What's up Builders! This Friday a friend of mine asked me for help on his work with Redis. I was willing to help him because that would sharpen my problem-solving skills. The goal was to access Redis locally on his machine. The size of the RDS database was beyond a terabyte and they needed a cache for performance.
Infra provisioning was a no-brainer with Redis Serverless. A few clicks in the UI and we had our Redis cluster. It gave us an endpoint. We then installed the redis-cli tool and Redis Insight for a graphical view.
We tried to access it with all our might, and a day later realised that it was a VPC endpoint after we checked its DNS record. It resolved to a private IP. Facepalm!
Then we managed port forwarding: port forwarding with SSH and also with SSM.
ssh -i <key-file> -NL <local port to expose redis to>:<redis url>:<redis port> <user>@<bastion ip> -v
ssh -i "mykey.pem" -NL 6379:prod-redis-txtayy.serverless.use1.cache.amazonaws.com:6379 ubuntu@ec2-52-4x-2x-x183.compute-1.amazonaws.com
This exposes port 6379 on our localhost.
However, it took me another 15 minutes to realise that AWS encrypts the traffic in transit, so we had to use --tls in order to connect, even though the private resource was already port forwarded.
Similarly, port forwarding can also be done with AWS SSM:
- Configure your identity
# on your shell configure aws credentials
aws configure
# then insert your keys and necessary regions and output formats in the prompt.
aws sts get-caller-identity
{
"UserId": "AIDAFFQ3DTT7UHP",
"Account": "65465498400",
"Arn": "arn:aws:iam::65465498400:user/someuserxx"
}
# if you get a response like this you are logged in; otherwise you have to configure aws again.
- Download the Session Manager plugin (the URL below is the macOS ARM64 bundle; pick the one for your platform)
curl "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/mac_arm64/sessionmanager-bundle.zip" -o "sessionmanager-bundle.zip"
unzip sessionmanager-bundle.zip
sudo ./sessionmanager-bundle/install -i /usr/local/sessionmanagerplugin -b /usr/local/bin/session-manager-plugin
- Connect to Redis via SSM
aws ssm start-session \
--target i-02f2fc3e98400f \
--document-name AWS-StartPortForwardingSessionToRemoteHost \
--parameters host="prod-redis-txtayy.serverless.use1.cache.amazonaws.com",portNumber="6379",localPortNumber="6379"
The SSM document we are using here is AWS-StartPortForwardingSessionToRemoteHost.
If you get "Waiting for connection", you have forwarded the port. Let's verify with
lsof -i tcp:6379
So far so good. Congratulations! You have forwarded AWS private infra into your local machine's network, on your localhost.
Now my friend told me that the lazy developer isn't happy with the CLI. He needs a graphical tool, which is Redis Insight. It wasn't connecting at all; it was timing out.
Thank god it was an open source tool. I cloned Redis Insight and installed the dependencies. Ran the Electron app and it was running fine. It has two applications: a backend for the connection and a frontend (a Vite app) for rendering the UI. I went into debug mode and started checking the memory traces for what was happening. Alas, it was the rejectUnauthorized
rejectUnauthorized: true
parameter that was causing the error. The bug was trapped.
I set all the instances to false and it connected (rejectUnauthorized: false skips certificate verification altogether, so the connection is no longer authenticated). It works by hook or by crook at my end after taking help from my cousin (Prabhat). But there must be a concrete solution. I refreshed my research on certificates and certificate authorities, and the Diffie-Hellman key exchange algorithm.
Now here comes the trick. Let's go to the bastion with SSH and run this command to get our server certificate:
openssl s_client -connect prod-redis-txtayy.serverless.use1.cache.amazonaws.com:6379 -showcerts
With openssl you get the details of the certificate AWS presents for your Redis server. Copy the server certificate and use it.
That still does not solve the problem unless you fix your DNS. Let's do it.
This is needed because the certificate says the traffic is coming from prod-redis-txtayy.serverless.use1.cache.ama..
Wait a minute, it was coming from localhost, or 127.0.0.1, right?
Let's change our hosts in /etc/hosts.
What we're saying is that prod-redis-txtayy.serverless.use1.cache.ama.. is localhost.
Now the information in the certificate matches the domain name we connect to, and we can actually connect with the certificate.
Select "Use TLS" and add a new certificate. I named it *.serverless.use1.cache.amazonaws.com and pasted the certificate in. Now we are connected via Redis Insight.