
Redis iOS client using WebSocket in a secure way

I am currently communicating with my Redis instance from my iOS client using a WebSocket. I specify the host address and the listening port and execute some Redis commands from my iOS client directly.

The reason I am doing that is because I am doing real live geolocation tracking, and executing these commands from my backend, which is in PHP, will result in latency.

I am afraid that this is not the most secure way, because if someone knows my host address and ports, he will be able to access my Redis instance.

My question is: how can I communicate with my Redis instance from my iOS client using a WebSocket, but in a more secure way?

There are a couple of ways of doing it, depending on how your project is set up. You could add an NGINX load balancer in front of your PHP/Redis containers that accepts JSON Web Tokens for authentication: https://www.nginx.com/blog/authentication-content-based-routing-jwts-nginx-plus/

Redis has the ability to do authentication as well, but it looks like that isn't considered best practice. You can find more information about it here: https://redis.io/commands/auth

@Ahmed,

I read the answer provided by @ThatCampbellKid and the comments and understand your wish to have the iOS client communicate directly with the Redis server.

However, Redis was NOT designed for this approach. As indicated in the documentation (emphasis added):

Redis is designed to be accessed by trusted clients inside trusted environments.

The internet is not a trusted environment and the direct access allows Redis to be accessed by non-trusted clients.

The same documentation gives the following example (emphasis added):

In the common case of a single computer directly exposed to the internet, such as a virtualized Linux instance (Linode, EC2, ...), the Redis port should be firewalled to prevent access from the outside. Clients will still be able to access Redis using the loopback interface.

The correct approach would be to use a dynamic application to authenticate clients and bridge between clients and the Redis server.

You can use JWT (the nginx module suggested by @ThatCampbellKid), PHP, Ruby, node.js, Java, C or whatever you want - but you will need to use something.

I'm sorry to say this, but any other shortcut will expose your system to security risks.


EDIT:

Yes, you can still use WebSocket.

The difference is that this architecture is not secure:

Client <=(WebSockets)=> Redis

And this architecture is secure (if implemented correctly):

Client <=(WebSockets)=> Authentication Layer <=(TCP)=> Redis

As you said you are already running Nginx, then have a look at the Nchan WebSockets module.

Your Nginx install can then serve WebSocket connections directly, and it has support for several methods of client authentication as well as direct integration with Redis.
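
The decision logic of the "Authentication Layer" box in the diagram above, as an added Node.js example that is not part of the original question or answers. The key name `drivers`, the message fields `action`, `lon` and `lat`, and the HS256 token with `sub` and `exp` claims are assumptions for illustration; the WebSocket server and the Redis connection themselves are outside the example.

```javascript
const crypto = require('node:crypto');

const GEO_KEY = 'drivers'; // assumed name of the Redis geo set
const b64url = (x) => Buffer.from(x).toString('base64url');
const hmac = (data, secret) => crypto.createHmac('sha256', secret).update(data).digest();

// Backend side: issue an HS256 JWT after login (included so the example runs offline).
function signToken(claims, secret) {
  const signed = `${b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }))}.${b64url(JSON.stringify(claims))}`;
  return `${signed}.${b64url(hmac(signed, secret))}`;
}

// Gateway side: compare the signature in constant time, pin the algorithm, enforce expiry.
function verifyToken(token, secret, nowSec) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const expected = hmac(`${parts[0]}.${parts[1]}`, secret);
  const given = Buffer.from(parts[2], 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  try {
    const header = JSON.parse(Buffer.from(parts[0], 'base64url').toString());
    const claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
    if (header.alg !== 'HS256' || typeof claims.sub !== 'string') return null;
    return typeof claims.exp === 'number' && claims.exp > nowSec ? claims : null;
  } catch {
    return null; // malformed header or payload
  }
}

// Map one parsed WebSocket message to the single Redis command it may cause.
// The client never supplies a raw command, a key, or another user's member name.
function authorize(msg, secret, nowSec = Math.floor(Date.now() / 1000)) {
  const claims = msg ? verifyToken(msg.token, secret, nowSec) : null;
  if (!claims) return { ok: false, reason: 'unauthenticated' };
  if (msg.action === 'update') {
    const { lon, lat } = msg;
    const valid = Number.isFinite(lon) && Number.isFinite(lat) &&
      Math.abs(lon) <= 180 && Math.abs(lat) <= 85.05112878; // limits GEOADD accepts
    if (!valid) return { ok: false, reason: 'bad coordinates' };
    return { ok: true, redis: ['GEOADD', GEO_KEY, String(lon), String(lat), claims.sub] };
  }
  if (msg.action === 'whereami') return { ok: true, redis: ['GEOPOS', GEO_KEY, claims.sub] };
  return { ok: false, reason: 'action not allowed' };
}
```

The gateway sends only the returned `redis` array over its own TCP connection, with the Redis port firewalled from the outside as the quoted documentation recommends.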
