Securing Redis Instance over SSL

Introduction

Squirro supports SSL/TLS communication between Redis instances and Squirro services. This page documents the steps needed for such a setup.

Version Check

Use the following commands to check the installed versions of Redis and Squirro:

# Check the version of redis installed
yum list installed | grep squirro-redis-server

# Check the version of Squirro installed
cat /etc/squirro/version.ini

Redis Setup

To enable SSL you need a server certificate and, optionally, a root CA certificate (depending on how the server certificate was generated). One example of generating and configuring these certificates on the Redis server side is described here. This page details how to generate the certificates, how to reference them in /etc/redis/redis.conf (or /etc/redis/cache.conf for the cache instance), and how to disable non-TLS communication altogether.

Below is a sample diff of a final redis.conf file from one of our internal environments.

diff --git a/ci/config/conf/redis.conf b/ci/config/conf/redis.conf
index 11d367b8d..facd492fb 100644
--- a/ci/config/conf/redis.conf
+++ b/ci/config/conf/redis.conf
@@ -135,25 +135,25 @@ tcp-keepalive 300
 # directive can be used to define TLS-listening ports. To enable TLS on the
 # default port, use:
 #
-# port 0
-# tls-port 6379
+port 0
+tls-port 6379

 # Configure a X.509 certificate and private key to use for authenticating the
 # server to connected clients, masters or cluster peers.  These files should be
 # PEM formatted.
 #
-# tls-cert-file redis.crt
-# tls-key-file redis.key
+tls-cert-file /tmp/tls/redis.crt
+tls-key-file /tmp/tls/redis.key

 # Configure a DH parameters file to enable Diffie-Hellman (DH) key exchange:
 #
-# tls-dh-params-file redis.dh
+tls-dh-params-file /tmp/tls/redis.dh

 # Configure a CA certificate(s) bundle or directory to authenticate TLS/SSL
 # clients and peers.  Redis requires an explicit configuration of at least one
 # of these, and will not implicitly use the system wide configuration.
 #
-# tls-ca-cert-file ca.crt
+tls-ca-cert-file /tmp/tls/ca.crt
 # tls-ca-cert-dir /etc/ssl/certs

 # By default, clients (including replica servers) on a TLS port are required
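
Review bot: The certificate, private key, DH parameters and CA bundle are all loaded from /tmp/tls/ (`+tls-key-file /tmp/tls/redis.key` and the neighbouring lines); /tmp is world-writable and is typically cleared on reboot, so the key should live in a persistent directory under /etc/redis (the directory redis.conf itself lives in) owned by the redis user with the key file readable by that user only. The `port 0` / `tls-port 6379` pair correctly leaves no plaintext listener, and `tls-ca-cert-file` satisfies the requirement stated in the context that at least one CA source be configured explicitly.
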
@@ -164,7 +164,7 @@ tcp-keepalive 300
 # valid if provided, but are not required.
 #
 # tls-auth-clients no
-# tls-auth-clients optional
+tls-auth-clients optional
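
Review bot: `tls-auth-clients optional` means the server does not require clients to present a certificate (the context line above says client certificates are "valid if provided, but are not required"), so TLS here protects the transport only and does not authenticate the Squirro services to Redis; client access still rests on the existing Redis authentication. That matches the common.ini sample later on this page, which configures no client certificate, but if mutual TLS is the intent this line should read `tls-auth-clients yes` and the services would need a certificate and key of their own.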

Squirro Config Setup

After configuring the Redis server, all Squirro services must also be adapted so that they connect to Redis securely.

Today this is achieved by setting the following options in common.ini. They do not have to be repeated in every redis block of every service, because SSL settings are resolved by the following rule:

  1. Use the value if it is defined in the current configuration block.

  2. Otherwise, look for the same key name in the [redis] section. This allows the value to be overridden globally in /etc/squirro/common.ini without having to edit every other file.

Below is an example of these settings defined in common.ini.

# common.ini. [redis] section supplies these SSL settings to all [redis_*] sections
# defined across multiple service files

[redis]
ssl_ca_certs = /tmp/tls/ca.crt
ssl_verify = True
ssl = True

A brief description of the settings defined above:

  • ssl=[true|false]: whether the connection to Redis uses SSL/TLS (default false).

  • ssl_ca_certs=PATH: the CA bundle containing the certificates that are trusted. If this is not set, the output of certifi.where() is used.

  • ssl_verify=[true|false]: whether the server's SSL certificate is checked (default true).
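As an added example (not Squirro's own code), here is how the fallback rule and the three settings above can be resolved in Python and mapped onto the SSL arguments of the redis-py client. The helper names (load_config, resolve, redis_kwargs), the service file with its two redis blocks and the host names in it are constructed for this illustration.

```python
from configparser import ConfigParser

# Squirro falls back to certifi.where() when ssl_ca_certs is unset; None here
# so the example runs without certifi (assumption for this illustration).
DEFAULT_CA_BUNDLE = None
# Constructed sample input: [redis] from common.ini plus a service file with
# two redis blocks (host names are placeholders).
COMMON_INI = """
[redis]
ssl_ca_certs = /tmp/tls/ca.crt
ssl_verify = True
ssl = True
"""
SERVICE_INI = """
[redis_cache]
host = cache.example.internal
port = 6379

[redis_legacy]
host = legacy.example.internal
port = 6379
ssl = False
"""
def _as_bool(value):
    return str(value).strip().lower() in ("1", "true", "yes", "on")

def load_config(*texts):
    """Merge several ini texts into one parser (hypothetical helper)."""
    cfg = ConfigParser()
    for text in texts:
        cfg.read_string(text)
    return cfg

def resolve(cfg, block, key, default=None):
    """Page rule: the current block first, then [redis], then the default."""
    for section in (block, "redis"):
        if cfg.has_option(section, key):
            return cfg.get(section, key)
    return default

def redis_kwargs(cfg, block):
    """Map one redis block onto keyword arguments for redis.Redis(**kwargs)."""
    kwargs = {"host": cfg.get(block, "host"), "port": cfg.getint(block, "port"),
              "ssl": _as_bool(resolve(cfg, block, "ssl", "false"))}
    if kwargs["ssl"]:
        verify = _as_bool(resolve(cfg, block, "ssl_verify", "true"))
        # redis-py: "required" verifies the server certificate chain, "none" skips it
        kwargs["ssl_cert_reqs"] = "required" if verify else "none"
        kwargs["ssl_ca_certs"] = resolve(cfg, block, "ssl_ca_certs", DEFAULT_CA_BUNDLE)
    return kwargs
```

The [redis_legacy] block shows a per-block override winning over the global [redis] value, while [redis_cache] inherits all three SSL settings from common.ini.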

Redis-cli setup

Please note that once SSL is enabled on the Redis server, redis-cli can no longer connect unless the TLS-specific options are passed to it. These options are also documented here.