Secure your Redis 7 cluster with TLS encryption, client authentication, and inter-node SSL communication for production environments. Includes certificate generation, authentication setup, and security validation.
Prerequisites
- Redis 7 installed
- OpenSSL tools
- Root or sudo access
- Multiple network interfaces or IPs for cluster nodes
- Basic understanding of Redis clustering
What this solves
This tutorial configures Redis 7 cluster with SSL/TLS encryption and authentication for production security. You'll set up encrypted communication between cluster nodes, secure client connections with certificates, and implement authentication to protect against unauthorized access. Essential for compliance requirements and securing sensitive data in distributed Redis deployments.
Step-by-step configuration
Update system packages and install dependencies
Start by updating your package manager and installing Redis together with the OpenSSL tools used for certificate generation. Afterwards confirm with redis-server --version that the packaged server is Redis 7; older distribution releases still ship Redis 6, in which case install from the Redis APT repository instead.
sudo apt update && sudo apt upgrade -y
sudo apt install -y redis-server redis-tools openssl wget curl
Create SSL certificate directory structure
Set up dedicated directories for SSL certificates with proper permissions for Redis cluster security.
sudo mkdir -p /etc/redis/ssl/ca
sudo mkdir -p /etc/redis/ssl/certs
sudo mkdir -p /etc/redis/ssl/private
sudo chmod 755 /etc/redis/ssl
sudo chmod 700 /etc/redis/ssl/private
Generate Certificate Authority (CA) for cluster
Create a private CA to sign certificates for Redis cluster nodes and clients. This establishes trust between all cluster components. The CA below is valid for one year, the same as the leaf certificates it signs; in practice give the CA a longer lifetime than the node and client certificates, so that rotating those certificates does not also force you to redistribute a new CA to every client.
cd /etc/redis/ssl/ca
sudo openssl genrsa -out redis-ca-key.pem 4096
sudo openssl req -new -x509 -days 365 -key redis-ca-key.pem -out redis-ca-cert.pem -subj "/C=US/ST=State/L=City/O=Organization/OU=IT/CN=Redis-CA"
Generate server certificates for cluster nodes
Create the SSL certificate used by the Redis cluster nodes (this guide shares one certificate between all nodes; repeat the step per node if you prefer one certificate each). Replace the IP addresses with your actual Redis cluster node IPs: every address a client or a peer node connects to must appear in the SAN, otherwise certificate verification fails. Because tls-cluster is enabled later, each node also acts as a TLS client towards its peers, so the extended key usage lists both serverAuth and clientAuth.
cd /etc/redis/ssl
# Generate server private key
sudo openssl genrsa -out private/redis-server-key.pem 2048
# Create certificate signing request
sudo openssl req -new -key private/redis-server-key.pem -out redis-server.csr -subj "/C=US/ST=State/L=City/O=Organization/OU=IT/CN=redis-cluster"
# Create extension file with SAN for cluster IPs
sudo tee server-cert-config.conf > /dev/null << 'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
[v3_req]
basicConstraints = CA:FALSE
# digitalSignature is required for ECDHE key exchange and for TLS 1.3
keyUsage = digitalSignature, keyEncipherment
# serverAuth for client connections, clientAuth because nodes dial each other over the TLS cluster bus
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
DNS.2 = redis-cluster
IP.1 = 127.0.0.1
IP.2 = 203.0.113.10
IP.3 = 203.0.113.11
IP.4 = 203.0.113.12
EOF
# Sign the certificate
sudo openssl x509 -req -in redis-server.csr -CA ca/redis-ca-cert.pem -CAkey ca/redis-ca-key.pem -CAcreateserial -out certs/redis-server-cert.pem -days 365 -extensions v3_req -extfile server-cert-config.conf
Generate client certificates for authentication
Create client certificates for secure authentication to the Redis cluster. These will be used by applications and Redis CLI tools.
# Generate client private key
sudo openssl genrsa -out private/redis-client-key.pem 2048
# Create client certificate signing request
sudo openssl req -new -key private/redis-client-key.pem -out redis-client.csr -subj "/C=US/ST=State/L=City/O=Organization/OU=IT/CN=redis-client"
# Sign client certificate
sudo openssl x509 -req -in redis-client.csr -CA ca/redis-ca-cert.pem -CAkey ca/redis-ca-key.pem -CAcreateserial -out certs/redis-client-cert.pem -days 365
# Clean up CSR files
sudo rm redis-server.csr redis-client.csr server-cert-config.conf
Set proper SSL certificate ownership and permissions
Configure secure file permissions for SSL certificates. The redis user needs read access to the certificates and to its own private key; private keys must never be world-readable. Two consequences worth knowing: the client key is now readable only by redis and root, so the redis-cli commands later in this guide are run with sudo, and operators or applications should get their own client certificates with keys they own rather than sharing this one. Once all certificates are issued, move the CA key off the cluster nodes: anyone who can read it can mint client certificates the cluster will trust.
