redis module TLS authentication
Chinnapaiyan, Nagamani
Nagamani.Chinnapaiyan at viasat.com
Tue Jul 23 10:50:27 CEST 2019
Hi,
We have TLS enabled AWS elasticache.
By default, if we try to connect to redis-server with a password, the FreeRADIUS DHCP server does not connect to the DB.
# cat /etc/raddb/mods-enabled/redis
redis {
server = clustercfg.naw01-dhcpdb.oovb0g.usw2.cache.amazonaws.com
port = 6379
password = PASSWORD
pool {
start = ${thread[pool].num_workers}
min = ${thread[pool].num_workers}
max = ${thread[pool].num_workers}
spare = 1
uses = 0
retry_delay = 30
lifetime = 86400
cleanup_interval = 300
idle_timeout = 600
connect_timeout = 3.0
}
}
The radiusd process got stuck while connecting to the redis server:
Instantiating module "redis"
rlm_redis (redis) [1] - Initialising connection pool
pool {
start = 4
min = 4
max = 4
max_pending = 0
spare = 1
uses = 0
lifetime = 86400
cleanup_interval = 300
idle_timeout = 600
connect_timeout = 3.000000
held_trigger_min = 0.000000
held_trigger_max = 0.500000
retry_delay = 30
spread = no
}
rlm_redis (redis) [1] - Ignoring "spare = 1", forcing to "spare = 0"
rlm_redis (redis) [1] - Opening additional connection (0), 1 of 4 pending slots used
rlm_redis (redis) - [1] Connecting to node 10.43.16.181:6379
<<< no output hereafter.
Then I established an stunnel (secure tunnel) between localhost and redis-server and connected the FreeRADIUS DHCP server to localhost. This works sometimes, but most of the time we get a "MOVED" error from redis-server (as it is in a cluster).
Stunnel config:
# cat /etc/stunnel/redis-stunnel.conf
fips = no
setuid = root
setgid = root
pid = /var/run/stunnel.pid
debug = warning
delay = yes
options = NO_SSLv2
options = NO_SSLv3
[redis-stunnel]
client = yes
accept = 127.0.0.1:6379
connect = clustercfg.naw01-dhcpdb.oovb0g.usw2.cache.amazonaws.com:6379
redis module config:
# cat /etc/raddb/mods-enabled/redis
redis {
server = localhost
port = 6379
password = PASSWORD
pool {
start = ${thread[pool].num_workers}
min = ${thread[pool].num_workers}
max = ${thread[pool].num_workers}
spare = 1
uses = 0
retry_delay = 30
lifetime = 86400
cleanup_interval = 300
idle_timeout = 600
connect_timeout = 3.0
}
}
(4) redis_ippool - EXPAND %{DHCP-Client-Hardware-Address}_%{DHCP-Client-Identifier}
(4) redis_ippool - --> 00:a0:bc:11:22:33_0x00a0bc112233
(4) redis_ippool - Allocating lease from pool "healthcheck_VSAT-UT", to "00:a0:bc:11:22:33_0x00a0bc112233", expires in 30s
(4) redis_ippool - Reserved connection (3)
(4) redis_ippool - [1] >>> Sending command(s) to 127.0.0.1:6379
(4) redis_ippool - ERROR: (0) error : MOVED 12826 naw01-dhcpdb-0001-001.naw01-dhcpdb.oovb0g.usw2.cache.amazonaws.com:6379
(4) redis_ippool - [1] <<< Returned: move
(4) redis_ippool - Initiating cluster remap
(4) redis_ippool - Not IPv4/6 address, and asked not to resolve
(4) redis_ippool - Released connection (3)
(4) redis_ippool - Need 2 more connections to reach min connections (4)
(4) redis_ippool - Opening additional connection (4), 1 of 2 pending slots used
rlm_redis (redis) - [1] Connecting to node 127.0.0.1:6379
(4) redis_ippool - [1] Processing redirect "MOVED 12826 naw01-dhcpdb-0001-001.naw01-dhcpdb.oovb0g.usw2.cache.amazonaws.com:6379"
(4) redis_ippool (fail)
(4) } # recv DHCP-Discover (fail)
This MOVED error is resolved if redis_ippool retries the command many times. (I am saying this because even redis-cli does not support TLS authentication. With stunnel, redis-cli gives the same "MOVED" error, and retrying many times works there.)
If possible, how can I configure the number of retries in the redis_ippool/redis module?
Or is there a way to connect directly to redis-server from the DHCP server without needing stunnel?
I am using the 4.x branch (commit id 2e26049fae00508fe722ae0f04b00b5d9f3726dc).
Regards,
Nagamani Chinnapaiyan
More information about the Freeradius-Users mailing list
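The redirect loop described in the post, as an added example that is not part of the original message or of FreeRADIUS: a minimal cluster-aware client in Python that computes a key's hash slot (CRC16/XMODEM with the Redis hashtag rule), parses MOVED/ASK replies, follows the redirect to the node it names, caches the slot owner, and gives up after a fixed number of redirects. The node names, slot ranges and two-node fake cluster are constructed for the example; tls_connect shows the per-node TLS connection a real client needs in place of one stunnel listener, because the redirect carries the node's own hostname and port rather than the address the tunnel was configured with.

```python
# Added example (editor's, not from the original post or from FreeRADIUS):
# a minimal cluster-aware Redis client that follows MOVED/ASK redirects.
# Node names, slot ranges and the fake cluster below are constructed.
import re
import socket
import ssl
from typing import Callable, Dict, List, Optional, Tuple

Node = Tuple[str, int]
Transport = Callable[[Node, List[str]], str]  # send one command, return one reply line

REDIRECT_RE = re.compile(r"^(MOVED|ASK) (\d+) ([^:\s]+):(\d+)$")


def crc16_xmodem(data: bytes) -> int:
    """CRC16/XMODEM (poly 0x1021, init 0), the checksum Redis Cluster hashes keys with."""
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def key_slot(key: str) -> int:
    """Hash slot (0..16383) of a key, honouring {hashtag} the way Redis Cluster does."""
    raw = key.encode()
    start = raw.find(b"{")
    if start != -1:
        end = raw.find(b"}", start + 1)
        if end not in (-1, start + 1):          # non-empty tag: hash only what is inside it
            raw = raw[start + 1:end]
    return crc16_xmodem(raw) & 16383


def parse_redirect(reply: str) -> Optional[Tuple[str, int, str, int]]:
    """'MOVED 12826 host:6379' -> ('MOVED', 12826, 'host', 6379); None for other replies."""
    match = REDIRECT_RE.match(reply)
    if match is None:
        return None
    kind, slot, host, port = match.groups()
    return kind, int(slot), host, int(port)


def tls_connect(host: str, port: int, timeout: float = 3.0) -> ssl.SSLSocket:
    """Verified TLS connection to one node: what stunnel does, but per redirect target."""
    ctx = ssl.create_default_context()
    return ctx.wrap_socket(socket.create_connection((host, port), timeout=timeout),
                           server_hostname=host)


class ClusterRouter:
    """Routes commands by slot, follows redirects, and remembers each slot's owner."""

    def __init__(self, seed: Node, transport: Transport, max_redirects: int = 5):
        self.seed = seed
        self.transport = transport
        self.max_redirects = max_redirects
        self.slot_map: Dict[int, Node] = {}
        self.redirects_seen = 0

    def execute(self, command: List[str]) -> str:
        slot = key_slot(command[1])                # command[1] is the key
        node = self.slot_map.get(slot, self.seed)
        for _ in range(self.max_redirects + 1):
            reply = self.transport(node, command)
            redirect = parse_redirect(reply)
            if redirect is None:
                return reply
            kind, moved_slot, host, port = redirect
            self.redirects_seen += 1
            node = (host, port)
            if kind == "MOVED":                    # ASK is one-off; MOVED changes ownership
                self.slot_map[moved_slot] = node
        raise RuntimeError(f"gave up after {self.max_redirects} redirects for slot {slot}")


def make_fake_cluster() -> Transport:
    """Constructed two-node cluster: node-0001 owns slots 0-8191, node-0002 owns 8192-16383.
    The 'clustercfg' name is an alias for node-0001, like a configuration endpoint."""
    owners = {("node-0001.example.internal", 6379): range(0, 8192),
              ("node-0002.example.internal", 6379): range(8192, 16384)}
    aliases = {("clustercfg.example.internal", 6379): ("node-0001.example.internal", 6379)}
    store: Dict[str, str] = {}

    def transport(node: Node, command: List[str]) -> str:
        node = aliases.get(node, node)
        slot = key_slot(command[1])
        owner = next(n for n, slots in owners.items() if slot in slots)
        if owner != node:
            return f"MOVED {slot} {owner[0]}:{owner[1]}"
        if command[0] == "SET":
            store[command[1]] = command[2]
            return "OK"
        if command[0] == "GET":
            return store.get(command[1], "(nil)")
        return "ERR unknown command"

    return transport


if __name__ == "__main__":
    router = ClusterRouter(("clustercfg.example.internal", 6379), make_fake_cluster())
    print(router.execute(["SET", "123456789", "lease"]), router.redirects_seen)  # OK 1
    print(router.execute(["GET", "123456789"]), router.redirects_seen)           # lease 1
```

Run as-is to exercise the fake cluster. Against a real TLS-enabled cluster, build the transport on tls_connect, send AUTH on each new node connection before the first command, and keep the redirect cap: a client that has no path to the node named in the MOVED reply will otherwise loop until the cap and fail exactly as the log above shows.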