~forest/redis-tls-tunnel

Connect to a remote redis server securely
update readme diagram
rename to redis-tls-tunnel
tweak readme

refs

master
browse  log 

clone

read-only
https://giit.cyberia.club/~forest/redis-tls-tunnel
read/write
git@giit.cyberia.club:~forest/redis-tls-tunnel

You can also use your local clone with git send-email.

#redis-tls-tunnel

diagram

This diagram was created with https://app.diagrams.net/. To edit it, download the diagram file and edit it with the https://app.diagrams.net/ web application, or you may run the application from source if you wish.


This simple client/server application can act as a general-purpose adapter between unix sockets and TCP server with TLS.

This was created because we wanted a client on a remote machine to connect securely to a Redis server in our datacenter. Redis supports connecting via a Unix socket but it doesn't support TLS. So in order to connect redis clients securely over the internet, you have to use some sort of adapter 😞

See: https://redis.io/topics/quickstart#securing-redis

Use spiped or another SSL tunneling software in order to encrypt traffic between Redis servers and Redis clients if your environment requires encryption.

In our case we didn't want to use spiped for some reason, so we created our own.

#configuration

The application tries to read a file called config.json inside the current working directory. If it exists, it will read that file as config on startup. Otherwise the app will print a warning.

You may also override the values in the config file with Environment Variables, like this:

RTUNNEL_LISTENADDRESS=":8080"

For example, that would configure the tunnel server to listen on all addresses/interfaces on port 8080.

Here is a list of all the possible configuration values:

	DebugLog             bool
	ListenAddress        string
	ServerAddress        string
	UnixSocketPath       string
	TLSKeyFile           string
	TLSCertificateFile   string
	TLSCAFile            string
	TLSRequireClientAuth bool

UnixSocketPath is required.

One or the other of ListenAddress and ServerAddress is required.

TLSKeyFile and TLSCertificateFile are required for server mode.

ONLY if you are using self-signed certificates / Client Auth then TLSCAFile is required in both modes, otherwise not needed.

#client mode vs server mode

The applicaiton has two modes, client mode and server mode.

In order for it to be in client mode, the ListenAddress setting must be empty and the ServerAddress setting must be non-empty.

In order for it to be in server mode, the ListenAddress setting must be non-empty and the ServerAddress setting must be empty.

In client mode, the application will listen on a unix socket located at UnixSocketPath and proxy any connections to ServerAddress via TLS.

In client mode, the application will listen for TLS connections on ListenAddress and proxy any connections to a unix socket at UnixSocketPath.

#usage example

1st, we start up an instance of redis. We have to :

  1. configure redis to listen on a unix socket
  2. mount the folder containing that unix socket to the host so we can access it
  3. make sure that the docker container process will be allowed to access the folder on the host which we mounted it to.

Note that the default redis docker container will run its internal process UID=999 by default.

So first we have to create a directory that UID 999 (redis user) can write to:

mkdir -p /tmp/redis-socket
chown 999 /tmp/redis-socket

Note that if you have docker user namespaces enabled you will have to do an additional step here to map the UID 999 to the namespaced equivalent UID.

Make sure you are inside the usage-example folder for this command to work:

docker run --rm   \
   -v "$(pwd)/redis.conf:/etc/redis.conf"  \
   -v "/tmp/redis-socket:/tmp/"   redis redis-server /etc/redis.conf

Now we have to open a new terminal to start up the tunnel process.

cd ~/Desktop/git/redis-tls-tunnel
go build -o usage-example/tunnel
cd usage-example
sudo ./tunnel

Note we run tunnel as root just to make sure it can access the socket which is owned by the redis user.

Finally, we can connect to our redis instance via TLS:

cd usage-example
openssl s_client -connect localhost:6380 -CAfile InternalCA+chain.crt

then if it connects, you should be able to issue redis commands like PING and recieve +PONG.