
How to secure Redis Cluster?

I know Redis Cluster is still unstable, but it's been passing all the unit tests for quite a long time so I started using it.

I would like to know if a Redis Cluster would work well if the nodes required authentication. I'm inclined to think yes, because they connect through a different port and use a different protocol, but I'm not sure and couldn't find any documentation or anything in the spec to confirm this.

Also, if the redis cluster protocol flies over the authentication barrier, isn't it a hole in security? Could my database be accessed by the outside world? (the port at least must be accessible so it can talk to the other nodes)

SSH tunnel may be an easy solution:

  1. You don't need to expose the redis port to the outside world, only the SSH one.
  2. SSH supports data compression, which can reduce the transfer between data centers.

Quick Example: ssh -f -L 1234:localhost:6379 server.com -NC

This will route any incoming connection to localhost:1234 to the remote server.com:6379. So, you can replace server.com:6379 with localhost:1234 in your redis config file.

You could check man ssh for more information.
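The tunnel from the answer above, wrapped in a few shell functions so it can be started, verified and torn down cleanly. This is an added example, not code from the answer: the host name server.com, local port 1234 and remote port 6379 are taken from the answer as assumed values, the control-socket path and the option names are my choices.

```shell
#!/bin/sh
# Added example (not from the answer above): wrap "ssh -f -L" in functions
# with a control socket so the tunnel can be checked and closed cleanly.
# Host "server.com", local port 1234 and remote port 6379 are the assumed
# values from the answer; override them through the environment.

REDIS_SSH_HOST="${REDIS_SSH_HOST:-server.com}"
LOCAL_PORT="${LOCAL_PORT:-1234}"
REMOTE_PORT="${REMOTE_PORT:-6379}"
CTRL_SOCK="${CTRL_SOCK:-$HOME/.ssh/redis-tunnel-$LOCAL_PORT}"

# Compose the ssh command line.
#   -f -N : go to background without running a remote shell
#   -C    : compress (item 2 of the answer)
#   -o ExitOnForwardFailure=yes : fail loudly if the local port is already
#                                 taken instead of leaving a tunnel that
#                                 forwards nothing
#   -L 127.0.0.1:... : bind the local end to loopback only, so other hosts
#                      on the LAN cannot ride the tunnel into Redis
tunnel_cmd() {
    printf 'ssh -f -N -C -o ExitOnForwardFailure=yes -o ControlMaster=yes -o ControlPath=%s -L 127.0.0.1:%s:127.0.0.1:%s %s\n' \
        "$CTRL_SOCK" "$LOCAL_PORT" "$REMOTE_PORT" "$REDIS_SSH_HOST"
}

tunnel_up() {
    eval "$(tunnel_cmd)"
}

# Returns 0 only if a PING through the tunnel is answered with PONG.
tunnel_check() {
    [ "$(redis-cli -h 127.0.0.1 -p "$LOCAL_PORT" ping 2>/dev/null)" = "PONG" ]
}

# Ask the control master to exit, which closes the forward with it.
tunnel_down() {
    ssh -o ControlPath="$CTRL_SOCK" -O exit "$REDIS_SSH_HOST"
}

case "${1:-}" in
    up)    tunnel_up && tunnel_check ;;
    check) tunnel_check ;;
    down)  tunnel_down ;;
esac
```

Run it as `sh tunnel.sh up` on the client host, then point the application (or the replica's config, as the answer suggests) at 127.0.0.1:1234; `sh tunnel.sh down` closes it. Binding the local end to 127.0.0.1 explicitly matters: a tunnel that listens on all interfaces would re-expose Redis to the client host's network, which is exactly what the tunnel was meant to avoid.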

If any protocol flies over the internet you would need encryption ("ssl") eg across data centers. This in general will affect performance. In the current security spec of Redis -

http://redis.io/topics/security

it is advised that ssl is not supported and you would require a SSL proxy. This should in general cause a system performance hit eg latency that you would have to take into account.

So ideally cluster nodes should be co-located. If they cannot be then the cluster should be designed so that it limits cross site data transport or does it off line without any real time constraints.

I have also chosen to disable/enable commands on a need only basis for each node (see details in the security spec above). I am not sure if this is supported in cluster mode or not.
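To make the "commands on a need-only basis" point and the question's worry about the cluster port concrete, here is an added example (not from the answer above) that emits a hardened redis.conf fragment for one node and the firewall rules for its two ports. requirepass only covers the client port; the cluster bus port (client port + 10000) carries no password, so restricting it to the peer list is the only control for it. The addresses 10.0.0.11/12/13, the application subnet 10.0.1.0/24, the password and the CONFIG alias are assumed placeholder values.

```shell
#!/bin/sh
# Added example, not part of the answer above: hardened redis.conf fragment
# for one cluster node plus iptables rules keeping its two ports reachable
# only from where they must be. Assumed values: node 10.0.0.11, peers
# 10.0.0.12 and 10.0.0.13, clients in 10.0.1.0/24; password and CONFIG
# alias are placeholders to be replaced from a secret store.

NODE_IP="${NODE_IP:-10.0.0.11}"
CLIENT_PORT="${CLIENT_PORT:-6379}"
BUS_PORT=$((CLIENT_PORT + 10000))
PEERS="${PEERS:-10.0.0.12 10.0.0.13}"
APP_NET="${APP_NET:-10.0.1.0/24}"
REDIS_PASSWORD="${REDIS_PASSWORD:-REPLACE-WITH-LONG-RANDOM-SECRET}"
CONFIG_ALIAS="${CONFIG_ALIAS:-REPLACE-WITH-RANDOM-NAME}"

# Node configuration: bind to the private address only, require AUTH on the
# client port, disable commands the application never needs (renaming to ""
# removes the command) and hide CONFIG behind a name only operators know.
# CLUSTER and MIGRATE must stay untouched: other nodes send them over the
# client port for key migration.
node_conf() {
    cat <<EOF
bind $NODE_IP 127.0.0.1
port $CLIENT_PORT
protected-mode yes
cluster-enabled yes
requirepass $REDIS_PASSWORD
rename-command FLUSHALL ""
rename-command FLUSHDB ""
rename-command DEBUG ""
rename-command CONFIG "$CONFIG_ALIAS"
EOF
}

# iptables rules, printed rather than applied so they can be reviewed; pipe
# the output to "sh" on the node to install them. Peers may reach both
# ports, application hosts only the client port, everyone else neither.
firewall_rules() {
    for peer in $PEERS; do
        printf 'iptables -A INPUT -p tcp -s %s --dport %s -j ACCEPT\n' "$peer" "$BUS_PORT"
        printf 'iptables -A INPUT -p tcp -s %s --dport %s -j ACCEPT\n' "$peer" "$CLIENT_PORT"
    done
    printf 'iptables -A INPUT -p tcp -s %s --dport %s -j ACCEPT\n' "$APP_NET" "$CLIENT_PORT"
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$BUS_PORT"
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$CLIENT_PORT"
}

# Pre-deploy check: every peer needs a bus-port ACCEPT ahead of the DROP,
# otherwise the node is cut off from the cluster.
peers_allowed_on_bus() {
    for peer in $PEERS; do
        firewall_rules | grep -q -- "-s $peer --dport $BUS_PORT -j ACCEPT" || return 1
    done
    return 0
}

case "${1:-}" in
    conf)  node_conf ;;
    rules) firewall_rules ;;
esac
```

`sh harden.sh conf` prints the fragment to append to the node's redis.conf, `sh harden.sh rules | sh` installs the rules. The order matters: the per-peer ACCEPT lines are appended before the catch-all DROP for each port, so the DROP only sees traffic that no earlier rule matched.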

Redis Cluster with SSL is not possible because of the way by which Redis operates in a cluster.

For SSL to work in a Redis deployment you need to install and configure stunnel or a tunneling application.

From the Redis documentation: Note that for a Redis Cluster to work properly you need, for each node: The normal client communication port (usually 6379) used to communicate with clients to be open to all the clients that need to reach the cluster, plus all the other cluster nodes (that use the client port for keys migrations). The cluster bus port (the client port + 10000) must be reachable from all the other cluster nodes.

You can configure the stunnel to receive traffic at some port and redirect the traffic to 6379 or any other port where redis-server is listening. In cluster mode, redis-server announces its "cluster_port" so that clients and other nodes can connect to it on this port. If you override the setting "cluster_announce_port", SSL clients will succeed in connecting to the node but redis-cli and inter-node communication over cluster_port will fail.

It seems AWS ElastiCache/Redis Enterprise supports SSL with cluster but not Open Source Redis.
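The stunnel pair that the answer above (and the "SSL proxy" remark in the earlier answer) describes, as an added example rather than code from either answer. The server side terminates TLS on 6380 and forwards to the local Redis client port 6379; each application host runs stunnel in client mode so the application keeps speaking plain RESP to 127.0.0.1:6379 while the hop between hosts is encrypted. The host name redis.internal, the certificate paths and the listening ports are assumed values. As the answer states, this wraps the client port only: cluster bus traffic and node-to-node migration are not carried by it.

```shell
#!/bin/sh
# Added example, not from the answer above: the two stunnel configurations
# for wrapping the Redis client port in TLS. Assumed values: Redis host
# "redis.internal", TLS port 6380, Redis port 6379, certificate paths under
# /etc/stunnel. Cluster bus traffic is not covered, as the answer says.

REDIS_HOST="${REDIS_HOST:-redis.internal}"
TLS_PORT="${TLS_PORT:-6380}"
REDIS_PORT="${REDIS_PORT:-6379}"

# /etc/stunnel/redis-server.conf on the Redis host. Redis itself stays bound
# to 127.0.0.1, so the only socket reachable from outside is the TLS one.
server_conf() {
    cat <<EOF
[redis-server]
accept = 0.0.0.0:$TLS_PORT
connect = 127.0.0.1:$REDIS_PORT
cert = /etc/stunnel/redis-server.pem
key = /etc/stunnel/redis-server.key
EOF
}

# /etc/stunnel/redis-client.conf on each application host. "client = yes"
# reverses the direction. verifyChain, CAfile and checkHost make the client
# reject a server whose certificate was not issued by our CA for that name;
# without them the tunnel would happily encrypt traffic to any endpoint
# that speaks TLS, including a spoofed one.
client_conf() {
    cat <<EOF
client = yes
[redis-client]
accept = 127.0.0.1:$REDIS_PORT
connect = $REDIS_HOST:$TLS_PORT
CAfile = /etc/stunnel/ca.pem
verifyChain = yes
checkHost = $REDIS_HOST
EOF
}

# On an application host: confirm the local stunnel end answers as Redis.
client_check() {
    [ "$(redis-cli -h 127.0.0.1 -p "$REDIS_PORT" ping 2>/dev/null)" = "PONG" ]
}

case "${1:-}" in
    server) server_conf ;;
    client) client_conf ;;
    check)  client_check ;;
esac
```

`sh stunnel-redis.sh server > /etc/stunnel/redis-server.conf` on the Redis host and `sh stunnel-redis.sh client > /etc/stunnel/redis-client.conf` on each application host, then `stunnel` with the respective file. Keeping Redis bound to 127.0.0.1 on the server is what makes the setup worthwhile: if Redis also listened on the public address, the TLS port would just sit beside an unencrypted one.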