sudo chown -R redis:redis /etc/redis/ssl
sudo chmod 644 /etc/redis/ssl/ca/redis-ca-cert.pem
sudo chmod 644 /etc/redis/ssl/certs/*.pem
sudo chmod 600 /etc/redis/ssl/private/*.pem
sudo chmod 600 /etc/redis/ssl/ca/redis-ca-key.pem
Configure Redis cluster authentication
Create a strong password for Redis cluster authentication. This will be used for both cluster communication (masterauth) and client connections (requirepass). A hex string is used so the password contains no characters that are special to sed or the shell when it is substituted into the configuration later.
# Generate strong password for Redis authentication
REDIS_PASSWORD=$(openssl rand -hex 32)
echo "Generated Redis password: $REDIS_PASSWORD"
# Store password securely for later use
echo "$REDIS_PASSWORD" | sudo tee /etc/redis/redis-auth-password > /dev/null
sudo chmod 600 /etc/redis/redis-auth-password
sudo chown redis:redis /etc/redis/redis-auth-password
Configure first Redis cluster node
Write the following to /etc/redis/redis-node-1.conf; it is the template the other nodes are copied from. Plaintext access is disabled (port 0), every client and every peer node must present a certificate signed by the cluster CA, and supervised systemd is required so that the Type=notify unit created below learns when the node is ready (without it systemd waits, then kills the service).
# Network and cluster configuration
port 0
tls-port 6380
# All three nodes in this walkthrough run on one host; on a multi-host cluster bind the node's cluster IP instead. Avoid 0.0.0.0, which exposes the node on every interface.
bind 127.0.0.1
protected-mode yes
supervised systemd
cluster-enabled yes
cluster-config-file nodes-6380.conf
cluster-node-timeout 5000
cluster-announce-port 6380
cluster-announce-bus-port 16380
# SSL/TLS configuration
tls-cert-file /etc/redis/ssl/certs/redis-server-cert.pem
tls-key-file /etc/redis/ssl/private/redis-server-key.pem
tls-ca-cert-file /etc/redis/ssl/ca/redis-ca-cert.pem
tls-dh-params-file /etc/redis/ssl/redis-dh.pem
# SSL security settings
tls-protocols "TLSv1.2 TLSv1.3"
tls-ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
tls-ciphersuites "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256"
tls-prefer-server-ciphers yes
# Session resumption is disabled; the cache size and timeout only take effect if it is enabled
tls-session-caching no
tls-session-cache-size 5000
tls-session-cache-timeout 60
# Client authentication: clients and peer nodes must present a certificate signed by the CA, and the cluster bus is TLS as well
tls-auth-clients yes
tls-cluster yes
# Authentication (the placeholder is replaced in a later step)
requirepass REPLACE_WITH_PASSWORD
masterauth REPLACE_WITH_PASSWORD
# Connection settings
tcp-keepalive 300
timeout 0
maxclients 10000
# Persistence
save 900 1
save 300 10
save 60 10000
dir /var/lib/redis
dbfilename dump-6380.rdb
appendonly yes
appendfilename "appendonly-6380.aof"
appendfsync everysec
# Logging
loglevel notice
logfile /var/log/redis/redis-server-6380.log
syslog-enabled yes
syslog-ident redis-6380
Generate Diffie-Hellman parameters for SSL
Create strong DH parameters for SSL key exchange. This improves the security of TLS connections to the Redis cluster.
sudo openssl dhparam -out /etc/redis/ssl/redis-dh.pem 2048
sudo chown redis:redis /etc/redis/ssl/redis-dh.pem
sudo chmod 644 /etc/redis/ssl/redis-dh.pem
Apply authentication password to configuration
Replace the password placeholder in the Redis configuration with the generated password. The password file is readable only by redis, so it is read with sudo; the sed expression uses | as its delimiter so that a password containing / cannot break the substitution.
REDIS_PASSWORD=$(sudo cat /etc/redis/redis-auth-password)
sudo sed -i "s|REPLACE_WITH_PASSWORD|$REDIS_PASSWORD|g" /etc/redis/redis-node-1.conf
# Set proper ownership and permissions (the file now contains the password)
sudo chown redis:redis /etc/redis/redis-node-1.conf
sudo chmod 640 /etc/redis/redis-node-1.conf
Create systemd service for first cluster node
Write this unit to /etc/systemd/system/redis-cluster-6380.service. It runs the node as the unprivileged redis user with a read-only system view and resource limits. The distribution's own redis-server unit listens unencrypted on port 6379 and is not used by this setup; disable it (systemctl disable --now redis-server) so that no plaintext instance keeps running next to the cluster.
