Add example configuration using SNI enabled TLS connection (#3045)

ggivo · web-flow · commit f513739df19f · 2024-11-05T08:27:20.000+02:00
Make file updated to bootstrap one primary virtual service (127.0.0.1:36443) redirecting to redis-sni1(localhost:6480) or redis-sni2(localhost:6479) Redis instances based on the provided SNI server name.
diff --git a/Makefile b/Makefile
@@ -282,6 +282,24 @@ work/stunnel.conf:
 	@echo accept = 127.0.0.1:6443 >> $@
 	@echo connect = 127.0.0.1:6479 >> $@
 
+	@echo [redis-sni-vritual] >> $@
+	@echo accept = 127.0.0.1:36443 >> $@
+	@echo cert=$(ROOT_DIR)/work/ca/certs/foo-host.cert.pem >> $@
+	@echo key=$(ROOT_DIR)/work/ca/private/foo-host.decrypted.key.pem >> $@
+	@echo connect = unavailable.internal.mydomain.com:6666 >> $@
+
+	@echo [redis-sni1] >> $@
+	@echo sni = redis-sni-vritual:redis-sni1.local >> $@
+	@echo key=$(ROOT_DIR)/work/ca/private/localhost.decrypted.key.pem >> $@
+	@echo cert=$(ROOT_DIR)/work/ca/certs/localhost.cert.pem >> $@
+	@echo connect = localhost:6480 >> $@
+
+	@echo [redis-sni2] >> $@
+	@echo sni = redis-sni-vritual:redis-sni2.local >> $@
+	@echo connect = localhost:6479 >> $@
+	@echo cert=$(ROOT_DIR)/work/ca/certs/foo-host.cert.pem >> $@
+	@echo key=$(ROOT_DIR)/work/ca/private/foo-host.decrypted.key.pem >> $@
+
 	@echo [foo-host] >> $@
 	@echo accept = 127.0.0.1:6444 >> $@
 	@echo connect = 127.0.0.1:6479 >> $@
diff --git a/src/test/java/io/lettuce/examples/ConnectToRedisSSLWithSni.java b/src/test/java/io/lettuce/examples/ConnectToRedisSSLWithSni.java
@@ -0,0 +1,46 @@
+package io.lettuce.examples;
+
+import io.lettuce.core.ClientOptions;
+import io.lettuce.core.RedisClient;
+import io.lettuce.core.SslOptions;
+import io.lettuce.core.api.StatefulRedisConnection;
+
+import javax.net.ssl.SNIHostName;
+import javax.net.ssl.SNIServerName;
+import javax.net.ssl.SSLParameters;
+import java.io.File;
+import java.util.ArrayList;
+import java.util.List;
+
+public class ConnectToRedisSSLWithSni {
+
+    public static void main(String[] args) {
+        // Syntax: rediss://[password@]host[:port][/databaseNumber]
+        // Adapt the port to the stunnel port in front of your Redis instance
+        RedisClient redisClient = RedisClient.create("rediss://127.0.0.1:36443");
+
+        List<SNIServerName> serverNames = new ArrayList<>();
+
+        // Hint : Enable SSL debugging (-Djavax.net.debug=ssl to the VM Args)
+        // to verify/troubleshoot ssl configuration
+        // Hint : Adapt the server name to switch between multiple instances
+        serverNames.add(new SNIHostName("redis-sni1.local"));
+        // serverNames.add(new SNIHostName("redis-sni2.local"));
+        SslOptions sslOptions = SslOptions.builder().jdkSslProvider().truststore(new File("work/truststore.jks"), "changeit")
+                .sslParameters(() -> {
+                    SSLParameters parameters = new SSLParameters();
+                    parameters.setServerNames(serverNames);
+                    return parameters;
+                }).build();
+
+        ClientOptions clientOptions = ClientOptions.builder().sslOptions(sslOptions).build();
+        redisClient.setOptions(clientOptions);
+
+        StatefulRedisConnection<String, String> connection = redisClient.connect();
+        System.out.println("Connected to Redis using TLS with enabled SNI");
+
+        connection.close();
+        redisClient.shutdown();
+    }
+
+}
