Compose Database-as-a-Service Help and Documentation

Everything you need to know about Compose, Hosted or Enterprise, is here in our help system. Whether you run one database for your businesses' sole application or six different databases to support an entire corporation, we've got the information you need.

Redis SSH Tunnels

Why SSH Tunnels

Redis is up-front with the state of its security. The following important excerpt can be found within the Redis security page:

Redis is designed to be accessed by trusted clients inside trusted environments. This means that usually it is not a good idea to expose the Redis instance directly to the internet or, in general, to an environment where untrusted clients can directly access the Redis TCP port or UNIX socket.

Generating SSH keys

To use SSH tunnels, SSH keys will need to be generated or existing keys used. These keys are present on your local system so before doing this, check in the ~/.ssh directory for any files beginning with id_ and back them up. If you know the appropriate pass-phrases for these files, skip generating keys and go straight to enabling the SSH portal.

Here is a a quick recap on how to generate SSH keys. To start the process issue a command such as:

ssh-keygen -t rsa -C "your_email@example.com" 

Remember to substitute in a real email address. This will begin the key generation process. You'll be asked where to save the key, just press enter for the default. You'll then be asked for a passphrase. Choose a strong phrase – ideally a reasonably long one too. Once you've entered it, hit return and enter it again to verify that you actually entered what you think you entered. The key generator will then start up and will write out two files, id_rsa (the private part of your key that you hold on to) and id_rsa.pub (the public part you give to other people). They can be found in the ~/.ssh directory.

Enabling the SSH portal

Return to the Compose console for the Redis deployment and there, go to the Security tab where the controls for enabling SSH tunnels are.

Set the on/off switch on the SSH line to On and then click on 'Set Active Portals'. This will take us to to the 'Jobs' page where the progress of setting up the new portal will be displayed.

Return to the Overview page of the console and the Connection line now reads `Connection: TCP, SSH Available".

Adding a User

The overview above also suggests adding a user to the system to allow you to connect. Select the Users tab and it will show no exisiting users.

Click on the Add user button or link to add a user.

Users for the SSH tunnel are actually placeholders for SSH keys. They have a Title, for display and reference purposes, and a text field to hold the public SSH key.

Enter a 'Title' that will help you associate the SSH key you are using with a person or a system.

The public SSH key will be in the ~/.ssh directory, specifically it'll be the .ssh/id_rsa.pub file. The contents of this file need to be transferred to the Key field. Users can cat ~/.ssh/id_rsa.pub and use the standard cut and paste options on their terminal. MacOS users can run cat ~/.ssh/id_rsa.pub | pbcopy to transfer the file directly to the clipboard ready for pasting into the Key field.

Click the Add user' button to complete the operation. The Jobs view will appear as the user is added to the system.

Creating the SSH Tunnel

Connection details are shown on the overview page

If the SSH portal is not configured, there will be no "SSH Tunnel Configuration", "SSH Connection String" or "SSH Command Line" entries. Return to the top of this page and check for any omitted steps in the process of setting up the portal.

In a terminal session, run the "SSH Tunnel Configuration" command to create the SSH Tunnel. This command does not exit and the user may be prompted for the pass phrase used when they created the SSH key. Given the connection information above, for example, the command would be:

ssh -N compose@sl-eu-lon-2-portal.1.dblayer.com -p 10467 \
-L 127.0.0.1:6379:10.0.25.197:5000 

Once the tunnel is established, in this example, the Redis database will appear to be on port 6379, as specified in the -L part of the tunnel creation. Traffic on that port will be sent, encrypted, the remote end of the tunnel and delivered to the IP address and port specified within the secure VLAN on which the Redis deployment is hosted.

Connecting through the tunnel

The "SSH Command Line" string is the invocation for the redis-cli command. This requires that the redis-cli command to be installed. See Connecting to Redis for details. Once the redis-cli command is installed the command in the "SSH Command Line" string should be executable. Users will require the password which is available in the Credentials field - Clicking Show in *Credentials will not only reveal the password but also substitute it into the various command lines. Take the command and run it in a new terminal session:

$ redis-cli -p 6379 -a [password]
127.0.0.1:6379> KEYS *
 1) "x"
 2) "testing"
127.0.0.1:6379> 

Similarly, the "SSH Connection String" can be used for applications to make a connection to the Redis server.

Enhancing Security

If we want to increase security and disable TCP connections from the outside world, we can use the 'Security' view's Whitelisting option. This allows you to select IP addresses or ranges that are allowed to connect to the TCP or SSH portals.

If you enable white-listing, 'Whitelist Compose Services' should be enabled too to allow features like the Data Browser access to the database.


Still Need Help?

If this article didn't solve things, summon a human and get some help!

Redis SSH Tunnels