diff --git a/CHANGELOG.md b/CHANGELOG.md
index 72a062d8..5c746c89 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,8 @@ This file is used to list changes made in each version of the redisio cookbook.
 ## Unreleased
 
+- Add an option to manage all TLS related attributes
+
 ## 7.0.1 - *2024-04-04*
 
 ## 7.0.0 - *2024-04-04*
 
diff --git a/README.md b/README.md
index 95a6c7de..992b6ca6 100644
--- a/README.md
+++ b/README.md
@@ -387,6 +387,26 @@ Available options and their defaults
 'includes' => nil,
 'aclfile' => nil, # Requires redis 6+
 'breadcrumb' => true # Defaults to create breadcrumb lock-file.
+'tlsport' => nil,
+'tlscertfile' => nil,
+'tlskeyfile' => nil,
+'tlskeyfilepass' => nil,
+'tlsclientcertfile' => nil,
+'tlsclientkeyfile' => nil,
+'tlsclientkeyfilepass' => nil,
+'tlsdhparamsfile' => nil,
+'tlscacertfile' => nil,
+'tlscacertdir' => nil,
+'tlsauthclients' => nil,
+'tlsreplication' => nil,
+'tlscluster' => nil,
+'tlsprotocols' => nil,
+'tlsciphers' => nil,
+'tlsciphersuites' => nil,
+'tlspreferserverciphers' => nil,
+'tlssessioncaching' => nil,
+'tlssessioncachesize' => nil,
+'tlssessioncachetimeout' => nil,
 ```
 
 * `redisio['servers']` - An array where each item is a set of key value pairs for redis instance specific settings. The only required option is 'port'. These settings will override the options in 'default_settings', if it is left `nil` it will default to `[{'port' => '6379'}]`. If set to `[]` (empty array), no instances will be created.
diff --git a/attributes/default.rb b/attributes/default.rb
index a3b86c5d..b4759c4b 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -150,6 +150,26 @@
   'minreplicastowrite' => nil,
   'minreplicasmaxlag' => nil,
   'breadcrumb' => true,
+  'tls-port' => nil,
+  'tls-cert-file' => nil,
+  'tls-key-file' => nil,
+  'tls-key-file-pass' => nil,
+  'tls-client-cert-file' => nil,
+  'tls-client-key-file' => nil,
+  'tls-client-key-file-pass' => nil,
+  'tls-dh-params-file' => nil,
+  'tls-ca-cert-file' => nil,
+  'tls-ca-cert-dir' => nil,
+  'tls-auth-clients' => nil,
+  'tls-replication' => nil,
+  'tls-cluster' => nil,
+  'tls-protocols' => nil,
+  'tls-ciphers' => nil,
+  'tls-ciphersuites' => nil,
+  'tls-prefer-server-ciphers' => nil,
+  'tls-session-caching' => nil,
+  'tls-session-cache-size' => nil,
+  'tls-session-cache-timeout' => nil,
 }
 
 # The default for this is set inside of the "install" recipe. This is due to the way deep merge handles arrays
diff --git a/providers/configure.rb b/providers/configure.rb
index 683ad62b..0f47bb97 100644
--- a/providers/configure.rb
+++ b/providers/configure.rb
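Review bot: The twenty keys added to attributes/default.rb are hyphenated (`'tls-port'`, `'tls-cert-file'`, …), but providers/configure.rb in this same commit reads `current['tlsport']`, `current['tlscertfile']`, … and the README documents the unhyphenated spelling, so a value placed in default_settings under these keys never reaches the template. Every neighbouring key in this hash (`'minreplicastowrite'`, `'breadcrumb'`) uses the unhyphenated form, so the attribute names should be changed to match, `'tlsport' => nil,` through `'tlssessioncachetimeout' => nil,`. This assumes nothing outside the diff normalizes key names before the provider looks them up.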
@@ -265,7 +265,27 @@
   minreplicastowrite: current['minreplicastowrite'],
   minreplicasmaxlag: current['minreplicasmaxlag'],
   repldisklesssync: current['repldisklesssync'],
-  repldisklesssyncdelay: current['repldisklesssyncdelay']
+  repldisklesssyncdelay: current['repldisklesssyncdelay'],
+  tlsport: current['tlsport'],
+  tlscertfile: current['tlscertfile'],
+  tlskeyfile: current['tlskeyfile'],
+  tlskeyfilepass: current['tlskeyfilepass'],
+  tlsclientcertfile: current['tlsclientcertfile'],
+  tlsclientkeyfile: current['tlsclientkeyfile'],
+  tlsclientkeyfilepass: current['tlsclientkeyfilepass'],
+  tlsdhparamsfile: current['tlsdhparamsfile'],
+  tlscacertfile: current['tlscacertfile'],
+  tlscacertdir: current['tlscacertdir'],
+  tlsauthclients: current['tlsauthclients'],
+  tlsreplication: current['tlsreplication'],
+  tlscluster: current['tlscluster'],
+  tlsprotocols: current['tlsprotocols'],
+  tlsciphers: current['tlsciphers'],
+  tlsciphersuites: current['tlsciphersuites'],
+  tlspreferserverciphers: current['tlspreferserverciphers'],
+  tlssessioncaching: current['tlssessioncaching'],
+  tlssessioncachesize: current['tlssessioncachesize'],
+  tlssessioncachetimeout: current['tlssessioncachetimeout']
 )
 not_if { ::File.exist?("#{current['configdir']}/#{server_name}.conf.breadcrumb") }
 end
diff --git a/templates/default/redis.conf.erb b/templates/default/redis.conf.erb
index a05949ed..b8ab66e8 100644
--- a/templates/default/redis.conf.erb
+++ b/templates/default/redis.conf.erb
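Review bot: `tlskeyfilepass` and `tlsclientkeyfilepass` are private-key passphrases that this hunk passes into the template like any other variable, and nothing in the hunk marks the resource as sensitive, so a converge that rewrites the config prints the passphrase in the resource diff and in the chef-client log. Mark the template resource sensitive whenever either passphrase is set, for example `sensitive(!current['tlskeyfilepass'].nil? || !current['tlsclientkeyfilepass'].nil?)` alongside the existing `not_if`. The enclosing resource block starts before the hunk, so whether a `sensitive` property is already declared earlier cannot be seen here.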
@@ -130,6 +130,142 @@
 syslog-facility <%= @syslogfacility %>
 # dbid is a number between 0 and 'databases'-1
 databases <%=@databases%>
+################################# TLS/SSL #####################################
+
+# By default, TLS/SSL is disabled. To enable it, the "tls-port" configuration
+# directive can be used to define TLS-listening ports. To enable TLS on the
+# default port, use:
+#
+# port 0
+# tls-port 6379
+<%= "tls-port #{@tlsport}" unless @tlsport.nil? %>
+
+# Configure a X.509 certificate and private key to use for authenticating the
+# server to connected clients, masters or cluster peers. These files should be
+# PEM formatted.
+#
+# tls-cert-file redis.crt
+# tls-key-file redis.key
+<%= "tls-cert-file #{@tlscertfile}" unless @tlscertfile.nil? %>
+<%= "tls-key-file #{@tlskeyfile}" unless @tlskeyfile.nil? %>
+#
+# If the key file is encrypted using a passphrase, it can be included here
+# as well.
+#
+# tls-key-file-pass secret
+<%= "tls-key-file-pass #{@tlskeyfilepass}" unless @tlskeyfilepass.nil? %>
+
+# Normally Redis uses the same certificate for both server functions (accepting
+# connections) and client functions (replicating from a master, establishing
+# cluster bus connections, etc.).
+#
+# Sometimes certificates are issued with attributes that designate them as
+# client-only or server-only certificates. In that case it may be desired to use
+# different certificates for incoming (server) and outgoing (client)
+# connections. To do that, use the following directives:
+#
+# tls-client-cert-file client.crt
+# tls-client-key-file client.key
+<%= "tls-client-cert-file #{@tlsclientcertfile}" unless @tlsclientcertfile.nil? %>
+<%= "tls-client-key-file #{@tlsclientkeyfile}" unless @tlsclientkeyfile.nil? %>
+#
+# If the key file is encrypted using a passphrase, it can be included here
+# as well.
+#
+# tls-client-key-file-pass secret
+<%= "tls-client-key-file-pass #{@tlsclientkeyfilepass}" unless @tlsclientkeyfilepass.nil? 
%>
+
+# Configure a DH parameters file to enable Diffie-Hellman (DH) key exchange,
+# required by older versions of OpenSSL (<3.0). Newer versions do not require
+# this configuration and recommend against it.
+#
+# tls-dh-params-file redis.dh
+<%= "tls-dh-params-file #{@tlsdhparamsfile}" unless @tlsdhparamsfile.nil? %>
+
+# Configure a CA certificate(s) bundle or directory to authenticate TLS/SSL
+# clients and peers. Redis requires an explicit configuration of at least one
+# of these, and will not implicitly use the system wide configuration.
+#
+# tls-ca-cert-file ca.crt
+# tls-ca-cert-dir /etc/ssl/certs
+<%= "tls-ca-cert-file #{@tlscacertfile}" unless @tlscacertfile.nil? %>
+<%= "tls-ca-cert-dir #{@tlscacertdir}" unless @tlscacertdir.nil? %>
+
+# By default, clients (including replica servers) on a TLS port are required
+# to authenticate using valid client side certificates.
+#
+# If "no" is specified, client certificates are not required and not accepted.
+# If "optional" is specified, client certificates are accepted and must be
+# valid if provided, but are not required.
+#
+# tls-auth-clients no
+# tls-auth-clients optional
+<%= "tls-auth-clients #{@tlsauthclients}" unless @tlsauthclients.nil? %>
+
+# By default, a Redis replica does not attempt to establish a TLS connection
+# with its master.
+#
+# Use the following directive to enable TLS on replication links.
+#
+# tls-replication yes
+<%= "tls-replication #{@tlsreplication}" unless @tlsreplication.nil? %>
+
+# By default, the Redis Cluster bus uses a plain TCP connection. To enable
+# TLS for the bus protocol, use the following directive:
+#
+# tls-cluster yes
+<%= "tls-cluster #{@tlscluster}" unless @tlscluster.nil? %>
+
+# By default, only TLSv1.2 and TLSv1.3 are enabled and it is highly recommended
+# that older formally deprecated versions are kept disabled to reduce the attack surface.
+# You can explicitly specify TLS versions to support.
+# Allowed values are case insensitive and include "TLSv1", "TLSv1.1", "TLSv1.2",
+# "TLSv1.3" (OpenSSL >= 1.1.1) or any combination.
+# To enable only TLSv1.2 and TLSv1.3, use:
+#
+# tls-protocols "TLSv1.2 TLSv1.3"
+<%= "tls-protocols #{@tlsprotocols}" unless @tlsprotocols.nil? %>
+
+# Configure allowed ciphers. See the ciphers(1ssl) manpage for more information
+# about the syntax of this string.
+#
+# Note: this configuration applies only to <= TLSv1.2.
+#
+# tls-ciphers DEFAULT:!MEDIUM
+<%= "tls-ciphers #{@tlsciphers}" unless @tlsciphers.nil? %>
+
+# Configure allowed TLSv1.3 ciphersuites. See the ciphers(1ssl) manpage for more
+# information about the syntax of this string, and specifically for TLSv1.3
+# ciphersuites.
+#
+# tls-ciphersuites TLS_CHACHA20_POLY1305_SHA256
+<%= "tls-ciphersuites #{@tlsciphersuites}" unless @tlsciphersuites.nil? %>
+
+# When choosing a cipher, use the server's preference instead of the client
+# preference. By default, the server follows the client's preference.
+#
+# tls-prefer-server-ciphers yes
+<%= "tls-prefer-server-ciphers #{@tlspreferserverciphers}" unless @tlspreferserverciphers.nil? %>
+
+# By default, TLS session caching is enabled to allow faster and less expensive
+# reconnections by clients that support it. Use the following directive to disable
+# caching.
+#
+# tls-session-caching no
+<%= "tls-session-caching #{@tlssessioncaching}" unless @tlssessioncaching.nil? %>
+
+# Change the default number of TLS sessions cached. A zero value sets the cache
+# to unlimited size. The default size is 20480.
+#
+# tls-session-cache-size 5000
+<%= "tls-session-cache-size #{@tlssessioncachesize}" unless @tlssessioncachesize.nil? %>
+
+# Change the default timeout of cached TLS sessions. The default timeout is 300
+# seconds.
+#
+# tls-session-cache-timeout 60
+<%= "tls-session-cache-timeout #{@tlssessioncachetimeout}" unless @tlssessioncachetimeout.nil? 
%>
+
 ################################ SNAPSHOTTING #################################
 #
 # Save the DB on disk:
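Review bot: `tls-protocols` is rendered unquoted by `<%= "tls-protocols #{@tlsprotocols}" unless @tlsprotocols.nil? %>`, yet the directive takes one space-separated list as a single argument, as the example immediately above it (`tls-protocols "TLSv1.2 TLSv1.3"`) shows; an attribute value of `TLSv1.2 TLSv1.3` is therefore written as two bare tokens, which Redis is likely to reject as a wrong number of arguments for the directive. Either have the template quote the value, `<%= "tls-protocols \"#{@tlsprotocols}\"" unless @tlsprotocols.nil? %>`, or state in the README that the `tlsprotocols` attribute must carry its own surrounding quotes; doing both would double-quote. The `tls-ciphers` and `tls-ciphersuites` lines are only affected if a value contains whitespace, which the OpenSSL list syntax normally does not.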