[Unit]
Description=Redis Cluster Node 6380
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
ExecStart=/usr/bin/redis-server /etc/redis/redis-node-1.conf
TimeoutStopSec=0
Restart=always
User=redis
Group=redis
# Security settings
NoNewPrivileges=true
PrivateTmp=true
PrivateDevices=true
ProtectHome=true
ProtectSystem=strict
ReadWritePaths=/var/lib/redis /var/log/redis
# Resource limits
LimitNOFILE=65535
MemoryAccounting=true
MemoryMax=2G
[Install]
WantedBy=multi-user.target
Create additional cluster node configurations
Set up configurations for additional cluster nodes on different ports. This example creates two more nodes for a minimal 3-node cluster. A single substitution per node rewrites every port-derived value (tls-port, bus port 16380, nodes file, dump and AOF names, log file, syslog identifier); the address in front of it skips the requirepass and masterauth lines so that a password which happens to contain "6380" is left untouched.
# Create second node configuration (port 6381, bus port 16381)
sudo cp /etc/redis/redis-node-1.conf /etc/redis/redis-node-2.conf
sudo sed -i '/^\(requirepass\|masterauth\) /! s/6380/6381/g' /etc/redis/redis-node-2.conf
# Create third node configuration (port 6382, bus port 16382)
sudo cp /etc/redis/redis-node-1.conf /etc/redis/redis-node-3.conf
sudo sed -i '/^\(requirepass\|masterauth\) /! s/6380/6382/g' /etc/redis/redis-node-3.conf
Create systemd services for additional nodes
Set up systemd services for the remaining cluster nodes with the same security settings.
# Create service for second node
sudo cp /etc/systemd/system/redis-cluster-6380.service /etc/systemd/system/redis-cluster-6381.service
sudo sed -i 's/6380/6381/g' /etc/systemd/system/redis-cluster-6381.service
sudo sed -i 's/redis-node-1.conf/redis-node-2.conf/g' /etc/systemd/system/redis-cluster-6381.service
# Create service for third node
sudo cp /etc/systemd/system/redis-cluster-6380.service /etc/systemd/system/redis-cluster-6382.service
sudo sed -i 's/6380/6382/g' /etc/systemd/system/redis-cluster-6382.service
sudo sed -i 's/redis-node-1.conf/redis-node-3.conf/g' /etc/systemd/system/redis-cluster-6382.service
Create Redis data and log directories
Set up proper directories for Redis data files and logs with correct ownership and permissions, then start the three nodes.
sudo mkdir -p /var/lib/redis /var/log/redis
sudo chown redis:redis /var/lib/redis /var/log/redis
sudo chmod 755 /var/lib/redis /var/log/redis
# Enable and start all cluster services
sudo systemctl daemon-reload
sudo systemctl enable redis-cluster-6380 redis-cluster-6381 redis-cluster-6382
sudo systemctl start redis-cluster-6380 redis-cluster-6381 redis-cluster-6382
Initialize Redis cluster with SSL
Create the Redis cluster using redis-cli over TLS. This establishes the cluster topology and enables distributed operation. The password is handed to redis-cli through the REDISCLI_AUTH environment variable rather than -a, so it does not show up in the process list or shell history; sudo is needed because the client key and the password file are readable only by redis.
REDIS_PASSWORD=$(sudo cat /etc/redis/redis-auth-password)
# Initialize cluster with SSL (three masters, no replicas)
sudo env REDISCLI_AUTH="$REDIS_PASSWORD" redis-cli --tls \
--cert /etc/redis/ssl/certs/redis-client-cert.pem \
--key /etc/redis/ssl/private/redis-client-key.pem \
--cacert /etc/redis/ssl/ca/redis-ca-cert.pem \
--cluster create 127.0.0.1:6380 127.0.0.1:6381 127.0.0.1:6382 \
--cluster-replicas 0 \
--cluster-yes
Configure Redis CLI for SSL connections
redis-cli has no options file: the only file it reads at startup, ~/.redisclirc (or the file named by REDISCLI_RCFILE), holds interactive preferences such as :set hints and cannot carry --tls or certificate paths, so a "redis-cli.conf" with tls-cert-file lines would simply be ignored. Pass the TLS flags on the command line, which the helper script in the next step does for you, and supply the password through the REDISCLI_AUTH environment variable instead of -a so that it never appears in ps output or shell history.
Set up client authentication script
Write the following helper to /usr/local/bin/redis-cluster-cli. It reads the password file and exports it as REDISCLI_AUTH, so the password is never on the command line, and passes the client certificate, key and CA. Run it with sudo (or as the redis user), because the password file and the client key are readable only by redis.
