如何使用 ssl 设置 Docker redis 容器
How to set up a Docker redis container with ssl
我正在学习 this 教程。
就我而言,我在 Docker 环境中操作,并且我有一个安全站点(即 https://localhost)。这需要安全的 SSL 通信。
我为安全连接调整了 web 和 celery 容器。
但是我不知道如何配置 Redis 容器以与 ssl
安全连接
请注意,当我 运行 在 web 和 celery 容器中没有 ssl 连接时,连接正常。
如何使用 ssl 配置和 运行 redis?
谢谢
编辑:
我按照 this tutorial to set redis with ssl and this 教程在 Docker 容器中通过 stunnel 使用 ssl 设置 redis。
我成功测试了从我的本地主机到 redis docker 容器的连接,方法是使用以下调用从本地主机(通过 stunnel)调用 redis-cli 到 redis docker 容器来自本地主机:
redis-cli -h 127.0.0.1 -p 6381
127.0.0.1:6381> auth foobared
OK
127.0.0.1:6381>
redis服务器Docker端的相关文件:
docker-compose file(我的 webapp 包括多个服务,但为了简化我删除了除 redis 容器之外的所有服务):
version: '3'
services:
redis:
build:
context: ./redis
dockerfile: Dockerfile
restart: always
command: sh -c "stunnel /stunnel_take2.conf && /usr/local/bin/redis-server /etc/redis/redis.conf"
expose:
- '6379'
ports:
- "6379:6379"
volumes:
- /home/avner/avner/certs:/etc/certs
- /home/avner/avner/redis/conf:/etc/redis
redis容器Docker文件
FROM redis:5-alpine
RUN apk add --no-cache \
stunnel~=5.56 \
python3~=3.8
COPY stunnel-redis-server.conf /
WORKDIR /
ENV PYTHONUNBUFFERED=1
redis 服务器 redis 配置文件 - redis/conf/redis.conf
...
requirepass foobared
...
redis 服务器 stunnel 配置文件 - redis/stunnel-redis-server.conf
cert = /etc/certs/private.pem
pid = /var/run/stunnel.pid
[redis]
accept = 172.19.0.2:6380
connect = 127.0.0.1:6379
客户端(localhost)相关文件:
redis 客户端 stunnel 配置文件 - /etc/stunnel/redis-client.conf
cert = /etc/cert/private.pem
client = yes
pid = /var/run/stunnel.pid
[redis]
accept = 127.0.0.1:6381
connect = 172.19.0.2:6380
Redis 本身不提供SSL,你必须自己做。有一个 in-depth post about it which you can read and follow. Or, if you want to use a Dockerized solution, you can use ready images like this one or this one. When it comes to setting up Celery to work with Redis over SSL, just follow the documentation.
我创建了一个示例存储库,用于说明如何设置 docker 容器以使用新的 redis v6+ ssl:
docker-compose.yml
version: "3"
volumes:
redis:
services:
redis:
image: "example/redis:v6.0.13"
command: ["/app/docker-redis-entrypoint.sh"]
container_name: redis
ports:
- 6379:6379
volumes:
- redis:/data
- ./:/app
Docker 文件:
FROM redis:6.0.13 as base
COPY ./redis/tls /tls
entrypoint.sh
#!/bin/sh
set -e
redis-server --tls-port 6379 --port 0 \
--tls-cert-file /tls/redis.crt \
--tls-key-file /tls/redis.key \
--tls-ca-cert-file /tls/ca.crt
gen-redi-certs.sh
#!/bin/bash
# COPIED/MODIFIED from the redis server gen-certs util
# Generate some test certificates which are used by the regression test suite:
#
# tls/ca.{crt,key} Self signed CA certificate.
# tls/redis.{crt,key} A certificate with no key usage/policy restrictions.
# tls/client.{crt,key} A certificate restricted for SSL client usage.
# tls/server.{crt,key} A certificate restricted for SSL server usage.
# tls/redis.dh DH Params file.
generate_cert() {
local name=
local cn=""
local opts=""
local keyfile=tls/${name}.key
local certfile=tls/${name}.crt
[ -f $keyfile ] || openssl genrsa -out $keyfile 2048
openssl req \
-new -sha256 \
-subj "/O=Redis Test/CN=$cn" \
-key $keyfile | \
openssl x509 \
-req -sha256 \
-CA tls/ca.crt \
-CAkey tls/ca.key \
-CAserial tls/ca.txt \
-CAcreateserial \
-days 365 \
$opts \
-out $certfile
}
mkdir -p tls
[ -f tls/ca.key ] || openssl genrsa -out tls/ca.key 4096
openssl req \
-x509 -new -nodes -sha256 \
-key tls/ca.key \
-days 3650 \
-subj '/O=Redis Test/CN=Certificate Authority' \
-out tls/ca.crt
cat > tls/openssl.cnf <<_END_
[ server_cert ]
keyUsage = digitalSignature, keyEncipherment
nsCertType = server
[ client_cert ]
keyUsage = digitalSignature, keyEncipherment
nsCertType = client
_END_
generate_cert server "Server-only" "-extfile tls/openssl.cnf -extensions server_cert"
generate_cert client "Client-only" "-extfile tls/openssl.cnf -extensions client_cert"
generate_cert redis "Generic-cert"
[ -f tls/redis.dh ] || openssl dhparam -out tls/redis.dh 2048
我正在学习 this 教程。
就我而言,我在 Docker 环境中操作,并且我有一个安全站点(即 https://localhost)。这需要安全的 SSL 通信。
我为安全连接调整了 web 和 celery 容器。
但是我不知道如何配置 Redis 容器以与 ssl
安全连接
请注意,当我 运行 在 web 和 celery 容器中没有 ssl 连接时,连接正常。
如何使用 ssl 配置和 运行 redis?
