Skip to content

Instantly share code, notes, and snippets.

@arifnd
Last active June 17, 2023 16:08
Show Gist options
  • Select an option

  • Save arifnd/338619f1c6a6c7b59348c9dd1c61c07c to your computer and use it in GitHub Desktop.

Select an option

Save arifnd/338619f1c6a6c7b59348c9dd1c61c07c to your computer and use it in GitHub Desktop.
Redis with TLS
#!/bin/bash
# 1. Check if script is run as root
if [[ $EUID -ne 0 ]]; then
echo "This script must be run as root."
exit 1
fi
# 2. Get input domain/subdomain name
read -p "Enter domain/subdomain name: " domain
# 3. Install ufw and open ports 80, 443, 6379
apt-get update
apt-get install -y ufw
ufw allow 80
ufw allow 443
ufw allow 6379
echo y | ufw enable
# 4. Install certbot and redis
apt-get install -y certbot redis-server
# 5. Generate SSL certificate using certbot
certbot certonly --standalone -d $domain
# 6. Combine certificate into a single PEM file
cat /etc/letsencrypt/live/$domain/fullchain.pem /etc/letsencrypt/live/$domain/privkey.pem > /etc/ssl/redis.pem
# 7. Update redis config
read -sp "Enter a password for Redis (leave blank for no password): " password
if [[ -n "$password" ]]; then
sed -i "s/^# requirepass .*/requirepass $password/" /etc/redis/redis.conf
fi
sed -i 's/^bind .*/bind 0.0.0.0/' /etc/redis/redis.conf
sed -i 's/^# port .*/port 0/' /etc/redis/redis.conf
sed -i 's/^# tls-port .*/tls-port 6379/' /etc/redis/redis.conf
sed -i 's|^# tls-cert-file .*|tls-cert-file /etc/ssl/redis.pem|' /etc/redis/redis.conf
sed -i 's|^# tls-key-file .*|tls-key-file /etc/ssl/redis.pem|' /etc/redis/redis.conf
sed -i 's|^# tls-ca-cert-dir .*|tls-ca-cert-dir /etc/ssl/certs|' /etc/redis/redis.conf
sed -i 's/^# tls-auth-clients .*/tls-auth-clients no/' /etc/redis/redis.conf
# 8. Restart redis
systemctl restart redis
# 9. Create a script as a hook for certbot renew
cat > /etc/letsencrypt/renewal-hooks/deploy/01-update-redis.sh << EOL
#!/bin/bash
cat /etc/letsencrypt/live/$domain/fullchain.pem /etc/letsencrypt/live/$domain/privkey.pem > /etc/ssl/redis.pem
systemctl restart redis
EOL
chmod +x /etc/letsencrypt/renewal-hooks/deploy/01-update-redis.sh
# 10. Set cron to automatically renew certificates
crontab -l | { cat; echo "0 0 * * 0 certbot renew --post-hook '/etc/letsencrypt/renewal-hooks/deploy/01-update-redis.sh'"; } | crontab -
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment