Last active
June 17, 2023 16:08
-
-
Save arifnd/338619f1c6a6c7b59348c9dd1c61c07c to your computer and use it in GitHub Desktop.
Redis with TLS
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # 1. Check if script is run as root | |
| if [[ $EUID -ne 0 ]]; then | |
| echo "This script must be run as root." | |
| exit 1 | |
| fi | |
| # 2. Get input domain/subdomain name | |
| read -p "Enter domain/subdomain name: " domain | |
| # 3. Install ufw and open ports 80, 443, 6379 | |
| apt-get update | |
| apt-get install -y ufw | |
| ufw allow 80 | |
| ufw allow 443 | |
| ufw allow 6379 | |
| echo y | ufw enable | |
| # 4. Install certbot and redis | |
| apt-get install -y certbot redis-server | |
| # 5. Generate SSL certificate using certbot | |
| certbot certonly --standalone -d $domain | |
| # 6. Combine certificate into a single PEM file | |
| cat /etc/letsencrypt/live/$domain/fullchain.pem /etc/letsencrypt/live/$domain/privkey.pem > /etc/ssl/redis.pem | |
| # 7. Update redis config | |
| read -sp "Enter a password for Redis (leave blank for no password): " password | |
| if [[ -n "$password" ]]; then | |
| sed -i "s/^# requirepass .*/requirepass $password/" /etc/redis/redis.conf | |
| fi | |
| sed -i 's/^bind .*/bind 0.0.0.0/' /etc/redis/redis.conf | |
| sed -i 's/^# port .*/port 0/' /etc/redis/redis.conf | |
| sed -i 's/^# tls-port .*/tls-port 6379/' /etc/redis/redis.conf | |
| sed -i 's|^# tls-cert-file .*|tls-cert-file /etc/ssl/redis.pem|' /etc/redis/redis.conf | |
| sed -i 's|^# tls-key-file .*|tls-key-file /etc/ssl/redis.pem|' /etc/redis/redis.conf | |
| sed -i 's|^# tls-ca-cert-dir .*|tls-ca-cert-dir /etc/ssl/certs|' /etc/redis/redis.conf | |
| sed -i 's/^# tls-auth-clients .*/tls-auth-clients no/' /etc/redis/redis.conf | |
| # 8. Restart redis | |
| systemctl restart redis | |
| # 9. Create a script as a hook for certbot renew | |
| cat > /etc/letsencrypt/renewal-hooks/deploy/01-update-redis.sh << EOL | |
| #!/bin/bash | |
| cat /etc/letsencrypt/live/$domain/fullchain.pem /etc/letsencrypt/live/$domain/privkey.pem > /etc/ssl/redis.pem | |
| systemctl restart redis | |
| EOL | |
| chmod +x /etc/letsencrypt/renewal-hooks/deploy/01-update-redis.sh | |
| # 10. Set cron to automatically renew certificates | |
| crontab -l | { cat; echo "0 0 * * 0 certbot renew --post-hook '/etc/letsencrypt/renewal-hooks/deploy/01-update-redis.sh'"; } | crontab - |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment