httpredis

HTTP status codes for Redis Sentinel when using TLS.

Why ?

To offer high availability when using HAProxy and Redis + Sentinel are configured to use TLS.

The problem to solve

When not using TLS, HAProxy can be configured like this to find the current master:

backend redis
    mode tcp
    balance first
    timeout queue 5s
    default-server check inter 1s fall 2 rise 2 maxconn 500
    option tcp-check
    tcp-check connect
    tcp-check send AUTH\ secret\r\n
    tcp-check expect string +OK
    tcp-check send PING\r\n
    tcp-check expect string +PONG
    tcp-check send info\ replication\r\n
    tcp-check expect string role:master
    tcp-check send info\ server\r\n
    tcp-check expect rstring uptime_in_seconds:\d{2,}
    tcp-check send QUIT\r\n
    tcp-check expect string +OK
    server redis1 10.0.1.11:6379
    server redis2 10.0.1.12:6379
    server redis3 10.0.1.13:6379

This works very good, but if Redis is configured to use TLS, the option tcp-check doesn't work since it doesn't support TLS.

How it works

httpredis is a web service that connects to Redis using TLS, when requesting info replication if role is role:master the service will return the HTTP status code 200.

The HAProxy configuration can be:

backend redis
    mode tcp
    option httpchk
    default-server check inter 1s fall 2 rise 2 port 36379
    server redis1 10.0.1.11:6379 ssl crt /path/to/redis.pem ca-file /path/to/ca.crt ssl verify none
    server redis2 10.0.1.11:6379 ssl crt /path/to/redis.pem ca-file /path/to/ca.crt ssl verify none
    server redis3 10.0.1.11:6379 ssl crt /path/to/redis.pem ca-file /path/to/ca.crt ssl verify none

redis.pem is the redis.crt + redis.key:

$ cat redis.crt redis.key > redis.pem

Every Redis node need to run httpredis:

$ cargo install httpredis

Then run it like this:

httpredis --tls-ca-cert-file /path/to/ca.crt --tls-cert-file /path/to/redis.crt --tls-key-file /path/to/redis.key --pass secret

check httpredis -h for more options