Redis+Sentinel with transport security


Ghadi Shayban

Feb 9, 2017, 11:06:05 AM2/9/17
to Redis DB
It's fairly straightforward to use `stunnel` to have transport security in Redis.  Can someone describe a Redis+Sentinel setup that works with TLS?

The Real Bill

Feb 10, 2017, 11:56:52 AM2/10/17
to Redis DB
On Thursday, February 9, 2017 at 10:06:05 AM UTC-6, Ghadi Shayban wrote:
It's fairly straightforward to use `stunnel` to have transport security in Redis.  Can someone describe a Redis+Sentinel setup that works with TLS?

If you're talking about from the client side, the same way you would do it with standalone Redis. 

If you are talking about from Sentinel to Redis, not without a ton of work on a remote chance for it to reliably work. Since Redis does not handle TLS, neither does Sentinel.  Thus for all connections to a redis node (master and each slave) you'd have to have them report the ip:port combo of your local sentinel - of which each sentinel will need its own. Since you can't have a Redis instance report multiple different connection details you would then have to write a custom ssl+proxy server and remove all such handling from sentinel. This proxy would need to know that nodeA is actually this IP:Port and nodeB is the IP:Port regardless of what they tell the master. At that point you'd likely be better off writing your own version of Sentinel which speaks TLS and configure each Redis instance to announce its port as the redis-local tunnel port. This would get around the need for a local tunnel for the "sentinel-like" software, but means you have to implement the election and promotion mechanism yourself.

On a related note, you'd actually have similar issues with encrypted communication between master and slave(s). Thus it is relatively easy to set up SSL communication between a Redis instance and a client, but not so much between Redis instances. 

Now, if Redis itself were to let you use *names* instead of IP addresses it could be easier to do it, even making the entire thing possible. If instead of using the connected-from-IP a Redis slave sent its DNS name, you could override it on a given host by using the /etc/hosts file on *nixes to point that name to the localhost SSL proxy. It would also require Redis to perform DNS lookups at connection time. But currently you can't do that.

So, Salvatore, does the above use case justify in your mind adding that type of DNS support into Redis? It does to me, but I'm not the one writing the code. ;)

Cheers,
Bill
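The client-to-Redis case that both posts call straightforward, written out as an added stunnel configuration (this is not from the thread or the Redis project; all file paths, the port numbers and the hostname `redis.example.internal` are assumptions). The server-side tunnel terminates TLS in front of a Redis bound to loopback, and the client-side tunnel gives the application a plain local socket while enforcing mutual TLS on the wire:

```ini
; Added example, not from the thread. Paths, ports and hostname are assumed.

; ---- on the Redis host: /etc/stunnel/redis-server.conf ----
; Redis itself is bound to 127.0.0.1:6379 ("bind 127.0.0.1" in redis.conf),
; so the plaintext port is never reachable from the network; only the TLS
; listener on 6380 is exposed.
[redis-server]
accept  = 0.0.0.0:6380
connect = 127.0.0.1:6379
cert    = /etc/stunnel/redis-server.pem
key     = /etc/stunnel/redis-server.key
CAfile  = /etc/stunnel/ca.pem
; verify = 2 requires a client certificate and validates it against CAfile,
; so only holders of a CA-issued client cert can reach Redis at all.
verify  = 2

; ---- on each client host: /etc/stunnel/redis-client.conf ----
; The application connects to 127.0.0.1:6379 exactly as it would to a local
; standalone Redis; stunnel wraps that connection in TLS to the Redis host.
[redis-client]
client  = yes
accept  = 127.0.0.1:6379
connect = redis.example.internal:6380
cert    = /etc/stunnel/redis-client.pem
key     = /etc/stunnel/redis-client.key
CAfile  = /etc/stunnel/ca.pem
; verify the server certificate chain and that it was issued for this host,
; so a spoofed endpoint with a different CA-signed cert is rejected
verify  = 2
checkHost = redis.example.internal
```

This is exactly the setup the thread says does not extend to Sentinel: a Sentinel pointed at the local tunnel address learns the replicas' real, plaintext ip:port from the master's INFO output and will talk to them directly, bypassing the tunnel, which is the problem Bill describes above. Keeping the Redis `bind` on loopback at least means those direct plaintext connections fail closed rather than silently succeeding unencrypted.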
