example/tls-connection/README.md
Shows different ways to connect to Redis over TLS.
Start Redis with TLS:
```bash
cd ../..
docker compose --profile standalone up -d
```

Then run the example:

```bash
go run .
```
Quick way to test with self-signed certs:
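```go
client := redis.NewClient(&redis.Options{
	Addr: "localhost:6666",
	TLSConfig: &tls.Config{
		InsecureSkipVerify: true, // skips certificate chain and hostname checks
	},
})
```

Don't use this in production: with `InsecureSkipVerify` set, the client accepts any certificate, so the server's identity is never checked.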
Proper way for production:
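```go
// Needs: crypto/tls, crypto/x509, log, os
caCert, err := os.ReadFile("path/to/ca.crt")
if err != nil {
	log.Fatalf("read CA cert: %v", err)
}
caCertPool := x509.NewCertPool()
if !caCertPool.AppendCertsFromPEM(caCert) {
	log.Fatal("no PEM certificates found in CA file")
}

client := redis.NewClient(&redis.Options{
	Addr: "localhost:6666",
	TLSConfig: &tls.Config{
		RootCAs:    caCertPool,
		ServerName: "localhost", // must match a name in the server certificate
	},
})
```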
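What the two configurations above do at the handshake, as an added example that is not part of this repository. It uses only the standard library: a `net/http/httptest` TLS server with its built-in test certificate stands in for Redis, and `handshake`, `outcomes` and the hostname `redis.invalid` are made up for the illustration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// handshake dials addr with cfg and returns the handshake error, if any.
// cfg is the same kind of *tls.Config that goes into redis.Options.TLSConfig.
func handshake(addr string, cfg *tls.Config) error {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err == nil {
		conn.Close()
	}
	return err
}

// outcomes tries four client configurations against one local TLS server
// (a stand-in for Redis; only the handshake matters here).
func outcomes() map[string]error {
	srv := httptest.NewTLSServer(http.NotFoundHandler())
	defer srv.Close()

	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate()) // trust exactly this server's certificate
	addr := srv.Listener.Addr().String()
	name := srv.Certificate().DNSNames[0] // a name the certificate is valid for
	const bad = "redis.invalid"           // constructed name, not in the certificate

	return map[string]error{
		"verified":     handshake(addr, &tls.Config{RootCAs: pool, ServerName: name}),
		"wrong name":   handshake(addr, &tls.Config{RootCAs: pool, ServerName: bad}),
		"untrusted CA": handshake(addr, &tls.Config{RootCAs: x509.NewCertPool(), ServerName: name}),
		// InsecureSkipVerify accepts the connection even though the name is wrong.
		"skip verify": handshake(addr, &tls.Config{InsecureSkipVerify: true, ServerName: bad}),
	}
}

func main() {
	for label, err := range outcomes() {
		fmt.Printf("%-13s -> %v\n", label, err)
	}
}
```

The test server logs the two rejected handshakes to stderr; the client-side errors are the ones to read.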
If Redis requires client certs:
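```go
// Needs: crypto/tls, crypto/x509, log, os
caCert, err := os.ReadFile("path/to/ca.crt")
if err != nil {
	log.Fatalf("read CA cert: %v", err)
}
caCertPool := x509.NewCertPool()
if !caCertPool.AppendCertsFromPEM(caCert) {
	log.Fatal("no PEM certificates found in CA file")
}
cert, err := tls.LoadX509KeyPair("path/to/client.crt", "path/to/client.key")
if err != nil {
	log.Fatalf("load client key pair: %v", err)
}

client := redis.NewClient(&redis.Options{
	Addr: "localhost:6666",
	TLSConfig: &tls.Config{
		RootCAs:      caCertPool,
		Certificates: []tls.Certificate{cert}, // presented to the server
		ServerName:   "localhost",
	},
})
```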
Using a `rediss://` URL:

```go
opt, err := redis.ParseURL("rediss://localhost:6666")
if err != nil {
	log.Fatalf("parse Redis URL: %v", err)
}
opt.TLSConfig = &tls.Config{
	InsecureSkipVerify: true, // for testing only
}
client := redis.NewClient(opt)
```
Redis 6.2+ can authenticate users based on the certificate CN field. You need to configure Redis with:
```
tls-auth-clients optional
tls-auth-clients-user CN
```
Then the CN in your client cert becomes your username - no password needed.
Check ../../tls_cert_auth_test.go for a working example that:
Note: The current Redis test build doesn't support this yet, so the test skips gracefully.
Run the TLS tests:
```bash
go test -v -run "^TestTLS" -timeout 30s
```