Monitoring Redis with in-Transit Encryption Enabled
Introduction to Redis
Redis is an open source, in-memory, key-value data store for use as a database, cache, message broker, and queue. It delivers sub-millisecond response times, enabling millions of requests per second for a variety of real-time applications. Redis is a popular choice for caching, session management, real-time analytics, geospatial, chat/messaging, media streaming, and gaming leaderboards. It offers different levels of on-disk persistence and clustering for high availability.
Monitoring Redis on Amazon Web Services
The AWS web console gives you very limited options to monitor Redis health and activity. You can navigate to the ElastiCache dashboard and view service-level events (Services > ElastiCache > Events). From CloudWatch, you can look at the following counters individually or create a custom dashboard that includes them all.
- BytesUsedForCache
- CacheHits
- CacheMisses
- CurrConnections
- NewConnections
- EngineCPUUtilization
- Network I/O
To interact with the database and get the following questions answered, you need to connect to it using a client tool:
- Who is connected and from what IP address?
- What's the size of the Redis database?
- What key-value pairs are currently stored in the database?
- Which commands are being processed by the server right now?
In addition, you can also perform the following actions on the database:
- Kill a specific client connection
- View current configuration settings
- Modify configuration
- List all databases
- Reset a database or all databases.
- Create a new key-value pair.
- Retrieve a key
Connecting to Redis with in-Transit Encryption Enabled
To access data from ElastiCache for Redis nodes enabled with in-transit encryption, you must use a client that works with Secure Socket Layer (SSL). However, redis-cli doesn't support SSL or Transport Layer Security (TLS). A TLS proxy can be used with redis-cli to connect to Redis over an encrypted link. "stunnel" is one of the TLS wrappers available for free.
stunnel TLS Proxy
stunnel is a Transport Layer Security (TLS) offloading and load-balancing proxy. It works as a TLS encryption wrapper between remote clients and local or remote servers, so non-TLS-aware daemons running on your system can communicate with clients over secure TLS channels. Like any other TLS endpoint, stunnel requires a certificate to use for client-to-server communication. Since the Redis client is usually used only internally on private networks, you can create a self-signed certificate instead of buying one from a certificate authority such as GeoTrust or Symantec.
Installing stunnel
SSH to your Linux EC2 instance and log in using 'ec2-user' and the SSH key the machine was deployed with. Run the following commands in the provided sequence. You can skip the SSH steps and follow only the SSL certificate instructions if you don't need to apply them to a Redis server installed on EC2. If you're using AWS's Redis cluster, you can connect with just the SSL certificate. Remember to update the connect string with your Redis endpoint.
sudo yum install stunnel
cat /etc/stunnel/redis-cli.conf #view the config if one already exists
cd /etc/stunnel
sudo vi redis-cli.conf
;######## /etc/stunnel/redis-cli.conf #################
fips = no
setuid = root
setgid = root
cert = /etc/stunnel/private.pem
pid = /var/run/stunnel.pid
debug = 7
delay = yes
[redis-cli]
client = yes
accept = 127.0.0.1:6379
connect = clustercfg.agill-test-dev-rg.xyz7ia.use1.cache.amazonaws.com:6379
;######## /etc/stunnel/redis-cli.conf #################
sudo openssl genrsa -out /etc/stunnel/key.pem 4096 #generate key
sudo openssl req -new -x509 -key /etc/stunnel/key.pem -out /etc/stunnel/cert.pem -days 1826 #generate certificate
sudo sh -c 'cat /etc/stunnel/key.pem /etc/stunnel/cert.pem > /etc/stunnel/private.pem' #combine both (the redirect needs root to write into /etc/stunnel)
sudo chmod 600 /etc/stunnel/key.pem /etc/stunnel/cert.pem /etc/stunnel/private.pem #lock down sensitive files
sudo stunnel /etc/stunnel/redis-cli.conf #start the stunnel process
sudo netstat -tulnp | grep -i stunnel #verify it's running
sudo pkill stunnel #terminate stunnel process, once done testing.
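The config above encrypts the link but never checks who is on the other end of it. The script below is an added example, not part of the original post: it emits a client-mode stunnel config that also verifies the ElastiCache server certificate, and includes a small audit check that fails on configs like the one above. The endpoint is a placeholder and the CA bundle path is the one assumed for Amazon Linux / RHEL.

```shell
#!/bin/sh
# Added example (not from the original post): emit an stunnel client config
# for an ElastiCache endpoint that also verifies the server certificate, so
# the tunnel is authenticated as well as encrypted.
# Assumptions: the endpoint below is a constructed placeholder, the CA bundle
# path is the Amazon Linux / RHEL default, and "nobody" is an unprivileged
# account on the host.
ENDPOINT="${1:-clustercfg.PLACEHOLDER-cluster.abc123.use1.cache.amazonaws.com:6379}"
CA_BUNDLE="/etc/pki/tls/certs/ca-bundle.crt"

# Print a hardened client-mode config for ENDPOINT (host:port) to stdout.
# No 'cert =' line: a client certificate is optional in stunnel client mode
# and is not needed to reach ElastiCache.
stunnel_client_conf() {
  ep="$1"; host="${ep%:*}"
  printf '%s\n' \
    "fips = no" \
    "setuid = nobody" \
    "setgid = nobody" \
    "pid = /var/run/stunnel.pid" \
    "debug = 4" \
    "" \
    "[redis-cli]" \
    "client = yes" \
    "accept = 127.0.0.1:6379" \
    "connect = $ep" \
    "sni = $host" \
    "verifyChain = yes" \
    "CAfile = $CA_BUNDLE" \
    "checkHost = $host"
}

# Audit an existing config file: succeed only if it verifies the server
# certificate chain (verifyChain) against a CA source (CAfile or CApath).
conf_verifies_server() {
  grep -Eq '^[[:space:]]*verifyChain[[:space:]]*=[[:space:]]*yes' "$1" &&
    grep -Eq '^[[:space:]]*(CAfile|CApath)[[:space:]]*=' "$1"
}

stunnel_client_conf "$ENDPOINT"
```

Redirect the output to /etc/stunnel/redis-cli.conf (with sudo) and start stunnel as before; a failed handshake now shows up in the stunnel log instead of silently connecting to whatever answers at the endpoint.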
Installing Redis Client
SSH to your Linux EC2 instance and log in using 'ec2-user' and the SSH key the machine was deployed with. Run the following commands in the provided sequence. You can optionally combine multiple commands together. They are spread out to enhance readability and to add comments against individual commands wherever needed.
sudo yum install wget #GNU network utility to retrieve files from the World Wide Web using HTTP and FTP
sudo yum install gcc #GNU C/C++ compilers
which gcc && gcc --version #see if gcc installed ok
wget https://download.redis.io/redis-stable.tar.gz #download the Redis source tarball (includes redis-cli), over HTTPS so it cannot be altered in transit
tar xvzf redis-stable.tar.gz #uncompress
cd redis-stable #go to source directory
make #compile Redis client
sudo cp src/redis-cli /usr/local/bin/ #copy client binary to user bin, to access from anywhere
sudo chmod 755 /usr/local/bin/redis-cli #update permissions on client binary
Connecting to Redis
sudo netstat -tulnp | grep -i stunnel #check whether stunnel is already listening on 127.0.0.1:6379
sudo stunnel /etc/stunnel/redis-cli.conf #start the stunnel, if not running. Can be added to init.d.
redis-cli -h localhost #connect through the local stunnel listener
telnet localhost 6379 #alternative: raw connection through the same listener
Useful Commands
Note: Don’t run the “flush*” & “kill*” commands unless you absolutely understand the outcome. They are listed for reference only, should there be a need for it. They are not required for monitoring.
ping #You can play ping pong with the server to verify your connection. Will fail without "auth".
echo "Hello AGill" #Verify your connection. Will fail without "auth".
auth <password> #Authenticate with the AUTH token. Good practice to launch the Redis cluster with this option.
ping #Ping again; succeeds once authenticated.
echo "Hello AGill" #Will respond only if connected to the server.
command count #Count of all the Redis commands available to you at this prompt
command #List of all the Redis commands available to you at this prompt
command info <command-name> #Details of specific command(s)
client list #List of current connections and their IP addresses
client getname #Get client name for your connection
client setname AGill-Redis-Client #Set client name for your connection
client getname #Confirm the new client name
client list #The new name now shows in the name= field of your connection
client kill addr <ip:port> #Kill a connection, based on "addr" returned from "client list"
client kill id <id> #Kill a connection, based on "id" returned from "client list"
monitor #Debugging command to view live activity. Streams all the requests being processed by Redis.
#Ctrl+C to cancel monitoring from "redis-cli"
#Issue the "quit" command to stop the monitor stream running from the "telnet" client
dbsize #Total number of keys stored in the current database
select <index> #Select a database. New connections use database "0". Not available in cluster mode.
keys * #List all the keys stored in the database (blocks the server while it runs on large datasets; prefer "scan")
scan 0 #Start a new cursor to browse through the stored keys.
#Returns the cursor value for the next call and an array of keys.
scan <cursor> #Continue from where the previous call left off; a returned cursor of 0 means the scan is complete.
set agill "Hello Handsome!" #Create a new key.
get agill #Retrieve a key.
lastsave #Time the contents were last flushed to disk, in seconds since 01/01/1970 UTC
#UNIX timestamp to datetime: https://www.epochconverter.com/
flushdb #Delete all the keys stored in the current database.
flushdb async #Delete all the keys stored in the current database.
#Deletion occurs in the background in a different thread, without blocking the server.
flushall #Delete all the keys stored in all the existing databases.
flushall async #Delete all the keys stored in all the existing databases.
#Deletion occurs in the background in a different thread, without blocking the server.
quit #Close the connection to the server
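"client list" answers the questions from the introduction (who is connected, from where, doing what) only once its key=value lines are parsed. The script below is an added example, not part of the original post: it reduces "client list" output to connections per source IP, long-idle clients worth reviewing before a "client kill", and clients holding a "monitor" stream open. The sample lines are constructed, not from a real cluster; the live invocation through the stunnel listener is shown in the comments.

```shell
#!/bin/sh
# Added example (not from the original post): summarise "client list" output.
# Live use through the stunnel listener from the sections above:
#   redis-cli -h 127.0.0.1 -p 6379 client list | connections_by_ip
#   redis-cli -h 127.0.0.1 -p 6379 client list | idle_clients 3600
# The three lines below are constructed sample output, not a real cluster.
SAMPLE_CLIENT_LIST='id=3 addr=10.0.1.5:52555 fd=8 name=app-1 age=9120 idle=7000 flags=N db=0 cmd=get
id=4 addr=10.0.1.5:52600 fd=9 name= age=30 idle=2 flags=N db=0 cmd=client
id=5 addr=10.0.2.9:41000 fd=10 name=batch age=600 idle=0 flags=O db=0 cmd=monitor'

# Count connections per client IP, printed as "count ip", busiest first.
connections_by_ip() {
  awk '{
    for (i = 1; i <= NF; i++) if ($i ~ /^addr=/) {
      split(substr($i, 6), a, ":")   # addr=ip:port -> ip
      n[a[1]]++
    }
  } END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Print the ids of clients idle for more than $1 seconds; these are the
# candidates to review before a "client kill id <id>".
idle_clients() {
  awk -v max="$1" '{
    id = ""; idle = 0
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^id=/)   id = substr($i, 4)
      if ($i ~ /^idle=/) idle = substr($i, 6) + 0
    }
    if (id != "" && idle > max) print id
  }'
}

# Print the ids of clients in MONITOR mode (flag "O"); a forgotten monitor
# stream costs the single Redis thread CPU on every command.
monitor_clients() {
  awk '{
    id = ""; mon = 0
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^id=/) id = substr($i, 4)
      if ($i ~ /^flags=/ && index(substr($i, 7), "O")) mon = 1
    }
    if (mon) print id
  }'
}

printf '%s\n' "$SAMPLE_CLIENT_LIST" | connections_by_ip
printf '%s\n' "$SAMPLE_CLIENT_LIST" | idle_clients 3600
printf '%s\n' "$SAMPLE_CLIENT_LIST" | monitor_clients
```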
Redis is Single Threaded
Due to the single-threaded nature of Redis, it is not possible to kill a client connection while it is executing a command. From the client's point of view, the connection can never be closed in the middle of the execution of a command. However, the client will notice the connection has been closed only when the next command is sent (and results in a network error).