diff --git a/README.md b/README.md
index eb3f72a..cc0591b 100644
--- a/README.md
+++ b/README.md
@@ -2,19 +2,17 @@
 No-configuration connections for redis-cli to Redis TLS services.
+## Requirements
+
+ - redis-cli
+ - stunnel
+
 ## Use
-To run stunredis.sh:
+To run stunredis:
 * Download the files.
-* `chmod u+x stunredis.sh` to make it executable.
+* `chmod u+x stunredis` to make it executable.
 * Get a connection string for your Redis database.
-* Run `./stunredis.sh `
-
-## Notes on lechain.pem
-
-The lechain.pem file is a sample of the verification chain for Lets Encrypt. Do not use for production if you are concerned about correctness.
-
-You can be create your own version of lechain.pem by downloading and combining the contents of the [Let's Encrypt X3 Cross-signed PEM file](https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt) and the [IdenTrust Root for X3](https://www.identrust.com/certificates/trustid/root-download-x3.html). (The latter link's content will need to be wrapped in the same `-----BEGIN CERTIFICATE-----`/`-----END CERTIFICATE-----` lines that the first links content is wrapped in). Consult lechain.pem for an example of how it should look.
+* Run `./stunredis `
-For simplicity, it is located in the same directory as the stunredis.sh script.
diff --git a/lechain.pem b/lechain.pem
deleted file mode 100644
index 51a191a..0000000
--- a/lechain.pem
+++ /dev/null
@@ -1,50 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
-MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
-DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
-SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
-GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
-AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
-q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
-SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
-Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
-a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
-/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
-AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
-CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
-bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
-c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
-VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
-ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
-MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
-Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
-AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
-uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
-wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
-X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
-PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
-KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
-MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
-DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
-PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
-Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
-AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
-rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
-OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
-xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
-7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
-aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
-HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
-SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
-ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
-AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
-R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
-JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
-Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
------END CERTIFICATE-----
-
-
-
diff --git a/stunredis.sh b/stunredis
similarity index 51%
rename from stunredis.sh
rename to stunredis
index 37cfe19..426c950 100755
--- a/stunredis.sh
+++ b/stunredis
@@ -17,41 +17,46 @@
 # limitations under the License.
 DATABASE_URL=$1
-LOCALPORT=${2:-6830}
+
+if [ -z "$1" ]; then
+ echo "stunredis rediss://redis.example.com:6379 [localbindport]"
+ exit 1
+fi
 # This is the location of the validation chain file
-lechain=./lechain.pem
+cabundle=/etc/pki/tls/certs/ca-bundle.crt
 # URL parsing based on https://stackoverflow.com/a/17287984
 # extract the protocol
-proto="`echo $DATABASE_URL | grep '://' | sed -e's,^\(.*://\).*,\1,g'`"
+proto="`echo "$DATABASE_URL" | grep '://' | sed -e's,^\(.*://\).*,\1,g'`"
 # remove the protocol
-url=`echo $DATABASE_URL | sed -e s,$proto,,g`
+url=`echo "$DATABASE_URL" | sed -e s,$proto,,g`
 # extract the user and password (if any)
-userpass="`echo $url | grep @ | cut -d@ -f1`"
-pass=`echo $userpass | grep : | cut -d: -f2`
+userpass="`echo "$url" | grep @ | cut -d@ -f1`"
+pass=`echo "$userpass" | grep : | cut -d: -f2-`
 if [ -n "$pass" ]; then
- user=`echo $userpass | grep : | cut -d: -f1`
+ user=`echo "$userpass" | grep : | cut -d: -f1`
 else
- user=$userpass
+ user="$userpass"
 fi
-hostport=`echo $url | sed -e s,$userpass@,,g | cut -d/ -f1`
-port=`echo $hostport | grep : | cut -d: -f2`
+hostport=${url#"$userpass@"}
+port=`echo "$hostport" | grep : | cut -d: -f2`
 if [ -n "$port" ]; then
- host=`echo $hostport | grep : | cut -d: -f1`
+ host=`echo "$hostport" | grep : | cut -d: -f1`
 else
- host=$hostport
+ host="$hostport"
 fi
 # Now we create our configuration file as a variable
+acceptsock=$"${HOME}/.redis.${BASHPID}.sock"
 stunnelconf=""
-stunnelconf+=$"foreground=yes\n"
+stunnelconf+=$"foreground=yes\n"
+stunnelconf+=$"pid=\n"
 stunnelconf+=$"[redis-cli]\n"
 stunnelconf+=$"client=yes\n"
-stunnelconf+=$"accept=127.0.0.1:$LOCALPORT\n"
-stunnelconf+=$"verifyChain=yes\n"
-stunnelconf+=$"checkHost=$host\n"
-stunnelconf+=$"CAfile=$lechain\n"
+stunnelconf+=$"accept=$acceptsock\n"
+stunnelconf+=$"CAfile=$cabundle\n"
+stunnelconf+=$"verify=2\n"
 stunnelconf+=$"connect=$hostport\n"
 # We expand that out in echo and feed the result to stunnel
@@ -62,11 +67,20 @@
 echo -e $stunnelconf | stunnel -fd 0 &
 # Grab the pid
 stunnelpid=$!
-# Sleep a moment to let the connection establish
-sleep 1
-# Now call redis-cli for the user to interact with
-redis-cli -p $LOCALPORT -a ${pass}
-# Once they leave that, kill the stunnel
-kill $stunnelpid
-
-
+# Sleep a moment to let stunnel start
+sleep 1
+# Assuming it's running...
+if kill -0 $stunnelpid &>/dev/null; then
+ # Now call redis-cli for the user to interact with
+ if [[ -n "${pass}" ]]; then
+ redis-cli -s "$acceptsock" -a "${pass}"
+ else
+ redis-cli -s "$acceptsock"
+ fi
+ # Once they leave that, kill the stunnel
+ kill $stunnelpid &>/dev/null
+ wait $stunnelpid
+ exit 0
+fi
+echo "stunnel faild to start" 1>&2
+exit 1
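Review bot: Replacing `verifyChain=yes` and `checkHost=$host` with `verify=2` drops hostname verification: `verify=2` only makes stunnel require a peer certificate that chains to something in `CAfile`, so a valid certificate issued to any other name by any CA in the system bundle is accepted for `connect=$hostport`, and `$host` is now computed in this hunk but never used. Keep the removed lines `stunnelconf+=$"verifyChain=yes\n"` and `stunnelconf+=$"checkHost=$host\n"` in place of the `verify=2` line; the previous revision already relied on them, so the stunnel in use supports them. Separately, `hostport=${url#"$userpass@"}` no longer strips a trailing path component the way the old `cut -d/ -f1` did, so a string such as `rediss://host:6379/0` yields `connect=host:6379/0`; add `hostport=${hostport%%/*}` on the next line. The `cabundle` path is distribution-specific, so a readability check before building the config, `[ -r "$cabundle" ] || { echo "CA bundle not found: $cabundle" 1>&2; exit 1; }`, gives a clear error instead of an opaque verification failure.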
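Review bot: The success path ends in `exit 0` regardless of how `redis-cli` exited, and neither path removes the Unix socket `$acceptsock` created under `$HOME`, so a socket file is left behind after every run and stunnel keeps running if the script is interrupted before the `kill`. `kill -0 $stunnelpid` after `sleep 1` only proves the process is alive, not that it is listening, so the first `redis-cli` connect can still race stunnel's startup. I would wait on `[ -S "$acceptsock" ]`, move kill/wait/rm into an `EXIT` trap so cleanup also runs on interruption, and propagate redis-cli's status; the final message should also read `echo "stunnel failed to start" 1>&2`. Since the socket appears to be created with the caller's umask, a `umask 077` before the `stunnel -fd 0 &` context line would keep other local users from reaching the tunnel endpoint.
```shell
stunnelpid=$!
cleanup() {
  kill "$stunnelpid" 2>/dev/null
  wait "$stunnelpid" 2>/dev/null
  rm -f -- "$acceptsock"
}
trap cleanup EXIT
# Wait for the listening socket rather than only for a live process.
for _ in 1 2 3 4 5; do
  [ -S "$acceptsock" ] && break
  sleep 1
done
if [ -S "$acceptsock" ]; then
  # Now call redis-cli for the user to interact with
  if [[ -n "${pass}" ]]; then
    redis-cli -s "$acceptsock" -a "${pass}"
  else
    redis-cli -s "$acceptsock"
  fi
  rc=$?
  exit "$rc"   # cleanup runs from the EXIT trap
fi
echo "stunnel failed to start" 1>&2
exit 1
```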