Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

TLS Support for Redis Sentinel #1063

Closed
jornfranke opened this issue Jun 17, 2019 · 3 comments
Closed

TLS Support for Redis Sentinel #1063

jornfranke opened this issue Jun 17, 2019 · 3 comments
Labels
status: duplicate A duplicate of another issue type: feature A new feature

Comments

@jornfranke
Copy link

Feature Request

According to the documentation, Lettuce does not support TLS connections for Redis Sentinel and Redis Master/Slave replicas.

Is your feature request related to a problem? Please describe

Encryption of network traffic may be needed due to compliance reasons for confidentiality, but also integrity.

Describe the solution you'd like

Connections using Redis Sentinel (Client) connections should support TLS. Securing the traffic between Redis Sentinel servers is out of scope (but could be handled, for instance, using IPSEC).

Describe alternatives you've considered

I tried to figure out what the blockers are for supporting Redis Sentinel TLS connections. As far as I understood, the issue seems to be only that the TLS connection and the Redis Sentinel server use internally different ports, e.g.

  • Redis Sentinel Servers use port 26379 (TLS Port using Stunnel, e.g. 26380)
  • Redis Server uses 6379 (TLS Port using Stunnel, e.g. 6380)

So, if Lettuce would connect to Redis Sentinel on port 26380, the issue is that Redis Sentinel would tell us the wrong port (e.g. 6379,26380) of the Redis instances and or the Redis Master.
Would the following a solution to this:

  • Connect to Redis Sentinel via TLS on Port 26380
  • Ports reported by Redis Sentinel are corrected by a configurable setting (e.g. +1 to make out of 6379 -> 6380)

Can anyone confirm/correct my understanding?
Once this is done, I could think about submitting a patch.

Teachability, Documentation, Adoption, Migration Strategy

It should be a simple blog entry etc. to explain the setup.
@jornfranke jornfranke added the type: feature A new feature label Jun 17, 2019
@mp911de
Copy link
Collaborator

mp911de commented Jun 17, 2019

This is a duplicate of #1048.

To your questions:

  • Redis isn't aware of a SSL proxy, but with slave-announce-port and sentinel announce-port Redis gained some flexibility. Not entirely sure that NAT support is complete as I never used these features.
  • Lettuce provides a SocketAddressResolver with a MappingSocketAddressResolver subclass that allows re-mapping ports.

Can you do the following and check out the latest 5.2.0 snapshots whether you're able to cover your use case?

@mp911de mp911de added the status: duplicate A duplicate of another issue label Jun 17, 2019
@jornfranke
Copy link
Author

Sorry i missed that other one. I will try to do a PoC on that one, but I need to go through the tickets.

@ae6rt
Copy link

ae6rt commented Jan 15, 2020

Of possible interest: #1209

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
status: duplicate A duplicate of another issue type: feature A new feature
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@ae6rt @mp911de @jornfranke