This document describes the steps required to install and configure stunnel – an open-source, secure proxy – to connect to an SSL-enabled Redis Labs resource, e.g. Redise Pack, Redise Cloud.

To use SSL/TLS with your Redis Labs resource, it must belong to a plan that supports SSL. If your subscription is to a plan with SSL support, it should be indicated in your plan’s name, e.g. ‘1 GB SSL’. Using SSL requires setup of both your Redis Labs resource as well as your application, as described below.

Setting Up Your Resource

  1. Log in to your account, navigate to the details page of your resource and click the Edit button.
  2. Under the Access Control & Security section, make sure that the SSL Client Authentication box is checked.
  3. Set the resource’s client certificate using one of the following ways.
    1. Bring Your Own Key:
      1. If you have your own X.509-compliant certificate, simply paste it into the text box with the ‘Enter Client Certificate’ comment.
      2. Click the Download Redis Labs’ Certification Authority link to obtain the service certification authority.
    2. Generate a Certificate:
      1. Use the Generate Client Certificate button to generate a client certificate.
      2. The generated certificate’s public key will be displayed in the text box.
      3. This will also trigger an automatic download of a zip archive with the following contents:
        1. garantia_user.crt – the certificate’s public key.
        2. garantia_user_private.key – the certificate’s private key.
        3. garantia_ca.pem – the service’s certification authority.
  4. Click the Update button to apply the changes to your resource.

Important: Once SSL is enabled, your resource will not accept regular, non-SSL connections.

Setting Up Your Application

Connect to your client, set up and start stunnel as described in the section below that’s relevant to your client’s OS. Once done, configure your client to connect to stunnel (i.e. 127.0.0.1:6379 in the examples below) instead of your resource’s endpoint.

Testing Secure Connectivity to a Redis Cloud Resource

You can test the connection from your client using redis-cli, for example:

$ redis-cli PING

OS-Specific Instructions for Setting Up stunnel

Ubuntu 12.04

  1. Install stunnel:

$ apt-get install stunnel

  2. Copy all certificate files to /etc/stunnel.
  3. Change the permissions of the private key:

$ chown root:root /etc/stunnel/garantia_user_private.key
$ chmod 0600 /etc/stunnel/garantia_user_private.key

  4. Create a configuration file named /etc/stunnel/redislabs.conf as shown in the sample below – make sure that you replace host and port in the last line with your resource’s respective attributes.
  5. Enable the stunnel service by editing /etc/default/stunnel4 and changing the line that says ENABLED=0 to ENABLED=1.
  6. Start the stunnel service:

$ service stunnel4 start

CentOS 6.5

  1. Install stunnel:

$ yum install stunnel

  2. Copy all certificate files to /etc/stunnel.
  3. Change the permissions of the private key:

$ chown root:root /etc/stunnel/garantia_user_private.key
$ chmod 0600 /etc/stunnel/garantia_user_private.key

  4. Create a configuration file named /etc/stunnel/stunnel.conf as shown in the sample below – make sure that you replace host and port in the last line with your resource’s respective attributes.
  5. Configure stunnel to run as a daemon by creating the following /etc/init.d/stunnel file:

#!/bin/bash
#
# stunnel Starts/stops the "stunnel" daemon
#
# chkconfig:   345 95 5
# description: Provides SSL client/server tunneling

### BEGIN INIT INFO
# Provides: stunnel
# Required-Start: $local_fs
# Required-Stop: $local_fs
# Default-Start: 345
# Default-Stop: 95
# Short-Description: Starts/stop the "stunnel" daemon
# Description:       Provides SSL client/server tunneling
### END INIT INFO

# Load the init helper functions (daemon, killproc, status)
. /etc/init.d/functions
test -x /usr/bin/stunnel || exit 0

RETVAL=0
prog="stunnel"

start() {
    # Start only if the subsystem lock file is absent
    if [ ! -f /var/lock/subsys/stunnel ]; then
        echo -n $"Starting $prog: "
        daemon /usr/bin/stunnel
        RETVAL=$?
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/stunnel
        echo
    fi
    return $RETVAL
}

stop() {
    echo -n $"Stopping $prog: "
    killproc /usr/bin/stunnel
    RETVAL=$?
    [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/stunnel
    echo
    return $RETVAL
}

restart() {
    stop
    start
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    reload|restart)
        restart
        ;;
    condrestart)
        if [ -f /var/lock/subsys/stunnel ]; then
            restart
        fi
        ;;
    status)
        # Same binary path as the one checked and started above
        status /usr/bin/stunnel
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart|condrestart|status}"
        exit 1
esac
exit $RETVAL

  6. chown root:root /etc/init.d/stunnel
  7. chmod 0755 /etc/init.d/stunnel
  8. chkconfig --add /etc/init.d/stunnel
  9. stunnel /etc/stunnel/redislabs.conf
  10. service stunnel start

Sample stunnel Configuration File

Use the following stunnel configuration file to have your client open secure connections to your Redis Labs resources via port 6379 of your localhost:

cert = /etc/stunnel/garantia_user.crt
key = /etc/stunnel/garantia_user_private.key
cafile = /etc/stunnel/garantia_ca.pem
verify = 2
delay = yes

[redislabs]
client = yes
accept = 127.0.0.1:6379
connect = host:port
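
An added check, not part of the original instructions or of Redis Labs' own tooling: the script below audits a configuration file of the shape shown above for the settings this procedure depends on (verify level, CA file, private-key mode, and a loopback-only accept address, since the local listener is plaintext). The function names conf_get and audit_stunnel_conf are hypothetical, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: audit a stunnel client config shaped like the sample above.
# Prints one line per finding and returns the number of findings (0 = clean).

# conf_get FILE OPTION: last value assigned to OPTION (names are case-insensitive)
conf_get() {
    awk -v want="$2" '
        /^[ \t]*[;#]/ { next }                     # skip comment lines
        index($0, "=") {
            name = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", name)
            if (tolower(name) == tolower(want)) {
                val = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val); found = val
            }
        }
        END { print found }' "$1"
}

audit_stunnel_conf() {
    conf=$1; findings=0
    verify=$(conf_get "$conf" verify); cafile=$(conf_get "$conf" cafile)
    key=$(conf_get "$conf" key);       accept=$(conf_get "$conf" accept)

    # verify = 2 requires a server certificate that validates against cafile
    case "$verify" in
        2|3) ;;
        *) echo "verify = '$verify': server certificate is not enforced"; findings=$((findings + 1)) ;;
    esac
    if [ -z "$cafile" ] || [ ! -r "$cafile" ]; then
        echo "cafile missing or unreadable: '$cafile'"; findings=$((findings + 1))
    fi
    # Private key: no group/other permission bits (the chmod 0600 step)
    if [ -f "$key" ]; then
        mode=$(stat -c %a "$key")                   # GNU stat, as on Ubuntu/CentOS
        case "$mode" in
            ?00) ;;
            *) echo "key $key has mode $mode, expected 600"; findings=$((findings + 1)) ;;
        esac
    else
        echo "key file not found: '$key'"; findings=$((findings + 1))
    fi
    # The local listener is plaintext and unauthenticated: keep it on loopback
    case "$accept" in
        127.*:*|localhost:*) ;;
        *) echo "accept = '$accept' is not bound to loopback"; findings=$((findings + 1)) ;;
    esac
    return "$findings"
}
```

Source the file and run audit_stunnel_conf /etc/stunnel/redislabs.conf before starting the service; a non-zero return value is the number of findings printed.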