Set up a production-grade Redis Sentinel cluster with SSL/TLS encryption, authentication, and automatic failover for high availability. This tutorial covers certificate generation, security configuration, and monitoring setup.
Prerequisites
- Root or sudo access
- At least 4GB RAM
- Basic understanding of Redis
- Network access between Redis instances
- OpenSSL for certificate generation
What this solves
Redis Sentinel provides high availability for Redis deployments by monitoring master and replica instances, performing automatic failover when the master fails, and providing service discovery for clients. Without proper SSL/TLS encryption and authentication, Redis communications are vulnerable to interception and unauthorized access.
This tutorial configures a secure, production-ready Redis Sentinel cluster with SSL encryption for all communications, authentication mechanisms, and monitoring capabilities to ensure your Redis infrastructure remains highly available and secure.
Step-by-step configuration
Install Redis and required packages
Install Redis server and SSL tools needed for certificate generation and secure communications.
# Install Redis plus OpenSSL (used below for certificate generation) and the system CA bundle
sudo apt update
sudo apt install -y redis-server openssl ca-certificates
# Stop the packaged unit: this guide defines its own master/replica/Sentinel units further down
sudo systemctl stop redis-server
Create Redis user and directories
Create dedicated directories for Redis data, certificates, and configuration files with proper ownership and permissions.
# Certificates and drop-in configs under /etc/redis; one data dir per instance; shared log dir
sudo mkdir -p /etc/redis/{certs,conf.d}
sudo mkdir -p /var/lib/redis/{master,replica1,replica2,sentinel}
sudo mkdir -p /var/log/redis
# The redis service account owns everything it has to read or write
sudo chown -R redis:redis /var/lib/redis /var/log/redis /etc/redis
sudo chmod 755 /var/lib/redis /var/log/redis
# Configuration (incl. passwords) is not world-readable
sudo chmod 750 /etc/redis
Generate SSL/TLS certificates
Create a Certificate Authority and generate SSL certificates for secure Redis communications between all components.
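# All certificate material lives here. Absolute paths are used instead of `cd` so that a
# failed cd cannot silently leave private keys in whatever directory the shell was in.
CERT_DIR=/etc/redis/certs
# Generate CA private key (signs every certificate below; Redis itself never needs it)
sudo openssl genrsa -out "$CERT_DIR/ca.key" 4096
# Generate self-signed CA certificate (10 years)
sudo openssl req -x509 -new -nodes -key "$CERT_DIR/ca.key" -sha256 -days 3650 -out "$CERT_DIR/ca.crt" -subj "/C=US/ST=State/L=City/O=Organization/CN=Redis-CA"
# Generate Redis server private key
sudo openssl genrsa -out "$CERT_DIR/redis.key" 2048
# Generate Redis server certificate signing request
sudo openssl req -new -key "$CERT_DIR/redis.key" -out "$CERT_DIR/redis.csr" -subj "/C=US/ST=State/L=City/O=Organization/CN=redis-server"
# Generate Redis server certificate, signed by the CA (1 year; -CAcreateserial writes ca.srl)
sudo openssl x509 -req -in "$CERT_DIR/redis.csr" -CA "$CERT_DIR/ca.crt" -CAkey "$CERT_DIR/ca.key" -CAcreateserial -out "$CERT_DIR/redis.crt" -days 365 -sha256
# Generate DH parameters for tls-dh-params-file
sudo openssl dhparam -out "$CERT_DIR/redis-dh.pem" 2048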
Set certificate permissions
Configure secure file permissions for SSL certificates, ensuring only Redis processes can access private keys.
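# Redis reads redis.crt, redis.key, ca.crt and redis-dh.pem; private keys are owner-only.
sudo chown redis:redis /etc/redis/certs/*
sudo chmod 644 /etc/redis/certs/*.crt /etc/redis/certs/*.pem
sudo chmod 600 /etc/redis/certs/*.key
# The CA signing key (and the serial file written by -CAcreateserial) are NOT needed by the
# service at runtime. They stay root-only so a compromised redis process cannot issue new
# certificates that every node trusts. For production, keep the CA key off the server entirely.
sudo chown root:root /etc/redis/certs/ca.key /etc/redis/certs/ca.srl
sudo chmod 600 /etc/redis/certs/ca.key
# The CSR is no longer needed once the certificate is issued
sudo rm -f /etc/redis/certs/*.csr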
Configure Redis master instance
Set up the Redis master with SSL encryption, authentication, and security hardening. Save the following as /etc/redis/redis-master.conf.
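# /etc/redis/redis-master.conf — TLS-only master (the plaintext listener is disabled)
port 0
tls-port 6380
tls-cert-file /etc/redis/certs/redis.crt
tls-key-file /etc/redis/certs/redis.key
tls-ca-cert-file /etc/redis/certs/ca.crt
tls-dh-params-file /etc/redis/certs/redis-dh.pem
tls-protocols "TLSv1.2 TLSv1.3"
tls-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
tls-ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256
tls-prefer-server-ciphers yes
tls-session-caching no
tls-session-cache-timeout 60
# Outgoing replication links use TLS as well. Every node in this setup listens on TLS only,
# and after a Sentinel failover this node is reconfigured as a replica of the promoted node;
# without this directive it would try a plaintext connection and could not resynchronise.
tls-replication yes
bind 127.0.0.1 203.0.113.10
protected-mode yes
# The same password is used on every data node: Sentinel authenticates to replicas with the
# master's auth-pass, and any replica may become the master.
requirepass "StrongMasterPassword123!"
# Used once this node is demoted to replica after a failover
masterauth "StrongMasterPassword123!"
tcp-keepalive 300
timeout 0
tcp-backlog 511
databases 16
save 900 1
save 300 10
save 60 10000
stop-writes-on-bgsave-error yes
rdbcompression yes
rdbchecksum yes
dbfilename dump-master.rdb
dir /var/lib/redis/master
appendonly yes
appendfilename "appendonly-master.aof"
appendfsync everysec
no-appendfsync-on-rewrite no
auto-aof-rewrite-percentage 100
auto-aof-rewrite-min-size 64mb
slowlog-log-slower-than 10000
slowlog-max-len 128
latency-monitor-threshold 100
notify-keyspace-events ""
hash-max-ziplist-entries 512
hash-max-ziplist-value 64
list-max-ziplist-size -2
list-compress-depth 0
set-max-intset-entries 512
zset-max-ziplist-entries 128
zset-max-ziplist-value 64
hll-sparse-max-bytes 3000
stream-node-max-bytes 4096
stream-node-max-entries 100
activerehashing yes
client-output-buffer-limit normal 0 0 0
client-output-buffer-limit replica 256mb 64mb 60
client-output-buffer-limit pubsub 32mb 8mb 60
client-query-buffer-limit 1gb
proto-max-bulk-len 512mb
hz 10
dynamic-hz yes
aof-rewrite-incremental-fsync yes
rdb-save-incremental-fsync yes
logfile /var/log/redis/redis-master.log
loglevel notice
syslog-enabled yes
syslog-ident redis-master
maxmemory-policy allkeys-lru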
Configure Redis replica instances
Set up the Redis replica instances that replicate data from the master over SSL. Save the following as /etc/redis/redis-replica1.conf.
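# /etc/redis/redis-replica1.conf — TLS-only replica of the master on 6380
port 0
tls-port 6381
tls-cert-file /etc/redis/certs/redis.crt
tls-key-file /etc/redis/certs/redis.key
tls-ca-cert-file /etc/redis/certs/ca.crt
tls-dh-params-file /etc/redis/certs/redis-dh.pem
tls-protocols "TLSv1.2 TLSv1.3"
tls-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
tls-ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256
tls-prefer-server-ciphers yes
tls-session-caching no
tls-session-cache-timeout 60
# The master listens on TLS only (port 0), so the replication link must use TLS too;
# without this the replica would attempt a plaintext connection to 6380 and never sync.
tls-replication yes
bind 127.0.0.1 203.0.113.10
protected-mode yes
# Same password as the master: Sentinel authenticates to replicas with the master's auth-pass,
# and this replica may be promoted, at which point clients and the old master connect to it
# with the master password.
requirepass "StrongMasterPassword123!"
masterauth "StrongMasterPassword123!"
replicaof 203.0.113.10 6380
replica-serve-stale-data yes
replica-read-only yes
replica-diskless-sync no
replica-diskless-sync-delay 5
# Lower value wins the promotion; replica1 (90) is preferred over replica2
replica-priority 90
tcp-keepalive 300
timeout 0
tcp-backlog 511
databases 16
save 900 1
save 300 10
save 60 10000
stop-writes-on-bgsave-error yes
rdbcompression yes
rdbchecksum yes
dbfilename dump-replica1.rdb
dir /var/lib/redis/replica1
appendonly yes
appendfilename "appendonly-replica1.aof"
appendfsync everysec
no-appendfsync-on-rewrite no
auto-aof-rewrite-percentage 100
auto-aof-rewrite-min-size 64mb
slowlog-log-slower-than 10000
slowlog-max-len 128
latency-monitor-threshold 100
logfile /var/log/redis/redis-replica1.log
loglevel notice
syslog-enabled yes
syslog-ident redis-replica1
maxmemory-policy allkeys-lru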
Create second replica configuration
Configure the second Redis replica instance for additional redundancy. Save it as /etc/redis/redis-replica2.conf.
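# /etc/redis/redis-replica2.conf — second TLS-only replica of the master on 6380
port 0
tls-port 6382
tls-cert-file /etc/redis/certs/redis.crt
tls-key-file /etc/redis/certs/redis.key
tls-ca-cert-file /etc/redis/certs/ca.crt
tls-dh-params-file /etc/redis/certs/redis-dh.pem
tls-protocols "TLSv1.2 TLSv1.3"
tls-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
tls-ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256
tls-prefer-server-ciphers yes
tls-session-caching no
tls-session-cache-timeout 60
# The master listens on TLS only (port 0), so the replication link must use TLS too;
# without this the replica would attempt a plaintext connection to 6380 and never sync.
tls-replication yes
bind 127.0.0.1 203.0.113.10
protected-mode yes
# Same password as the master: Sentinel authenticates to replicas with the master's auth-pass,
# and this replica may be promoted, at which point clients and the old master connect to it
# with the master password.
requirepass "StrongMasterPassword123!"
masterauth "StrongMasterPassword123!"
replicaof 203.0.113.10 6380
replica-serve-stale-data yes
replica-read-only yes
replica-diskless-sync no
replica-diskless-sync-delay 5
# Lower value wins the promotion; replica2 (80) is promoted before replica1 (90)
replica-priority 80
tcp-keepalive 300
timeout 0
tcp-backlog 511
databases 16
save 900 1
save 300 10
save 60 10000
stop-writes-on-bgsave-error yes
rdbcompression yes
rdbchecksum yes
dbfilename dump-replica2.rdb
dir /var/lib/redis/replica2
appendonly yes
appendfilename "appendonly-replica2.aof"
appendfsync everysec
no-appendfsync-on-rewrite no
auto-aof-rewrite-percentage 100
auto-aof-rewrite-min-size 64mb
slowlog-log-slower-than 10000
slowlog-max-len 128
latency-monitor-threshold 100
logfile /var/log/redis/redis-replica2.log
loglevel notice
syslog-enabled yes
syslog-ident redis-replica2
maxmemory-policy allkeys-lru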
Configure Redis Sentinel instances
Set up Redis Sentinel with SSL encryption and authentication for monitoring and automatic failover. Save the following as /etc/redis/sentinel1.conf.
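# /etc/redis/sentinel1.conf — first of three Sentinels, TLS-only
port 0
tls-port 26380
tls-cert-file /etc/redis/certs/redis.crt
tls-key-file /etc/redis/certs/redis.key
tls-ca-cert-file /etc/redis/certs/ca.crt
tls-dh-params-file /etc/redis/certs/redis-dh.pem
tls-protocols "TLSv1.2 TLSv1.3"
tls-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
tls-ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256
tls-prefer-server-ciphers yes
tls-session-caching no
# Sentinel's outgoing connections (to the master, the replicas and the other Sentinels)
# are plaintext unless this is set; every peer here listens on TLS only.
tls-replication yes
bind 127.0.0.1 203.0.113.10
protected-mode yes
# Shared by all three Sentinels: it protects incoming connections and is also what
# Sentinels use to talk to each other, so it must be identical on each of them.
requirepass "StrongSentinelPassword123!"
# Quorum 2: two Sentinels must agree that the master is down before a failover starts
sentinel monitor mymaster 203.0.113.10 6380 2
# Used for the master AND the replicas, hence the single shared data-node password
sentinel auth-pass mymaster "StrongMasterPassword123!"
sentinel down-after-milliseconds mymaster 5000
sentinel parallel-syncs mymaster 1
sentinel failover-timeout mymaster 60000
# Prevent clients from changing the notification/reconfig scripts at runtime
sentinel deny-scripts-reconfig yes
# Address this Sentinel advertises to its peers (all instances share one host here)
sentinel announce-ip 203.0.113.10
sentinel announce-port 26380
logfile /var/log/redis/sentinel1.log
loglevel notice
syslog-enabled yes
syslog-ident redis-sentinel1
dir /var/lib/redis/sentinel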
Create additional Sentinel configurations
Configure two more Sentinel instances so that three Sentinels monitor the master; with the configured quorum of 2, a majority can agree on failover decisions.
# Derive sentinel2.conf and sentinel3.conf from sentinel1.conf: only the listening port,
# the announced port, the log file and the syslog ident differ per instance.
for n in 2 3; do
  port=$((26379 + n))   # 26381 for sentinel2, 26382 for sentinel3
  sudo cp /etc/redis/sentinel1.conf "/etc/redis/sentinel${n}.conf"
  sudo sed -i \
    -e "s/tls-port 26380/tls-port ${port}/" \
    -e "s/announce-port 26380/announce-port ${port}/" \
    -e "s/sentinel1.log/sentinel${n}.log/" \
    -e "s/redis-sentinel1/redis-sentinel${n}/" \
    "/etc/redis/sentinel${n}.conf"
done
Set configuration file permissions
Secure Redis configuration files with proper ownership and restricted access permissions.
# Mode 640: the redis owner may read and write its configs, the redis group may read, nobody else
# can see the passwords they contain
sudo chown redis:redis /etc/redis/*.conf
sudo chmod 640 /etc/redis/*.conf
Create systemd service files
Create systemd service definitions for the Redis master, replica, and Sentinel instances. The master unit below belongs in /etc/systemd/system/redis-master.service.
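# Write the master unit the same way as the replica and Sentinel units below
# (the quoted 'EOF' keeps $MAINPID literal for systemd)
sudo tee /etc/systemd/system/redis-master.service > /dev/null << 'EOF'
[Unit]
Description=Redis Master Server
After=network.target
[Service]
Type=notify
ExecStart=/usr/bin/redis-server /etc/redis/redis-master.conf
ExecStop=/bin/kill -s QUIT $MAINPID
TimeoutStopSec=0
Restart=always
User=redis
Group=redis
RuntimeDirectory=redis-master
RuntimeDirectoryMode=0755
[Install]
WantedBy=multi-user.target
EOF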
Create replica service files
Set up systemd services for Redis replica instances.
# Both replica units are identical apart from the instance number, so generate them in a loop.
# The heredoc is unquoted so ${n} expands; \$MAINPID is escaped to stay literal for systemd.
for n in 1 2; do
  sudo tee "/etc/systemd/system/redis-replica${n}.service" > /dev/null << EOF
[Unit]
Description=Redis Replica ${n} Server
After=network.target redis-master.service
[Service]
Type=notify
ExecStart=/usr/bin/redis-server /etc/redis/redis-replica${n}.conf
ExecStop=/bin/kill -s QUIT \$MAINPID
TimeoutStopSec=0
Restart=always
User=redis
Group=redis
RuntimeDirectory=redis-replica${n}
RuntimeDirectoryMode=0755
[Install]
WantedBy=multi-user.target
EOF
done
Create Sentinel service files
Configure systemd services for Redis Sentinel instances.
# The three Sentinel units differ only in the instance number; generate them in a loop.
# Unquoted heredoc so ${n} expands; \$MAINPID is escaped to stay literal for systemd.
for n in 1 2 3; do
  sudo tee "/etc/systemd/system/redis-sentinel${n}.service" > /dev/null << EOF
[Unit]
Description=Redis Sentinel ${n}
After=network.target redis-master.service redis-replica1.service redis-replica2.service
[Service]
Type=notify
ExecStart=/usr/bin/redis-sentinel /etc/redis/sentinel${n}.conf
ExecStop=/bin/kill -s QUIT \$MAINPID
TimeoutStopSec=0
Restart=always
User=redis
Group=redis
RuntimeDirectory=redis-sentinel${n}
RuntimeDirectoryMode=0755
[Install]
WantedBy=multi-user.target
EOF
done
Start Redis services
Enable and start all Redis services in the correct order to establish replication and monitoring.
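sudo systemctl daemon-reload
# Start Redis master first and confirm it is actually up before anything depends on it
sudo systemctl enable --now redis-master
sleep 5
sudo systemctl is-active redis-master
# Start replicas (their initial sync needs the master reachable)
sudo systemctl enable --now redis-replica1 redis-replica2
sleep 5
sudo systemctl is-active redis-replica1 redis-replica2
# Start Sentinel instances
sudo systemctl enable --now redis-sentinel1 redis-sentinel2 redis-sentinel3
sudo systemctl is-active redis-sentinel1 redis-sentinel2 redis-sentinel3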
Configure firewall rules
Open necessary ports for Redis and Sentinel communications while maintaining security.
# Only the cluster's own subnet (the network the instances bind to) may reach the TLS ports;
# clients on other networks need a rule of their own. Nothing is opened for the plaintext
# ports because every instance runs with `port 0`.
sudo ufw allow from 203.0.113.0/24 to any port 6380 comment 'Redis Master SSL'
sudo ufw allow from 203.0.113.0/24 to any port 6381 comment 'Redis Replica 1 SSL'
sudo ufw allow from 203.0.113.0/24 to any port 6382 comment 'Redis Replica 2 SSL'
sudo ufw allow from 203.0.113.0/24 to any port 26380 comment 'Redis Sentinel 1 SSL'
sudo ufw allow from 203.0.113.0/24 to any port 26381 comment 'Redis Sentinel 2 SSL'
sudo ufw allow from 203.0.113.0/24 to any port 26382 comment 'Redis Sentinel 3 SSL'
sudo ufw reload
Verify your setup
Test Redis Sentinel cluster functionality, SSL encryption, and authentication to ensure proper configuration.
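# Check service status
sudo systemctl status redis-master redis-replica1 redis-replica2
sudo systemctl status redis-sentinel1 redis-sentinel2 redis-sentinel3
# redis-cli must read /etc/redis/certs/redis.key (mode 600, owned by redis), so it runs under sudo.
# Passwords are handed over through REDISCLI_AUTH instead of -a: -a puts the secret in the
# process list and redis-cli itself warns about it. sudo forwards the variable only because
# --preserve-env names it; if your sudoers policy refuses that, run these from a root shell.
# TLS_OPTS is intentionally unquoted below so it expands into separate arguments.
TLS_OPTS="--tls --cert /etc/redis/certs/redis.crt --key /etc/redis/certs/redis.key --cacert /etc/redis/certs/ca.crt"
export REDISCLI_AUTH='StrongMasterPassword123!'
# Test SSL connection to master
sudo --preserve-env=REDISCLI_AUTH redis-cli $TLS_OPTS -p 6380 ping
# Check replication status
sudo --preserve-env=REDISCLI_AUTH redis-cli $TLS_OPTS -p 6380 info replication
# Test Sentinel status (Sentinel has its own requirepass)
REDISCLI_AUTH='StrongSentinelPassword123!' sudo --preserve-env=REDISCLI_AUTH redis-cli $TLS_OPTS -p 26380 sentinel masters
# Test write to master and read from replica. Every data node uses the master password,
# because Sentinel authenticates to replicas with auth-pass and any replica may be promoted.
sudo --preserve-env=REDISCLI_AUTH redis-cli $TLS_OPTS -p 6380 set testkey "testvalue"
sudo --preserve-env=REDISCLI_AUTH redis-cli $TLS_OPTS -p 6381 get testkey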
Test failover functionality
Verify automatic failover by simulating master failure and observing Sentinel behavior.
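# Monitor Sentinel logs (backgrounded here; stopped again at the end of the test)
sudo tail -f /var/log/redis/sentinel*.log &
TAIL_PID=$!
# Simulate master failure
sudo systemctl stop redis-master
# Wait for failover: down-after-milliseconds is 5000, plus leader election and promotion
sleep 10
# Check new master. Sentinel has its own password; it is passed via REDISCLI_AUTH rather than -a
# so it stays out of the process list, and redis-cli runs under sudo to read the 600 key file.
TLS_OPTS="--tls --cert /etc/redis/certs/redis.crt --key /etc/redis/certs/redis.key --cacert /etc/redis/certs/ca.crt"
REDISCLI_AUTH='StrongSentinelPassword123!' sudo --preserve-env=REDISCLI_AUTH redis-cli $TLS_OPTS -p 26380 sentinel get-master-addr-by-name mymaster
# Restart original master (Sentinel reconfigures it as a replica of the promoted node)
sudo systemctl start redis-master
# Stop the background log follower
sudo kill "$TAIL_PID"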
Common issues
| Symptom | Cause | Fix |
|---|---|---|
| SSL connection refused | Certificate permission issues | Check sudo ls -la /etc/redis/certs/ and ensure redis user owns files |
| Authentication failures | Mismatched passwords | Verify password consistency in all config files |
| Replication not working | Master unreachable | Check firewall rules and bind addresses |
| Sentinel can't reach Redis | Wrong SSL configuration | Ensure all instances use matching SSL settings |
| Failover not happening | Insufficient Sentinel quorum | Verify at least 3 Sentinels are running and connected |
| Services won't start | Configuration syntax errors | Check logs with sudo journalctl -u redis-master -f |
| High memory usage | No memory policy set | Configure maxmemory and eviction policy in config |
Next steps
- Configure Redis Sentinel for high availability - Basic Sentinel setup without SSL
- Optimize Redis 7 memory usage and performance with advanced configuration tuning - Performance optimization techniques
- Set up Prometheus and Grafana monitoring stack with Docker compose - Monitor your Redis cluster
- Configure Redis Cluster sharding with SSL and authentication - Scale beyond single-master setup
- Implement Redis backup automation with compression and encryption - Automated backup strategies
Automated install script
Run this to automate the entire setup
#!/usr/bin/env bash
# Automated installer: one TLS-only Redis master and one Sentinel on this host.
# Must run as root. Options: -i bind IP, -p password (generated when omitted), -h help.
set -euo pipefail

# ANSI colour escapes consumed by `echo -e` throughout the script; NC resets the colour.
RED='\033[0;31m' GREEN='\033[0;32m' YELLOW='\033[1;33m' NC='\033[0m'
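#######################################
# Print the usage message and exit with status 1.
# The text goes to stderr so it never mixes with data on stdout.
# Arguments: none ($0 is used for the script name)
# Returns:   never returns; exits 1
#######################################
usage() {
  cat >&2 <<EOF
Usage: $0 [OPTIONS]
Options:
 -i IP_ADDRESS Redis bind IP address (default: 127.0.0.1)
 -p PASSWORD Redis password (default: auto-generated)
 -h Show this help
EOF
  exit 1
}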
# Default values
REDIS_IP=127.0.0.1   # overridden by -i
REDIS_PASSWORD=      # overridden by -p; generated later when still empty

# Parse arguments: -h and any unknown option both end in usage()
while getopts "i:p:h" opt; do
  case "$opt" in
    i) REDIS_IP=$OPTARG ;;
    p) REDIS_PASSWORD=$OPTARG ;;
    *) usage ;;
  esac
done
# Check if running as root: everything below writes under /etc and /var
if (( EUID != 0 )); then
  echo -e "${RED}Error: This script must be run as root${NC}"
  exit 1
fi
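#######################################
# ERR-trap handler: report the failure and stop whatever may already be running.
# Stops the units this script creates (redis-master, redis-sentinel) as well as the
# distribution's packaged units, since the error may occur before or after they are
# replaced. Stop failures are ignored so cleanup itself never aborts.
# Globals:  RED, NC (read)
# Outputs:  diagnostic on stderr
#######################################
cleanup() {
  echo -e "${RED}Error occurred during installation. Cleaning up...${NC}" >&2
  local unit
  for unit in redis-master redis-sentinel redis-server redis; do
    systemctl stop "$unit" 2>/dev/null || true
  done
}
# -E makes the ERR trap fire for failures inside functions and subshells as well
set -E
trap cleanup ERR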
# Auto-detect distribution: map the os-release ID to a package manager, the packaged
# Redis service name and the config directory.
if [ ! -f /etc/os-release ]; then
  echo -e "${RED}Cannot detect distribution${NC}"
  exit 1
fi
. /etc/os-release
REDIS_CONF_DIR="/etc/redis"   # identical on every supported distribution
case "$ID" in
  ubuntu|debian)
    PKG_MGR="apt"
    PKG_UPDATE="apt update -y"
    PKG_INSTALL="apt install -y"
    REDIS_SERVICE="redis-server"
    ;;
  almalinux|rocky|centos|rhel|ol|fedora)
    PKG_MGR="dnf"
    PKG_UPDATE="dnf update -y"
    PKG_INSTALL="dnf install -y"
    REDIS_SERVICE="redis"
    ;;
  amzn)
    PKG_MGR="yum"
    PKG_UPDATE="yum update -y"
    PKG_INSTALL="yum install -y"
    REDIS_SERVICE="redis"
    ;;
  *)
    echo -e "${RED}Unsupported distribution: $ID${NC}"
    exit 1
    ;;
esac
# Generate password if not provided: 32 random bytes, base64-encoded
REDIS_PASSWORD=${REDIS_PASSWORD:-$(openssl rand -base64 32)}
echo -e "${GREEN}Starting Redis Sentinel SSL/TLS setup...${NC}"
# Step 1: Update system and install packages
echo -e "${YELLOW}[1/8] Updating system and installing Redis...${NC}"
# PKG_UPDATE / PKG_INSTALL are deliberately unquoted: each holds a command plus its flags
$PKG_UPDATE
case "$PKG_MGR" in
  apt) $PKG_INSTALL redis-server openssl ca-certificates ;;
  *)   $PKG_INSTALL redis openssl ca-certificates ;;
esac
# Stop the packaged service; this script installs its own units
systemctl stop "$REDIS_SERVICE" 2>/dev/null || true
# Step 2: Create directories (certs + drop-ins, one data dir per instance, logs)
echo -e "${YELLOW}[2/8] Creating Redis directories...${NC}"
mkdir -p "$REDIS_CONF_DIR"/{certs,conf.d} /var/lib/redis/{master,replica1,replica2,sentinel} /var/log/redis
# Create redis user if it doesn't exist: system account without a login shell
id redis &>/dev/null || useradd -r -s /bin/false redis
# The service account owns its data, log and config directories; config dir is not world-readable
chown -R redis:redis /var/lib/redis /var/log/redis "$REDIS_CONF_DIR"
chmod 755 /var/lib/redis /var/log/redis
chmod 750 "$REDIS_CONF_DIR"
# Step 3: Generate SSL certificates (everything is written into the certs directory)
echo -e "${YELLOW}[3/8] Generating SSL certificates...${NC}"
cd "$REDIS_CONF_DIR/certs"
subj_base="/C=US/ST=State/L=City/O=Organization"
# CA private key and self-signed CA certificate (10 years)
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crt -subj "${subj_base}/CN=Redis-CA"
# Server private key, CSR, and the CA-signed server certificate (1 year; -CAcreateserial writes ca.srl)
openssl genrsa -out redis.key 2048
openssl req -new -key redis.key -out redis.csr -subj "${subj_base}/CN=redis-server"
openssl x509 -req -in redis.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out redis.crt -days 365 -sha256
# DH parameters for tls-dh-params-file
openssl dhparam -out redis-dh.pem 2048
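# Step 4: Set certificate permissions
echo -e "${YELLOW}[4/8] Setting certificate permissions...${NC}"
chown redis:redis "$REDIS_CONF_DIR"/certs/*
chmod 644 "$REDIS_CONF_DIR"/certs/*.crt "$REDIS_CONF_DIR"/certs/*.pem
chmod 600 "$REDIS_CONF_DIR"/certs/*.key
# Redis only needs ca.crt at runtime. The CA signing key (and the serial file written by
# -CAcreateserial) stay root-only so a compromised redis process cannot issue certificates
# that the whole deployment trusts.
chown root:root "$REDIS_CONF_DIR"/certs/ca.key "$REDIS_CONF_DIR"/certs/ca.srl
chmod 600 "$REDIS_CONF_DIR"/certs/ca.key
# The CSR is not needed once the certificate is issued
rm -f "$REDIS_CONF_DIR"/certs/*.csr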
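# Step 5: Configure Redis master
echo -e "${YELLOW}[5/8] Configuring Redis master...${NC}"
# Redis refuses to start when the same address is listed twice in `bind`, which is exactly
# what "127.0.0.1 $REDIS_IP" yields with the default -i value; list each address once.
BIND_ADDRS="127.0.0.1"
if [ "$REDIS_IP" != "127.0.0.1" ]; then
  BIND_ADDRS="$BIND_ADDRS $REDIS_IP"
fi
cat > "$REDIS_CONF_DIR/redis-master.conf" << EOF
# TLS-only listener; the plaintext port is disabled
port 0
tls-port 6380
tls-cert-file $REDIS_CONF_DIR/certs/redis.crt
tls-key-file $REDIS_CONF_DIR/certs/redis.key
tls-ca-cert-file $REDIS_CONF_DIR/certs/ca.crt
tls-dh-params-file $REDIS_CONF_DIR/certs/redis-dh.pem
tls-protocols "TLSv1.2 TLSv1.3"
tls-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
tls-ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256
tls-prefer-server-ciphers yes
tls-session-caching no
tls-session-cache-timeout 60
# Outgoing replication links use TLS as well; needed once a Sentinel failover turns this
# node into a replica of a promoted node that itself listens on TLS only
tls-replication yes
bind $BIND_ADDRS
protected-mode yes
requirepass "$REDIS_PASSWORD"
masterauth "$REDIS_PASSWORD"
tcp-keepalive 300
timeout 0
tcp-backlog 511
databases 16
save 900 1
save 300 10
save 60 10000
stop-writes-on-bgsave-error yes
rdbcompression yes
rdbchecksum yes
dbfilename dump-master.rdb
dir /var/lib/redis/master
appendonly yes
appendfilename "appendonly-master.aof"
appendfsync everysec
no-appendfsync-on-rewrite no
auto-aof-rewrite-percentage 100
auto-aof-rewrite-min-size 64mb
slowlog-log-slower-than 10000
slowlog-max-len 128
latency-monitor-threshold 100
maxclients 10000
maxmemory-policy allkeys-lru
EOF
# The file holds the password: owner read/write, group read, nothing for others
chown redis:redis "$REDIS_CONF_DIR/redis-master.conf"
chmod 640 "$REDIS_CONF_DIR/redis-master.conf"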
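# Step 6: Configure Redis Sentinel
echo -e "${YELLOW}[6/8] Configuring Redis Sentinel...${NC}"
# Avoid listing 127.0.0.1 twice in `bind` when -i was left at its default
BIND_ADDRS="127.0.0.1"
if [ "$REDIS_IP" != "127.0.0.1" ]; then
  BIND_ADDRS="$BIND_ADDRS $REDIS_IP"
fi
cat > "$REDIS_CONF_DIR/sentinel.conf" << EOF
port 0
tls-port 26380
tls-cert-file $REDIS_CONF_DIR/certs/redis.crt
tls-key-file $REDIS_CONF_DIR/certs/redis.key
# The trust anchor is the CA certificate, not the server certificate
tls-ca-cert-file $REDIS_CONF_DIR/certs/ca.crt
tls-dh-params-file $REDIS_CONF_DIR/certs/redis-dh.pem
tls-protocols "TLSv1.2 TLSv1.3"
tls-prefer-server-ciphers yes
tls-session-caching no
# Sentinel's outgoing connections to the master use TLS only when this is set
tls-replication yes
bind $BIND_ADDRS
protected-mode yes
requirepass "$REDIS_PASSWORD"
# Quorum 1 because this script deploys a single Sentinel; one Sentinel is a single point of
# failure, so for production run at least three and raise the quorum (e.g. 3 Sentinels, quorum 2)
sentinel monitor mymaster $REDIS_IP 6380 1
# Quoted so a -p password containing whitespace is read as one token
sentinel auth-pass mymaster "$REDIS_PASSWORD"
sentinel down-after-milliseconds mymaster 5000
sentinel failover-timeout mymaster 60000
sentinel parallel-syncs mymaster 1
# Prevent clients from changing the notification/reconfig scripts at runtime
sentinel deny-scripts-reconfig yes
dir /var/lib/redis/sentinel
logfile /var/log/redis/sentinel.log
EOF
chown redis:redis "$REDIS_CONF_DIR/sentinel.conf"
chmod 640 "$REDIS_CONF_DIR/sentinel.conf"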
# Step 7: Create systemd services
echo -e "${YELLOW}[7/8] Creating systemd services...${NC}"
# write_unit NAME DESCRIPTION AFTER EXEC_START RUNTIME_DIR
# Writes /etc/systemd/system/NAME.service; both units share everything but these five fields.
write_unit() {
  local name=$1 description=$2 after=$3 exec_start=$4 runtime_dir=$5
  cat > "/etc/systemd/system/${name}.service" << EOF
[Unit]
Description=Advanced key-value store (${description})
After=${after}
Documentation=http://redis.io/documentation
[Service]
Type=notify
ExecStart=${exec_start}
TimeoutStopSec=0
Restart=always
User=redis
Group=redis
RuntimeDirectory=${runtime_dir}
RuntimeDirectoryMode=0755
[Install]
WantedBy=multi-user.target
EOF
}
write_unit redis-master "Redis Master" "network.target" \
  "/usr/bin/redis-server $REDIS_CONF_DIR/redis-master.conf" redis
write_unit redis-sentinel "Redis Sentinel" "network.target redis-master.service" \
  "/usr/bin/redis-sentinel $REDIS_CONF_DIR/sentinel.conf" redis-sentinel
systemctl daemon-reload
systemctl enable redis-master redis-sentinel
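# Step 8: Start services and verify
echo -e "${YELLOW}[8/8] Starting services and verifying installation...${NC}"
systemctl start redis-master
sleep 3
systemctl start redis-sentinel
# Verification
if systemctl is-active --quiet redis-master && systemctl is-active --quiet redis-sentinel; then
  echo -e "${GREEN}✓ Redis Master and Sentinel are running${NC}"
else
  echo -e "${RED}✗ Service startup failed${NC}" >&2
  exit 1
fi
# Test SSL connection to the local master. The password travels in REDISCLI_AUTH rather than
# -a so it never appears in the process list; stderr is left visible so a failure says why.
if REDISCLI_AUTH="$REDIS_PASSWORD" timeout 5 redis-cli --tls \
     --cert "$REDIS_CONF_DIR/certs/redis.crt" --key "$REDIS_CONF_DIR/certs/redis.key" \
     --cacert "$REDIS_CONF_DIR/certs/ca.crt" -p 6380 ping >/dev/null; then
  echo -e "${GREEN}✓ SSL connection test successful${NC}"
else
  # This connects to localhost, so a firewall is not the explanation; check the service log
  echo -e "${YELLOW}⚠ SSL connection test failed; see 'journalctl -u redis-master'${NC}"
fi
echo -e "${GREEN}Redis Sentinel with SSL/TLS setup completed successfully!${NC}"
echo -e "${YELLOW}Configuration details:${NC}"
echo "Master IP: $REDIS_IP"
echo "Master SSL Port: 6380"
echo "Sentinel SSL Port: 26380"
# The password is deliberately not printed: stdout tends to end up in terminal scrollback
# and CI logs. It is stored as requirepass in the 640 redis:redis master config instead.
echo "Password: stored as requirepass in $REDIS_CONF_DIR/redis-master.conf"
echo ""
echo -e "${YELLOW}Copy the password from that file into your secret store; do not loosen its permissions.${NC}"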
Review the script before running it. It must run as root (it checks EUID and exits otherwise). Execute with: sudo bash install.sh