#!/bin/bash
# Redis Cluster SSL Connection Script
set -euo pipefail
SSL_DIR="/etc/redis/ssl"
REDIS_PASSWORD=$(cat /etc/redis/redis-auth-password 2>/dev/null || true)
if [ -z "$REDIS_PASSWORD" ]; then
echo "Error: Redis password not found (run with sudo)" >&2
exit 1
fi
export REDISCLI_AUTH="$REDIS_PASSWORD"
# Connect to cluster with SSL and auth; -c follows MOVED/ASK redirections between nodes
exec redis-cli --tls \
--cert "$SSL_DIR/certs/redis-client-cert.pem" \
--key "$SSL_DIR/private/redis-client-key.pem" \
--cacert "$SSL_DIR/ca/redis-ca-cert.pem" \
-c \
-h 127.0.0.1 \
-p 6380 \
"$@"
sudo chmod +x /usr/local/bin/redis-cluster-cli
Verify your setup
Test the Redis cluster SSL configuration and authentication to ensure everything is working correctly. The helper is run with sudo because the client key and password file belong to redis.
# Check cluster services status
sudo systemctl status redis-cluster-6380 redis-cluster-6381 redis-cluster-6382
# Test cluster connectivity and SSL; cluster info must report cluster_state:ok
sudo redis-cluster-cli ping
sudo redis-cluster-cli cluster nodes
sudo redis-cluster-cli cluster info
# Test SSL certificate information; the issuer must be the cluster CA
echo | sudo openssl s_client -connect 127.0.0.1:6380 -cert /etc/redis/ssl/certs/redis-client-cert.pem -key /etc/redis/ssl/private/redis-client-key.pem -CAfile /etc/redis/ssl/ca/redis-ca-cert.pem 2>/dev/null | openssl x509 -noout -subject -issuer
# Test data operations across cluster
sudo redis-cluster-cli set test:ssl:key "SSL encryption working"
sudo redis-cluster-cli get test:ssl:key
# Verify authentication is required: without a password this must answer "(error) NOAUTH Authentication required."
sudo redis-cli --tls --cert /etc/redis/ssl/certs/redis-client-cert.pem --key /etc/redis/ssl/private/redis-client-key.pem --cacert /etc/redis/ssl/ca/redis-ca-cert.pem -h 127.0.0.1 -p 6380 ping
Application connection examples
Configure applications to connect to your secured Redis cluster using SSL and authentication. Both examples verify the server certificate against the cluster CA and keep hostname checking enabled, which works because 127.0.0.1 is listed in the server certificate's SAN; disabling the check would leave the connection open to a man-in-the-middle holding any certificate. The password is read from the REDIS_PASSWORD environment variable rather than hard-coded in source.
Python Redis connection (redis-py 4.1 or later, which provides redis.cluster and supersedes the separate redis-py-cluster package)
import os
from redis.cluster import RedisCluster, ClusterNode

# Seed nodes; the client discovers the full topology from the cluster itself
startup_nodes = [
    ClusterNode("127.0.0.1", 6380),
    ClusterNode("127.0.0.1", 6381),
    ClusterNode("127.0.0.1", 6382),
]

rc = RedisCluster(
    startup_nodes=startup_nodes,
    password=os.environ["REDIS_PASSWORD"],  # from the environment, never hard-coded
    ssl=True,
    ssl_certfile="/etc/redis/ssl/certs/redis-client-cert.pem",
    ssl_keyfile="/etc/redis/ssl/private/redis-client-key.pem",
    ssl_ca_certs="/etc/redis/ssl/ca/redis-ca-cert.pem",
    ssl_cert_reqs="required",   # reject servers not signed by the cluster CA
    ssl_check_hostname=True,    # 127.0.0.1 is in the server certificate's SAN
    decode_responses=True,
)

# Test connection
rc.set("python:test", "SSL connection successful")
print(rc.get("python:test"))
Node.js Redis connection (ioredis)
const Redis = require('ioredis');
const fs = require('fs');

// Client certificate, key and the cluster CA. checkServerIdentity is left at
// Node's default: 127.0.0.1 is in the server certificate's SAN, so the
// identity check passes and still protects against a substituted server.
const tlsOptions = {
  ca: fs.readFileSync('/etc/redis/ssl/ca/redis-ca-cert.pem'),
  cert: fs.readFileSync('/etc/redis/ssl/certs/redis-client-cert.pem'),
  key: fs.readFileSync('/etc/redis/ssl/private/redis-client-key.pem')
};

const cluster = new Redis.Cluster(
  [
    { host: '127.0.0.1', port: 6380 },
    { host: '127.0.0.1', port: 6381 },
    { host: '127.0.0.1', port: 6382 }
  ],
  {
    redisOptions: {
      password: process.env.REDIS_PASSWORD, // from the environment, never hard-coded
      tls: tlsOptions
    }
  }
);

// Test connection, then close the pool so the process can exit
cluster.set('nodejs:test', 'SSL connection successful')
  .then(() => cluster.get('nodejs:test'))
  .then(result => console.log(result))
  .catch(err => console.error('Connection failed:', err))
  .finally(() => cluster.quit());
Security monitoring and maintenance
Set up monitoring and maintenance procedures for your secured Redis cluster.
