Aiven Redis uses SSL encrypted connections by default. This is indicated by the rediss:// prefix in the service URL (note the double s).
Since Redis 6, the redis-cli tool itself supports SSL connections, so you can connect directly to your service using:
redis-cli -u rediss://username:password@host:port
Or with the third-party redli tool:
redli -u rediss://username:password@host:port
Unfortunately, not all Redis clients support SSL encrypted connections. To support these clients, we allow, but do not recommend, turning off SSL.
One way to work around this is to set up a stunnel process on the client side to handle encryption for the clients that do not support SSL connections. You can use the following stunnel configuration to set this up.
client = yes
foreground = yes
debug = info
delay = yes
; Service-level options go in a named section (the name "redis" is arbitrary).
[redis]
accept = 127.0.0.1:6380
connect = myredis.testproject.aivencloud.com:28173
TIMEOUTclose = 0
; For old services only. New ones use Let's Encrypt and there's no
; CA cert available from Aiven console. Most environments trust
; Let's Encrypt by default without any explicit CAfile config.
; CAfile = /path/to/optional/project/cacert/that/you/can/download/from/aiven/console
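stunnel does not verify the server certificate unless told to, so a client-side tunnel without verification options encrypts the traffic but does not authenticate the endpoint. The variant below is an added example, not Aiven's own configuration. It reuses the sample host and port from this page and assumes a Debian/Ubuntu style system CA bundle path:

```ini
; Added example: client-side tunnel with server certificate verification.
; Host and port are the sample values used on this page.
client = yes
foreground = yes
debug = info
delay = yes

[redis]
; Listen on loopback only, so the plain-text leg never leaves the machine.
accept = 127.0.0.1:6380
connect = myredis.testproject.aivencloud.com:28173
TIMEOUTclose = 0

; Refuse the connection unless the certificate chains to a trusted CA.
verifyChain = yes
; Refuse the connection unless the certificate was issued for this host name.
checkHost = myredis.testproject.aivencloud.com

; Assumption: system CA bundle location on Debian/Ubuntu; adjust for your OS.
; For old services, point this at the project CA certificate downloaded
; from the Aiven console instead.
CAfile = /etc/ssl/certs/ca-certificates.crt
```

Point the non-SSL client at 127.0.0.1:6380. The Redis username and password are still required, since any local process can reach the loopback listener.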
Note that when SSL is in use, we have a separate service terminating the SSL connections before they are forwarded to Redis. This process has a connection timeout of its own, independent of Redis' connection timeout. If you allow very long Redis timeouts, this frontend service may end up closing the connection before the Redis timeout has expired. At the time of writing, this timeout is set to 12 hours.
Another alternative is to allow plain-text connections. Before doing that, make sure you understand the implications of communicating with your Redis service over plain-text connections. If SSL is turned off, anyone who can eavesdrop on the traffic can potentially connect to and access your Aiven Redis service.
In order to do this you need to have the Aiven command line client installed.
Once installed, you should run:
avn login # if you haven't logged in previously
And then run:
avn service update myredis -c "redis_ssl=false"
After this, the service_uri will change and point at the new location. It will also start with the redis:// prefix, denoting that it's a direct Redis connection that doesn't use SSL.