect to the host 127.0.0.1 and stunnel port 4000 as defined in your configuration file.

     $ redis-cli -h 127.0.0.1 -p 4000
  2. Enter auth, then paste your Vultr Managed Redis password and press enter to access the cluster.

     > auth CLUSTER-PASSWORD
  3. Enter ping to verify that you're connected to the Vultr Redis cluster.

     > ping

    A successful connection should return the following output:

     PONG

Troubleshooting

If the ping command returns the following error:

Error: Server closed the connection

First, check your stunnel configuration, and verify that you entered the correct Vultr Managed Redis hostname and port.

$ cat /etc/stunnel/stunnel.conf

Next, verify that you entered your Vultr Redis password correctly.

> auth CLUSTER-PASSWORD

Alternatively, paste your password to the redis-cli command to log in upon initiating the connection by adding the `-a' flag as below.

$ redis-cli -h 127.0.0.1 -p 4000 -a CLUSTER-PASSWORD

Conclusion

In this article, you have configured stunnel to securely connect to a Vultr Managed Redis cluster using the redis-cli tool. You can also use the tunnel to securely connect your Redis cluster to applications in PHP, GO, NodeJS or Python. For more information on how to use stunnel, please visit its official documentation.