Redis TLS: deploying Redis 6.2 with TLS (three high-availability modes)

Written by lyc on 2022-4-11
CentOS 7: compile and install Redis-6.2.6 with TLS enabled

1. Compile and install Redis-6.2.6

```bash
cd /usr/local/src
wget https://download.redis.io/releases/redis-6.2.6.tar.gz
tar xvf redis-6.2.6.tar.gz && cd redis-6.2.6
# BUILD_TLS=yes links against OpenSSL, so the OpenSSL development headers
# (openssl-devel on CentOS 7) must be installed before running make
make BUILD_TLS=yes MALLOC=libc
make PREFIX=/usr/local/redis-6.2.6 install
ln -s /usr/local/redis-6.2.6 /usr/local/redis
echo "vm.overcommit_memory = 1" >> /etc/sysctl.conf
sysctl -p
echo 'export PATH=/usr/local/redis/bin:$PATH' >> /etc/profile
source /etc/profile
mkdir -p /usr/local/redis/conf
mkdir -p /usr/local/redis/ssl/6379
mkdir -p /var/log/redis
mkdir -p /data/redis_data/6379
mkdir -p /data/redis_log
```
2. Create the TLS certificates

The `utils/gen-test-certs.sh` script shipped with the Redis source generates a self-signed test CA plus server and client certificates under `tests/tls/` in the current directory; it is meant for testing, and it leaves `ca.key` next to the server certificates, so for anything beyond a lab, use certificates issued by your own PKI and keep the CA key off the Redis host.

```bash
cd /usr/local/redis/ssl/6379
/usr/local/src/redis-6.2.6/utils/gen-test-certs.sh
mv tests/tls/* ./ && rm -rf tests/
```

```text
$ tree /usr/local/redis/ssl/6379
/usr/local/redis/ssl/6379
├── ca.crt
├── ca.key
├── ca.txt
├── client.crt
├── client.key
├── openssl.cnf
├── redis.crt
├── redis.dh
├── redis.key
├── server.crt
└── server.key
```
3. Write the configuration file

```text
$ vim /usr/local/redis/conf/redis-6379.conf
```

```conf
bind 0.0.0.0
protected-mode no
# port 0 disables the plaintext listener; the server accepts TLS only, on 6379
port 0
tls-port 6379
tcp-backlog 511
unixsocket /tmp/redis.sock
unixsocketperm 700
timeout 0
tcp-keepalive 300
daemonize yes
supervised no
pidfile /var/run/redis-6379.pid
loglevel notice
logfile /var/log/redis/redis-6379.log
databases 16
always-show-logo yes
save 900 1
save 300 10
save 60 10000
stop-writes-on-bgsave-error yes
rdbcompression yes
rdbchecksum yes
dbfilename dump.rdb
dir /data/redis_data/6379
appendonly no
appendfilename appendonly.aof
appendfsync everysec
no-appendfsync-on-rewrite no
auto-aof-rewrite-percentage 100
auto-aof-rewrite-min-size 64mb
aof-load-truncated yes
aof-use-rdb-preamble yes
aof-rewrite-incremental-fsync yes
replica-serve-stale-data no
replica-read-only yes
repl-diskless-sync no
repl-diskless-sync-delay 5
repl-disable-tcp-nodelay no
repl-backlog-size 10mb
repl-backlog-ttl 3600
requirepass 123456
# hide CONFIG behind an unguessable name so clients cannot reconfigure the server
rename-command CONFIG b840fc02d524045429941cc43f59e41cb7be6c52
tls-cert-file /usr/local/redis/ssl/6379/redis.crt
tls-key-file /usr/local/redis/ssl/6379/redis.key
tls-ca-cert-file /usr/local/redis/ssl/6379/ca.crt
tls-dh-params-file /usr/local/redis/ssl/6379/redis.dh
# mutual TLS: every client must present a certificate signed by ca.crt
tls-auth-clients yes
# replica-to-master links use TLS as well
tls-replication yes
maxclients 10000
lazyfree-lazy-eviction no
lazyfree-lazy-expire no
lazyfree-lazy-server-del no
replica-lazy-flush no
lua-time-limit 5000
slowlog-log-slower-than 10000
slowlog-max-len 128
activerehashing yes
client-output-buffer-limit normal 0 0 0
client-output-buffer-limit slave 1024mb 256mb 300
client-output-buffer-limit pubsub 32mb 8mb 60
client-query-buffer-limit 1gb
aof-rewrite-incremental-fsync yes
rdb-save-incremental-fsync yes
```
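As an added example (not from the original post), a small Python audit that parses a redis.conf in the format above and flags the settings this TLS-only, mutual-auth deployment depends on; the embedded config excerpt is constructed to mirror the one above, and the 16-character password threshold is an assumption.

```python
# Constructed excerpt mirroring the redis-6379.conf above (sample input, not a full config).
SAMPLE_CONF = """\
bind 0.0.0.0
protected-mode no
port 0
tls-port 6379
requirepass 123456
tls-cert-file /usr/local/redis/ssl/6379/redis.crt
tls-key-file /usr/local/redis/ssl/6379/redis.key
tls-ca-cert-file /usr/local/redis/ssl/6379/ca.crt
tls-auth-clients yes
tls-replication yes
"""

def parse_conf(text: str) -> dict[str, list[str]]:
    """Map each directive to the list of values seen (some, like 'save', repeat)."""
    conf: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key.lower(), []).append(value.strip().strip('"'))
    return conf

def audit(conf: dict[str, list[str]], min_pw_len: int = 16) -> list[str]:
    """Return findings; Redis applies the last occurrence of a directive, else its default."""
    findings = []
    if conf.get("port", ["6379"])[-1] != "0":              # default plaintext port is 6379
        findings.append("plaintext port still open")
    if "tls-port" not in conf:
        findings.append("tls-port missing")
    for key in ("tls-cert-file", "tls-key-file", "tls-ca-cert-file"):
        if key not in conf:
            findings.append(f"{key} missing")
    if conf.get("tls-auth-clients", ["yes"])[-1] != "yes":  # 'no'/'optional' drop client auth
        findings.append("client certificates not required")
    if conf.get("tls-replication", ["no"])[-1] != "yes":
        findings.append("replication traffic not encrypted")
    pw = conf.get("requirepass", [""])[-1]
    if not pw:
        findings.append("requirepass not set")
    elif len(pw) < min_pw_len:                               # threshold is an assumption
        findings.append("requirepass too short")
    if conf.get("protected-mode", ["yes"])[-1] == "no" and conf.get("bind", [""])[-1] in ("", "*", "0.0.0.0"):
        findings.append("protected-mode off while bound to all interfaces")
    return findings
```

Run against the config above it reports only the short password and the protected-mode/bind combination; everything TLS-related passes.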
4. Manage with systemd

```text
$ vim /etc/systemd/system/redis.service
```

```ini
[Unit]
Description=redis
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
# matches the pidfile directive in redis-6379.conf so systemd can track the daemonized process
PIDFile=/var/run/redis-6379.pid
ExecStart=/usr/local/redis/bin/redis-server /usr/local/redis/conf/redis-6379.conf
ExecReload=/bin/kill -s HUP $MAINPID
# the server listens on TLS only (port 0, tls-port 6379) and requires a client certificate,
# so a plain "redis-cli -p 6379" cannot reach it; use the installed binary with --tls
ExecStop=/usr/local/redis/bin/redis-cli -p 6379 --tls --cert /usr/local/redis/ssl/6379/redis.crt --key /usr/local/redis/ssl/6379/redis.key --cacert /usr/local/redis/ssl/6379/ca.crt -a 123456 shutdown
# PrivateTmp gives the service its own /tmp, so the /tmp/redis.sock from the config is not visible to other processes
PrivateTmp=true

[Install]
WantedBy=multi-user.target
```
Enable start on boot:

```bash
systemctl daemon-reload
systemctl start redis.service
systemctl enable redis.service
```
5. Test the connection

Because TLS is enabled with `tls-auth-clients yes`, the client must also present a certificate when connecting; otherwise it cannot authenticate and operate Redis. If the server has a password configured, the connection still has to authenticate with that password after the TLS handshake.
```text
$ /usr/local/redis/bin/redis-cli -h 192.168.100.93 -p 6379 --tls \
    --cert /usr/local/redis/ssl/6379/redis.crt \
    --key /usr/local/redis/ssl/6379/redis.key \
    --cacert /usr/local/redis/ssl/6379/ca.crt
127.0.0.1:6379> info
NOAUTH Authentication required.
127.0.0.1:6379> auth 123456
OK
127.0.0.1:6379> set k1 123456
OK
127.0.0.1:6379> get k1
"123456"
127.0.0.1:6379> quit
```