Wrapping redis traffic in SSL with stunnel

Lately, if you have been paying attention to tech or even mainstream media, you might have seen a few stories about data breaches. Some of these breaches have let attackers gather unencrypted passwords or credit card numbers. Attacks like these happened in the past too, but there were fewer of them, and the ones that did happen were kept quiet. With more and more internet-based services becoming part of people's lives, there are more targets for attackers looking for sensitive data.

These attackers can be quite crafty about how they get that data. Often they do it by gaining access to a database, but another common place to capture and steal data is unencrypted network traffic. Many commonly used services either do not support SSL encryption or are rarely deployed with it. Redis, a distributed in-memory data store, is a newer service that at the time of writing does not support SSL connections (native TLS support was later added in Redis 6.0; the approach below still applies to older Redis deployments and to any other plaintext TCP service). I've been using Redis lately on one of my side projects, and I keep finding myself limited by the lack of SSL encryption.

Redis was designed for use within a trusted private network and does not encrypt its connections. That is fine for many deployments, but it does not lend itself well to cloud-based ones. Some cloud providers offer private networks, but not all of them do. So if you want to run a Redis master on one server and your application on another, you have no choice but to leave that connection unencrypted, sending sensitive traffic across the cloud provider's network, or even the public internet, with no protection from anyone with a network sniffer.

In this article I am going to show you how to secure your Redis connections with stunnel. This covers the SSL part of securing a connection; you should also follow the other recommendations in the Redis Security documentation.

What stunnel does

stunnel is an SSL encryption wrapper that can tunnel unencrypted traffic (like Redis) through an SSL-encrypted connection to another server. While stunnel adds SSL encryption, it does not guarantee that the traffic can never be captured unencrypted: if an attacker compromises either the client or the server host, they can capture the plaintext traffic locally, between the application and stunnel, before it ever enters the tunnel. Encryption on its own also only defeats a passive sniffer; to stop an active attacker from impersonating the Redis host, the client-side stunnel must be configured to verify the server's certificate rather than accept any certificate it is offered.

In today's article we will use stunnel to encrypt traffic from a client host to a server host. We will install stunnel on both hosts and establish a tunnel that redirects localhost:6379 on the client to the Redis instance running on the server. We will first install Redis, then set up stunnel to forward connections from external sources to the local Redis instance.

Installing redis

For ease we will install Redis with apt-get (these steps assume a Debian or Ubuntu system).

:~# apt-get install redis-server

After installation only one change to the Redis configuration is strictly required. For better security we will enable requirepass, which requires all clients to authenticate before they can read or write data. Note that without the tunnel this password would itself cross the network in plaintext, which is one more reason to encrypt the connection. It is also worth making sure Redis listens only on 127.0.0.1 (the bind directive), since stunnel will connect to it over loopback; if Redis stays reachable directly on the network interface, the tunnel can simply be bypassed.

Upon installation redis-server is started automatically, so for our configuration changes to take effect we need to restart the instance.

Installing stunnel

Now that Redis is installed and running, we will install stunnel. For ease we will install it with apt-get as well. Unlike Redis, stunnel doesn't start on boot automatically; to start it on boot we need to edit the /etc/default/stunnel file and enable the service there.

Generating a key

Like any other SSL-based service, stunnel requires a certificate for client-to-server communication. While you could get a signed certificate from a certificate authority such as Verisign, since we are using this for internal purposes only we can create a self-signed certificate.

First we will create a private key. I am using openssl to create a 4096-bit RSA key.

:~# openssl genrsa -out /etc/stunnel/key.pem 4096

In my example I am using a 4096-bit key. 1024-bit RSA keys are considered too weak to use today, 2048 bits is the usual minimum, and 4096 adds extra margin at the cost of a slower handshake. The key file should be readable only by root (chmod 600), since anyone who can read it can decrypt or impersonate the tunnel.

Generating a certificate

Now that we have generated a key, we will create a certificate. When generating the certificate we will be asked a series of questions; the answers populate the certificate's subject fields, such as the Common Name. For a self-signed certificate no third party vouches for those answers, so what actually proves the server's identity is the client being configured to trust this exact certificate.

:~# openssl req -new -x509 -key /etc/stunnel/key.pem -out /etc/stunnel/cert.pem -days 1826

The -days flag specifies the number of days this certificate is valid for. You can modify this if you need to, but 5 years should be good enough for an internal certificate. Make a note of the expiry date: a client that verifies the certificate will stop connecting the day it expires.
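The following script is an added worked example, not code from the original article, that assembles the pieces described above into files you can review: the 4096-bit key and 5-year self-signed certificate, the Redis requirepass change, and an stunnel server/client pair that carries 127.0.0.1:6379 on the client to Redis on the server. The Redis host address (10.0.0.10), the password, the pid file path, the assumed certificate Common Name, the bind 127.0.0.1 line and the client-side verify = 3 / CAfile pinning are all assumptions added here, not settings from the article; stunnel 5 also spells the pinning as verifyPeer = yes.

```shell
#!/bin/sh
# Added example (not from the original article). Builds a self-signed key/cert,
# the Redis requirepass change and an stunnel server/client config pair.
# Assumed: Redis host 10.0.0.10, CN "redis-stunnel", pid path, bind/verify lines.
set -eu

# gen_cert DIR: key + self-signed cert as in the article, but unattended
# (-subj answers the interactive prompts; the CN is an assumed name).
gen_cert() {
  openssl genrsa -out "$1/key.pem" 4096 2>/dev/null
  openssl req -new -x509 -key "$1/key.pem" -out "$1/cert.pem" -days 1826 \
    -subj "/CN=redis-stunnel" 2>/dev/null
  chmod 600 "$1/key.pem"   # the private key must not be world-readable
}

# cert_matches_key DIR: confirm cert.pem was really issued for key.pem
# (a mismatched pair is a classic reason stunnel refuses to start).
cert_matches_key() {
  k=$(openssl rsa -in "$1/key.pem" -noout -modulus)
  c=$(openssl x509 -in "$1/cert.pem" -noout -modulus)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# redis_conf PASSWORD: the requirepass line the article calls for, plus
# binding Redis to loopback so the only way in from the network is the tunnel.
redis_conf() {
  printf 'bind 127.0.0.1\nrequirepass %s\n' "$1"
}

# stunnel_server_conf CERTDIR LISTEN_IP: TLS in on the server's address,
# plaintext out to the local Redis.
stunnel_server_conf() {
  cat <<EOF
pid = /var/run/stunnel-redis.pid
cert = $1/cert.pem
key = $1/key.pem

[redis-server]
accept = $2:6379
connect = 127.0.0.1:6379
EOF
}

# stunnel_client_conf CERTDIR SERVER_IP: plaintext in on 127.0.0.1:6379,
# TLS out to the server. verify = 3 pins the server's self-signed cert
# (copy cert.pem, never key.pem, to CERTDIR on the client); without it any
# certificate is accepted and an active attacker could stand in for Redis.
stunnel_client_conf() {
  cat <<EOF
pid = /var/run/stunnel-redis.pid
client = yes
verify = 3
CAfile = $1/cert.pem

[redis-client]
accept = 127.0.0.1:6379
connect = $2:6379
EOF
}

# write_all DIR PASSWORD SERVER_IP: generate the cert pair, check it, and
# write the Redis snippet and both stunnel configs under DIR.
write_all() {
  mkdir -p "$1"
  gen_cert "$1"
  cert_matches_key "$1"
  redis_conf "$2" > "$1/redis-extra.conf"
  stunnel_server_conf "$1" "$3" > "$1/redis-server.conf"
  stunnel_client_conf "$1" "$3" > "$1/redis-client.conf"
}

# Usage: STUNNEL_DEMO_DIR=/tmp/redis-tls REDIS_PASS=changeme sh thisfile.sh
if [ -n "${STUNNEL_DEMO_DIR:-}" ]; then
  write_all "$STUNNEL_DEMO_DIR" "${REDIS_PASS:-changeme}" 10.0.0.10
  ls -l "$STUNNEL_DEMO_DIR"
fi
```

Append the two lines from redis-extra.conf to the server's redis.conf and restart Redis, place redis-server.conf on the server and redis-client.conf plus a copy of cert.pem on the client, and point each stunnel at its file. With the client pinning the server certificate, a redis-cli against 127.0.0.1 on the client reaches the real Redis host over TLS and nothing else.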