update readme diagram
rename to redis-tls-tunnel
tweak readme
This diagram was created with https://app.diagrams.net/. To edit it, download the diagram file and edit it with the https://app.diagrams.net/ web application, or you may run the application from source if you wish.
This simple client/server application can act as a general-purpose adapter between unix sockets and TCP server with TLS.
This was created because we wanted a client on a remote machine to connect securely to a Redis server in our datacenter. Redis supports connecting via a Unix socket but it doesn't support TLS. So in order to connect redis clients securely over the internet, you have to use some sort of adapter 😞
See: https://redis.io/topics/quickstart#securing-redis
Use spiped or another SSL tunneling software in order to encrypt traffic between Redis servers and Redis clients if your environment requires encryption.
In our case we didn't want to use spiped for some reason, so we created our own.
The application tries to read a file called config.json
inside the current working directory. If it exists, it will read that file as config on startup. Otherwise the app will print a warning.
You may also override the values in the config file with Environment Variables, like this:
RTUNNEL_LISTENADDRESS=":8080"
For example, that would configure the tunnel server to listen on all addresses/interfaces on port 8080.
Here is a list of all the possible configuration values:
DebugLog bool
ListenAddress string
ServerAddress string
UnixSocketPath string
TLSKeyFile string
TLSCertificateFile string
TLSCAFile string
TLSRequireClientAuth bool
UnixSocketPath
is required.
One or the other of ListenAddress
and ServerAddress
is required.
TLSKeyFile
and TLSCertificateFile
are required for server mode.
ONLY if you are using self-signed certificates / Client Auth then TLSCAFile
is required in both modes, otherwise not needed.
The applicaiton has two modes, client mode and server mode.
In order for it to be in client mode, the
ListenAddress
setting must be empty and the ServerAddress
setting must be non-empty.
In order for it to be in server mode, the
ListenAddress
setting must be non-empty and the ServerAddress
setting must be empty.
In client mode, the application will listen on a unix socket located at UnixSocketPath
and proxy any connections to ServerAddress
via TLS.
In client mode, the application will listen for TLS connections on ListenAddress
and proxy any connections to a unix socket at UnixSocketPath
.
1st, we start up an instance of redis. We have to :
Note that the default redis docker container will run its internal process UID=999 by default.
So first we have to create a directory that UID 999 (redis user) can write to:
mkdir -p /tmp/redis-socket
chown 999 /tmp/redis-socket
Note that if you have docker user namespaces enabled you will have to do an additional step here to map the UID 999 to the namespaced equivalent UID.
Make sure you are inside the usage-example
folder for this command to work:
docker run --rm \
-v "$(pwd)/redis.conf:/etc/redis.conf" \
-v "/tmp/redis-socket:/tmp/" redis redis-server /etc/redis.conf
Now we have to open a new terminal to start up the tunnel process.
cd ~/Desktop/git/redis-tls-tunnel
go build -o usage-example/tunnel
cd usage-example
sudo ./tunnel
Note we run tunnel as root just to make sure it can access the socket which is owned by the redis user.
Finally, we can connect to our redis instance via TLS:
cd usage-example
openssl s_client -connect localhost:6380 -CAfile InternalCA+chain.crt
then if it connects, you should be able to issue redis commands like PING
and recieve +PONG
.