GuidesAPI ReferenceSupportArticles

Redis SSH Tunnels

Suggest Edits

TLS/SSL vs SSH

Beginning in October of 2017, Compose offers TLS/SSL enabled connections to Redis. Check out our Connecting to Redis page for all the various connection types to choose the best one for your environment.

It is still possible to provision SSH portals for your deployment, but it is no longer the recommended method for connecting securely. Please consider using the TLS/SSL enabled HTTPS connections instead.

Generating SSH keys

To use SSH tunnels, SSH keys will need to be generated or existing keys used. These keys are present on your local system so before doing this, check in the ~/.ssh directory for any files beginning with id_ and back them up. If you know the appropriate pass-phrases for these files, skip generating keys and go straight to enabling the SSH portal.

Here is a a quick recap on how to generate SSH keys. To start the process issue a command such as:

ssh-keygen -t rsa -C "[email protected]"

Remember to substitute in a real email address. This starts the key generation process. You'll be asked where to save the key; press return to accept the default. You'll then be asked for a passphrase. Choose a strong phrase – ideally a reasonably long one too. Once you've entered it, press return and enter it again to verify the passphrase. The key generator starts and generates two files, id_rsa (the private part of your key that you hold on to) and id_rsa.pub (the public part you give to other people). They can be found in the ~/.ssh directory.

Enabling the SSH portal

Return to the Compose console for the Redis deployment and there, go to the Security tab where you can find the controls for enabling SSH tunnels.

2418

Set the on/off switch on the SSH line to On and click 'Set Active Portals'. The Jobs page opens. This is where the progress of setting up the new portal will be displayed.

Return to the Overview page of the console. The Connection line now reads `Connection: TCP, SSH Available".

1870

Deployment Overview after adding an SSH portal.

Adding a User

The Overview page also suggests adding a user to the system to allow you to connect. Select the Users tab to start adding users.

1812

The User tab.

Click Add user.

1692

Adding a User through the Compose UI.

Users for the SSH tunnel are actually placeholders for SSH keys. They have a Title, for display and reference purposes, and a text field to hold the public SSH key.

Enter a 'Title' that will help you associate the SSH key you are using with a person or a system.

You will find the public SSH key in the ~/.ssh directory, stored as the .ssh/id_rsa.pub file. The contents of this file need to be transferred to the Key field. You can get it there with cat ~/.ssh/id_rsa.pub and use the standard cut and paste options on your terminal. On MacOS you can run cat ~/.ssh/id_rsa.pub | pbcopy to transfer the file directly to the clipboard ready for pasting into the Key field.

Click Add user' to complete the operation. The Jobs view opens as the user is added to the system.

Creating the SSH Tunnel

Connection details are shown on the overview page

1514

Connection info for all connection types on the Deployment Overview page.

If the SSH portal is not configured, there will be no "SSH Tunnel Configuration", "SSH Connection String" or "SSH Command Line" entries. Return to the top of this page and check for any omitted steps in the process of setting up the portal.

In a terminal session, run the "SSH Tunnel Configuration" command to create the SSH Tunnel. Note that this command does not exit, and that you might be prompted for the passphrase used when the SSH key was created. Given the connection information above, for example, the command would be:

ssh -N [email protected] -p 10467 \
-L 127.0.0.1:6379:10.0.25.197:5000

Once the tunnel is established the Redis database will appear to be on port 6379, as specified in the -L part of the tunnel creation. In this example that is port 6379. Traffic on that port will be sent, encrypted, to the remote end of the tunnel and delivered to the IP address and port specified within the secure VLAN on which the Redis deployment is hosted.

Connecting through the tunnel

The "SSH Command Line" string is the invocation for the redis-cli command. This requires that the redis-cli command is installed. See Connecting to Redis for details. Once the redis-cli command is installed the command in the "SSH Command Line" string should be executable. The required password is available in the Credentials field: click Show in Credentials to reveal the password and also substitute it into the various command lines. Run the command in a new terminal session:

$ redis-cli -p 6379 -a [password]
127.0.0.1:6379> KEYS *
 1) "x"
 2) "testing"
127.0.0.1:6379>

Similarly, the "SSH Connection String" can be used for applications to make a connection to the Redis server.

Enhancing Security

We recommend that you increase the security of your deployment by disabling TCP connections from the outside world. Traffic from the SSH portal goes to the TCP Haproxy portal for routing, so the portal is still needed. Using the Security view's Whitelisting option you can select IP addresses or ranges that are allowed to connect to the TCP portals, allowing you to control where the traffic comes from. The IP address you need to whitelist can be found in the Deployment Topology in the Overview. Here is an example topology.

2132

Deployment Topology view

In the Deployment Topology panel, find the row that has a capsule type of ssh and make a note of the IP address. In the screenshot shown it is 10.0.26.102. To add this to the whitelist:

  • Open the Security view
1800

Security view, showing the Whitelist TCP/HTTP IPs panel

  • In the Whitelist TCP/HTTP IPs panel, select Add IP to display the form.
  • Enter a name for the whitelist entry and the IP address you took from the Deployment Topology panel.
  • Click Add IP to complete the process.
1240

Whitellist IP address entry

If you enable whitelisting, 'Whitelist Compose Services' should also be enabled to allow features like the Data Browser access to the database. The system might prompt you to do this by displaying a warning on the Security page.

1524

Reminder to whitelist Compose services.

Click the Whitelist Compose Services button and the required IP addresses will be automatically added to the whitelist. The TCP portal will now only service the SSH portal traffic and Compose's data browser and related services.

Still Need Help?

If this article didn't solve things, summon a human and get some help!

Updated over 3 years ago