Създадох примерно репо за това как може да се настрои докер контейнер за използване на новия redis v6+ ssl:
- https://github.com/allen-munsch/docker-redis-ssl-example
docker-compose.yml
version: "3"
volumes:
redis:
services:
redis:
image: "example/redis:v6.0.13"
command: ["/app/docker-redis-entrypoint.sh"]
container_name: redis
ports:
- 6379:6379
volumes:
- redis:/data
- ./:/app
Dockerfile:
FROM redis:6.0.13 as base
COPY ./redis/tls /tls
входна точка.sh
#!/bin/sh
set -e
redis-server --tls-port 6379 --port 0 \
--tls-cert-file /tls/redis.crt \
--tls-key-file /tls/redis.key \
--tls-ca-cert-file /tls/ca.crt
gen-redi-certs.sh
#!/bin/bash
# COPIED/MODIFIED from the redis server gen-certs util
# Generate some test certificates which are used by the regression test suite:
#
# tls/ca.{crt,key} Self signed CA certificate.
# tls/redis.{crt,key} A certificate with no key usage/policy restrictions.
# tls/client.{crt,key} A certificate restricted for SSL client usage.
# tls/server.{crt,key} A certificate restricted for SSL server usage.
# tls/redis.dh DH Params file.
generate_cert() {
local name=$1
local cn="$2"
local opts="$3"
local keyfile=tls/${name}.key
local certfile=tls/${name}.crt
[ -f $keyfile ] || openssl genrsa -out $keyfile 2048
openssl req \
-new -sha256 \
-subj "/O=Redis Test/CN=$cn" \
-key $keyfile | \
openssl x509 \
-req -sha256 \
-CA tls/ca.crt \
-CAkey tls/ca.key \
-CAserial tls/ca.txt \
-CAcreateserial \
-days 365 \
$opts \
-out $certfile
}
mkdir -p tls
[ -f tls/ca.key ] || openssl genrsa -out tls/ca.key 4096
openssl req \
-x509 -new -nodes -sha256 \
-key tls/ca.key \
-days 3650 \
-subj '/O=Redis Test/CN=Certificate Authority' \
-out tls/ca.crt
cat > tls/openssl.cnf <<_END_
[ server_cert ]
keyUsage = digitalSignature, keyEncipherment
nsCertType = server
[ client_cert ]
keyUsage = digitalSignature, keyEncipherment
nsCertType = client
_END_
generate_cert server "Server-only" "-extfile tls/openssl.cnf -extensions server_cert"
generate_cert client "Client-only" "-extfile tls/openssl.cnf -extensions client_cert"
generate_cert redis "Generic-cert"
[ -f tls/redis.dh ] || openssl dhparam -out tls/redis.dh 2048