This diagram was created with https://app.diagrams.net/. To edit it, download the diagram file and edit it with the https://app.diagrams.net/ web application, or you may run the application from source if you wish.
This simple client/server application can act as a general-purpose adapter between unix sockets and TCP server with TLS.
This was created because we wanted a client on a remote machine to connect securely to a Redis server in our datacenter. Redis supports connecting via a Unix socket but it doesn't support TLS. So in order to connect redis clients securely over the internet, you have to use some sort of adapter 😞
Use spiped or another SSL tunneling software in order to encrypt traffic between Redis servers and Redis clients if your environment requires encryption.
In our case we didn't want to use spiped for some reason, so we created our own.
The application tries to read a file called
config.json inside the current working directory. If it exists, it will read that file as config on startup. Otherwise the app will print a warning.
You may also override the values in the config file with Environment Variables, like this:
For example, that would configure the tunnel server to listen on all addresses/interfaces on port 8080.
Here is a list of all the possible configuration values:
DebugLog bool ListenAddress string ServerAddress string UnixSocketPath string TLSKeyFile string TLSCertificateFile string TLSCAFile string TLSRequireClientAuth bool
UnixSocketPath is required.
One or the other of
ServerAddress is required.
TLSCertificateFile are required for server mode.
ONLY if you are using self-signed certificates / Client Auth then
TLSCAFile is required in both modes, otherwise not needed.
The applicaiton has two modes, client mode and server mode.
In order for it to be in client mode, the
ListenAddress setting must be empty and the
ServerAddress setting must be non-empty.
In order for it to be in server mode, the
ListenAddress setting must be non-empty and the
ServerAddress setting must be empty.
In client mode, the application will listen on a unix socket located at
UnixSocketPath and proxy any connections to
ServerAddress via TLS.
In client mode, the application will listen for TLS connections on
ListenAddress and proxy any connections to a unix socket at
1st, we start up an instance of redis. We have to :
Note that the default redis docker container will run its internal process UID=999 by default.
So first we have to create a directory that UID 999 (redis user) can write to:
mkdir -p /tmp/redis-socket chown 999 /tmp/redis-socket
Note that if you have docker user namespaces enabled you will have to do an additional step here to map the UID 999 to the namespaced equivalent UID.
Make sure you are inside the
usage-example folder for this command to work:
docker run --rm \ -v "$(pwd)/redis.conf:/etc/redis.conf" \ -v "/tmp/redis-socket:/tmp/" redis redis-server /etc/redis.conf
Now we have to open a new terminal to start up the tunnel process.
cd ~/Desktop/git/redis-tls-tunnel go build -o usage-example/tunnel cd usage-example sudo ./tunnel
Note we run tunnel as root just to make sure it can access the socket which is owned by the redis user.
Finally, we can connect to our redis instance via TLS:
cd usage-example openssl s_client -connect localhost:6380 -CAfile InternalCA+chain.crt
then if it connects, you should be able to issue redis commands like
PING and recieve