Ubuntu: installing Redis with TLS
sudo apt update
sudo apt install redis-server openssl
mkdir -p ~/redis-tls
cd ~/redis-tls
# Generate the CA private key
openssl genrsa -out ca.key 2048
# Generate the self-signed CA certificate
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt -subj "/CN=redis-ca"
# Generate the server private key
openssl genrsa -out redis.key 2048
# Generate the certificate signing request (CSR)
# openssl req -new -key redis.key -out redis.csr -subj "/CN=redis"
openssl req -new -key redis.key -out redis.csr -subj "/CN=127.0.0.1"
# Sign the certificate with the CA
openssl x509 -req -days 3650 -in redis.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out redis.crt
Configure Redis to use TLS. Edit the Redis configuration file /etc/redis/redis.conf and add or modify the following lines:
tls-port 6380
tls-cert-file /path/to/redis.crt
tls-key-file /path/to/redis.key
tls-ca-cert-file /path/to/ca.crt
tls-auth-clients optional
Make sure to replace /path/to/ with the actual path to your certificate and key files.
Adjust permissions
sudo chmod 644 /path/to/redis-tls/*
sudo chown redis:redis /path/to/redis-tls/*
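The steps above as one script, added here as an example rather than taken from the original notes. It assumes openssl is installed and that the caller passes an output directory; the chown to redis:redis is left out because it needs root. It goes one step beyond the notes in two ways: the server certificate also carries a subjectAltName (DNS:localhost plus the IP), which is what TLS clients actually match against, and the private keys are set to 640 instead of the 644 used above, since 644 leaves the key readable by every local user.

```shell
#!/usr/bin/env bash
# Added example, not part of the original notes. Assumes openssl is installed
# and that the caller passes an output directory; chown to redis:redis is left
# out because it needs root.
set -eu

# Same steps as the notes above, but the server certificate also gets a
# subjectAltName (DNS:localhost and the IP), which is what TLS clients match
# against; a CN-only certificate is rejected by many modern verifiers.
make_redis_certs() {
    dir=$1
    host_ip=${2:-127.0.0.1}
    mkdir -p "$dir"
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/CN=redis-ca" 2>/dev/null
    openssl genrsa -out "$dir/redis.key" 2048 2>/dev/null
    openssl req -new -key "$dir/redis.key" -out "$dir/redis.csr" \
        -subj "/CN=$host_ip" 2>/dev/null
    printf 'subjectAltName=DNS:localhost,IP:%s\nextendedKeyUsage=serverAuth\n' \
        "$host_ip" > "$dir/san.ext"
    openssl x509 -req -days 3650 -in "$dir/redis.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/san.ext" \
        -out "$dir/redis.crt" 2>/dev/null
}

# The redis.conf lines from the notes, with the real paths filled in.
# tls-auth-clients stays "optional" as in the notes; "yes" would require
# every client to present a certificate signed by ca.crt.
redis_tls_conf() {
    dir=$1
    printf 'tls-port 6380\n'
    printf 'tls-cert-file %s/redis.crt\n' "$dir"
    printf 'tls-key-file %s/redis.key\n' "$dir"
    printf 'tls-ca-cert-file %s/ca.crt\n' "$dir"
    printf 'tls-auth-clients optional\n'
}

# chmod 644 on the whole directory (as in the notes) makes the private keys
# readable by every local user. Certificates can stay 644; keys get 640 so
# only the owner and the redis group (after chown redis:redis) can read them.
# ca.key is only needed to sign new certificates and should not stay on the
# server at all.
restrict_key_perms() {
    dir=$1
    chmod 644 "$dir"/*.crt
    chmod 640 "$dir/redis.key" "$dir/ca.key"
}

# Returns 0 when "other" has no read bit on the file (column 8 of ls -l).
key_is_private() {
    [ "$(ls -ld "$1" | cut -c8)" != "r" ]
}

# Stand-alone run: build everything in a scratch directory and show the result.
scratch=$(mktemp -d)
make_redis_certs "$scratch"
redis_tls_conf "$scratch" > "$scratch/redis-tls.conf"
restrict_key_perms "$scratch"
if key_is_private "$scratch/redis.key"; then
    echo "redis.key is not world-readable"
fi
ls -l "$scratch"
rm -rf "$scratch"
```

To use it for real, call make_redis_certs with the directory and the address clients will connect to, append the output of redis_tls_conf to /etc/redis/redis.conf, run restrict_key_perms, then chown the files to redis:redis as root.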
View the log
cat /var/log/redis/redis-server.log
On WSL the commands differ, since there is no systemd support.
sudo systemctl start redis-server
# Enable start at boot
sudo systemctl enable redis-server
sudo systemctl status redis-server
Check status
sudo service redis-server status
Restart Redis
sudo service redis-server restart
Check the version; TLS is supported from Redis 6.0 onward
redis-server --version
Check the certificate's validity period
openssl x509 -in /path/to/redis-tls/redis.crt -text -noout | grep "Not After"
Verify the Redis certificate against the CA certificate
openssl verify -CAfile /path/to/redis-tls/ca.crt /path/to/redis-tls/redis.crt
In the output, find the Subject field and confirm that the CN matches the hostname or IP address you use to connect. For example, if you connect to 127.0.0.1, the CN should be 127.0.0.1.
openssl x509 -in /path/to/redis-tls/redis.crt -text -noout
Check the port
netstat -tuln | grep 6379
Connect, specifying the TLS port and the CA certificate
redis-cli --tls -h 127.0.0.1 -p 6380 --cacert /path/to/redis-tls/1/ca.crt
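The checks above (chain verification, expiry, CN/SAN match, listening port) wrapped as functions that return 0 or 1, so they can run from a deploy script or a cron job instead of being read by eye. This is an added example, not code from the original notes; it assumes openssl is installed and that the certificate directory is passed as the first argument. It goes beyond the notes in one respect: it checks the subjectAltName first and only falls back to the CN when the certificate has no SAN, because that is the order TLS clients use.

```shell
#!/usr/bin/env bash
# Added example, not part of the original notes. Wraps the openssl checks
# above in functions that return 0/1. Assumes openssl is installed; pass the
# certificate directory (and optionally the host) as arguments to run the report.
set -eu

# Does redis.crt chain to ca.crt? (openssl verify -CAfile ...)
redis_cert_chain_ok() {
    ca=$1; cert=$2
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1
}

# Is the certificate still valid in N days (default 30)? Instead of reading
# "Not After" by eye, -checkend exits 1 once the remaining lifetime is shorter.
redis_cert_not_expiring() {
    cert=$1; days=${2:-30}
    openssl x509 -in "$cert" -noout -checkend "$(( days * 86400 ))" >/dev/null
}

# Does the certificate cover the host or IP used to connect? Clients check the
# subjectAltName first; only a certificate with no SAN at all falls back to the
# subject CN, which is the case the notes above describe.
redis_cert_matches_host() {
    cert=$1; host=$2
    san=$(openssl x509 -in "$cert" -noout -text |
          awk '/Subject Alternative Name/ { getline; print; exit }' | tr -d ' ')
    if [ -n "$san" ]; then
        printf '%s\n' "$san" | tr ',' '\n' | grep -qx -e "DNS:$host" -e "IPAddress:$host"
    else
        cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 |
             sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p')
        [ "$cn" = "$host" ]
    fi
}

# Is anything listening on the TLS port (6380 from the notes)? Note that the
# plain port 6379 stays open as well unless "port 0" is set in redis.conf.
redis_port_listening() {
    ss -tln 2>/dev/null | grep -q ":${1:-6380} "
}

# Run one check and print its result without aborting the report.
show() {
    if "$@"; then echo "ok:   $*"; else echo "FAIL: $*"; fi
}

report() {
    dir=$1; host=${2:-127.0.0.1}
    show redis_cert_chain_ok "$dir/ca.crt" "$dir/redis.crt"
    show redis_cert_not_expiring "$dir/redis.crt" 30
    show redis_cert_matches_host "$dir/redis.crt" "$host"
    show redis_port_listening 6380
}

# Stand-alone use: ./check-redis-tls.sh /path/to/redis-tls 127.0.0.1
[ $# -eq 0 ] || report "$@"
```

The host argument to report should be exactly what redis-cli or the application puts after -h; a certificate issued for 127.0.0.1 will not match a client that connects to localhost unless that name is in the SAN.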
Configuring Redis TLS in the Laravel framework
'redis' => [
    'client' => env('REDIS_CLIENT', 'phpredis'),
    'options' => [
        'cluster' => env('REDIS_CLUSTER', 'redis'),
        'prefix' => env('REDIS_PREFIX', Str::slug(env('APP_NAME', 'laravel'), '_').'_database_'),
        // Passed to phpredis connect() as the stream context; the keys are PHP's SSL context options
        'context' => [
            'stream' => [
                'local_cert' => env('REDIS_CLIENT_CERT', null),
                'local_pk' => env('REDIS_CLIENT_KEY', null),
                'cafile' => env('REDIS_CA_FILE'),
                'verify_peer' => true,
                'verify_peer_name' => true,
                // Allow self-signed certificates; not needed when cafile points at the CA that signed redis.crt
                'allow_self_signed' => true,
                'passphrase' => env('REDIS_CERT_PASSPHRASE', null), // passphrase for the certificate's private key
            ],
        ],
    ],
    'default' => [
        'url' => env('REDIS_URL'),
        'host' => env('REDIS_HOST', '127.0.0.1'),
        // Without 'scheme' => 'tls' the connector opens a plain TCP connection even on the TLS port
        'scheme' => env('REDIS_SCHEME', 'tcp'),
        'username' => env('REDIS_USERNAME'),
        'password' => env('REDIS_PASSWORD'),
        // 'port' => env('REDIS_PORT', '6379'),
        'port' => env('REDIS_SCHEME', 'tcp') == 'tls' ? env('REDIS_TLS_PORT', 6380) : env('REDIS_PORT', 6379),
        'database' => env('REDIS_DB', '0'),
    ],
    'cache' => [
        'url' => env('REDIS_URL'),
        'host' => env('REDIS_HOST', '127.0.0.1'),
        'scheme' => env('REDIS_SCHEME', 'tcp'),
        'username' => env('REDIS_USERNAME'),
        'password' => env('REDIS_PASSWORD'),
        'port' => env('REDIS_SCHEME', 'tcp') == 'tls' ? env('REDIS_TLS_PORT', 6380) : env('REDIS_PORT', 6379),
        'database' => env('REDIS_CACHE_DB', '1'),
    ],
],