Geek Answers Handbook

How to protect Redis Cluster?

I know that Redis Cluster is still unstable, but it passed all the unit tests for quite some time, so I started using it.

I would like to know if Redis Cluster will work well if hosts need authentication. I tend to think that yes, because they connect through a different port and use a different protocol, but I am not sure and could not find any documentation or anything on spec to confirm this.

Also, if the redis cluster protocol flies through an authentication barrier, isn't that a security issue? Could my database access the outside world? (the port must be accessible so that it can talk to other nodes)

+7
source share
2 answers

If any protocol flies over the Internet, you will need encryption ("ssl"), for example, through data centers. This will generally affect performance. In the current Redis security specification -

http://redis.io/topics/security

It is recommended that ssl is not supported and you will need an SSL proxy. In the general case, this should lead to an increase in system performance, for example, a delay that you must take into account.

Thus, it is desirable that the cluster nodes are located with each other. If they cannot be then, the cluster should be designed in such a way that it restricts the transfer of data between sites or disconnects without any restrictions in real time.

I also decided to disable / enable commands based on the need for each node only (see the security specification above for details). I'm not sure if this is supported in cluster mode or not.

+3
source

SSH tunnel can be a simple solution:

  • You do not need to expose the redis port to the outside world. only ssh.
  • SSH supports data compression, which can reduce data transfer between data centers.

Quick example: ssh -f -L 1234:localhost:6379 server.com -NC

This will direct any incoming connection to localhost: 1234 to the remote server.com:6379 server. So you can replace server.com:6379 with localhost: 1234 in your redis configuration file.

You can check man ssh for more information.

+6
source

More articles:


All Articles