TLS
Moon supports TLS 1.3 via rustls and aws-lc-rs. You can run plaintext and TLS listeners simultaneously on different ports.
Basic TLS setup
./target/release/moon \
--port 6379 \
--tls-port 6380 \
--tls-cert-file /path/to/server.crt \
--tls-key-file /path/to/server.key
This serves plaintext on port 6379 and TLS on port 6380.
Connect with TLS:
TLS-only mode
To disable plaintext entirely, set --port 0:
./target/release/moon \
--port 0 \
--tls-port 6379 \
--tls-cert-file /path/to/server.crt \
--tls-key-file /path/to/server.key
Mutual TLS (mTLS)
Require clients to present a certificate signed by a trusted CA:
./target/release/moon \
--tls-port 6379 \
--tls-cert-file /path/to/server.crt \
--tls-key-file /path/to/server.key \
--tls-ca-cert-file /path/to/ca.crt
Connect with a client certificate:
redis-cli -p 6379 --tls \
--cacert /path/to/ca.crt \
--cert /path/to/client.crt \
--key /path/to/client.key
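To exercise the mTLS setup above without a production CA, the following added example (not part of Moon's documentation or code base) builds a throwaway CA plus server and client certificates with the OpenSSL CLI, using the same file names as the commands above. The helper function names, subject names, key size and 30-day lifetime are assumptions chosen for testing.

```shell
#!/bin/sh
# Added example: throwaway test PKI for the mTLS flags on this page.
# Assumptions: the OpenSSL CLI is installed; subject names, RSA-2048 and the
# 30-day lifetime are arbitrary test values, not production issuance policy.
set -eu

make_ca() {    # make_ca DIR NAME  ->  DIR/NAME.crt, DIR/NAME.key
    printf '%s\n' '[req]' 'distinguished_name=req' '[v3_ca]' \
        'basicConstraints=critical,CA:TRUE' 'keyUsage=critical,keyCertSign' \
        > "$1/$2.cnf"
    openssl req -x509 -config "$1/$2.cnf" -extensions v3_ca -newkey rsa:2048 \
        -nodes -days 30 -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.crt"
}

issue_cert() { # issue_cert DIR CA NAME EXTENSION...  ->  DIR/NAME.crt, DIR/NAME.key
    dir=$1 ca=$2 name=$3; shift 3
    printf '%s\n' "$@" > "$dir/$name.ext"      # X.509 v3 extensions for the leaf
    openssl req -new -config "$dir/$ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$name" -keyout "$dir/$name.key" -out "$dir/$name.csr"
    openssl x509 -req -in "$dir/$name.csr" -days 30 -CA "$dir/$ca.crt" \
        -CAkey "$dir/$ca.key" -CAcreateserial -extfile "$dir/$name.ext" \
        -out "$dir/$name.crt"
    chmod 600 "$dir/$name.key"                 # private keys: owner-only
}

chains_to() {  # chains_to CA_CERT PURPOSE LEAF_CERT: exit 0 only if LEAF verifies
    openssl verify -CAfile "$1" -purpose "$2" "$3" >/dev/null 2>&1
}

build_test_pki() {  # build_test_pki DIR: files named as in the commands above
    make_ca "$1" ca
    issue_cert "$1" ca server 'subjectAltName=DNS:localhost,IP:127.0.0.1' \
        'extendedKeyUsage=serverAuth'
    issue_cert "$1" ca client 'extendedKeyUsage=clientAuth'
    # Fail early if either leaf does not verify against the CA for its role.
    chains_to "$1/ca.crt" sslserver "$1/server.crt"
    chains_to "$1/ca.crt" sslclient "$1/client.crt"
}

# Only generate files when a target directory is given on the command line.
if [ "$#" -gt 0 ]; then build_test_pki "$1"; fi
```

Run with an existing directory as its argument, it leaves ca.crt, server.crt, server.key, client.crt and client.key there for the flags shown above. `chains_to ca.crt sslclient server.crt` fails because the server certificate carries only the serverAuth usage, which is a quick way to confirm the two roles are not interchangeable.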
Configuration reference
| Flag | Default | Description |
|---|---|---|
| --tls-port | 0 (disabled) | TLS listener port |
| --tls-cert-file | (none) | PEM certificate file |
| --tls-key-file | (none) | PEM private key file |
| --tls-ca-cert-file | (none) | CA cert for mTLS client auth |
| --tls-ciphersuites | (default) | TLS 1.3 cipher suites |
Note
Moon uses pure-Rust TLS (rustls) with no OpenSSL dependency. The cryptographic backend is aws-lc-rs, which is FIPS-capable and provides high-performance AES-GCM and ChaCha20.