Create SSL certificate monitoring script
Monitor SSL certificate expiration to ensure continuous security and prevent connection failures. Write the script to /usr/local/bin/redis-ssl-monitor; it is run as the redis user by the timer below, which is why it can read the password file and the client key.
#!/bin/bash
# Redis SSL Certificate Monitoring Script
SSL_DIR="/etc/redis/ssl"
WARN_DAYS=30
CRIT_DAYS=7
# Check certificate expiration
check_cert() {
local cert_file="$1"
local cert_name="$2"
if [ ! -f "$cert_file" ]; then
echo "ERROR: Certificate $cert_name not found at $cert_file"
return 1
fi
local exp_date=$(openssl x509 -enddate -noout -in "$cert_file" | cut -d= -f2)
local exp_epoch=$(date -d "$exp_date" +%s)
local now_epoch=$(date +%s)
local days_left=$(( (exp_epoch - now_epoch) / 86400 ))
if [ "$days_left" -lt "$CRIT_DAYS" ]; then
echo "CRITICAL: $cert_name expires in $days_left days"
return 2
elif [ "$days_left" -lt "$WARN_DAYS" ]; then
echo "WARNING: $cert_name expires in $days_left days"
return 1
else
echo "OK: $cert_name expires in $days_left days"
return 0
fi
}
# Check all certificates
echo "Redis SSL Certificate Status:"
check_cert "$SSL_DIR/ca/redis-ca-cert.pem" "CA Certificate"
check_cert "$SSL_DIR/certs/redis-server-cert.pem" "Server Certificate"
check_cert "$SSL_DIR/certs/redis-client-cert.pem" "Client Certificate"
# Test cluster connectivity; the password goes through REDISCLI_AUTH, not the command line
printf '\nCluster Connectivity Test:\n'
REDISCLI_AUTH=$(cat /etc/redis/redis-auth-password 2>/dev/null)
export REDISCLI_AUTH
if redis-cli --tls --cert "$SSL_DIR/certs/redis-client-cert.pem" --key "$SSL_DIR/private/redis-client-key.pem" --cacert "$SSL_DIR/ca/redis-ca-cert.pem" -h 127.0.0.1 -p 6380 ping > /dev/null 2>&1; then
echo "OK: Redis cluster SSL connectivity working"
else
echo "ERROR: Redis cluster SSL connectivity failed"
fi
sudo chmod +x /usr/local/bin/redis-ssl-monitor
sudo /usr/local/bin/redis-ssl-monitor
Set up scheduled certificate monitoring
Create a systemd service and timer so the monitor runs daily. The timer only reports: renewing certificates (re-running the signing steps above with the same CA and restarting the nodes) remains a planned operation, which the 30-day warning gives you time to schedule. Write the service to /etc/systemd/system/redis-ssl-monitor.service:
[Unit]
Description=Redis SSL Certificate Monitor
After=network.target
[Service]
Type=oneshot
ExecStart=/usr/local/bin/redis-ssl-monitor
User=redis
Group=redis
and the timer to /etc/systemd/system/redis-ssl-monitor.timer:
[Unit]
Description=Redis SSL Certificate Monitor Timer
Requires=redis-ssl-monitor.service
[Timer]
OnCalendar=daily
Persistent=true
[Install]
WantedBy=timers.target
sudo systemctl daemon-reload
sudo systemctl enable --now redis-ssl-monitor.timer
Common issues
| Symptom | Cause | Fix |
|---|---|---|
| "SSL connection error" | Certificate path or permissions wrong | Check paths in config, verify chown redis:redis and chmod 600 for private keys |
| "NOAUTH Authentication required" | Missing or incorrect password | Verify password in /etc/redis/redis-auth-password and config files match |
| "Connection refused" | Redis service not running or wrong port | Check sudo systemctl status redis-cluster-* and verify ports in config |
| "certificate verify failed" | CA certificate not trusted, or the address you connect to is not in the server certificate's SAN | Point the client at the cluster CA and make sure every node IP appears in the server certificate's SAN |
| "Cluster state fail" | Nodes cannot communicate | Check firewall rules for cluster ports (16380-16382) and SSL certificates |
| "Permission denied" on SSL files | Incorrect file ownership | Run sudo chown -R redis:redis /etc/redis/ssl and set proper permissions |
| Service stays "activating" and is then killed | Type=notify unit but the node config lacks supervised systemd | Add supervised systemd to the node configuration and restart the service |
Next steps
- Configure Redis cluster monitoring with custom Grafana dashboards for comprehensive observability
- Set up automated encrypted backups for Redis cluster
- Configure Redis Sentinel for automatic failover
- Implement Redis cluster load balancing with HAProxy
- Optimize Redis cluster performance for production workloads
Running this in production?
