---
title: Database Access with Redis
description: How to configure Teleport Database Access with Redis.
---
If you want to configure Redis Cluster, please read Database Access with Redis Cluster.
This guide will help you to:
- Install and configure Teleport.
- Configure mutual TLS authentication between Teleport and Redis.
- Connect to Redis through Teleport.
<ScopedBlock scope={["oss", "enterprise"]}> <ScopedBlock scope={["cloud"]}>
(!docs/pages/includes/edition-prereqs-tabs.mdx!)
- Redis version 6.0 or newer.
- `redis-cli` version 6.2 or newer installed and added to your system's `PATH` environment variable.
- A host where you will run the Teleport Database Service. Teleport version 9.0 or newer must be installed. See Installation for details.
(!docs/pages/includes/tctl.mdx!)
(!docs/pages/includes/database-access/token.mdx!)
Install Teleport on the host where you will run the Teleport Database Service:
(!docs/pages/includes/install-linux.mdx!)
<ScopedBlock scope={["oss", "enterprise"]}>
Start the Teleport Database Service, pointing the `--auth-server` flag to the address of your Teleport Proxy Service:

```code
$ teleport db start \
  --token=/tmp/token \
  --auth-server=teleport.example.com:3080 \
  --name=example-redis \
  --protocol=redis \
  --uri=rediss://redis.example.com:6379 \
  --labels=env=dev
```

The `--auth-server` flag must point to the Teleport cluster's Proxy Service endpoint because the Database Service always connects back to the cluster over a reverse tunnel.
Start the Teleport Database Service, pointing the `--auth-server` flag to the address of your Teleport Cloud tenant:

```code
$ teleport db start \
  --token=/tmp/token \
  --auth-server=mytenant.teleport.sh:443 \
  --name=example-redis \
  --protocol=redis \
  --uri=rediss://redis.example.com:6379 \
  --labels=env=dev
```
(!docs/pages/includes/database-access/create-user.mdx!)
(!docs/pages/includes/database-access/redis-create-users.mdx!)
(!docs/pages/includes/database-access/tctl-auth-sign.mdx!)
We will show you how to use `tctl auth sign` below.

When connecting to standalone Redis, sign the certificate for the hostname over which Teleport will be connecting to it. For example, if your Redis server is accessible at `redis.example.com`, run:

```code
$ tctl auth sign --format=redis --host=redis.example.com --out=server --ttl=2190h
```
(!docs/pages/includes/database-access/ttl-note.mdx!)
The command will create three files:

- `server.cas` with Teleport's certificate authority
- `server.key` with a generated private key
- `server.crt` with a generated user certificate

You will need these files to enable mutual TLS on your Redis server.
(!docs/pages/includes/database-access/rotation-note.mdx!)
Use the generated secrets to enable mutual TLS in your `redis.conf` configuration file and restart the database:

```code
tls-port 6379
port 0
aclfile /path/to/users.acl
tls-ca-cert-file /path/to/server.cas
tls-cert-file /path/to/server.crt
tls-key-file /path/to/server.key
tls-protocols "TLSv1.2 TLSv1.3"
```
Once mutual TLS has been enabled, you will no longer be able to connect to the cluster without providing a valid client certificate. You can use the `tls-auth-clients optional` setting to allow connections from clients that do not present a certificate.

See TLS Support in the Redis documentation for more details.
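The `redis.conf` settings above are easy to weaken by accident: leaving the plaintext `port` open, relaxing `tls-auth-clients`, or allowing legacy TLS versions. As an added example that is not part of the Teleport docs, the following Python audits a `redis.conf` fragment against the hardened settings this guide recommends; both fragments it checks are constructed for illustration, and the defaults it assumes (`port 6379`, `tls-port 0`, `tls-auth-clients yes`) are the Redis defaults.

```python
import shlex

# Constructed sample: the hardened redis.conf fragment from this guide.
HARDENED_CONF = """
tls-port 6379
port 0
aclfile /path/to/users.acl
tls-ca-cert-file /path/to/server.cas
tls-cert-file /path/to/server.crt
tls-key-file /path/to/server.key
tls-protocols "TLSv1.2 TLSv1.3"
"""
# Constructed sample: a weak variant (plaintext port open, no CA file,
# client auth relaxed, legacy TLS versions allowed, no ACL file).
WEAK_CONF = """
port 6379
tls-port 6380
tls-cert-file /path/to/server.crt
tls-key-file /path/to/server.key
tls-auth-clients no
tls-protocols "TLSv1 TLSv1.1 TLSv1.2"
"""

def parse_redis_conf(text):
    """Map each directive to its argument list (last occurrence wins)."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if line:
            parts = shlex.split(line)          # honours quoted values
            conf[parts[0].lower()] = parts[1:]
    return conf

def audit_redis_tls(text):
    """Return findings for settings that weaken mutual TLS; [] means clean."""
    conf = parse_redis_conf(text)
    findings = []
    # Redis defaults: tls-port 0 (off), port 6379 (plaintext on), tls-auth-clients yes
    if conf.get("tls-port", ["0"])[0] == "0":
        findings.append("tls-port unset or 0: TLS listener is disabled")
    if conf.get("port", ["6379"])[0] != "0":
        findings.append("port is not 0: plaintext listener still reachable")
    for key in ("tls-ca-cert-file", "tls-cert-file", "tls-key-file"):
        if key not in conf:
            findings.append(f"{key} missing: mutual TLS cannot be enforced")
    if conf.get("tls-auth-clients", ["yes"])[0] != "yes":
        findings.append("tls-auth-clients is not yes: clients may omit certificates")
    for proto in ("TLSv1", "TLSv1.1"):
        if proto in " ".join(conf.get("tls-protocols", [])).split():
            findings.append(f"tls-protocols allows legacy {proto}")
    if "aclfile" not in conf:
        findings.append("aclfile missing: no per-user ACLs for Teleport users")
    return findings
```

Run `audit_redis_tls` over your real `redis.conf` before restarting Redis; an empty result means the fragment matches the hardened settings above.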
(!docs/pages/includes/database-access/redis-connect.mdx!)
Redis in standalone mode doesn't support the commands below. If one of the listed commands is called, Teleport returns the `ERR Teleport: not supported by Teleport` error.

- `HELLO`
- `PUNSUBSCRIBE`
- `SSUBSCRIBE`
- `SUNSUBSCRIBE`
(!docs/pages/includes/database-access/guides-next-steps.mdx!)