Configure Redis Sentinel

Last updated: 3 minutes read.

Introduction

From v2.9.3 Redis Sentinel is supported.

Similar to Redis Cluster, our Gateway, Dashboard and Pump all support integration with Redis Sentinel.

To configure Tyk to work with Redis Sentinel, list your servers under addrs and set the master name in your Gateway, Dashboard, Pump and MDCB config. Unlike Redis Cluster, enable_cluster should not be set. Indicative config snippets as follows:

Supported Versions

  • Tyk 5.3 supports Redis 6.2.x, 7.0.x, and 7.2.x
  • Tyk 5.2.x and earlier supports Redis 6.0.x and Redis 6.2.x only.

Gateway

"storage": {
  "type": "redis",
  "addrs": [
    "server1:26379",
    "server2:26379",
    "server3:26379"
  ],
  "master_name": "mymaster",
  "username": "",
  "password": "",
  "database": 0,
  "optimisation_max_idle": 2000,
  "optimisation_max_active": 4000,
  "use_ssl": false
},

Dashboard

"redis_addrs": [
  "server1:26379",
  "server2:26379",
  "server3:26379"
],
"redis_master_name": "mymaster"

Pump

"analytics_storage_config": {
  "type": "redis",
  "addrs": [
    "server1:26379",
    "server2:26379",
    "server3:26379"
  ],
  "master_name": "mymaster",
  "username": "",
  "password": "",
  "database": 0,
  "optimisation_max_idle": 100,
  "use_ssl": false
},

Warning

When using Bitnami charts to install Redis Sentinel in k8s, a Redis service is exposed, which means that standard Redis config is required instead of the above setup, i.e. a single server in addrs and master_name is not required.

Support for Redis Sentinel AUTH

To support the use of Redis Sentinel AUTH (introduced in Redis 5.0.1) we have added the following global config settings in Tyk v3.0.2:

  • In the Tyk Gateway config file - sentinel_password
  • In the Tyk Dashboard config file - redis_sentinel_password
  • In the Tyk Pump config file - sentinel_password
  • In the Tyk Identity Broker config file - SentinelPassword
  • In the Tyk Synk config file - sentinel_password

These settings allow you to support Sentinel password-only authentication in Redis version 5.0.1 and above.

See the Redis and Sentinel authentication section of the Redis Sentinel docs for more details.

Redis Encryption

Redis supports SSL/TLS encryption from version 6 as an optional feature, enhancing the security of data in transit. To configure TLS or mTLS connections between an application and Redis, consider the following settings in Tyk’s configuration files:

  • storage.use_ssl: Set this to true to enable TLS encryption for the connection.

  • storage.ssl_secure_skip_verify: A flag that, when set to true, instructs the application not to verify the Redis server’s TLS certificate. This is not recommended for production due to the risk of man-in-the-middle attacks.

From Tyk 5.3, additional options are available for more granular control:

  • storage.ca_file: Path to the Certificate Authority (CA) file for verifying the Redis server’s certificate.

  • storage.cert_file and storage.key_file: Paths to your application’s certificate and private key files, necessary for mTLS where both parties verify each other’s identity.

  • storage.max_version and storage.min_version: Define the acceptable range of TLS versions, enhancing security by restricting connections to secure TLS protocols (1.2 or 1.3).

Setting up an Insecure TLS Connection

  • Enable TLS: By setting "use_ssl": true, you encrypt the connection.
  • Skip Certificate Verification: Setting "ssl_secure_skip_verify": true bypasses the server’s certificate verification, suitable only for non-production environments.

Setting up a Secure TLS Connection

  • Ensure use_ssl is set to true.
  • Set ssl_secure_skip_verify to false to enforce certificate verification against the CA specified in ca_file.
  • Specify the path to the CA file in ca_file for server certificate verification.
  • Adjust min_version and max_version to secure TLS versions, ideally 1.2 and 1.3.

Setting up a Mutual TLS (mTLS) Connection

  • Follow the steps for a secure TLS connection.
  • Provide paths for cert_file and key_file for your application’s TLS certificate and private key, enabling Redis server to verify your application’s identity.

Example Gateway Configuration

"storage": {
  "type": "redis",
  "addrs": [
    "server1:6379",
    "server2:6380",
    "server3:6381"
  ],
  "use_ssl": true,
  "ssl_secure_skip_verify": false,
  "ca_file": "/path/to/ca.crt",
  "cert_file": "/path/to/client.crt",
  "key_file": "/path/to/client.key",
  "max_version": "1.3",
  "min_version": "1.2",
  "optimisation_max_idle": 2000,
  "optimisation_max_active": 4000
}

See also

Return to Top
This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish.
   Read More