From f513739df19f3a87f92ed861d4dbb27379ad5ad6 Mon Sep 17 00:00:00 2001
From: ggivo
Date: Tue, 5 Nov 2024 08:27:20 +0200
Subject: [PATCH] Add example configuration using SNI enabled TLS connection (#3045)

Make file updated to bootstrap one primary virtual service (127.0.0.1:36443) redirecting to redis-sni1(localhost:6480) or redis-sni2(localhost:6479) Redis instances based on the provided SNI server name.
---
Makefile | 18 ++++++++
.../examples/ConnectToRedisSSLWithSni.java | 46 +++++++++++++++++++
2 files changed, 64 insertions(+)
create mode 100644 src/test/java/io/lettuce/examples/ConnectToRedisSSLWithSni.java

diff --git a/Makefile b/Makefile
index d52b95dea5..eed833116b 100644
--- a/Makefile
+++ b/Makefile
@@ -282,6 +282,24 @@ work/stunnel.conf:
@echo accept = 127.0.0.1:6443 >> $@ @echo connect = 127.0.0.1:6479 >> $@ + @echo [redis-sni-vritual] >> $@ + @echo accept = 127.0.0.1:36443 >> $@ + @echo cert=$(ROOT_DIR)/work/ca/certs/foo-host.cert.pem >> $@ + @echo key=$(ROOT_DIR)/work/ca/private/foo-host.decrypted.key.pem >> $@ + @echo connect = unavailable.internal.mydomain.com:6666 >> $@ + @echo [redis-sni1] >> $@ + @echo sni = redis-sni-vritual:redis-sni1.local >> $@ + @echo key=$(ROOT_DIR)/work/ca/private/localhost.decrypted.key.pem >> $@ + @echo cert=$(ROOT_DIR)/work/ca/certs/localhost.cert.pem >> $@ + @echo connect = localhost:6480 >> $@ + @echo [redis-sni2] >> $@ + @echo sni = redis-sni-vritual:redis-sni2.local >> $@ + @echo connect = localhost:6479 >> $@ + @echo cert=$(ROOT_DIR)/work/ca/certs/foo-host.cert.pem >> $@ + @echo key=$(ROOT_DIR)/work/ca/private/foo-host.decrypted.key.pem >> $@ + @echo [foo-host] >> $@ @echo accept = 127.0.0.1:6444 >> $@ @echo connect = 127.0.0.1:6479 >> $@
diff --git a/src/test/java/io/lettuce/examples/ConnectToRedisSSLWithSni.java b/src/test/java/io/lettuce/examples/ConnectToRedisSSLWithSni.java
new file mode 100644
index 0000000000..a92607f290
--- /dev/null
+++ b/src/test/java/io/lettuce/examples/ConnectToRedisSSLWithSni.java
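Review bot: The new parent service is spelled `redis-sni-vritual` in its section header and in both `sni =` references; it is self-consistent so routing works, but the typo will be copied into every future section that binds to it, and the three lines should read `@echo [redis-sni-virtual] >> $@`, `@echo sni = redis-sni-virtual:redis-sni1.local >> $@` and `@echo sni = redis-sni-virtual:redis-sni2.local >> $@`. What the generated file should also state is that a client whose SNI matches neither `redis-sni1.local` nor `redis-sni2.local`, or that sends no SNI at all, is answered by the parent service with the `foo-host` certificate and then forwarded to `unavailable.internal.mydomain.com:6666`, so the rejection of unmatched names presumably relies on that name failing to resolve rather than on an explicit policy; a comment such as `@echo "; unmatched or absent SNI ends up here; the connect target is deliberately unreachable" >> $@` makes the intent visible. The two SNI services presenting different certificates (`localhost` for redis-sni1, `foo-host` for redis-sni2) is presumably what lets a client observe which backend it reached, and a one-line comment saying so would stop the next reader from treating it as a copy-paste mistake. The hunk's line markers were lost in rendering, so which `@echo` lines are context and which are added is inferred from the `+18` count.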
@@ -0,0 +1,46 @@
+package io.lettuce.examples;
+
+import io.lettuce.core.ClientOptions;
+import io.lettuce.core.RedisClient;
+import io.lettuce.core.SslOptions;
+import io.lettuce.core.api.StatefulRedisConnection;
+
+import javax.net.ssl.SNIHostName;
+import javax.net.ssl.SNIServerName;
+import javax.net.ssl.SSLParameters;
+import java.io.File;
+import java.util.ArrayList;
+import java.util.List;
+
+public class ConnectToRedisSSLWithSni {
+
+ public static void main(String[] args) {
+ // Syntax: rediss://[password@]host[:port][/databaseNumber]
+ // Adapt the port to the stunnel port in front of your Redis instance
+ RedisClient redisClient = RedisClient.create("rediss://127.0.0.1:36443");
+
+ List serverNames = new ArrayList<>();
+
+ // Hint : Enable SSL debugging (-Djavax.net.debug=ssl to the VM Args)
+ // to verify/troubleshoot ssl configuration
+ // Hint : Adapt the server name to switch between multiple instances
+ serverNames.add(new SNIHostName("redis-sni1.local"));
+ // serverNames.add(new SNIHostName("redis-sni2.local"));
+ SslOptions sslOptions = SslOptions.builder().jdkSslProvider().truststore(new File("work/truststore.jks"), "changeit")
+ .sslParameters(() -> {
+ SSLParameters parameters = new SSLParameters();
+ parameters.setServerNames(serverNames);
+ return parameters;
+ }).build();
+
+ ClientOptions clientOptions = ClientOptions.builder().sslOptions(sslOptions).build();
+ redisClient.setOptions(clientOptions);
+
+ StatefulRedisConnection connection = redisClient.connect();
+ System.out.println("Connected to Redis using TLS with enabled SNI");
+
+ connection.close();
+ redisClient.shutdown();
+ }
+
+}
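Review bot: The supplier passed to `.sslParameters(...)` returns a bare `new SSLParameters()` carrying only the SNI list, so any other parameter the client would normally place on the engine — in particular the endpoint-identification algorithm that backs hostname verification for the URI's verify mode — may be replaced by this object depending on how Lettuce applies the supplier, and the example does not say which it is; a comment such as `// NOTE: only SNI is set here; confirm with -Djavax.net.debug=ssl that the server certificate is still checked against a name` would make the security property of the example explicit instead of implied. Hard-coding `"changeit"` and the relative `work/truststore.jks` is fine for a fixture produced by `make`, but the comment on that line should say so, so the password is not copied into non-test code. The connection and client are released only on the success path; wrapping the connect in `try (StatefulRedisConnection<String, String> connection = redisClient.connect()) { ... }` with `redisClient.shutdown()` in a `finally` would also free the client when `connect()` throws, which presumably happens whenever the chosen SNI name or its certificate does not validate. The raw `List serverNames` and `StatefulRedisConnection connection` are likely a rendering artefact of lost generics rather than an actual raw-type use, so no change is suggested there.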