Linux-UNIX: Redis configuration
Redis TCP protocol is supported by an S-TAP installed on a Redis server. If Redis is set up with SSL/TLS encryption, you need two proxies using HAProxy Load Balancer.
Capturing SSL Redis protocol activities
Capturing SSL Redis protocol activities requires two proxies using HAProxy Load Balancer. They must be set up and configured on the same database server. S-TAP can be set up with K-TAP or PCAP. K-TAP or PCAP intercepts the traffic between the two proxy ports.
Guidelines: set up the double proxy with the following ports:
- Port 18345: HAProxy Load Balancer input port
- Port 18346: middle port, where activities are captured
- Port 18347: output port, which is also configured for the Redis connection
Clients connect to the input port over TLS, for example:
redis-cli -h `hostname` -p 18345 --tls --cacert /etc/opt/redislabs/proxy_cert.pem
Configure the HAProxy Load Balancer in a configuration file that is typically located at /etc/haproxy/haproxy.cfg. For example:
#---------------------------------------------------------------------
# main frontend which proxies to the backends
#---------------------------------------------------------------------
# TLS is terminated on the input port
frontend main_in
    bind 0.0.0.0:18345 ssl crt /etc/haproxy.pem
    mode tcp
    use_backend intermediate_out

# Decrypted traffic is forwarded to the middle port
backend intermediate_out
    server output 127.0.0.1:18346 send-proxy

# Middle port, where activities are captured
frontend intermediate_in
    bind 0.0.0.0:18346 accept-proxy
    mode tcp
    use_backend main_out

# Traffic is re-encrypted towards the Redis output port
backend main_out
    server output 127.0.0.1:18347 ssl verify none crt /etc/haproxy.pem
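A check for the two settings in the configuration above that matter most for exposure: the middle port 18346 carries decrypted Redis traffic and is bound to all interfaces with accept-proxy, and the output backend uses verify none. This is an added example, not code from the product documentation; the function names audit and is_local, the finding texts, and the embedded sample (a constructed copy of the configuration above) are assumptions of this example.

```python
import ipaddress

# Constructed sample: the double-proxy layout shown on this page.
SAMPLE_CFG = """\
frontend main_in
    bind 0.0.0.0:18345 ssl crt /etc/haproxy.pem
    mode tcp
    use_backend intermediate_out
backend intermediate_out
    server output 127.0.0.1:18346 send-proxy
frontend intermediate_in
    bind 0.0.0.0:18346 accept-proxy
    mode tcp
    use_backend main_out
backend main_out
    server output 127.0.0.1:18347 ssl verify none crt /etc/haproxy.pem
"""

def is_local(addr):
    # Loopback IPs and UNIX sockets are local; wildcard binds are not.
    if addr.startswith(("/", "unix@")):
        return True
    host = addr.rsplit(":", 1)[0].strip("[]")
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # "*", an empty host, or a hostname
        return host == "localhost"

def audit(cfg_text):
    # Return (line number, section, finding) tuples for risky settings.
    findings, section = [], "(none)"
    for lineno, raw in enumerate(cfg_text.splitlines(), 1):
        words = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if not words:
            continue
        if words[0] in ("frontend", "backend", "listen") and len(words) > 1:
            section = words[1]
        elif words[0] == "bind" and len(words) > 1 and not is_local(words[1]):
            if "ssl" not in words:
                findings.append((lineno, section, "cleartext listener reachable off-host"))
            if "accept-proxy" in words:
                findings.append((lineno, section, "PROXY header accepted from any peer"))
        elif words[0] == "server" and "ssl" in words and "verify none" in " ".join(words):
            findings.append((lineno, section, "backend TLS certificate not verified"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CFG):
        print(*finding)
```

Line numbers in the findings are relative to the text passed to audit, so pass the full contents of haproxy.cfg to get positions in the real file.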
Typical inspection engine configuration
[DB_0]
connect_to_ip=127.0.0.1,::1
db2_fix_pack_adjustment=80
db2_shmem_client_position=0
db2_shmem_size=131072
db2bp_path=NULL
db_exec_file=/opt/redislabs/bin/redis-server
db_install_dir=/opt/redislabs/
db_type=REDIS
db_user=redislabs
encryption=0
db_version=0
instance_running=1
intercept_types=NULL
load_balanced=1
port_range_end=18346
port_range_start=18340
priority_count=20
real_db_port=18346
tap_identifier=REDIS_STAP
tee_listen_port=0
unix_domain_socket_marker=NULL
networks=0.0.0.0/0.0.0.0,::/0
exclude_networks=