Redis is up-front with the state of its security. The following important excerpt can be found within the Redis security page:
Redis is designed to be accessed by trusted clients inside trusted environments. This means that usually it is not a good idea to expose the Redis instance directly to the internet or, in general, to an environment where untrusted clients can directly access the Redis TCP port or UNIX socket.
To use SSH tunnels, SSH keys will need to be generated or existing keys used. These keys are present on your local system so before doing this, check in the
~/.ssh directory for any files beginning with
id_ and back them up. If you know the appropriate pass-phrases for these files, skip generating keys and go straight to enabling the SSH portal.
Here is a a quick recap on how to generate SSH keys. To start the process issue a command such as:
ssh-keygen -t rsa -C "firstname.lastname@example.org"
Remember to substitute in a real email address. This will begin the key generation process. You'll be asked where to save the key, just press enter for the default. You'll then be asked for a passphrase. Choose a strong phrase – ideally a reasonably long one too. Once you've entered it, hit return and enter it again to verify that you actually entered what you think you entered. The key generator will then start up and will write out two files,
id_rsa (the private part of your key that you hold on to) and
id_rsa.pub (the public part you give to other people). They can be found in the
Return to the Compose console for the Redis deployment and there, go to the Security tab where the controls for enabling SSH tunnels are.
Set the on/off switch on the SSH line to On and then click on 'Set Active Portals'. This will take us to to the 'Jobs' page where the progress of setting up the new portal will be displayed.
Return to the Overview page of the console and the Connection line now reads `Connection: TCP, SSH Available".
The overview above also suggests adding a user to the system to allow you to connect. Select the Users tab and it will show no exisiting users.
Click on the Add user button or link to add a user.
Users for the SSH tunnel are actually placeholders for SSH keys. They have a Title, for display and reference purposes, and a text field to hold the public SSH key.
Enter a 'Title' that will help you associate the SSH key you are using with a person or a system.
The public SSH key will be in the
~/.ssh directory, specifically it'll be the
.ssh/id_rsa.pub file. The contents of this file need to be transferred to the Key field. Users can
cat ~/.ssh/id_rsa.pub and use the standard cut and paste options on their terminal. MacOS users can run
cat ~/.ssh/id_rsa.pub | pbcopy to transfer the file directly to the clipboard ready for pasting into the Key field.
Click the Add user' button to complete the operation. The Jobs view will appear as the user is added to the system.
Connection details are shown on the overview page
If the SSH portal is not configured, there will be no "SSH Tunnel Configuration", "SSH Connection String" or "SSH Command Line" entries. Return to the top of this page and check for any omitted steps in the process of setting up the portal.
In a terminal session, run the "SSH Tunnel Configuration" command to create the SSH Tunnel. This command does not exit and the user may be prompted for the pass phrase used when they created the SSH key. Given the connection information above, for example, the command would be:
ssh -N email@example.com -p 10467 \ -L 127.0.0.1:6379:10.0.25.197:5000
Once the tunnel is established, in this example, the Redis database will appear to be on port 6379, as specified in the
-L part of the tunnel creation. Traffic on that port will be sent, encrypted, the remote end of the tunnel and delivered to the IP address and port specified within the secure VLAN on which the Redis deployment is hosted.
The "SSH Command Line" string is the invocation for the
redis-cli command. This requires that the
redis-cli command to be installed. See Connecting to Redis for details. Once the
redis-cli command is installed the command in the "SSH Command Line" string should be executable. Users will require the password which is available in the Credentials field - Clicking Show in *Credentials will not only reveal the password but also substitute it into the various command lines. Take the command and run it in a new terminal session:
$ redis-cli -p 6379 -a [password] 127.0.0.1:6379> KEYS * 1) "x" 2) "testing" 127.0.0.1:6379>
Similarly, the "SSH Connection String" can be used for applications to make a connection to the Redis server.
If we want to increase security and disable TCP connections from the outside world, we can use the 'Security' view's Whitelisting option. This allows you to select IP addresses or ranges that are allowed to connect to the TCP or SSH portals.
If you enable white-listing, 'Whitelist Compose Services' should be enabled too to allow features like the Data Browser access to the database.
If this article didn't solve things, summon a human and get some help!