Configure Redis

The Security Proxy uses Redis as a cache server to store short-lived values in memory. This speeds up the application and significantly reduces the number of database queries.

Redis Sentinel provides high availability for Redis: it monitors the master and, when the master fails, the Sentinels agree on a new master and promote a replica. The rest of this chapter describes how Redis including Sentinel can be set up and how to configure Redis in the Security Proxy.

Example Redis Compose configuration

To have a highly available Redis setup you must deploy at least 3 Sentinels and 2 Redis nodes (one master and one slave). You need 3 Sentinels because a failover must be agreed by a majority of the Sentinels. With only 2 Sentinels, losing one of them (for example because it runs on the same host as the failed master) leaves no majority, so no new master can be elected and the cluster stays in a masterless state, which means it no longer functions.

The code snippet below shows an example Compose configuration that deploys 1 Redis master, 1 Redis slave and 3 Sentinel nodes. All containers get fixed addresses on a private bridge network (192.168.100.0/24) and no ports are published to the host, so Redis and Sentinel are reachable only from containers attached to that network. Keep it that way: the cache holds session keys, so the Redis and Sentinel ports must not be exposed beyond the Security Proxy containers.

version: "2"
services:
  redis-master:
    image: release.onegini.com/onegini/redis:1.0.0
    user: onegini
    environment:
      - REDIS_PORT=6379
      - REDIS_ANNOUNCE_IP=192.168.100.8
      - REDIS_ANNOUNCE_PORT=6379
    networks:
      overlay:
        ipv4_address: 192.168.100.8

  redis-slave:
    image: release.onegini.com/onegini/redis:1.0.0
    user: onegini
    environment:
      - REDIS_PORT=6379
      - REDIS_ANNOUNCE_IP=192.168.100.9
      - REDIS_ANNOUNCE_PORT=6379
      - REDIS_SLAVE=True
      - REDIS_SLAVEOF_IP=192.168.100.8
      - REDIS_SLAVEOF_PORT=6379
    depends_on:
      - redis-master
    networks:
      overlay:
        ipv4_address: 192.168.100.9

  redis-master-sentinel:
    image: release.onegini.com/onegini/redis:1.0.0
    user: onegini
    environment:
      - REDIS_SENTINEL=True
      - REDIS_SENTINEL_PORT=26379
      - REDIS_SENTINEL_ANNOUNCE_IP=192.168.100.10
      - REDIS_SENTINEL_ANNOUNCE_PORT=26379
      - REDIS_SENTINEL_MASTER_IP=192.168.100.8
      - REDIS_SENTINEL_MASTER_PORT=6379
    depends_on:
      - redis-master
    networks:
      overlay:
        ipv4_address: 192.168.100.10

  redis-slave-sentinel:
    image: release.onegini.com/onegini/redis:1.0.0
    user: onegini
    environment:
      - REDIS_SENTINEL=True
      - REDIS_SENTINEL_PORT=26379
      - REDIS_SENTINEL_ANNOUNCE_IP=192.168.100.11
      - REDIS_SENTINEL_ANNOUNCE_PORT=26379
      - REDIS_SENTINEL_MASTER_IP=192.168.100.8
      - REDIS_SENTINEL_MASTER_PORT=6379
    depends_on:
      - redis-master-sentinel
    networks:
      overlay:
        ipv4_address: 192.168.100.11

  redis-slave-sentinel-failover:
    image: release.onegini.com/onegini/redis:1.0.0
    user: onegini
    environment:
      - REDIS_SENTINEL=True
      - REDIS_SENTINEL_PORT=26379
      - REDIS_SENTINEL_ANNOUNCE_IP=192.168.100.12
      - REDIS_SENTINEL_ANNOUNCE_PORT=26379
      - REDIS_SENTINEL_MASTER_IP=192.168.100.8
      - REDIS_SENTINEL_MASTER_PORT=6379
    depends_on:
      - redis-master-sentinel
    networks:
      overlay:
        ipv4_address: 192.168.100.12

networks:
  overlay:
    driver: bridge
    ipam:
      config:
        - subnet: 192.168.100.0/24

Security Proxy configuration

The Security Proxy connects to Redis through Sentinel: it asks the Sentinels for the address of the current master instead of being configured with a fixed Redis address. This means that the Sentinel nodes must be configured in the Security Proxy. Add the following properties to the engine container environment configuration. The values are based on the Redis configuration shown above.

  security-proxy:
    image: release.onegini.com/onegini/security-proxy:<SECURITY_PROXY_VERSION>
    restart: always
    user: onegini
    environment:
      ...
      # Cache
      - SECURITY_PROXY_CACHE_ENCRYPTION_PASSWORD=39mDvjEezgZZ6bgHy3jTG25K

      - SECURITY_PROXY_REDIS_SENTINEL_NODES=192.168.100.10:26379,192.168.100.11:26379,192.168.100.12:26379
      - SECURITY_PROXY_REDIS_SENTINEL_MASTER_ID=mymaster
      ...

SECURITY_PROXY_CACHE_ENCRYPTION_PASSWORD sets the password that is used to encrypt all values stored in the cache. Pick a strong, randomly generated password and do not reuse the example value shown above: the Payload Encryption session keys are among the cached values, so anyone who can read the Redis data and knows this password can recover them.

The last two properties are Redis specific. SECURITY_PROXY_REDIS_SENTINEL_NODES is a comma-separated list of host:port pairs that lists all Sentinel nodes; list every Sentinel, not just one, so the Security Proxy can still locate the master when a Sentinel is down. SECURITY_PROXY_REDIS_SENTINEL_MASTER_ID is the name under which the master is registered in Sentinel. The Onegini Redis container registers the master as mymaster, so we need to tell the Security Proxy that our master is called mymaster.
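The following Python script is an added example, not part of the Onegini documentation or the Security Proxy itself. It models the five services of the Compose file above as plain data and checks the invariants that both the Compose topology and the Security Proxy properties depend on: every announced address is the container's own address on the overlay subnet, the slave and all Sentinels point at the master's announced address, at least three Sentinels exist, and SECURITY_PROXY_REDIS_SENTINEL_NODES lists exactly those Sentinels. The service records, the check rules and the deliberately wrong-subnet variant are assumptions made for this example; the script does not read the Compose file or connect to Redis.

```python
import copy
import ipaddress

SUBNET = "192.168.100.0/24"


def service(ip, **env):
    """One Compose service: its fixed overlay address plus its environment."""
    return {"ip": ip, "env": {k: str(v) for k, v in env.items()}}


# Constructed from the Compose example above (not parsed from the file).
TOPOLOGY = {
    "redis-master": service("192.168.100.8", REDIS_PORT=6379,
                            REDIS_ANNOUNCE_IP="192.168.100.8",
                            REDIS_ANNOUNCE_PORT=6379),
    "redis-slave": service("192.168.100.9", REDIS_PORT=6379,
                           REDIS_ANNOUNCE_IP="192.168.100.9",
                           REDIS_ANNOUNCE_PORT=6379, REDIS_SLAVE="True",
                           REDIS_SLAVEOF_IP="192.168.100.8",
                           REDIS_SLAVEOF_PORT=6379),
}
for _name, _ip in [("redis-master-sentinel", "192.168.100.10"),
                   ("redis-slave-sentinel", "192.168.100.11"),
                   ("redis-slave-sentinel-failover", "192.168.100.12")]:
    TOPOLOGY[_name] = service(_ip, REDIS_SENTINEL="True",
                              REDIS_SENTINEL_PORT=26379,
                              REDIS_SENTINEL_ANNOUNCE_IP=_ip,
                              REDIS_SENTINEL_ANNOUNCE_PORT=26379,
                              REDIS_SENTINEL_MASTER_IP="192.168.100.8",
                              REDIS_SENTINEL_MASTER_PORT=6379)


def is_sentinel(svc):
    return svc["env"].get("REDIS_SENTINEL") == "True"


def sentinel_nodes(topology):
    """Value for SECURITY_PROXY_REDIS_SENTINEL_NODES: host:port,host:port,..."""
    return ",".join(f"{s['env']['REDIS_SENTINEL_ANNOUNCE_IP']}:"
                    f"{s['env']['REDIS_SENTINEL_ANNOUNCE_PORT']}"
                    for s in topology.values() if is_sentinel(s))


def check_topology(topology, subnet=SUBNET, proxy_nodes=None):
    """Return a list of problems; an empty list means the topology is consistent."""
    net = ipaddress.ip_network(subnet)
    problems = []
    masters = [n for n, s in topology.items()
               if not is_sentinel(s) and s["env"].get("REDIS_SLAVE") != "True"]
    if len(masters) != 1:
        return [f"expected exactly one master, found {masters}"]
    m = topology[masters[0]]["env"]
    master_addr = (m["REDIS_ANNOUNCE_IP"], m["REDIS_ANNOUNCE_PORT"])
    sentinels = []
    for name, s in topology.items():
        env, p = s["env"], ("REDIS_SENTINEL" if is_sentinel(s) else "REDIS")
        announce = (env[p + "_ANNOUNCE_IP"], env[p + "_ANNOUNCE_PORT"])
        # Other nodes dial the announced address, so it must be this
        # container's own overlay address and listening port.
        if announce != (s["ip"], env[p + "_PORT"]):
            problems.append(f"{name}: announces {announce} but listens on "
                            f"{s['ip']}:{env[p + '_PORT']}")
        for label, ip in (("address", s["ip"]), ("announce IP", announce[0])):
            if ipaddress.ip_address(ip) not in net:
                problems.append(f"{name}: {label} {ip} is outside {subnet}")
        if is_sentinel(s):
            sentinels.append(announce)
            target = (env["REDIS_SENTINEL_MASTER_IP"], env["REDIS_SENTINEL_MASTER_PORT"])
        elif env.get("REDIS_SLAVE") == "True":
            target = (env["REDIS_SLAVEOF_IP"], env["REDIS_SLAVEOF_PORT"])
        else:
            continue  # the master points at nobody
        if target != master_addr:
            problems.append(f"{name}: points at {target}, master announces {master_addr}")
    # A failover must be agreed by a majority of Sentinels; with fewer than 3,
    # losing one Sentinel leaves no majority and the cluster stays masterless.
    if len(sentinels) < 3:
        problems.append(f"only {len(sentinels)} Sentinels; deploy at least 3")
    if proxy_nodes is not None:
        expected = {f"{h}:{port}" for h, port in sentinels}
        if set(proxy_nodes.split(",")) != expected:
            problems.append(f"SECURITY_PROXY_REDIS_SENTINEL_NODES={proxy_nodes} "
                            f"does not list exactly {sorted(expected)}")
    return problems


def with_wrong_subnet(topology):
    """Copy of the topology with one Sentinel on 192.168.0.x instead of 192.168.100.x."""
    bad = copy.deepcopy(topology)
    env = bad["redis-slave-sentinel"]["env"]
    env["REDIS_SENTINEL_ANNOUNCE_IP"] = "192.168.0.11"
    env["REDIS_SENTINEL_MASTER_IP"] = "192.168.0.8"
    return bad


if __name__ == "__main__":
    nodes = sentinel_nodes(TOPOLOGY)
    print("SECURITY_PROXY_REDIS_SENTINEL_NODES=" + nodes)
    print("consistent:", check_topology(TOPOLOGY, proxy_nodes=nodes) == [])
    for problem in check_topology(with_wrong_subnet(TOPOLOGY)):
        print("problem:", problem)
```

Run it with python3. The correct topology produces no problems and prints the exact SECURITY_PROXY_REDIS_SENTINEL_NODES value used in the Security Proxy configuration. The wrong-subnet variant reports three: the Sentinel announces an address that is not its own, that address lies outside 192.168.100.0/24, and the Sentinel monitors a master address on which nothing listens. A typo of that kind is silent in Compose itself, which is why checking the addresses against each other before deployment is worthwhile.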

A full example of a Security Proxy configuration can be found in the Installation instructions chapter.