谢谢
编辑:
我按照 this tutorial to set redis with ssl and this 教程在 Docker 容器中通过 stunnel 使用 ssl 设置 redis。
我成功测试了从我的本地主机到 redis docker 容器的连接,方法是使用以下调用从本地主机(通过 stunnel)调用 redis-cli 到 redis docker 容器来自本地主机:
redis-cli -h 127.0.0.1 -p 6381
127.0.0.1:6381> auth foobared
OK
127.0.0.1:6381>
redis服务器Docker端的相关文件:
docker-compose file(我的 webapp 包括多个服务,但为了简化我删除了除 redis 容器之外的所有服务):
version: '3'
services:
redis:
build:
context: ./redis
dockerfile: Dockerfile
restart: always
command: sh -c "stunnel /stunnel_take2.conf && /usr/local/bin/redis-server /etc/redis/redis.conf"
expose:
- '6379'
ports:
- "6379:6379"
volumes:
- /home/avner/avner/certs:/etc/certs
- /home/avner/avner/redis/conf:/etc/redis
redis容器Docker文件
FROM redis:5-alpine
RUN apk add --no-cache \
stunnel~=5.56 \
python3~=3.8
COPY stunnel-redis-server.conf /
WORKDIR /
ENV PYTHONUNBUFFERED=1
redis 服务器 redis 配置文件 - redis/conf/redis.conf
...
requirepass foobared
...
redis 服务器 stunnel 配置文件 - redis/stunnel-redis-server.conf
cert = /etc/certs/private.pem
pid = /var/run/stunnel.pid
[redis]
accept = 172.19.0.2:6380
connect = 127.0.0.1:6379
客户端(localhost)相关文件:
redis 客户端 stunnel 配置文件 - /etc/stunnel/redis-client.conf
cert = /etc/cert/private.pem
client = yes
pid = /var/run/stunnel.pid
[redis]
accept = 127.0.0.1:6381
connect = 172.19.0.2:6380
Redis 本身不提供SSL,你必须自己做。有一个 in-depth post about it which you can read and follow. Or, if you want to use a Dockerized solution, you can use ready images like this one or this one. When it comes to setting up Celery to work with Redis over SSL, just follow the documentation.
我创建了一个示例存储库,用于说明如何设置 docker 容器以使用新的 redis v6+ ssl:
docker-compose.yml
version: "3"
volumes:
redis:
services:
redis:
image: "example/redis:v6.0.13"
command: ["/app/docker-redis-entrypoint.sh"]
container_name: redis
ports:
- 6379:6379
volumes:
- redis:/data
- ./:/app
Docker 文件:
FROM redis:6.0.13 as base
COPY ./redis/tls /tls
entrypoint.sh
#!/bin/sh
set -e
redis-server --tls-port 6379 --port 0 \
--tls-cert-file /tls/redis.crt \
--tls-key-file /tls/redis.key \
--tls-ca-cert-file /tls/ca.crt
gen-redi-certs.sh
#!/bin/bash
# COPIED/MODIFIED from the redis server gen-certs util
# Generate some test certificates which are used by the regression test suite:
#
# tls/ca.{crt,key} Self signed CA certificate.
# tls/redis.{crt,key} A certificate with no key usage/policy restrictions.
# tls/client.{crt,key} A certificate restricted for SSL client usage.
# tls/server.{crt,key} A certificate restricted for SSL server usage.
# tls/redis.dh DH Params file.
generate_cert() {
local name=
local cn=""
local opts=""
local keyfile=tls/${name}.key
local certfile=tls/${name}.crt
[ -f $keyfile ] || openssl genrsa -out $keyfile 2048
openssl req \
-new -sha256 \
-subj "/O=Redis Test/CN=$cn" \
-key $keyfile | \
openssl x509 \
-req -sha256 \
-CA tls/ca.crt \
-CAkey tls/ca.key \
-CAserial tls/ca.txt \
-CAcreateserial \
-days 365 \
$opts \
-out $certfile
}
mkdir -p tls
[ -f tls/ca.key ] || openssl genrsa -out tls/ca.key 4096
openssl req \
-x509 -new -nodes -sha256 \
-key tls/ca.key \
-days 3650 \
-subj '/O=Redis Test/CN=Certificate Authority' \
-out tls/ca.crt
cat > tls/openssl.cnf <<_END_
[ server_cert ]
keyUsage = digitalSignature, keyEncipherment
nsCertType = server
[ client_cert ]
keyUsage = digitalSignature, keyEncipherment
nsCertType = client
_END_
generate_cert server "Server-only" "-extfile tls/openssl.cnf -extensions server_cert"
generate_cert client "Client-only" "-extfile tls/openssl.cnf -extensions client_cert"
generate_cert redis "Generic-cert"
[ -f tls/redis.dh ] || openssl dhparam -out tls/redis.dh 2048