Automated install script
Run this to automate the entire setup
#!/usr/bin/env bash
set -euo pipefail
# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m'
# Global variables
REDIS_PASSWORD=""
CLUSTER_IPS=""
TOTAL_STEPS=12
# Usage function
usage() {
echo "Usage: $0 --password PASSWORD --cluster-ips IP1,IP2,IP3 [--redis-port PORT]"
echo ""
echo "Options:"
echo " --password PASSWORD Redis authentication password"
echo " --cluster-ips IPS Comma-separated list of cluster node IPs"
echo " --redis-port PORT Redis TLS port (default: 6380)"
echo ""
echo "Example:"
echo " $0 --password \"\$(openssl rand -hex 32)\" --cluster-ips 192.168.1.10,192.168.1.11,192.168.1.12"
exit 1
}
# Error handling and cleanup
cleanup() {
if [ $? -ne 0 ]; then
echo -e "${RED}[ERROR] Installation failed. Check logs above for details.${NC}"
echo -e "${YELLOW}To manually cleanup: sudo systemctl stop redis-server; sudo rm -rf /etc/redis/ssl${NC}"
fi
}
trap cleanup ERR
# Parse arguments
REDIS_PORT=6380
while [[ $# -gt 0 ]]; do
case $1 in
--password)
REDIS_PASSWORD="$2"
shift 2
;;
--cluster-ips)
CLUSTER_IPS="$2"
shift 2
;;
--redis-port)
REDIS_PORT="$2"
shift 2
;;
-h|--help)
usage
;;
*)
echo -e "${RED}Unknown option: $1${NC}"
usage
;;
esac
done
# Validate required arguments
if [[ -z "$REDIS_PASSWORD" || -z "$CLUSTER_IPS" ]]; then
echo -e "${RED}Error: --password and --cluster-ips are required${NC}"
usage
fi
# Check if running as root
if [[ $EUID -eq 0 ]]; then
SUDO=""
else
if ! command -v sudo &> /dev/null; then
echo -e "${RED}Error: This script requires root privileges or sudo${NC}"
exit 1
fi
SUDO="sudo"
fi
# Detect distribution
if [ -f /etc/os-release ]; then
. /etc/os-release
case "$ID" in
ubuntu|debian)
PKG_MGR="apt"
PKG_INSTALL="apt-get install -y"
# Keep this a single command: "apt update && apt upgrade" in one variable would hand && to apt as an argument
PKG_UPDATE="apt-get update"
REDIS_SERVICE="redis-server"
REDIS_USER="redis"
;;
almalinux|rocky|centos|rhel|ol|fedora)
PKG_MGR="dnf"
PKG_INSTALL="dnf install -y"
PKG_UPDATE="dnf update -y"
REDIS_SERVICE="redis"
REDIS_USER="redis"
;;
amzn)
PKG_MGR="yum"
PKG_INSTALL="yum install -y"
PKG_UPDATE="yum update -y"
REDIS_SERVICE="redis"
REDIS_USER="redis"
;;
*)
echo -e "${RED}Unsupported distribution: $ID${NC}"
exit 1
;;
esac
else
echo -e "${RED}Cannot detect distribution${NC}"
exit 1
fi
echo -e "${GREEN}[1/$TOTAL_STEPS] Updating system packages and installing dependencies...${NC}"
$SUDO $PKG_UPDATE
if [[ "$PKG_MGR" == "apt" ]]; then
$SUDO $PKG_INSTALL redis-server redis-tools openssl wget curl
else
# redis-cli ships inside the redis package on RHEL-family distributions; there is no redis-tools package
$SUDO $PKG_INSTALL redis openssl wget curl
fi
echo -e "${GREEN}[2/$TOTAL_STEPS] Creating SSL certificate directory structure...${NC}"
$SUDO mkdir -p /etc/redis/ssl/{ca,certs,private}
$SUDO chmod 755 /etc/redis/ssl
$SUDO chmod 700 /etc/redis/ssl/private
$SUDO chown -R $REDIS_USER:$REDIS_USER /etc/redis/ssl
echo -e "${GREEN}[3/$TOTAL_STEPS] Generating Certificate Authority (CA)...${NC}"
$SUDO openssl genrsa -out /etc/redis/ssl/ca/redis-ca-key.pem 4096
$SUDO openssl req -new -x509 -days 365 -key /etc/redis/ssl/ca/redis-ca-key.pem \
-out /etc/redis/ssl/ca/redis-ca-cert.pem \
-subj "/C=US/ST=State/L=City/O=Organization/OU=IT/CN=Redis-CA"
echo -e "${GREEN}[4/$TOTAL_STEPS] Generating server certificates...${NC}"
$SUDO openssl genrsa -out /etc/redis/ssl/private/redis-server-key.pem 2048
$SUDO openssl req -new -key /etc/redis/ssl/private/redis-server-key.pem \
-out /etc/redis/ssl/redis-server.csr \
-subj "/C=US/ST=State/L=City/O=Organization/OU=IT/CN=redis-cluster"
