Stunnel to DigitalOcean Redis DB
Connecting to your DigitalOcean DBaaS Redis server
The DigitalOcean DBaaS Redis offering requires that connections be made over secure connections using SSL/TLS. Unfortunately the default redis-cli client does not support SSL/TLS connections. So to get your clients connected you’ll need to either use a third-party client or library that supports secured connections, or use Stunnel to create a tunnel through which your redis-cli can connect.
We’ll quickly go through setting up Stunnel and getting it connected to your Redis server. Keep in mind that your application will most likely use a library, but this can be useful if you have a management node or a jumpbox/bastion node.
Prerequisites
We’ll be using an Ubuntu 18.04 server in SFO2. The size doesn’t really matter for this example, but if you do plan to use this moving forward, be sure to give yourself enough room to run your tool set from it as well as having room for other users on your admin staff. Towards the bottom of the Droplet creation page you’ll want to set a tag on your Droplet. I’ll be using jumpbox as my tag. Also, please be sure to secure the server by setting up a firewall, disallowing root SSH login, disabling password authentication, and changing the default SSH port. We won’t be doing that in this example, but keep those things in mind.
Once the Droplet is up and running, go ahead and create yourself a Redis server using DigitalOcean’s DBaaS offering. The provisioning time is pretty quick, but we’ll use that time to start setting up some tools on the Ubuntu server.
Installing tools on your jumpbox
Connect to your Droplet over SSH. Let’s go ahead and update the Droplet and install redis-cli and stunnel.
$ sudo apt-get update && sudo apt-get upgrade -y;
$ sudo apt-get install -y redis-tools stunnel4;
Let’s make sure stunnel starts on boot.
$ sudo vim /etc/default/stunnel4
Now go ahead and replace ENABLED=0 with ENABLED=1, then save and quit the file.
Retrieve connection information
By now your Redis server is probably up and running and ready to be configured. You should be able to start by adding trusted sources. This is where you’re going to insert the Droplet tag you set up when creating your Droplet, which in our example is jumpbox.
The next prompt is going to ask you to set an eviction policy for Redis. You can decide on what works best for your application. I’ll be leaving it as noeviction since this is just an example.
The next step is going to show you connectivity information for both public and private connections. Since we’re going to be connecting from an internal jumpbox, let’s switch that over to the private tab. Keep that screen up or copy the details over to a secure location, you’ll need the host and port information to configure stunnel.
Configure stunnel
Jump back over to your terminal, which should be connected to your Droplet running Ubuntu. Create the file /etc/stunnel/redis.conf. stunnel reads this file when you start it back up and creates the tunnel for you. Open the file and save it with the following contents:
$ sudo vim /etc/stunnel/redis.conf
pid = /run/stunnel-redis.pid
client = yes
[redis-client]
connect = private_host_name:25061
accept = 127.0.0.1:25061
Then stop and start the stunnel service.
$ sudo systemctl stop stunnel4.service
$ sudo systemctl start stunnel4.service
You can then run ss -plant and see the service listening on 127.0.0.1 with the local port you specified. This also means you can set up multiple tunnels to different servers by just using different local ports. Let’s go ahead and try connecting using redis-cli.
$ redis-cli -h 127.0.0.1 -p 25061 -a "yourpasswordhere"
You should now see the redis prompt where you can enter in the PING command to get a PONG response.
127.0.0.1:25061> PING
PONG
127.0.0.1:25061>
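The steps above (write the config, restart stunnel, confirm the listener with ss, PING through the tunnel) as one POSIX shell script. This is an added example, not code from the post or from DigitalOcean; private_host_name, the ports, the password file path and the CAfile path are placeholders, and it assumes the CA that issued the Redis server certificate is in the system bundle so stunnel can verify it.

```shell
#!/bin/sh
# Added example (not from the page): render the stunnel client config for a
# DigitalOcean Redis endpoint, check that stunnel is listening locally, and PING
# through the tunnel. Host names, ports and paths are placeholders/assumptions.
set -eu
# Render the config. verifyChain/CAfile/checkHost make stunnel reject a server
# whose certificate does not chain to a trusted CA or does not match the host,
# which the page's minimal config (no verify options) does not do.
render_stunnel_conf() {
  remote_host="$1"; remote_port="$2"; local_port="$3"
  cat <<EOF
pid = /run/stunnel-redis.pid
client = yes
[redis-client]
connect = ${remote_host}:${remote_port}
accept = 127.0.0.1:${local_port}
verifyChain = yes
CAfile = /etc/ssl/certs/ca-certificates.crt
checkHost = ${remote_host}
EOF
}

# Succeed only if the ss -plant listing on stdin shows a LISTEN socket bound to
# 127.0.0.1:<port> (anchored so port 25061 does not match 250610).
tunnel_listening() {
  grep -Eq "^LISTEN[[:space:]].*[[:space:]]127\.0\.0\.1:$1[[:space:]]"
}

# Constructed sample of ss -plant output (not captured from a real host).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    127.0.0.1:25061    0.0.0.0:*         users:(("stunnel4",pid=1234,fd=9))
ESTAB  0      0      10.0.0.5:22        10.0.0.9:51234    users:(("sshd",pid=987,fd=3))'

# Write the config, restart stunnel and confirm the listener (needs root).
apply_tunnel() {
  render_stunnel_conf "$1" "$2" "$3" > /etc/stunnel/redis.conf
  systemctl restart stunnel4.service
  ss -plant | tunnel_listening "$3"
}

# PING through the tunnel. The password is read from a mode-0600 file so it is
# not in shell history; -a still shows it in the process list to local users.
ping_via_tunnel() {
  redis-cli -h 127.0.0.1 -p "$1" -a "$(cat "$2")" PING
}
# Usage: sh redis-tunnel.sh --apply private_host_name 25061 25061 /root/.redis_pass
if [ "${1:-}" = "--apply" ]; then
  apply_tunnel "$2" "$3" "$4" && ping_via_tunnel "$4" "$5"
fi
```

Run it with --apply on the jumpbox to write the config and restart the service; without arguments it only defines the functions, so you can source it and call tunnel_listening against live ss output.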
That’s it. You’re all set and can now connect to your Redis server to run scheduled or ad-hoc tasks for management and troubleshooting. Hope this helps. If there are any recommendations you want to make to improve this process, please feel free to comment.