吉芷雁 posted on 2025-6-1 18:53:45

Redis SSL Installation

1. Overview

Because of business requirements, mysql8 must be deployed on the data-center servers and cannot use Alibaba Cloud.
Because of the customer's security requirements, SSL connections must be enabled.
2. Building the Redis SSL image

Download the Redis source code

wget https://download.redis.io/releases/redis-6.2.6.tar.gz
tar zxvf redis-6.2.6.tar.gz
cd redis-6.2.6

Filter the redis.conf configuration file, removing lines that start with # and empty lines.

cat redis.conf | grep -v "^#" | grep -v "^$" > redis.conf.new

Generate the SSL certificates

mkdir -p /opt/redis/tls
cd /opt/redis/tls

Generate the CA root certificate, valid for 100 years

openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -sha256 -key ca.key -days 36500 -subj '/O=Redis Test/CN=Certificate Authority' -out ca.crt

Generate the Redis server certificate, valid for 100 years

openssl genrsa -out redis.key 2048
openssl req -new -sha256 -key redis.key -subj '/O=Redis Test/CN=Server' | openssl x509 -req -sha256 -CA ca.crt -CAkey ca.key -CAserial ca.txt -CAcreateserial -days 36500 -out redis.crt
openssl dhparam -out redis.dh 2048

Build the Redis SSL image

Create a Dockerfile based on the official Redis image

FROM redis:6.2.17-alpine

# Install OpenSSL
RUN apk add --no-cache openssl

# Copy the certificate files
COPY tls/redis.crt /tls/redis.crt
COPY tls/redis.key /tls/redis.key
COPY tls/ca.crt /tls/ca.crt
COPY tls/redis.dh /tls/redis.dh

# Copy the Redis configuration file
COPY redis.conf /usr/local/etc/redis/redis.conf
RUN chown redis:redis -R /tls/

# Start Redis
CMD ["redis-server", "/usr/local/etc/redis/redis.conf"]

Copy the redis.conf file

cp /opt/redis-6.2.6/redis.conf.new redis.conf

Edit redis.conf and add the TLS configuration

port 0
################################## TLS configuration ###################################
tls-port 6380
tls-cert-file /tls/redis.crt
tls-key-file /tls/redis.key
tls-ca-cert-file /tls/ca.crt
tls-dh-params-file /tls/redis.dh
tls-auth-clients no
#########################################

The complete content of redis.conf is as follows:
bind 0.0.0.0
protected-mode yes
port 0
################################## TLS configuration ###################################
tls-port 6380
tls-cert-file /tls/redis.crt
tls-key-file /tls/redis.key
tls-ca-cert-file /tls/ca.crt
tls-dh-params-file /tls/redis.dh
tls-auth-clients no
#########################################
requirepass 12345678
save 900 1
save 300 10
save 60 10000
maxmemory-policy noeviction
tcp-backlog 511
timeout 0
tcp-keepalive 300
daemonize no
pidfile /var/run/redis_6379.pid
loglevel notice
logfile ""
databases 16
always-show-logo no
set-proc-title yes
proc-title-template "{title} {listen-addr} {server-mode}"
stop-writes-on-bgsave-error yes
rdbcompression yes
rdbchecksum yes
dbfilename dump.rdb
rdb-del-sync-files no
dir /data
replica-serve-stale-data yes
replica-read-only yes
repl-diskless-sync no
repl-diskless-sync-delay 5
repl-diskless-load disabled
repl-disable-tcp-nodelay no
replica-priority 100
acllog-max-len 128
lazyfree-lazy-eviction no
lazyfree-lazy-expire no
lazyfree-lazy-server-del no
replica-lazy-flush no
lazyfree-lazy-user-del no
lazyfree-lazy-user-flush no
oom-score-adj no
oom-score-adj-values 0 200 800
disable-thp yes
appendonly no
appendfilename "appendonly.aof"
appendfsync everysec
no-appendfsync-on-rewrite no
auto-aof-rewrite-percentage 100
auto-aof-rewrite-min-size 64mb
aof-load-truncated yes
aof-use-rdb-preamble yes
lua-time-limit 5000
slowlog-log-slower-than 10000
slowlog-max-len 128
latency-monitor-threshold 0
notify-keyspace-events ""
hash-max-ziplist-entries 512
hash-max-ziplist-value 64
list-max-ziplist-size -2
list-compress-depth 0
set-max-intset-entries 512
zset-max-ziplist-entries 128
zset-max-ziplist-value 64
hll-sparse-max-bytes 3000
stream-node-max-bytes 4096
stream-node-max-entries 100
activerehashing yes
client-output-buffer-limit normal 0 0 0
client-output-buffer-limit replica 256mb 64mb 60
client-output-buffer-limit pubsub 32mb 8mb 60
hz 10
dynamic-hz yes
aof-rewrite-incremental-fsync yes
rdb-save-incremental-fsync yes
jemalloc-bg-thread yes

Compared with the default configuration file, the main changes are the following:

bind 0.0.0.0
protected-mode yes
port 0
################################## TLS configuration ###################################
tls-port 6380
tls-cert-file /tls/redis.crt
tls-key-file /tls/redis.key
tls-ca-cert-file /tls/ca.crt
tls-dh-params-file /tls/redis.dh
tls-auth-clients no
#########################################
requirepass 12345678
save 900 1
save 300 10
save 60 10000
maxmemory-policy noeviction
dir /data

Parameter explanation:

bind: this parameter must be changed to 0.0.0.0, otherwise the Java connection cannot reach Redis
port 0: disables the default port 6379
tls-auth-clients no: must be set to no; the Java code does not need mutual authentication
requirepass: the Redis login password
save 900 1 and the other save lines: these are the RDB persistence policies
maxmemory-policy noeviction: the expiry policy; nothing is deleted, data is kept permanently
dir /data: all Redis data is kept under /data

Build the image

docker build -f Dockerfile -t redis:6.2.17-alpine-ssl .

Test-run the image to check that it works

docker run -it redis:6.2.17-alpine-ssl

If no error is reported, the build succeeded.
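As an added check (not part of the original post), this Python script parses a redis.conf in the format used above and flags the settings this guide changes: the plaintext port must be disabled, a TLS listener and certificate files must be present, and since tls-auth-clients is no, requirepass is the only credential, so a short or all-digit password is reported. The sample config is constructed from the post's own values.

```python
# Constructed sample: the modified subset of redis.conf from this guide.
SAMPLE_CONF = """\
bind 0.0.0.0
protected-mode yes
port 0
################################## TLS ###################################
tls-port 6380
tls-cert-file /tls/redis.crt
tls-key-file /tls/redis.key
tls-ca-cert-file /tls/ca.crt
tls-dh-params-file /tls/redis.dh
tls-auth-clients no
requirepass 12345678
dir /data
"""

def parse_conf(text):
    """Map each directive to its values in file order; comment and blank lines are
    skipped, and repeated directives such as 'save' keep every occurrence."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key.lower(), []).append(value.strip().strip('"'))
    return conf

def check_tls_hardening(text):
    """Return (level, message) findings; Redis defaults apply for absent directives."""
    conf = parse_conf(text)
    def last(key, default): return conf.get(key, [default])[-1]  # last occurrence wins
    findings = []
    if last("port", "6379") != "0":
        findings.append(("warn", "port: plaintext listener still open; set 'port 0' for TLS-only"))
    if last("tls-port", "0") == "0":
        findings.append(("warn", "tls-port: no TLS listener configured"))
    for key in ("tls-cert-file", "tls-key-file", "tls-ca-cert-file"):
        if key not in conf:
            findings.append(("warn", f"{key}: missing, the server cannot serve TLS"))
    if last("protected-mode", "yes") != "yes":
        findings.append(("warn", "protected-mode: should remain 'yes'"))
    password = last("requirepass", "")
    if len(password) < 16 or password.isdigit():  # the only credential when client certs are off
        findings.append(("warn", "requirepass: empty, short or all digits"))
    if last("tls-auth-clients", "yes") == "no":
        findings.append(("info", "tls-auth-clients no: clients are not asked for a certificate"))
    return findings
```

Run it against the redis.conf you mount into the container; with the post's values it warns about the password and notes that client certificates are not required.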
 
3. Production run

mkdir -p /data/redis-prod-ssl
cd /data/redis-prod-ssl

Copy the TLS directory

cp -r /opt/redis/tls .

vi redis.conf

Only the password needs to be changed: edit the value after requirepass.

Edit docker-compose.yaml

services:
  redis-prod-ssl:
    image: redis:6.2.17-alpine-ssl
    container_name: redis-prod-ssl
    ports:
      - "6380:6380"
    environment:
      TZ: Asia/Shanghai
    volumes:
      - ./redis-data:/data
      - ./redis.conf:/usr/local/etc/redis/redis.conf
    restart: always

volumes:
  redis-data:

Start the service

docker-compose up -d
4. Navicat connection

Connect using the Navicat software.
Note that SSL must be enabled and the certificate specified.

Click Test Connection; if it reports that the connection succeeded, you are done.

 
 


蒙飘 posted on 2025-10-12 07:31:11

Thanks for sharing, I will study it.

靳夏萱 posted on 2025-11-13 10:21:54

Thanks for sharing.

稿辏付 posted on 2025-11-27 16:07:25

Thanks for sharing, I will give it a try.

闵雇 posted on 2025-12-9 12:12:57

Helpful reply!