Securing and showing a Redis server to the world

Redis is an in-memory key-value data structure server. The keywords here are in-memory (RAM) and key-value (hash). RAM is the most easily accessible memory location for your CPU, and a hash is the most accessible data structure; the combination of both makes it lethal. It was developed by an Italian developer named Salvatore Sanfilippo, in 2009. Such a system is useful in multiple scenarios, especially in cases where the key is readily available, constant and not changing. In a Rails project, Redis is used in multiple places, for example:

  • Backend of action cable which is used to provide notifications (pub/sub)
  • Queue system used by background workers (Sidekiq, Resque)
  • Web Caching
  • Session Store – sharing user session across all the load balanced servers
  • Fast accessible meta data catalog for your inventory or tool
  • Counting – Redis offers a fast method to increment and decrement value. Being an in-memory storage does add
Coming back to the topic of this article: most self-hosted Rails applications start off by installing Redis on the same server as the Rails application. In fact Sidekiq and crontab (for scheduling tasks) would all be on the same server. Over time, as your project grows with users, you will see the application slowing down, CPU spiking to 100%, etc. We can start fixing that by moving Sidekiq and cron to another server (like how it's done on Heroku). But the first thing we need to do is open the Redis on our main server to the second server and secure it. The steps to be followed are:

To open up your Redis to the world

Go to /etc/redis/redis.conf and find the following line: bind 127.0.0.1. By removing that line you will make your Redis accessible to the world through the default port 6379. You can also open it to the world by setting the IP to 0.0.0.0. Let's remove it for now, as we will be securing it in our firewall (since my example is on AWS, I will be doing that in the security group). If you don't have a security group, then add the IP of the servers connecting to it after a space:

  bind 127.0.0.1 192.168.1.1

Disable protected mode

Since 3.2.0 Redis comes with a default of protected-mode yes, which makes it accept queries and requests only from loopback (the machine itself). It was enabled because most people would install Redis and leave it exposed to the world (Redis has limited security in itself; the system admin is expected to take care of the necessary arrangements). So we need to turn it off. Find the line saying protected-mode and set it to no.

Set a password for your instance

As a final step we can set a password to access Redis. To set that, find the line that says requirepass and after that word provide your password:

  requirepass iwouldbeafooltosharemyrealpassword

Set the IP of your secondary server in your security group

For all those who use AWS, like us: you need to open up this particular port on your machine, but do not make it accessible to all IPs. Redis doesn't have user permissions, so basically if anyone were to get access they could just do a FLUSHALL and you would lose all your data. So open port 6379 in your security group or iptables (if you are on just a Linux server) to the IPs of the clients you want to connect. You can read about security groups here -> http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html

With the above 4 steps you will have opened up the existing Redis installed on your main server to the new secondary server. You can add more machines by adding their IPs to the security group / iptables.
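An added example, not part of the original post: a Python check that reads a redis.conf and reports what the three directives edited above (bind, protected-mode, requirepass) leave exposed. The sample config is constructed to match the steps in this article; the finding names and the 32-character password threshold are assumptions of this example.

```python
import shlex

# Constructed sample: redis.conf after the steps in this article.
AFTER_STEPS = """\
# bind 127.0.0.1   (line removed)
protected-mode no
port 6379
requirepass iwouldbeafooltosharemyrealpassword
"""

WILDCARDS = {"0.0.0.0", "*", "::"}
LOOPBACK = {"127.0.0.1", "::1"}

def parse_conf(text):
    """Map each directive to its argument list; a repeated directive keeps its last value."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            name, *args = shlex.split(line)
            conf[name.lower()] = args
    return conf

def audit(text, min_password_len=32):
    """Return (code, message) findings. min_password_len is this example's assumption."""
    conf = parse_conf(text)
    bind = [a.lstrip("-") for a in conf.get("bind", [])]
    # With no bind directive at all, Redis listens on every interface.
    all_ifaces = not bind or any(a in WILDCARDS for a in bind)
    remote = all_ifaces or any(a not in LOOPBACK for a in bind)
    protected = (conf.get("protected-mode") or ["yes"])[0].lower() == "yes"
    password = (conf.get("requirepass") or [""])[0]
    findings = []
    if all_ifaces:
        findings.append(("bind-all", "listening on every interface; only the "
                         "security group / iptables rule limits who reaches port 6379"))
    if remote and not password and not protected:
        findings.append(("no-auth", "reachable off-host with no password and "
                         "protected mode off; any client can run FLUSHALL"))
    elif remote and password and len(password) < min_password_len:
        findings.append(("weak-pass", f"requirepass is shorter than {min_password_len} "
                         "characters; Redis answers AUTH attempts very quickly"))
    return findings

if __name__ == "__main__":
    for code, message in audit(AFTER_STEPS):
        print(f"{code}: {message}")
```

Run against the constructed sample, it reports only the bind finding, which is the exposure the security group or iptables rule from the last step has to cover.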