
How to secure Redis Cluster?

I know Redis Cluster is still unstable, but it's been passing all the unit tests for quite a long time so I started using it.

I would like to know if a Redis Cluster would work well if the nodes required authentication. I'm inclined to think yes, because they connect through a different port and use a different protocol, but I'm not sure and couldn't find any documentation or anything on the spec to confirm this.

Also, if the redis cluster protocol flies over the authentication barrier, isn't it a hole in security? Could my database be accessed by the outside world? (The port at least must be accessible so it can talk to the other nodes.)

SSH tunnel may be an easy solution:

  1. You don't need to expose the redis port to the outside world, only the SSH one.
  2. SSH supports data compression, which can reduce the transfer between data centers.

Quick Example: ssh -f -L 1234:localhost:6379 server.com -NC

This will route any incoming connection to localhost:1234 to the remote server.com:6379. So, you can replace server.com:6379 with localhost:1234 in your redis config file.

You could check man ssh for more information.

If any protocol flies over the internet you would need encryption ("ssl"), e.g. across data centers. This in general will affect performance. In the current security spec of Redis -

http://redis.io/topics/security

it is advised that ssl is not supported and you would require an SSL proxy. This should in general cause a system performance hit, e.g. latency, that you would have to take into account.

So ideally cluster nodes should be co-located. If they cannot be, then the cluster should be designed so that it limits cross-site data transport or does it offline without any real-time constraints.

I have also chosen to disable/enable commands on a need-only basis for each node (see details in the security spec above). I am not sure if this is supported in cluster mode or not.

Redis Cluster with SSL is not possible because of the way by which Redis operates in a cluster.

For SSL to work in a Redis deployment you need to install and configure stunnel or a tunneling application.

From the Redis documentation: Note that for a Redis Cluster to work properly you need, for each node: The normal client communication port (usually 6379) used to communicate with clients to be open to all the clients that need to reach the cluster, plus all the other cluster nodes (that use the client port for keys migrations). The cluster bus port (the client port + 10000) must be reachable from all the other cluster nodes.

You can configure the stunnel to receive traffic at some port and redirect the traffic to 6379 or any other port where redis-server is listening. In cluster mode, redis-server announces its "cluster_port" so that clients and other nodes can connect to it on this port. If you override the setting "cluster_announce_port", ssl-clients will succeed in connecting to the node, but redis-cli and inter-node communication over cluster_port will fail.

It seems AWS ElastiCache/Redis Enterprise supports SSL with cluster but not Open Source Redis.
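The port rule quoted from the Redis documentation and the stunnel layout described in this answer, worked through as an added example (not code from the thread or from Redis): it derives the exact set of flows a host firewall must allow per node (client port for clients and peers, bus port = client port + 10000 for peers only) and emits the stunnel service that fronts the client port with TLS. Node and client addresses, the TLS port 6380 and the certificate path are constructed sample values.

```python
from dataclasses import dataclass

CLUSTER_BUS_OFFSET = 10000  # Redis Cluster: bus port = client port + 10000


@dataclass(frozen=True)
class Node:
    host: str
    client_port: int = 6379

    @property
    def bus_port(self) -> int:
        return self.client_port + CLUSTER_BUS_OFFSET


def required_flows(nodes, client_sources) -> set:
    """(source, destination host, destination port) for every flow the cluster
    needs.  A host firewall should allow exactly these and drop everything
    else aimed at the client and bus ports."""
    nodes = list(nodes)
    flows = set()
    for dst in nodes:
        for src in nodes:
            if src == dst:
                continue
            flows.add((src.host, dst.host, dst.client_port))  # key migrations
            flows.add((src.host, dst.host, dst.bus_port))     # cluster bus
        for src in client_sources:
            flows.add((src, dst.host, dst.client_port))       # ordinary clients
    return flows


def sources_allowed(flows, dst_host: str, dst_port: int) -> set:
    """Who may reach dst_host:dst_port under the computed policy."""
    return {src for src, host, port in flows if host == dst_host and port == dst_port}


def stunnel_server_conf(node: Node, tls_port: int, cert_path: str) -> str:
    """stunnel service as described above: accept TLS on tls_port and forward
    plaintext to the local redis-server client port.  No bus-port service is
    generated: the answer notes inter-node traffic cannot be fronted this way."""
    return (f"[redis-tls]\naccept = {tls_port}\n"
            f"connect = 127.0.0.1:{node.client_port}\ncert = {cert_path}\n")


if __name__ == "__main__":
    # Constructed sample topology: three nodes and one client subnet.
    nodes = [Node("10.0.0.1"), Node("10.0.0.2"), Node("10.0.0.3")]
    for flow in sorted(required_flows(nodes, ["10.1.0.0/24"])):
        print(flow)
    print(stunnel_server_conf(nodes[0], 6380, "/etc/stunnel/redis.pem"))
```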
