How do I connect to an Amazon ElastiCache In-Transit encryption-enabled Redis node using redis-cli?

Last updated: 2019-12-09

The Redis command line interface (redis-cli) does not support TLS connections. How do I access data from an Amazon ElastiCache In-Transit encryption-enabled Redis node?

Short Description

The redis-cli client that ships with Redis releases before 6.0 doesn't support SSL/TLS connections. To use such a redis-cli to access an ElastiCache for Redis node (cluster mode disabled) with in-transit encryption, you can use the stunnel package on your Linux-based client. stunnel opens a TLS connection to each Redis endpoint listed in its configuration and exposes it as a plaintext listener on the loopback interface of the client. After the tunnel is established, you point redis-cli at that local listener, and stunnel forwards the traffic to the in-transit encryption enabled cluster node over TLS.

Note: redis-cli 6.0 and later, when built with TLS support, can connect directly using the --tls and --cacert options; the stunnel approach described here is for older redis-cli builds.

Note: To connect to Redis nodes (cluster mode enabled) with in-transit encryption, use a Redis client that natively supports TLS and cluster mode enabled clusters. stunnel only forwards to the fixed endpoints in its configuration and cannot follow the MOVED redirections that a cluster returns. For more information, see redis.io/clients.

Resolution

1.    Connect to your Linux client instance using SSH and install the stunnel package:

On CentOS-based systems:

$ sudo yum install stunnel

On Debian-based systems (for example, Ubuntu 16.04; the stunnel package name resolves to the stunnel4 package, which provides the stunnel command):

$ sudo apt-get install stunnel

2.    Create the stunnel configuration file /etc/stunnel/redis-cli.conf with one service section per Redis endpoint that you want to reach:

# cat /etc/stunnel/redis-cli.conf
fips = no
setuid = root
setgid = root
pid = /var/run/stunnel.pid
debug = 7
options = NO_SSLv2
options = NO_SSLv3
# Verify the ElastiCache server certificate against the system CA bundle.
# The path shown is the Debian/Ubuntu bundle; CentOS uses /etc/pki/tls/certs/ca-bundle.crt
verify = 2
CAfile = /etc/ssl/certs/ca-certificates.crt
[redis-cli]
  client = yes
  accept = 127.0.0.1:6379
  connect = master.ssltest.wif0lh.use1.cache.amazonaws.com:6379
[redis-cli-slave]
  client = yes
  accept = 127.0.0.1:6380
  connect = ssltest-002.ssltest.wif0lh.use1.cache.amazonaws.com:6379

In this example, the config file has two service sections, redis-cli (the primary endpoint) and redis-cli-slave (a read replica). The parameters are set as follows:

  • client = yes specifies that this stunnel instance is a client: it accepts plaintext connections locally and opens TLS connections to the remote side.
  • accept is the local address and port that stunnel listens on. The primary tunnel listens on the Redis default, 127.0.0.1:6379. The replica tunnel must listen on a different port, and is set to 6380. Any unused unprivileged port (1024 to 65535) works. Keep the accept address on 127.0.0.1: anything that can reach the accept port talks to Redis in plaintext, so binding it to 0.0.0.0 would expose on the network the traffic that in-transit encryption is meant to protect.
  • connect is the Redis server endpoint and port that stunnel opens the TLS connection to. For more information, see Finding Connection Endpoints.
  • verify = 2 and CAfile make stunnel reject the connection unless the server presents a certificate that chains to a CA in the bundle. Without them, stunnel accepts any certificate, and a host that can intercept traffic to the endpoint could impersonate it. On stunnel 5 you can also add checkHost = <endpoint hostname> to each service section so that the certificate name is checked against the endpoint as well.
  • setuid and setgid control the account that stunnel drops to after start-up. root is shown here for simplicity, but because both accept ports are above 1024 stunnel does not need root: you can set these to a dedicated unprivileged account, or start stunnel as an ordinary user without the setuid and setgid lines.

3.    Start stunnel.

$ sudo stunnel /etc/stunnel/redis-cli.conf

Use the netstat command (or ss -ltnp on hosts without net-tools) to confirm that the tunnels have started, that is, that stunnel is listening on both accept ports:

# netstat -tulnp | grep -i stunnel
tcp    0      0 127.0.0.1:6379      0.0.0.0:*        LISTEN      3189/stunnel
tcp    0      0 127.0.0.1:6380      0.0.0.0:*        LISTEN      3189/stunnel

4.    You can now use redis-cli to connect to the encrypted Redis node through the local endpoint of the tunnel:

# redis-cli -h localhost -p 6379 -a MySecretPassword
localhost:6379>set foo "bar"
OK
localhost:6379>get foo
"bar"

Note: If your instance is password-protected (an AUTH token is enabled), then the -a MySecretPassword option in redis-cli performs the authentication without needing the AUTH command. Passing the password on the command line leaves it in the shell history and visible to other users of the client in the process list; recent redis-cli versions (5.0.x and later) warn about this and can read the password from the REDISCLI_AUTH environment variable instead, or you can omit -a and run AUTH at the prompt. For more information, see redis-cli, the Redis command line interface.

This example uses telnet to talk to the tunnel directly, which shows the raw protocol that redis-cli wraps. The lines auth MySecretPassword and get foo are typed; +OK and the bulk-string reply ($3, the length, followed by bar) come back from the server:

# telnet localhost 6379
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
auth MySecretPassword
+OK
get foo
$3
bar

Run the pkill command to stop and close the TLS tunnels. Note that this stops every stunnel process on the host; to stop only this instance, kill the process ID recorded in the pid file from the configuration (sudo kill "$(cat /var/run/stunnel.pid)"):

$ sudo pkill stunnel
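The whole procedure above (installation aside) as one script. This is an added example written for this article, not code from AWS or from the stunnel project. It assumes that stunnel 5.x (needed for the verifyChain and checkHost options) and redis-cli are installed, that CA_BUNDLE points at the host's CA bundle (the Debian/Ubuntu path is the default), and that the endpoint names passed on the command line are placeholders for your own ElastiCache endpoints. It tightens the article's configuration in three ways: the server certificate is verified and its name is matched against the endpoint, stunnel runs in the foreground as the invoking user rather than as a root daemon, and the password reaches redis-cli through the REDISCLI_AUTH environment variable rather than on the command line.

```shell
#!/usr/bin/env bash
# Added example, not from the AWS article: automate the stunnel procedure with a
# hardened configuration and an end-to-end check through the tunnel.
# Assumptions (not on the original page): stunnel 5.x and redis-cli are installed,
# CA_BUNDLE is the host's CA bundle, and the endpoints given on the command line
# are placeholders for your own ElastiCache endpoints.
set -eu

# Debian/Ubuntu bundle path; on CentOS/RHEL use /etc/pki/tls/certs/ca-bundle.crt
CA_BUNDLE="${CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}"

# render_stunnel_service NAME LOCAL_PORT REMOTE_HOST [REMOTE_PORT]
# Emits one client service section. Unlike the article's config it verifies the
# server certificate chain (verifyChain/CAfile) and checks that the certificate
# name matches REMOTE_HOST (checkHost), so a DNS or routing hijack of the
# endpoint cannot silently terminate the TLS session somewhere else.
render_stunnel_service() {
  local name=$1 local_port=$2 remote_host=$3 remote_port=${4:-6379}
  cat <<EOF
[$name]
  client = yes
  accept = 127.0.0.1:$local_port
  connect = $remote_host:$remote_port
  verifyChain = yes
  CAfile = $CA_BUNDLE
  checkHost = $remote_host
EOF
}

# render_stunnel_conf PRIMARY_ENDPOINT [REPLICA_ENDPOINT]
# Global section: foreground mode (the tunnel lives and dies with this script,
# no pid file), warning-level logging, and nothing older than TLS 1.2, which
# ElastiCache supports. No setuid/setgid: the accept ports are above 1024, so
# stunnel is started as the invoking user instead of as root.
render_stunnel_conf() {
  cat <<EOF
foreground = yes
pid =
debug = 4
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1.1
EOF
  render_stunnel_service redis-cli 6379 "$1"
  if [ $# -ge 2 ]; then
    render_stunnel_service redis-cli-replica 6380 "$2"
  fi
}

# tunnel_listening PORT: succeeds when something listens on 127.0.0.1:PORT
# (ss from iproute2, falling back to netstat on older hosts)
tunnel_listening() {
  { ss -ltn 2>/dev/null || netstat -ltn 2>/dev/null; } | grep -q "127\.0\.0\.1:$1 "
}

# wait_for_tunnel PORT [SECONDS]: poll until the listener appears
wait_for_tunnel() {
  local tries=${2:-10}
  while [ "$tries" -gt 0 ]; do
    if tunnel_listening "$1"; then return 0; fi
    tries=$((tries - 1))
    sleep 1
  done
  return 1
}

# redis_ping PORT: authenticate through the tunnel and expect PONG.
# The password is handed to redis-cli in REDISCLI_AUTH (redis-cli 5.0.x and
# later) rather than with -a, so it does not appear in ps output or history.
redis_ping() {
  local reply
  if [ -n "${REDIS_PASSWORD:-}" ]; then export REDISCLI_AUTH="$REDIS_PASSWORD"; fi
  reply=$(redis-cli -h 127.0.0.1 -p "$1" ping 2>&1) || true
  if [ "$reply" = "PONG" ]; then return 0; fi
  echo "redis-cli via 127.0.0.1:$1 failed: $reply" >&2
  return 1
}

# main PRIMARY_ENDPOINT [REPLICA_ENDPOINT]: render, start, verify, clean up
main() {
  CONF=$(mktemp)
  render_stunnel_conf "$@" > "$CONF"
  stunnel "$CONF" &                      # foreground = yes: no daemon, no pid file
  STUNNEL_PID=$!
  trap "kill $STUNNEL_PID 2>/dev/null; rm -f '$CONF'" EXIT
  wait_for_tunnel 6379 || { echo "stunnel did not open 127.0.0.1:6379" >&2; exit 1; }
  redis_ping 6379
  echo "TLS tunnel to $1 is up and AUTH succeeded"
}

# Usage: REDIS_PASSWORD=... ./redis-tunnel.sh master.ssltest.wif0lh.use1.cache.amazonaws.com
# Nothing runs when no endpoint is given, so the functions can be sourced on their own.
if [ $# -gt 0 ]; then main "$@"; fi
```

Because the configuration is written to a temporary file and stunnel runs in the foreground, stopping the script (Ctrl-C or the EXIT trap) tears the tunnel down with it; there is no stray root daemon to pkill afterwards. If the certificate check fails, stunnel logs the verification error on stderr and the local connection is closed immediately, which redis_ping reports as a failed PING rather than a silent plaintext fallback.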
