Redis SSL Installation
1. Overview
Because of business requirements, Redis must be deployed on servers in our own data center and cannot run on Alibaba Cloud.
Because of the customer's security requirements, connections must use SSL (TLS).
2. Building the Redis SSL image
Download the Redis source. It is only needed for its redis.conf template; the image itself is built from the official redis:6.2.17-alpine image below (a 6.2.6 redis.conf is fine for 6.2.17, both being 6.2.x releases).
wget https://download.redis.io/releases/redis-6.2.6.tar.gz
tar zxvf redis-6.2.6.tar.gz
cd redis-6.2.6
Strip the comments (lines starting with #) and blank lines from redis.conf:
grep -v "^#" redis.conf | grep -v "^$" > redis.conf.new
Generate the TLS certificates
mkdir -p /opt/redis/tls
cd /opt/redis/tls
Generate the CA root certificate. The page uses a 100-year validity (36500 days); that is fine for a lab, but a certificate you can never rotate is a liability in production, so pick a lifetime you can actually re-issue on and script the renewal.
openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -sha256 -key ca.key -days 36500 -subj '/O=Redis Test/CN=Certificate Authority' -out ca.crt
Generate the Redis server certificate (again 100 years) and the DH parameters. Note that this certificate carries only CN=Server and no subjectAltName: a client that verifies the hostname must either be told to expect the name "Server" or you must add a SAN with the real hostname or IP. ca.key never leaves this host; only ca.crt is handed to clients.
openssl genrsa -out redis.key 2048
openssl req -new -sha256 -key redis.key -subj '/O=Redis Test/CN=Server' | openssl x509 -req -sha256 -CA ca.crt -CAkey ca.key -CAserial ca.txt -CAcreateserial -days 36500 -out redis.crt
openssl dhparam -out redis.dh 2048
Build the Redis SSL image
Create a Dockerfile in /opt/redis (the build context must contain the tls/ directory generated above and the redis.conf copied below), based on the official Redis image. Be aware that COPY puts the private key into the image layers, so either keep the image in a private registry and treat it as a secret, or mount /tls at runtime instead of baking it in.
FROM redis:6.2.17-alpine
# OpenSSL CLI, handy for inspecting certificates inside the container
# (the official image already links redis-server against libssl, so this is optional)
RUN apk add --no-cache openssl
# Copy the certificates and DH parameters
COPY tls/redis.crt /tls/redis.crt
COPY tls/redis.key /tls/redis.key
COPY tls/ca.crt /tls/ca.crt
COPY tls/redis.dh /tls/redis.dh
# Copy the Redis configuration
COPY redis.conf /usr/local/etc/redis/redis.conf
# redis-server runs as the redis user; make the private key readable only by it
RUN chown -R redis:redis /tls/ && chmod 600 /tls/redis.key
# Start Redis
CMD ["redis-server", "/usr/local/etc/redis/redis.conf"]
Copy the redis.conf template
cp /opt/redis-6.2.6/redis.conf.new redis.conf
Edit redis.conf and add the TLS settings. Setting port to 0 removes the plaintext listener entirely, so the only way in is the TLS port:
port 0
################################## TLS configuration ###################################
tls-port 6380
tls-cert-file /tls/redis.crt
tls-key-file /tls/redis.key
tls-ca-cert-file /tls/ca.crt
tls-dh-params-file /tls/redis.dh
tls-auth-clients no
#########################################
The complete redis.conf is as follows:
bind 0.0.0.0
protected-mode yes
port 0
################################## TLS configuration ###################################
tls-port 6380
tls-cert-file /tls/redis.crt
tls-key-file /tls/redis.key
tls-ca-cert-file /tls/ca.crt
tls-dh-params-file /tls/redis.dh
tls-auth-clients no
#########################################
requirepass 12345678
save 900 1
save 300 10
save 60 10000
maxmemory-policy noeviction
tcp-backlog 511
timeout 0
tcp-keepalive 300
daemonize no
pidfile /var/run/redis_6379.pid
loglevel notice
logfile ""
databases 16
always-show-logo no
set-proc-title yes
proc-title-template "{title} {listen-addr} {server-mode}"
stop-writes-on-bgsave-error yes
rdbcompression yes
rdbchecksum yes
dbfilename dump.rdb
rdb-del-sync-files no
dir /data
replica-serve-stale-data yes
replica-read-only yes
repl-diskless-sync no
repl-diskless-sync-delay 5
repl-diskless-load disabled
repl-disable-tcp-nodelay no
replica-priority 100
acllog-max-len 128
lazyfree-lazy-eviction no
lazyfree-lazy-expire no
lazyfree-lazy-server-del no
replica-lazy-flush no
lazyfree-lazy-user-del no
lazyfree-lazy-user-flush no
oom-score-adj no
oom-score-adj-values 0 200 800
disable-thp yes
appendonly no
appendfilename "appendonly.aof"
appendfsync everysec
no-appendfsync-on-rewrite no
auto-aof-rewrite-percentage 100
auto-aof-rewrite-min-size 64mb
aof-load-truncated yes
aof-use-rdb-preamble yes
lua-time-limit 5000
slowlog-log-slower-than 10000
slowlog-max-len 128
latency-monitor-threshold 0
notify-keyspace-events ""
hash-max-ziplist-entries 512
hash-max-ziplist-value 64
list-max-ziplist-size -2
list-compress-depth 0
set-max-intset-entries 512
zset-max-ziplist-entries 128
zset-max-ziplist-value 64
hll-sparse-max-bytes 3000
stream-node-max-bytes 4096
stream-node-max-entries 100
activerehashing yes
client-output-buffer-limit normal 0 0 0
client-output-buffer-limit replica 256mb 64mb 60
client-output-buffer-limit pubsub 32mb 8mb 60
hz 10
dynamic-hz yes
aof-rewrite-incremental-fsync yes
rdb-save-incremental-fsync yes
jemalloc-bg-thread yes
Relative to the default configuration, the main changes are:
bind 0.0.0.0
protected-mode yes
port 0
################################## TLS configuration ###################################
tls-port 6380
tls-cert-file /tls/redis.crt
tls-key-file /tls/redis.key
tls-ca-cert-file /tls/ca.crt
tls-dh-params-file /tls/redis.dh
tls-auth-clients no
#########################################
requirepass 12345678
save 900 1
save 300 10
save 60 10000
maxmemory-policy noeviction
dir /data
Parameter notes:
bind: must be 0.0.0.0 inside the container. The default (127.0.0.1 and ::1) only accepts connections from inside the container's own network namespace, so nothing coming through the port Docker publishes (the Java clients included) could reach Redis. Exposure is then limited by which ports you publish and by the host firewall.
port 0: disables the plaintext 6379 listener, so only the TLS port is open.
tls-auth-clients no: the server does not demand a client certificate (one-way TLS). The Java clients here only verify the server against ca.crt, so mutual TLS is not required; set it to yes and issue client certificates if you want clients authenticated by certificate as well.
requirepass: the Redis password. With one-way TLS this is the only thing authenticating a client, so 12345678 is a placeholder only; use a long random secret.
save 900 1 etc.: RDB snapshot triggers.
maxmemory-policy noeviction: what Redis does when maxmemory is reached; with noeviction it refuses writes instead of evicting keys. It is not an expiry setting: keys with a TTL still expire normally.
dir /data: all Redis data lives under /data.
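As an added check (example code written for this page, not something from the original post or the Redis project), the script below parses a redis.conf and reports on the security-relevant directives discussed above: it confirms the plaintext port is off and the TLS files are configured, flags a short or all-digit requirepass, and notes when tls-auth-clients leaves clients authenticated by password only. The sample inputs are the page's own changed settings plus two constructed variants, one hardened and one with TLS never configured.

```python
"""Audit the TLS-related settings in a redis.conf (added example for this page)."""
import shlex

# The settings this page changes, copied from the text above; the weak
# placeholder password is kept deliberately so the audit has something to flag.
PAGE_CONF = """\
bind 0.0.0.0
protected-mode yes
port 0
tls-port 6380
tls-cert-file /tls/redis.crt
tls-key-file /tls/redis.key
tls-ca-cert-file /tls/ca.crt
tls-dh-params-file /tls/redis.dh
tls-auth-clients no
requirepass 12345678
save 900 1
save 300 10
save 60 10000
maxmemory-policy noeviction
dir /data
"""

# Constructed variant: a long random secret and mutual TLS switched on.
HARDENED_CONF = PAGE_CONF.replace(
    "requirepass 12345678", "requirepass Xk3v9QpL2mN8rT6wB1yZ4cH7dF0gJ5sA"
).replace("tls-auth-clients no", "tls-auth-clients yes")

# Constructed variant: stock defaults, i.e. TLS was never configured.
PLAINTEXT_CONF = "bind 127.0.0.1 -::1\nprotected-mode yes\nport 6379\n"


def parse_redis_conf(text):
    """Return {directive: [args, args, ...]}; repeated directives such as save accumulate."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # shlex handles quoted values like logfile "" and proc-title-template "{title} ..."
        parts = shlex.split(line)
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit_tls_conf(text):
    """Return findings as 'WARN ...' / 'INFO ...' strings; no WARN lines means the TLS setup is sound."""
    conf = parse_redis_conf(text)

    def first(key, default=None):
        # First occurrence of a directive, or the Redis default when it is absent
        return conf[key][0] if key in conf else default

    findings = []
    port = first("port", ["6379"])
    if port != ["0"]:
        findings.append(f"WARN port {port[0]}: plaintext listener enabled; set 'port 0' so only the TLS port is reachable")
    if first("tls-port") is None:
        findings.append("WARN tls-port missing: no TLS listener at all")
    for key in ("tls-cert-file", "tls-key-file"):
        if first(key) is None:
            findings.append(f"WARN {key} missing: redis-server cannot start TLS without it")
    if first("tls-ca-cert-file") is None and first("tls-ca-cert-dir") is None:
        findings.append("WARN tls-ca-cert-file missing: Redis needs a CA file or directory for TLS")
    auth = first("tls-auth-clients", ["yes"])
    if auth != ["yes"]:
        findings.append(f"INFO tls-auth-clients {auth[0]}: no client certificate required; clients are authenticated by requirepass/ACL only")
    pw = first("requirepass")
    if pw is None:
        findings.append("WARN requirepass missing: TLS encrypts the link, but anyone reaching the port runs commands unauthenticated")
    elif len(pw[0]) < 16 or pw[0].isdigit():
        findings.append("WARN requirepass is short or all digits: easily brute-forced; use a long random secret")
    if first("protected-mode", ["yes"]) != ["yes"]:
        findings.append("WARN protected-mode no: keep the default unless you have a concrete reason")
    bind = first("bind", ["127.0.0.1"])
    if any(addr in ("0.0.0.0", "*", "::", "-::*") for addr in bind):
        findings.append("INFO bind on all interfaces: limit exposure with Docker port publishing and a host firewall")
    return findings


if __name__ == "__main__":
    for name, conf in (("page", PAGE_CONF), ("hardened", HARDENED_CONF), ("plaintext", PLAINTEXT_CONF)):
        print(f"== {name} ==")
        for finding in audit_tls_conf(conf) or ["OK: no findings"]:
            print(" ", finding)
```

Run it against your real file with `audit_tls_conf(open("redis.conf").read())`; the INFO line about tls-auth-clients is expected for this page's setup and is there so the decision to skip mutual TLS is a conscious one.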
Build the image
docker build -f Dockerfile -t redis:6.2.17-alpine-ssl .
Run the image once to check that it starts:
docker run --rm -it redis:6.2.17-alpine-ssl
If the log ends with "Ready to accept connections" and shows no TLS errors, the configuration and certificate files load correctly. This run publishes no port, so it only proves the server starts; connectivity is tested after the real deployment below.
3. Production deployment
mkdir -p /data/redis-prod-ssl
cd /data/redis-prod-ssl
Copy the TLS directory. The container uses the certificates baked into the image, so this copy is not mounted; keep it here anyway, because ca.crt is what Navicat and other clients need in order to verify the server.
cp -r /opt/redis/tls .
vi redis.conf
Edit redis.conf (the same file prepared above); only the value after requirepass needs to change. Use a long random password, not the placeholder.
Create docker-compose.yaml. Data is kept in the ./redis-data bind mount, and the host redis.conf is mounted over the copy baked into the image, which is why only the password has to be edited:
services:
  redis-prod-ssl:
    image: redis:6.2.17-alpine-ssl
    container_name: redis-prod-ssl
    ports:
      - "6380:6380"
    environment:
      TZ: Asia/Shanghai
    volumes:
      - ./redis-data:/data
      - ./redis.conf:/usr/local/etc/redis/redis.conf
    restart: always
Start the service
docker-compose up -d
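Once the container is up, it is worth checking the published port the way a client will see it rather than only watching the log. The script below is an added example written for this page (not code from the original post or from Redis): it speaks enough RESP to AUTH and PING over a TLS socket that trusts only ca.crt and requires TLS 1.2 or better, and it confirms the port does not answer a plaintext PING. Because redis.crt carries CN=Server and no subjectAltName, hostname verification only passes when the client is told to expect the name "Server"; the script does exactly that. The host, port, password and CA path are command-line arguments and the values in the comments are assumptions.

```python
"""Verify the Redis TLS port from a client's point of view (added example for this page)."""
import socket
import ssl
import sys


class RedisError(Exception):
    """An error reply from the server (-ERR ..., -WRONGPASS ..., -NOAUTH ...)."""


class IncompleteReply(ValueError):
    """Raised when the buffer does not yet contain a whole reply."""


def encode_command(*args):
    """Encode a command as a RESP2 array of bulk strings, the format redis-cli sends."""
    parts = [f"*{len(args)}\r\n".encode()]
    for arg in args:
        data = arg.encode()
        parts.append(b"$%d\r\n%s\r\n" % (len(data), data))
    return b"".join(parts)


def parse_reply(buf):
    """Parse one RESP2 reply and return (value, unconsumed bytes)."""
    end = buf.find(b"\r\n")
    if end < 0:
        raise IncompleteReply("incomplete reply")
    kind, payload, rest = buf[:1], buf[1:end], buf[end + 2:]
    if kind == b"+":                      # simple string: +OK, +PONG
        return payload.decode(), rest
    if kind == b"-":                      # error reply, e.g. wrong AUTH password
        raise RedisError(payload.decode())
    if kind == b":":                      # integer
        return int(payload), rest
    if kind == b"$":                      # bulk string; $-1 is the null bulk
        length = int(payload)
        if length == -1:
            return None, rest
        if len(rest) < length + 2:
            raise IncompleteReply("incomplete bulk string")
        return rest[:length].decode(), rest[length + 2:]
    if kind == b"*":                      # array of nested replies; *-1 is a null array
        count = int(payload)
        if count == -1:
            return None, rest
        items = []
        for _ in range(count):
            item, rest = parse_reply(rest)
            items.append(item)
        return items, rest
    raise ValueError(f"unknown reply type {kind!r}")


def build_tls_context(cafile=None):
    """Client context that trusts only the CA which signed redis.crt and requires TLS 1.2+.

    No client certificate is loaded: the server runs tls-auth-clients no, so the server
    is authenticated by its certificate and the client by AUTH."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def request(sock, *args):
    """Send one command and read until a complete reply has arrived."""
    sock.sendall(encode_command(*args))
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
        try:
            return parse_reply(buf)[0]
        except IncompleteReply:
            continue


def tls_check(host, port, password, cafile, server_hostname=None):
    """Connect over TLS, AUTH, PING; return (TLS version, server certificate CN, PING reply)."""
    ctx = build_tls_context(cafile)
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_hostname or host) as tls:
            cn = dict(rdn[0] for rdn in tls.getpeercert()["subject"])["commonName"]
            request(tls, "AUTH", password)        # raises RedisError on WRONGPASS
            return tls.version(), cn, request(tls, "PING")


def refuses_plaintext(host, port):
    """True if a plaintext PING to the port does not get +PONG, i.e. the port is TLS-only."""
    try:
        with socket.create_connection((host, port), timeout=3) as s:
            s.sendall(encode_command("PING"))
            return s.recv(64) != b"+PONG\r\n"
    except OSError:
        return True


if __name__ == "__main__":
    # Assumed invocation: python redis_tls_check.py 127.0.0.1 6380 <password> ./tls/ca.crt
    host, port, password, cafile = sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4]
    print("plaintext refused:", refuses_plaintext(host, port))
    # "Server" is the CN in the page's redis.crt, which has no SAN
    print("TLS check:", tls_check(host, port, password, cafile, server_hostname="Server"))
```

A wrong password surfaces as a RedisError carrying the server's WRONGPASS text, a certificate not signed by ca.crt fails inside wrap_socket with an ssl.SSLCertVerificationError, and a plaintext connection never sees +PONG; all three are the failure modes you want to see before handing ca.crt to the Java team.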
4. Connecting with Navicat
Connect using Navicat.
Enable SSL in the connection settings and point it at the CA certificate (ca.crt from the tls directory). No client certificate or key is needed because the server runs with tls-auth-clients no; the password is the requirepass value.
Click Test Connection; "Connection successful" means everything is working.