Redis is up-front with the state of its security. The following important excerpt can be found within the Redis security page:
Redis is designed to be accessed by trusted clients inside trusted environments. This means that usually it is not a good idea to expose the Redis instance directly to the internet or, in general, to an environment where untrusted clients can directly access the Redis TCP port or UNIX socket.
To use SSH tunnels, SSH keys will need to be generated or existing keys used. These keys are present on your local system so before doing this, check in the
~/.ssh directory for any files beginning with
id_ and back them up. If you know the appropriate pass-phrases for these files, skip generating keys and go straight to enabling the SSH portal.
Here is a a quick recap on how to generate SSH keys. To start the process issue a command such as:
ssh-keygen -t rsa -C "firstname.lastname@example.org"
Remember to substitute in a real email address. This starts the key generation process. You'll be asked where to save the key; press return to accept the default. You'll then be asked for a passphrase. Choose a strong phrase – ideally a reasonably long one too. Once you've entered it, press return and enter it again to verify the passphrase. The key generator starts and generates two files,
id_rsa (the private part of your key that you hold on to) and
id_rsa.pub (the public part you give to other people). They can be found in the
Return to the Compose console for the Redis deployment and there, go to the Security tab where you can find the controls for enabling SSH tunnels.
Set the on/off switch on the SSH line to On and click 'Set Active Portals'. The Jobs page opens. This is where the progress of setting up the new portal will be displayed.
Return to the Overview page of the console. The Connection line now reads `Connection: TCP, SSH Available".
Deployment Overview after adding an SSH portal.
The Overview page also suggests adding a user to the system to allow you to connect. Select the Users tab to start adding users.
The User tab.
Click Add user.
Adding a User through the Compose UI.
Users for the SSH tunnel are actually placeholders for SSH keys. They have a Title, for display and reference purposes, and a text field to hold the public SSH key.
Enter a 'Title' that will help you associate the SSH key you are using with a person or a system.
You will find the public SSH key in the
~/.ssh directory, stored as the
.ssh/id_rsa.pub file. The contents of this file need to be transferred to the Key field. You can get it there with
cat ~/.ssh/id_rsa.pub and use the standard cut and paste options on your terminal. On MacOS you can run
cat ~/.ssh/id_rsa.pub | pbcopy to transfer the file directly to the clipboard ready for pasting into the Key field.
Click Add user' to complete the operation. The Jobs view opens as the user is added to the system.
Connection details are shown on the overview page
Connection info for all connection types on the Deployment Overview page.
If the SSH portal is not configured, there will be no "SSH Tunnel Configuration", "SSH Connection String" or "SSH Command Line" entries. Return to the top of this page and check for any omitted steps in the process of setting up the portal.
In a terminal session, run the "SSH Tunnel Configuration" command to create the SSH Tunnel. Note that this command does not exit, and that you might be prompted for the passphrase used when the SSH key was created. Given the connection information above, for example, the command would be:
ssh -N email@example.com -p 10467 \ -L 127.0.0.1:6379:10.0.25.197:5000
Once the tunnel is established the Redis database will appear to be on port 6379, as specified in the
-L part of the tunnel creation. In this example that is port 6379. Traffic on that port will be sent, encrypted, to the remote end of the tunnel and delivered to the IP address and port specified within the secure VLAN on which the Redis deployment is hosted.
The "SSH Command Line" string is the invocation for the
redis-cli command. This requires that the
redis-cli command is installed. See Connecting to Redis for details. Once the
redis-cli command is installed the command in the "SSH Command Line" string should be executable. The required password is available in the Credentials field: click Show in Credentials to reveal the password and also substitute it into the various command lines. Run the command in a new terminal session:
$ redis-cli -p 6379 -a [password] 127.0.0.1:6379> KEYS * 1) "x" 2) "testing" 127.0.0.1:6379>
Similarly, the "SSH Connection String" can be used for applications to make a connection to the Redis server.
We recommend that you increase the security of your deployment by disabling TCP connections from the outside world. Traffic from the SSH portal goes to the TCP Haproxy portal for routing, so the portal is still needed. Using the Security view's Whitelisting option you can select IP addresses or ranges that are allowed to connect to the TCP portals, allowing you to control where the traffic comes from. The IP address you need to whitelist can be found in the Deployment Topology in the Overview. Here is an example topology.
Deployment Topology view
In the Deployment Topology panel, find the row that has a capsule type of
ssh and make a note of the IP address. In the screenshot shown it is 10.0.26.102. To add this to the whitelist:
- Open the Security view
Security view, showing the Whitelist TCP/HTTP IPs panel
- In the Whitelist TCP/HTTP IPs panel, select Add IP to display the form.
- Enter a name for the whitelist entry and the IP address you took from the Deployment Topology panel.
- Click Add IP to complete the process.
Whitellist IP address entry
If you enable whitelisting, 'Whitelist Compose Services' should also be enabled to allow features like the Data Browser access to the database. The system might prompt you to do this by displaying a warning on the Security page.
Reminder to whitelist Compose services.
Click the Whitelist Compose Services button and the required IP addresses will be automatically added to the whitelist. The TCP portal will now only service the SSH portal traffic and Compose's data browser and related services.
If this article didn't solve things, summon a human and get some help!