Security in Redis
Redis is intended for use by trusted clients in trusted environments. This means that exposing the Redis instance to the internet, or to an environment in which untrusted clients can directly access the Redis TCP port or UNIX socket, is usually not a good idea.
In the case of a web application that uses Redis as a database, cache, or messaging system, the clients in the front-end (web side) of the program would query Redis to generate pages or perform activities that the web application user has requested or triggered.
The web application mediates access between Redis and untrusted clients in this situation (the user browsers accessing the web application).
Untrusted access to Redis should, in general, be mediated by a layer that implements ACLs, validates user input, and decides which actions to perform on the Redis instance.
Now let's talk about network security.
Network security
Access to the Redis port should be restricted to trusted clients on the network, so that the servers hosting Redis are only accessible directly by the computers that are implementing the Redis-based application.
The Redis port should be firewalled to restrict access from the outside in the common case of a single computer directly exposed to the internet, such as a virtualized Linux instance (Linode, EC2, ...). Clients will still be able to use the loopback interface to connect to Redis.
It's worth noting that you can bind Redis to a single interface by adding the following line to the redis.conf file:
bind 127.0.0.1
Because of the nature of Redis, failing to protect the Redis port from the outside can have a significant security impact. An external attacker might, for example, destroy the entire data set with a single FLUSHALL command.
TLS
The successor to SSL, Transport Layer Security (TLS), preserves the secrecy of data transferred between apps and Redis databases. TLS encrypts communications between Redis Enterprise Software nodes as well.
TLS authentication can be used for the following forms of communication:
- Communication between clients (applications) and your database
- Replication from your database to other clusters using Replica Of
- Synchronization of your database with other clusters using Active-Active
Now, let's get started with TLS.
Getting Started
Building
OpenSSL development libraries (e.g. libssl-dev on Debian/Ubuntu) are required to build with TLS support.
Make sure BUILD_TLS=yes is enabled.
Tests
TLS support for TCL (i.e. tcl-tls package on Debian/Ubuntu) is required to run the Redis test suite using TLS.
- To build a root CA and a server certificate, run ./utils/gen-test-certs.sh.
- To run the Redis and Redis Cluster tests in TLS mode, run ./runtest --tls or ./runtest-cluster --tls.
Running manually
To operate a Redis server in TLS mode manually (provided gen-test-certs.sh was run and sample certificates/keys are available), follow these steps:
./src/redis-server --tls-port 6379 --port 0 \
--tls-cert-file ./tests/tls/redis.crt \
--tls-key-file ./tests/tls/redis.key \
--tls-ca-cert-file ./tests/tls/ca.crt
To connect to this Redis server with redis-cli:
./src/redis-cli --tls \
--cert ./tests/tls/redis.crt \
--key ./tests/tls/redis.key \
--cacert ./tests/tls/ca.crt
Certificate configuration
Redis must be configured with an X.509 certificate and a private key in order to support TLS. When validating certificates, you must also specify a CA certificate bundle file or directory to be used as a trusted root. A DH params file can also be configured to support DH-based ciphers. For example:
tls-cert-file /path/to/redis.crt
tls-key-file /path/to/redis.key
tls-ca-cert-file /path/to/ca.crt
tls-dh-params-file /path/to/redis.dh
TLS listening port
Accepting SSL/TLS connections on the specified port is enabled by the tls-port configuration option. This is in addition to listening on a port for TCP connections, allowing Redis to be accessed via TLS and non-TLS connections at the same time.
Set port to 0 to disable the non-TLS port entirely. Use the following configuration to accept only TLS connections on the default Redis port:
port 0
tls-port 6379
Client certificate authentication
Redis employs mutual TLS by default, and clients must authenticate with a valid certificate (authenticated against trusted root CAs specified by ca-cert-file or ca-cert-dir).
To disable client authentication, use tls-auth-clients no.
Replication
The tls-port and tls-auth-clients directives apply to replication links as well, because a Redis master server handles incoming connections from clients and from replica servers in the same way.
To use TLS for outbound connections to the master, you must set tls-replication yes on the replica server.
All of the aforementioned applies to Sentinel because it inherits its networking settings from the standard Redis setup.
Sentinel will utilise the tls-replication directive to determine whether a TLS or non-TLS connection is necessary when connecting to master servers.
The same tls-replication directive also determines whether the Sentinel's own port, which accepts connections from other Sentinels, supports TLS. That is, Sentinel will be configured with tls-port if and only if tls-replication is enabled.
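As an added example (not part of this article or of the Redis project), the following Python script checks a redis.conf fragment against the directives covered in the network security, listening port, client authentication and replication sections above; both sample fragments are constructed for illustration.

```python
"""Audit a redis.conf fragment for the TLS hardening directives described above.
Added example, not Redis project code; both sample fragments below are constructed."""
WEAK_CONF = """
port 6379
tls-port 6380
tls-cert-file /path/to/redis.crt
tls-key-file /path/to/redis.key
tls-auth-clients no
replicaof 10.0.0.5 6379
"""

HARDENED_CONF = """
bind 127.0.0.1
port 0
tls-port 6379
tls-cert-file /path/to/redis.crt
tls-key-file /path/to/redis.key
tls-ca-cert-file /path/to/ca.crt
tls-replication yes
replicaof 10.0.0.5 6379
"""

def parse_conf(text):
    """Parse redis.conf syntax (one directive per line, '#' comments); a repeated directive keeps its last value, as Redis does."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # strip comments; blank lines are skipped below
        if line:
            name, *args = line.split()
            conf[name.lower()] = args
    return conf

def audit_tls(text):
    """Return findings as strings; an empty list means the fragment follows the article's guidance."""
    conf = parse_conf(text)
    findings = []
    if "bind" not in conf:
        findings.append("no 'bind': Redis listens on every interface")
    if conf.get("port", ["6379"])[0] != "0":  # Redis listens on 6379 when 'port' is absent
        findings.append("plaintext 'port' still open: set 'port 0' to accept TLS only")
    if "tls-port" not in conf:
        findings.append("no 'tls-port': TLS listener is disabled")
    for d in ("tls-cert-file", "tls-key-file", "tls-ca-cert-file"):
        if "tls-port" in conf and d not in conf:
            findings.append(f"'{d}' missing: cannot serve TLS or verify peer certificates")
    if conf.get("tls-auth-clients", ["yes"])[0] == "no":  # default is yes (mutual TLS)
        findings.append("'tls-auth-clients no': clients are not required to present a certificate")
    if "replicaof" in conf and conf.get("tls-replication", ["no"])[0] != "yes":
        findings.append("replica without 'tls-replication yes': link to master is plaintext")
    return findings
```

Run audit_tls on a real redis.conf to list the settings that diverge from the TLS-only, mutually authenticated setup the article describes.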
Performance considerations
Reading from and writing to a TLS connection, together with encryption, decryption and integrity checks, all add overhead to the communication stack. As a result, using TLS reduces the throughput that a Redis instance can achieve.
TLS does not presently support I/O threading.
Frequently asked questions
- What is Redis?
Redis is an in-memory data structure store that can be used as a distributed, in-memory key-value database, cache, and message broker. Strings, lists, maps, sets, sorted sets, HyperLogLogs, bitmaps, streams, and spatial indices are among the abstract data structures supported by Redis.
- What is TLS?
The successor to SSL, Transport Layer Security (TLS), preserves the secrecy of data transferred between apps and Redis databases. TLS encrypts communications between Redis Enterprise Software nodes as well.
- What are the disadvantages of Redis?
Because data is sharded according to the hash slots allotted to each master, clients connecting to a Redis cluster must be aware of the cluster topology, which adds configuration overhead on the client side. If a master does not have at least one replica, failover does not occur.
- How is data stored in Redis?
Because Redis is an in-memory database, data is stored in memory (RAM). If the server crashes, all data held only in memory is lost. To protect against this, Redis provides persistence mechanisms that back the data up to disk; when the server restarts, the data is loaded from disk back into memory.
- Is there any other Data Structures and Algorithms content in Coding Ninjas Studio?
Yes, Coding Ninjas Studio allows you to practice coding as well as answer frequently asked interview questions. The more we practice, the more likely we are to acquire a job at our dream company.
Conclusion
In this article, we have extensively discussed Redis TLS support. We hope that this blog has helped you enhance your knowledge of Redis TLS support, and if you would like to learn more, check out our articles on Library, where you can find everything about Databases, SQL Problems, Interview Experiences, and other guided paths. Do upvote our blog to help other ninjas grow. Happy Coding!