Redis 6.2 deployment with TLS (three high-availability modes)

Install Redis 6.2 and enable TLS encryption

install

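# Install build dependencies (libssl-dev and pkg-config are needed for BUILD_TLS=yes)
sudo apt update
sudo apt install -y make gcc libssl-dev pkg-config

# Download redis and decompress
# TODO: check the tarball against the SHA-256 published by the Redis project before building, e.g.
#   echo '<published-sha256>  redis-6.2.6.tar.gz' | sha256sum -c -
wget https://download.redis.io/releases/redis-6.2.6.tar.gz
tar -xf redis-6.2.6.tar.gz

# compile with TLS support. Only if the jemalloc build fails
# (zmalloc.h:50:10: fatal error: jemalloc/jemalloc.h: No such file or directory)
# clean up and rebuild against the libc allocator, instead of always building twice.
cd redis-6.2.6 || exit 1
make BUILD_TLS=yes || { make distclean && make BUILD_TLS=yes MALLOC=libc; }
# make install puts the binaries in /usr/local/bin; the copy below puts them in
# /usr/bin as well, which is the path the systemd units further down expect.
sudo make install
cd src || exit 1
sudo cp -- redis-sentinel redis-cli redis-server /usr/bin/
# overcommit_memory=1 so the fork() used for background saves is not refused under memory pressure
echo "vm.overcommit_memory = 1" | sudo tee -a /etc/sysctl.conf >/dev/null
sudo sysctl -p   # take effect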

Create TLS certificate

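# Create directory
mkdir -p /etc/redis/{conf,ssl,logs,pid,data}
# Create the test certificate. Run this from the redis-6.2.6 source root (the install
# step above left the shell in src/). gen-test-certs.sh produces a throw-away CA and a
# single certificate that this walkthrough reuses as both server and client identity;
# it is for lab use only. Run it once: running it again replaces the files under
# tests/tls, so the copies made below would no longer match.
./utils/gen-test-certs.sh
# Copy the certificate material to the location the configuration points at
cp -- tests/tls/redis.* /etc/redis/ssl/
cp -- tests/tls/ca.crt /etc/redis/ssl/
# The private key must only be readable by the account redis runs as (root in this walkthrough)
chmod 600 /etc/redis/ssl/redis.key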

Write configuration file

/etc/redis/conf/redis.conf

##########################################Basic parameter configuration############################################
# Listen on every interface. Together with "protected-mode no" this leaves TLS client
# authentication (tls-auth-clients below) and requirepass as the only barriers; prefer
# binding to the replication/management address and firewalling tls-port so that only
# the replica, sentinel and client hosts can reach it.
bind 0.0.0.0
protected-mode no
#Port 0 means that non TLS ports are completely disabled
port 0
tls-port 6379
tcp-backlog 511
# The unix socket is a plaintext path that bypasses TLS (requirepass still applies);
# unixsocketperm 700 limits it to the owning user. NOTE: a systemd unit with
# PrivateTmp=true gives the service its own /tmp, so other processes will not find
# this socket at /tmp/redis.sock.
unixsocket /tmp/redis.sock
unixsocketperm 700
timeout 0
tcp-keepalive 300
daemonize yes
supervised no
pidfile /etc/redis/pid/redis.pid
loglevel notice
logfile /etc/redis/logs/redis.log
databases 16
always-show-logo yes
################################# Persistent configuration #################################
#RDB snapshot persistence
save 900 1
save 300 10
save 60 10000
stop-writes-on-bgsave-error yes
rdbcompression yes
rdbchecksum yes
dbfilename dump.rdb
# dump.rdb (and the AOF, if enabled) contain the whole dataset unencrypted; TLS only
# protects the wire. Keep this directory owned by the redis user with mode 700.
dir /etc/redis/data
#AOF persistence (disabled: only the periodic RDB snapshots above are written)
appendonly no
appendfilename appendonly.aof
appendfsync everysec
no-appendfsync-on-rewrite no
auto-aof-rewrite-percentage 100
auto-aof-rewrite-min-size 64mb
aof-load-truncated yes
aof-use-rdb-preamble yes
aof-rewrite-incremental-fsync yes
################################# Master slave configuration #################################
# On a replica, uncomment these with the master's address and its requirepass value.
# Because tls-replication is yes the replica connects to the master over TLS and, since
# the master sets tls-auth-clients yes, it must present a certificate signed by ca.crt.
#replicaof <masterip> <masterport>
#masterauth <master-password>
replica-serve-stale-data no
replica-read-only yes
repl-diskless-sync no
repl-diskless-sync-delay 5
repl-disable-tcp-nodelay no
repl-backlog-size 10mb
repl-backlog-ttl 3600
################################## Safety certification ###################################
# Placeholder password used throughout this walkthrough. Replace it with a long random
# secret and change it everywhere it is repeated (masterauth on the replica,
# sentinel auth-pass, the systemd ExecStop line) at the same time.
# Redis 6 ACLs ("user ..." directives / aclfile) allow per-client users instead of one shared password.
requirepass 123456
# Renaming CONFIG only hides it from casual clients; it is not access control.
# Sentinel sends CONFIG to the instances during failover, so a Sentinel managing this
# node must be told the new name (sentinel rename-command <master-name> CONFIG <new-name>).
rename-command CONFIG b840fc02d524045429941cc43f59e41cb7be6c52
################################## TLS to configure ###################################
# These files come from utils/gen-test-certs.sh: a throw-away CA and one certificate
# reused as server and client identity. Beyond a lab, issue per-host certificates from
# a real CA and keep redis.key readable only by the user redis runs as.
tls-cert-file /etc/redis/ssl/redis.crt
tls-key-file /etc/redis/ssl/redis.key
tls-ca-cert-file /etc/redis/ssl/ca.crt
tls-dh-params-file /etc/redis/ssl/redis.dh
# Mutual TLS: every client (redis-cli, replicas, Sentinel) must present a certificate
# chaining to tls-ca-cert-file or the handshake is rejected.
tls-auth-clients yes
# Outgoing replication connections to the master use TLS; Sentinel needs the same setting
# to reach instances that only listen on tls-port.
tls-replication yes
#Specify TLS replication yes to use TLS for external connections to the primary server. sentinel also needs synchronization settings.
#tls-cluster yes
################################## Connection configuration ##################################
maxclients 10000
############################# The release of laziness ####################################
lazyfree-lazy-eviction no
lazyfree-lazy-expire no
lazyfree-lazy-server-del no
replica-lazy-flush no
################################ LUA time limit ###############################
lua-time-limit 5000
############################### Slow log  ################################
slowlog-log-slower-than 10000
slowlog-max-len 128
# Example of loading a module (disabled). Modules run inside the server process with
# its privileges, so only load ones you have verified.
#loadmodule /usr/local/redis-6.2.0/module/rejson.so
######################### advanced setting #########################
activerehashing yes
#Cache space limit
client-output-buffer-limit normal 0 0 0
client-output-buffer-limit slave 1024mb 256mb 300
client-output-buffer-limit pubsub 32mb 8mb 60
client-query-buffer-limit 1gb
#Speed up writing rdb and aof
aof-rewrite-incremental-fsync yes
rdb-save-incremental-fsync yes
######################### Multithreading settings #########################
## Set the number of threads to no more than the total number of available cores of the CPU
#io-threads 4
## Set yes to enable multithreading
#io-threads-do-reads yes

systemd management

/etc/systemd/system/redis.service

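[Unit]
Description=redis
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
ExecStart=/usr/bin/redis-server /etc/redis/conf/redis.conf
ExecReload=/bin/kill -s HUP $MAINPID
# redis.conf sets "port 0" and "tls-port 6379", so the stop command must speak TLS and,
# because tls-auth-clients is yes, present the client certificate. A plain
# "redis-cli -p 6379" cannot connect, and the stop is expected to fall through to SIGTERM.
# The password is passed via REDISCLI_AUTH rather than -a so it does not appear in the
# process list. The unit file is still readable, so in real deployments prefer
# EnvironmentFile= pointing at a mode 0600 file instead of Environment=.
Environment=REDISCLI_AUTH=123456
ExecStop=/usr/bin/redis-cli --tls --cert /etc/redis/ssl/redis.crt --key /etc/redis/ssl/redis.key --cacert /etc/redis/ssl/ca.crt -p 6379 shutdown
# PrivateTmp gives the service its own /tmp: the unixsocket /tmp/redis.sock configured in
# redis.conf is therefore not visible to other processes at that path.
PrivateTmp=true
# The service runs as root in this walkthrough; consider User=/Group= with /etc/redis owned by that account.

[Install]
WantedBy=multi-user.target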

# Reload unit definitions, then start the service and enable it at boot
systemctl daemon-reload
for action in start enable; do
  systemctl "$action" redis.service
done
Created symlink /etc/systemd/system/multi-user.target.wants/redis.service → /usr/lib/systemd/system/redis.service.

Test connection

Because TLS is enabled, we must also present a certificate when connecting. Without a certificate the connection is refused, so we cannot authenticate, log in, or operate redis.

Specify certificate connection

# TLS flags collected in an array, then the server port
tls_opts=(--tls --cert /etc/redis/ssl/redis.crt --key /etc/redis/ssl/redis.key --cacert /etc/redis/ssl/ca.crt)
redis-cli "${tls_opts[@]}" -p 6379

redis master-slave configuration tls

Continuing from the configuration above, configure a slave of that master as follows.

master: 192.168.50.235, Ubuntu 18.04, redis 6.2.6
slave: 192.168.50.236, Ubuntu 18.04, redis 6.2.6

install

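# Install build dependencies (libssl-dev and pkg-config are needed for BUILD_TLS=yes)
sudo apt update
sudo apt install -y make gcc libssl-dev pkg-config

# Download redis and decompress
# TODO: check the tarball against the SHA-256 published by the Redis project before building, e.g.
#   echo '<published-sha256>  redis-6.2.6.tar.gz' | sha256sum -c -
wget https://download.redis.io/releases/redis-6.2.6.tar.gz
tar -xf redis-6.2.6.tar.gz

# compile with TLS support. Only if the jemalloc build fails
# (zmalloc.h:50:10: fatal error: jemalloc/jemalloc.h: No such file or directory)
# clean up and rebuild against the libc allocator, instead of always building twice.
cd redis-6.2.6 || exit 1
make BUILD_TLS=yes || { make distclean && make BUILD_TLS=yes MALLOC=libc; }
# make install puts the binaries in /usr/local/bin; the copy below puts them in
# /usr/bin as well, which is the path the systemd units further down expect.
sudo make install
cd src || exit 1
sudo cp -- redis-sentinel redis-cli redis-server /usr/bin/
# overcommit_memory=1 so the fork() used for background saves is not refused under memory pressure
echo "vm.overcommit_memory = 1" | sudo tee -a /etc/sysctl.conf >/dev/null
sudo sysctl -p   # take effect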

Copy master certificate to slave

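# On the slave: create the directory tree first
mkdir -p /etc/redis/{conf,ssl,logs,pid,data}
# On the master: copy the certificate material to the slave. This ships the same private
# key to a second host, which is acceptable for the shared test certificate from
# gen-test-certs.sh; beyond a lab, give each host its own certificate instead.
scp -rp -- /etc/redis/ssl/* root@192.168.50.236:/etc/redis/ssl/
# Keep the key private on the slave as well
ssh root@192.168.50.236 'chmod 600 /etc/redis/ssl/redis.key'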

Write configuration file

/etc/redis/conf/redis.conf

##########################################Basic parameter configuration############################################
# Listen on every interface. Together with "protected-mode no" this leaves TLS client
# authentication (tls-auth-clients below) and requirepass as the only barriers; prefer
# binding to the replication/management address and firewalling tls-port so that only
# the master, sentinel and client hosts can reach it.
bind 0.0.0.0
protected-mode no
#Port 0 means that non TLS ports are completely disabled
port 0
tls-port 6379
tcp-backlog 511
# The unix socket is a plaintext path that bypasses TLS (requirepass still applies);
# unixsocketperm 700 limits it to the owning user. NOTE: a systemd unit with
# PrivateTmp=true gives the service its own /tmp, so other processes will not find
# this socket at /tmp/redis.sock.
unixsocket /tmp/redis.sock
unixsocketperm 700
timeout 0
tcp-keepalive 300
daemonize yes
supervised no
pidfile /etc/redis/pid/redis.pid
loglevel notice
logfile /etc/redis/logs/redis.log
databases 16
always-show-logo yes
################################# Persistent configuration #################################
#RDB snapshot persistence
save 900 1
save 300 10
save 60 10000
stop-writes-on-bgsave-error yes
rdbcompression yes
rdbchecksum yes
dbfilename dump.rdb
dir /etc/redis/data
#AOF persistence
appendonly no
appendfilename appendonly.aof
appendfsync everysec
no-appendfsync-on-rewrite no
auto-aof-rewrite-percentage 100
auto-aof-rewrite-min-size 64mb
aof-load-truncated yes
aof-use-rdb-preamble yes
aof-rewrite-incremental-fsync yes
################################# Master slave configuration #################################
# Replicate from the master over TLS (tls-replication yes below). The master requires a
# client certificate (tls-auth-clients yes), which this host presents from tls-cert-file.
replicaof 192.168.50.235 6379
# Must equal the master's requirepass; it is stored in plaintext here, so keep this file
# readable only by the redis user.
masterauth 123456
replica-serve-stale-data no
replica-read-only yes
repl-diskless-sync no
repl-diskless-sync-delay 5
repl-disable-tcp-nodelay no
repl-backlog-size 10mb
repl-backlog-ttl 3600
################################## Safety certification ###################################
# Placeholder password used throughout this walkthrough. Replace it with a long random
# secret and change it everywhere it is repeated (masterauth above, sentinel auth-pass,
# the systemd ExecStop line) at the same time.
requirepass 123456
# Renaming CONFIG only hides it from casual clients; it is not access control.
# Sentinel sends CONFIG to the instances during failover, so a Sentinel managing this
# node must be told the new name (sentinel rename-command <master-name> CONFIG <new-name>).
rename-command CONFIG b840fc02d524045429941cc43f59e41cb7be6c52
################################## TLS to configure ###################################
# The same throw-away test certificate as on the master, copied over with scp. Beyond a
# lab, issue per-host certificates from a real CA and keep redis.key readable only by
# the user redis runs as.
tls-cert-file /etc/redis/ssl/redis.crt
tls-key-file /etc/redis/ssl/redis.key
tls-ca-cert-file /etc/redis/ssl/ca.crt
tls-dh-params-file /etc/redis/ssl/redis.dh
# Mutual TLS: every client (redis-cli, Sentinel) must present a certificate chaining to ca.crt.
tls-auth-clients yes
# The outgoing connection to the master uses TLS; the master only listens on tls-port.
tls-replication yes
#Specify TLS replication yes to use TLS for external connections to the primary server. sentinel also needs synchronization settings.
#tls-cluster yes
################################## Connection configuration ##################################
maxclients 10000
############################# The release of laziness ####################################
lazyfree-lazy-eviction no
lazyfree-lazy-expire no
lazyfree-lazy-server-del no
replica-lazy-flush no
################################ LUA time limit ###############################
lua-time-limit 5000
############################### Slow log  ################################
slowlog-log-slower-than 10000
slowlog-max-len 128
#rejson.so
#loadmodule /usr/local/redis-6.2.0/module/rejson.soo
######################### advanced setting #########################
activerehashing yes
#Cache space limit
client-output-buffer-limit normal 0 0 0
client-output-buffer-limit slave 1024mb 256mb 300
client-output-buffer-limit pubsub 32mb 8mb 60
client-query-buffer-limit 1gb
#Speed up writing rdb and aof
aof-rewrite-incremental-fsync yes
rdb-save-incremental-fsync yes
######################### Multithreading settings #########################
## Set the number of threads to no more than the total number of available cores of the CPU
#io-threads 4
## Set yes to enable multithreading
#io-threads-do-reads yes

systemd management

/etc/systemd/system/redis.service

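[Unit]
Description=redis
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
ExecStart=/usr/bin/redis-server /etc/redis/conf/redis.conf
ExecReload=/bin/kill -s HUP $MAINPID
# redis.conf sets "port 0" and "tls-port 6379", so the stop command must speak TLS and,
# because tls-auth-clients is yes, present the client certificate. A plain
# "redis-cli -p 6379" cannot connect, and the stop is expected to fall through to SIGTERM.
# The password is passed via REDISCLI_AUTH rather than -a so it does not appear in the
# process list. The unit file is still readable, so in real deployments prefer
# EnvironmentFile= pointing at a mode 0600 file instead of Environment=.
Environment=REDISCLI_AUTH=123456
ExecStop=/usr/bin/redis-cli --tls --cert /etc/redis/ssl/redis.crt --key /etc/redis/ssl/redis.key --cacert /etc/redis/ssl/ca.crt -p 6379 shutdown
# PrivateTmp gives the service its own /tmp: the unixsocket /tmp/redis.sock configured in
# redis.conf is therefore not visible to other processes at that path.
PrivateTmp=true
# The service runs as root in this walkthrough; consider User=/Group= with /etc/redis owned by that account.

[Install]
WantedBy=multi-user.target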

# Reload unit definitions, then start the service and enable it at boot
systemctl daemon-reload
for action in start enable; do
  systemctl "$action" redis.service
done
Created symlink /etc/systemd/system/multi-user.target.wants/redis.service → /usr/lib/systemd/system/redis.service.

Verifying master-slave services

  1. Log view

  2. Connect redis to perform info replication

  3. Connect to redis for data synchronization test

    master

    slave

sentinel service

For a test environment it is not necessary to deploy multiple sentinel services; here a single sentinel is deployed on the redis master server to show how to enable TLS connections.

Create directories, profiles

# Working directory for Sentinel (referenced by "dir" in sentinel.conf)
mkdir -p -- "/etc/redis/sentinel"

/etc/redis/conf/sentinel.conf

################################sentinel.conf########################################
# port 0 disables the plaintext listener; Sentinel is reachable only on tls-port
port 0
tls-port 26379

# Whether to start in the background
daemonize yes

# pid file path
pidfile "/etc/redis/pid/sentinel.pid"

# log file path
logfile "/etc/redis/logs/sentinel.log"

# Define working directory. Sentinel also rewrites this configuration file itself to
# persist its state, so /etc/redis/conf/sentinel.conf must stay writable by the user
# Sentinel runs as.
dir "/etc/redis/sentinel"

# tls settings: the same throw-away test certificate as the data nodes. It is both the
# listener certificate and the client certificate Sentinel presents to the master and
# replica, which require one (tls-auth-clients yes). tls-auth-clients is not set here,
# so Sentinel's own listener keeps the default and clients such as redis-cli must
# present a certificate too.
tls-cert-file /etc/redis/ssl/redis.crt
tls-key-file /etc/redis/ssl/redis.key
tls-ca-cert-file /etc/redis/ssl/ca.crt
tls-dh-params-file /etc/redis/ssl/redis.dh
# Without this Sentinel would try plaintext connections to the instances, which only listen on TLS
tls-replication yes

# Define the alias, IP and port of the Redis master. The trailing 1 is the quorum: at
# least one Sentinel must consider the master down before failover starts. Fine for a
# single test Sentinel; a production deployment needs several Sentinels and a quorum > 1.
sentinel monitor mymaster 192.168.50.235 6379 1

# Password of the master (its requirepass). This line must come after sentinel monitor.
# The secret is stored in plaintext, so keep this file readable only by the sentinel user.
sentinel auth-pass mymaster 123456
# NOTE(review): the data nodes rename CONFIG (rename-command CONFIG ...). Sentinel issues
# CONFIG to the instances during failover, so it must be told the renamed name, e.g.
#   sentinel rename-command mymaster CONFIG b840fc02d524045429941cc43f59e41cb7be6c52

# If mymaster does not respond within 30 seconds, it is considered as subjective failure
sentinel down-after-milliseconds mymaster 30000
# How many slave nodes can synchronize the new master node during failover
sentinel parallel-syncs mymaster 1
# If a failover does not complete within this period (milliseconds), it is retried
sentinel failover-timeout mymaster 180000

systemd management

/etc/systemd/system/sentinel.service

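[Unit]
Description=sentinel
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
ExecStart=/usr/bin/redis-sentinel /etc/redis/conf/sentinel.conf
ExecReload=/bin/kill -s HUP $MAINPID
# sentinel.conf sets "port 0" and "tls-port 26379", so the stop command must speak TLS
# and present the client certificate; a plain "redis-cli -p 26379" cannot connect and
# the stop is expected to fall through to SIGTERM. No password: sentinel.conf sets no requirepass.
ExecStop=/usr/bin/redis-cli --tls --cert /etc/redis/ssl/redis.crt --key /etc/redis/ssl/redis.key --cacert /etc/redis/ssl/ca.crt -p 26379 shutdown
PrivateTmp=true
# The service runs as root in this walkthrough; consider User=/Group= with /etc/redis owned by that account.

[Install]
WantedBy=multi-user.target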

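# Start and self start. The unit written above is sentinel.service; the original
# commands started redis.service here, which would never launch Sentinel.
systemctl daemon-reload
systemctl start sentinel.service
systemctl enable sentinel.service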

View sentinel status

Master-slave failover is not demonstrated here.

  1. View sentinel startup log

  2. Connect sentinel to view status

    Because we have configured TLS encryption, we cannot connect to the sentinel service directly with `redis-cli -p 26379`; we have to add the certificate paths.

    # TLS flags collected in an array, then the sentinel port
    tls_opts=(--tls --cert /etc/redis/ssl/redis.crt --key /etc/redis/ssl/redis.key --cacert /etc/redis/ssl/ca.crt)
    redis-cli "${tls_opts[@]}" -p 26379
    

Redis Cluster (sharded cluster) with TLS

Here I deploy a sharded Redis Cluster. Instead of finding at least six machines, I used a single virtual machine; the procedure is the same, and a real deployment should be sized to its actual situation.

install

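# Install build dependencies (libssl-dev and pkg-config are needed for BUILD_TLS=yes)
sudo apt update
sudo apt install -y make gcc libssl-dev pkg-config

# Download redis and decompress
# TODO: check the tarball against the SHA-256 published by the Redis project before building, e.g.
#   echo '<published-sha256>  redis-6.2.6.tar.gz' | sha256sum -c -
wget https://download.redis.io/releases/redis-6.2.6.tar.gz
tar -xf redis-6.2.6.tar.gz

# compile with TLS support. Only if the jemalloc build fails
# (zmalloc.h:50:10: fatal error: jemalloc/jemalloc.h: No such file or directory)
# clean up and rebuild against the libc allocator, instead of always building twice.
cd redis-6.2.6 || exit 1
make BUILD_TLS=yes || { make distclean && make BUILD_TLS=yes MALLOC=libc; }
# make install puts the binaries in /usr/local/bin; the copy below puts them in
# /usr/bin as well, which is the path the systemd units above expect.
sudo make install
cd src || exit 1
sudo cp -- redis-sentinel redis-cli redis-server /usr/bin/
# overcommit_memory=1 so the fork() used for background saves is not refused under memory pressure
echo "vm.overcommit_memory = 1" | sudo tee -a /etc/sysctl.conf >/dev/null
sudo sysctl -p   # take effect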

Plan directories and certificates

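# Create directory
mkdir -p /etc/redis/{conf,ssl,logs,pid,data}
# Create one data directory per cluster instance (brace expansion instead of a seq loop)
mkdir -p /etc/redis/data/698{1..6}
# Create the test certificate. Run this from the redis-6.2.6 source root (the install
# step above left the shell in src/). gen-test-certs.sh produces a throw-away CA and a
# single certificate reused as server and client identity; lab use only. Run it once,
# since running it again replaces the files under tests/tls and the copies below would
# no longer match.
./utils/gen-test-certs.sh
# Copy the certificate material to the location the configuration points at
cp -- tests/tls/redis.* /etc/redis/ssl/
cp -- tests/tls/ca.crt /etc/redis/ssl/
# The private key must only be readable by the account redis runs as
chmod 600 /etc/redis/ssl/redis.key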

Write configuration file

Only one of the configuration files is shown here; the others are similar, differing in port, file names and storage directory.

/etc/redis/conf/redis_6981.conf

##########################################Basic parameter configuration############################################
# Listen on every interface. Together with "protected-mode no" this leaves TLS client
# authentication (tls-auth-clients below) and requirepass as the only barriers; prefer
# binding to a specific address and firewalling the tls-port range and the cluster bus.
bind 0.0.0.0
protected-mode no
#Port 0 means that non TLS ports are completely disabled
port 0
# Single machine cluster ports cannot be consistent
tls-port 6981
tcp-backlog 511
# NOTE(review): the sed that derives redis_6982..6986.conf does not touch this line, so
# all six instances share one socket path; each start takes the path over and earlier
# instances are no longer reachable through it. Give each instance its own path
# (e.g. /tmp/redis_6981.sock) or drop the unix socket. It is a plaintext path that
# bypasses TLS (requirepass still applies).
unixsocket /tmp/redis.sock
unixsocketperm 700
timeout 0
tcp-keepalive 300
daemonize yes
supervised no
pidfile /etc/redis/pid/redis_6981.pid
loglevel notice
logfile /etc/redis/logs/redis_6981.log
databases 16
always-show-logo yes
################################# Persistent configuration #################################
#RDB snapshot persistence
save 900 1
save 300 10
save 60 10000
stop-writes-on-bgsave-error yes
rdbcompression yes
rdbchecksum yes
dbfilename dump.rdb
# Set the corresponding storage location
dir /etc/redis/data/6981
#AOF persistence
appendonly no
appendfilename appendonly.aof
appendfsync everysec
no-appendfsync-on-rewrite no
auto-aof-rewrite-percentage 100
auto-aof-rewrite-min-size 64mb
aof-load-truncated yes
aof-use-rdb-preamble yes
aof-rewrite-incremental-fsync yes
################################# cluser to configure #################################
# Replicas inside the cluster authenticate to their master with this password; it must
# equal the requirepass of every node (all nodes share the same value here).
masterauth 123456
cluster-enabled yes
# Written and maintained by Redis itself, relative to "dir", so each instance gets its own copy
cluster-config-file nodes_6981.conf
cluster-node-timeout 15000 
################################## Safety certification ###################################
# Placeholder password shared by all six instances; replace it with a long random secret
# and keep masterauth above in step with it.
requirepass 123456
# Renaming CONFIG only hides it from casual clients; it is not access control.
rename-command CONFIG b840fc02d524045429941cc43f59e41cb7be6c52
################################## TLS to configure ###################################
# The throw-away certificate from utils/gen-test-certs.sh, shared by all instances and
# used as server and client identity. Beyond a lab, issue per-node certificates from a real CA.
tls-cert-file /etc/redis/ssl/redis.crt
tls-key-file /etc/redis/ssl/redis.key
tls-ca-cert-file /etc/redis/ssl/ca.crt
tls-dh-params-file /etc/redis/ssl/redis.dh
# Mutual TLS: clients and peer nodes must present a certificate chaining to ca.crt
tls-auth-clients yes
tls-replication yes
#Specify TLS replication yes to use TLS for external connections to the primary server. sentinel also needs synchronization settings.
# TLS for the cluster bus as well (bus port = tls-port + 10000, i.e. 16981 for this
# instance). The bus port must be reachable between nodes but need not be exposed to clients.
tls-cluster yes
################################## Connection configuration ##################################
maxclients 10000
############################# The release of laziness ####################################
lazyfree-lazy-eviction no
lazyfree-lazy-expire no
lazyfree-lazy-server-del no
replica-lazy-flush no
################################ LUA time limit ###############################
lua-time-limit 5000
############################### Slow log  ################################
slowlog-log-slower-than 10000
slowlog-max-len 128
######################### advanced setting #########################
activerehashing yes
#Cache space limit
client-output-buffer-limit normal 0 0 0
client-output-buffer-limit slave 1024mb 256mb 300
client-output-buffer-limit pubsub 32mb 8mb 60
client-query-buffer-limit 1gb
#Speed up writing rdb and aof
aof-rewrite-incremental-fsync yes
rdb-save-incremental-fsync yes
######################### Multithreading settings #########################
## Set the number of threads to no more than the total number of available cores of the CPU
#io-threads 4
## Set yes to enable multithreading
#io-threads-do-reads yes

Generating the remaining configuration files

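# Copy the template configuration for instances 2-6
for i in {2..6}; do
  cp -- /etc/redis/conf/redis_6981.conf "/etc/redis/conf/redis_698$i.conf"
done
# Rewrite the port, pid/log file names and data directory in each copy. The original
# ran sed on a relative file name, which only works when the current directory is
# /etc/redis/conf; use the full path instead. Note the shared unixsocket line is not
# affected by this substitution.
for i in {2..6}; do
  sed -i "s/6981/698$i/g" "/etc/redis/conf/redis_698$i.conf"
done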

Start the services

No systemd units are created for the single-machine setup; if needed, refer to the unit above and adjust the port number.

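# Start the six instances ("daemonize yes" in the configs, so each call returns at once)
for i in {1..6}; do
  redis-server "/etc/redis/conf/redis_698$i.conf"
done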

Create cluster

Because requirepass is set in the configuration file, you need to supply the password (for example with -a) when creating the cluster.

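# Prompt for the requirepass value and hand it to redis-cli through REDISCLI_AUTH, so the
# password is kept out of argv (process list) and shell history instead of using -a.
read -rs -p 'redis password: ' REDISCLI_AUTH && echo
export REDISCLI_AUTH
redis-cli --tls --cert /etc/redis/ssl/redis.crt \
  --key /etc/redis/ssl/redis.key \
  --cacert /etc/redis/ssl/ca.crt \
  --cluster create --cluster-replicas 1 \
  192.168.50.235:6981 192.168.50.235:6982 192.168.50.235:6983 \
  192.168.50.235:6984 192.168.50.235:6985 192.168.50.235:6986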

Validate cluster

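# Sign in. requirepass is set, so an unauthenticated CLUSTER INFO is rejected with NOAUTH;
# the password is supplied through REDISCLI_AUTH rather than -a (keeps it out of the process list).
tls_opts=(--tls --cert /etc/redis/ssl/redis.crt --key /etc/redis/ssl/redis.key --cacert /etc/redis/ssl/ca.crt)
read -rs -p 'redis password: ' REDISCLI_AUTH && echo
export REDISCLI_AUTH
# View cluster information
redis-cli "${tls_opts[@]}" -c -p 6981 cluster info
# List all nodes of the cluster
redis-cli "${tls_opts[@]}" -c -p 6981 cluster nodes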

Other cluster operation commands can be viewed https://blog.csdn.net/echizao1839/article/details/98509011

Postscript
Throughout the deployment we found that with TLS enabled, redis-cli invocations become verbose. If the parameters are easy to forget, we can define an alias in ~/.bashrc

# Open ~/.bashrc in an editor and add the alias below
vim ~/.bashrc
# Set alias. This is an interactive shortcut only: systemd units and non-interactive
# scripts do not read ~/.bashrc and still need the full TLS flags.
alias redis-cli='redis-cli --tls --cert /etc/redis/ssl/redis.crt --key /etc/redis/ssl/redis.key --cacert /etc/redis/ssl/ca.crt'

# Save, exit, and reload the file into the current shell
. ~/.bashrc

A little test

# Write Key
root@local-1:/etc/redis/conf# redis-cli -c -p 6981 -a 123456
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
127.0.0.1:6981> set name aa
-> Redirected to slot [5798] located at 192.168.50.235:6982
OK
192.168.50.235:6982> get name
"aa"
192.168.50.235:6982> 

# Second terminal read
root@local-1:~# redis-cli -c -p 6982
127.0.0.1:6982> AUTH 123456
OK
127.0.0.1:6982> get name
"aa"
127.0.0.1:6982>

Note that this time we did not add the long string of TLS parameters (the alias supplies them). After writing the key, the client automatically jumps to the redis on 6982, because the key written through 6981 is stored on the 6982 redis.

But I don't understand how this jumped. Didn't I tell it that the key should be stored in slot xxx of xxx redis? (The redirect comes from cluster mode: the key hashes to slot 5798, which the output above shows belongs to the node on 6982, and redis-cli -c follows that MOVED redirect automatically.)
I'm a little confused. Forget it; I'll keep studying it. That's the end of today.


Added by Wo0tHigh on Fri, 19 Nov 2021 08:37:53 +0200