# Create the extension file with a SAN entry per cluster IP. digitalSignature is
# required for ECDHE/TLS 1.3 and clientAuth because nodes also dial each other
# over the TLS cluster bus; a serverAuth-only EKU would break node-to-node auth.
IFS=',' read -ra IP_ARRAY <<< "$CLUSTER_IPS"
$SUDO tee /etc/redis/ssl/server-cert-config.conf > /dev/null << EOF
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = redis-cluster
DNS.2 = localhost
IP.1 = 127.0.0.1
$(for i in "${!IP_ARRAY[@]}"; do echo "IP.$((i+2)) = ${IP_ARRAY[i]}"; done)
EOF
$SUDO openssl x509 -req -in /etc/redis/ssl/redis-server.csr \
-CA /etc/redis/ssl/ca/redis-ca-cert.pem \
-CAkey /etc/redis/ssl/ca/redis-ca-key.pem \
-CAcreateserial -out /etc/redis/ssl/certs/redis-server-cert.pem \
-days 365 -extensions v3_req -extfile /etc/redis/ssl/server-cert-config.conf
echo -e "${GREEN}[5/$TOTAL_STEPS] Generating client certificates...${NC}"
$SUDO openssl genrsa -out /etc/redis/ssl/private/redis-client-key.pem 2048
$SUDO openssl req -new -key /etc/redis/ssl/private/redis-client-key.pem \
-out /etc/redis/ssl/redis-client.csr \
-subj "/C=US/ST=State/L=City/O=Organization/OU=IT/CN=redis-client"
$SUDO openssl x509 -req -in /etc/redis/ssl/redis-client.csr \
-CA /etc/redis/ssl/ca/redis-ca-cert.pem \
-CAkey /etc/redis/ssl/ca/redis-ca-key.pem \
-CAcreateserial -out /etc/redis/ssl/certs/redis-client-cert.pem -days 365
echo -e "${GREEN}[6/$TOTAL_STEPS] Setting certificate permissions...${NC}"
$SUDO chmod 644 /etc/redis/ssl/ca/redis-ca-cert.pem
$SUDO chmod 600 /etc/redis/ssl/ca/redis-ca-key.pem
$SUDO chmod 644 /etc/redis/ssl/certs/*.pem
$SUDO chmod 600 /etc/redis/ssl/private/*.pem
$SUDO chown -R $REDIS_USER:$REDIS_USER /etc/redis/ssl
echo -e "${GREEN}[7/$TOTAL_STEPS] Creating authentication password file...${NC}"
echo "$REDIS_PASSWORD" | $SUDO tee /etc/redis/redis-auth-password > /dev/null
$SUDO chmod 600 /etc/redis/redis-auth-password
$SUDO chown $REDIS_USER:$REDIS_USER /etc/redis/redis-auth-password
echo -e "${GREEN}[8/$TOTAL_STEPS] Generating Diffie-Hellman parameters...${NC}"
$SUDO openssl dhparam -out /etc/redis/ssl/redis-dh.pem 2048
$SUDO chown $REDIS_USER:$REDIS_USER /etc/redis/ssl/redis-dh.pem
$SUDO chmod 644 /etc/redis/ssl/redis-dh.pem
echo -e "${GREEN}[9/$TOTAL_STEPS] Creating Redis cluster configuration...${NC}"
$SUDO tee /etc/redis/redis-cluster.conf > /dev/null << EOF
port 0
tls-port $REDIS_PORT
# 0.0.0.0 listens on every interface; replace it with this node's cluster IP once the firewall rules below are in place
bind 0.0.0.0
protected-mode yes
supervised systemd
cluster-enabled yes
cluster-config-file nodes-$REDIS_PORT.conf
cluster-node-timeout 5000
cluster-announce-port $REDIS_PORT
cluster-announce-bus-port $((REDIS_PORT + 10000))
tls-cert-file /etc/redis/ssl/certs/redis-server-cert.pem
tls-key-file /etc/redis/ssl/private/redis-server-key.pem
tls-ca-cert-file /etc/redis/ssl/ca/redis-ca-cert.pem
tls-dh-params-file /etc/redis/ssl/redis-dh.pem
tls-protocols "TLSv1.2 TLSv1.3"
tls-ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
tls-prefer-server-ciphers yes
tls-session-caching no
