How do I connect to an Amazon ElastiCache In-Transit encryption-enabled Redis node using redis-cli?
Last updated: 2020-07-09
The Redis command line interface (redis-cli) doesn't support SSL/TLS connections. How do I access data on an Amazon ElastiCache in-transit encryption-enabled Redis node?
The redis-cli client doesn't support SSL/TLS connections. To use redis-cli to access an ElastiCache for Redis node (cluster mode disabled) with in-transit encryption, use the stunnel package on your Linux-based clients. stunnel creates an SSL tunnel to the Redis nodes specified in its configuration file. After the tunnel is established, you can use redis-cli to connect to an in-transit encryption-enabled cluster node through the tunnel.
Note: To connect to Redis nodes (cluster mode enabled) with in-transit encryption, use a Redis client that natively supports both SSL/TLS and cluster mode enabled clusters. For more information, see Redis.io/clients on the Redis website.
1. Connect to your Linux client instance using SSH and install the stunnel package:
On CentOS-based systems:
$ sudo yum install stunnel
On Debian-based systems (Ubuntu 16):
$ sudo apt-get install stunnel
2. In the redis-cli.conf file, add one connection section for each Redis endpoint you want to tunnel (one or more):
# cat /etc/stunnel/redis-cli.conf
fips = no
setuid = root
setgid = root
pid = /var/run/stunnel.pid
debug = 7
options = NO_SSLv2
options = NO_SSLv3

[redis-cli]
client = yes
accept = 127.0.0.1:6379
connect = master.ssltest.wif0lh.use1.cache.amazonaws.com:6379

[redis-cli-replica]
client = yes
accept = 127.0.0.1:6380
connect = ssltest-002.ssltest.wif0lh.use1.cache.amazonaws.com:6379
In this example, the config file has two connections, redis-cli and redis-cli-replica. The parameters are set as follows:
- client is set to yes, to specify that this stunnel instance is a client.
- accept is set to the local address and port that stunnel listens on. In this example, the primary uses the Redis default of 127.0.0.1 on port 6379. The replica must listen on a different port, and it is set to 6380. You can use any unused port in the range 1024 to 65535.
- connect is set to the Redis server endpoint. For more information, see Finding connection endpoints.
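As an added example (not code from the AWS article), this POSIX sh function generates the stunnel configuration described above for any number of endpoints, mapping each to a successive loopback port, and optionally enables server certificate verification; the function name and the CAFILE variable are assumptions.

```shell
#!/bin/sh
# Added example (not from the AWS article): generate an stunnel client
# configuration for any number of ElastiCache in-transit-encryption endpoints.
# Assumptions: POSIX sh; the CAFILE variable, if set, points at a CA bundle
# that contains the Amazon CA that signed the node certificates.
#
# Usage: gen_stunnel_conf <first_local_port> <host:port> [<host:port> ...]
# The first endpoint is mapped to 127.0.0.1:<first_local_port>, the next to
# <first_local_port>+1, and so on, matching the primary/replica layout above.
gen_stunnel_conf() {
  base_port=$1
  shift
  cat <<'EOF'
fips = no
setuid = root
setgid = root
pid = /var/run/stunnel.pid
debug = 7
options = NO_SSLv2
options = NO_SSLv3
EOF
  i=0
  for endpoint in "$@"; do
    local_port=$((base_port + i))
    printf '\n[redis-cli-%d]\n' "$i"
    printf 'client = yes\n'
    printf 'accept = 127.0.0.1:%d\n' "$local_port"
    printf 'connect = %s\n' "$endpoint"
    # The article's config does not verify the server certificate, and stunnel
    # does not verify by default. When a CA bundle is available, turn
    # verification on so a redirected connection to another TLS server fails.
    if [ -n "${CAFILE:-}" ]; then
      printf 'verifyChain = yes\n'
      printf 'CAfile = %s\n' "$CAFILE"
    fi
    i=$((i + 1))
  done
}

# Example: write the config for a primary and one replica, then start stunnel.
# gen_stunnel_conf 6379 master.ssltest.wif0lh.use1.cache.amazonaws.com:6379 \
#   ssltest-002.ssltest.wif0lh.use1.cache.amazonaws.com:6379 \
#   > /etc/stunnel/redis-cli.conf && sudo stunnel /etc/stunnel/redis-cli.conf
```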
3. Start stunnel.
$ sudo stunnel /etc/stunnel/redis-cli.conf
Use the netstat command to confirm that the tunnels have started:
# netstat -tulnp | grep -i stunnel
tcp 0 0 127.0.0.1:6379 0.0.0.0:* LISTEN 3189/stunnel
tcp 0 0 127.0.0.1:6380 0.0.0.0:* LISTEN 3189/stunnel
4. You can now use redis-cli to connect to the encrypted Redis node through the local endpoint of the tunnel:
# redis-cli -h localhost -p 6379 -a MySecretPassword
localhost:6379> set foo "bar"
OK
localhost:6379> get foo
"bar"
Note: If your instance is password-protected, then the -a MySecretPassword option in redis-cli performs the authentication without needing the AUTH command. For more information, see redis-cli, the Redis command line interface on the Redis website.
This example uses telnet to connect to the Redis server through the tunnel:
# telnet localhost 6379
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
auth MySecretPassword
+OK
get foo
$3
bar
Run the pkill command to stop stunnel and close the SSL tunnels:
$ sudo pkill stunnel