tls-auth-clients yes
tls-cluster yes
requirepass $REDIS_PASSWORD
masterauth $REDIS_PASSWORD
tcp-keepalive 300
timeout 0
maxclients 10000
save 900 1
save 300 10
save 60 10000
dir /var/lib/redis
dbfilename dump-$REDIS_PORT.rdb
appendonly yes
appendfilename "appendonly-$REDIS_PORT.aof"
appendfsync everysec
loglevel notice
logfile /var/log/redis/redis-server-$REDIS_PORT.log
syslog-enabled yes
syslog-ident redis-$REDIS_PORT
EOF
echo -e "${GREEN}[10/$TOTAL_STEPS] Configuring firewall rules...${NC}"
if command -v firewall-cmd &> /dev/null && systemctl is-active --quiet firewalld; then
$SUDO firewall-cmd --permanent --add-port=$REDIS_PORT/tcp
$SUDO firewall-cmd --permanent --add-port=$((REDIS_PORT + 10000))/tcp
$SUDO firewall-cmd --reload
elif command -v ufw &> /dev/null; then
$SUDO ufw allow $REDIS_PORT/tcp
$SUDO ufw allow $((REDIS_PORT + 10000))/tcp
fi
echo -e "${GREEN}[11/$TOTAL_STEPS] Starting Redis service...${NC}"
$SUDO systemctl stop $REDIS_SERVICE || true
if [[ "$PKG_MGR" == "apt" ]]; then
$SUDO cp /etc/redis/redis-cluster.conf /etc/redis/redis.conf
else
$SUDO cp /etc/redis/redis-cluster.conf /etc/redis.conf
fi
$SUDO systemctl enable $REDIS_SERVICE
$SUDO systemctl start $REDIS_SERVICE
echo -e "${GREEN}[12/$TOTAL_STEPS] Verifying installation...${NC}"
sleep 3
if systemctl is-active --quiet $REDIS_SERVICE; then
echo -e "${GREEN}✓ Redis service is running${NC}"
else
echo -e "${RED}✗ Redis service failed to start${NC}"
exit 1
fi
# Test SSL connection. Runs through $SUDO because the client key is readable only by $REDIS_USER;
# the password is passed in the environment so it does not appear in the process list.
if $SUDO env REDISCLI_AUTH="$REDIS_PASSWORD" redis-cli --tls --cert /etc/redis/ssl/certs/redis-client-cert.pem \
--key /etc/redis/ssl/private/redis-client-key.pem \
--cacert /etc/redis/ssl/ca/redis-ca-cert.pem \
-p $REDIS_PORT ping 2>/dev/null | grep -q PONG; then
echo -e "${GREEN}✓ SSL connection test successful${NC}"
else
echo -e "${YELLOW}⚠ SSL connection test failed - check configuration${NC}"
fi
echo -e "${GREEN}Redis cluster SSL setup completed successfully!${NC}"
# Build the "ip:port ip:port ..." list for cluster creation
CLUSTER_NODES=$(printf '%s' "$CLUSTER_IPS" | tr ',' '\n' | sed "s/\$/:$REDIS_PORT/" | tr '\n' ' ')
echo -e "${YELLOW}Next steps:${NC}"
echo "1. Copy the CA certificate, the node certificate and its key to the other cluster nodes (keep the CA key off the nodes)"
echo "2. Configure the other nodes with the same redis.conf and start them"
echo "3. Initialize the cluster (three nodes give three masters; --cluster-replicas 1 needs at least six nodes):"
echo "   REDISCLI_AUTH=<password> redis-cli --tls --cert /etc/redis/ssl/certs/redis-client-cert.pem --key /etc/redis/ssl/private/redis-client-key.pem --cacert /etc/redis/ssl/ca/redis-ca-cert.pem --cluster create $CLUSTER_NODES--cluster-replicas 0"
echo "4. Connect with the same --tls flags; the password is stored in /etc/redis/redis-auth-password and is read by redis-cli from REDISCLI_AUTH"
Review the script before running. Execute with: bash install.sh