Introduction to Redis

Redis Security

One of the biggest changes in Redis 3.2 is how default security is handled when running a Redis server. The new protected mode is a layer of security protection that prevents Redis instances left open on the Internet from being accessed and exploited. This mode is in effect when both of the following are true:

  1. The server is not binding explicitly to a set of addresses using the "bind" directive.
  2. No password is configured.

Before, the only way to restrict access to a Redis instance was to set a password.

Redis's general security model assumes that only trusted clients access a Redis server within a protected environment. There are some general guidelines to follow if Redis is running on a computer with direct exposure to the Internet (a common use case when using a cloud server).

  • The Redis port (default is 6379) should be firewalled to prevent access from the outside.
  • Clients running should still be able to access Redis through the local loopback interface.

Exercise: Connect to Redis Master

If the master has the requirepass parameter set in redis.conf, clients need to send the password to the Redis instance using the AUTH command:

127.0.0.1:6379> KEYS *
(error) NOAUTH Authentication required.
127.0.0.1:6379> AUTH badpassword
(error) ERR invalid password
127.0.0.1:6379> AUTH foobared
OK
     

Exercise: Configuring Protect Mode

Manually with redis-cli:

127.0.0.1:6379> CONFIG SET protected-mode no
OK
    
At startup, by setting protected-mode in redis.conf.
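
The check below is an added example, not part of the original tutorial or the Redis project: it reads redis.conf text and reports whether the instance would accept connections without a password from other hosts, using the two protected-mode conditions listed earlier. The function names and sample configurations are constructed; it assumes protected-mode defaults to yes and that a server with no bind directive listens on all interfaces.

```python
import ipaddress
import shlex

def parse_conf(text):
    """Parse redis.conf text into {directive: [args]}; the last occurrence wins."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # blank line or comment
            continue
        parts = shlex.split(line)               # handles quoted arguments
        conf[parts[0].lower()] = parts[1:]
    return conf

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:                          # hostname or wildcard
        return False

def assess(text):
    """Classify who can reach the instance without a password."""
    conf = parse_conf(text)
    # Assumption: protected-mode defaults to "yes" when the directive is absent.
    protected = (conf.get("protected-mode") or ["yes"])[0].lower() == "yes"
    bind = conf.get("bind", [])
    password = "".join(conf.get("requirepass", []))
    if protected and not bind and not password:
        return "loopback-only: protected mode in effect"
    if password:
        return "password required"
    if bind and all(is_loopback(a) for a in bind):
        return "loopback-only: explicit bind"
    # Assumption: with no bind directive the server listens on all interfaces.
    return "exposed: no password on a non-loopback interface"

# Constructed sample configurations.
SAMPLES = {
    "defaults": "",
    "protected mode off": "protected-mode no\n",
    "bind lifts protection": "protected-mode yes\nbind 127.0.0.1 10.0.0.5\n",
    "loopback bind": "protected-mode no\nbind 127.0.0.1 ::1\n",
    "password set": "bind 10.0.0.5\nrequirepass 'constructed-long-secret'\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:22} -> {assess(text)}")
```

The third sample is the case to watch for: an explicit bind to a non-loopback address takes the instance out of protected mode even though protected-mode is still set to yes, so it needs a password or a firewall rule.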

Coming Features

Redis is a very active project, and new features and improvements are being implemented all the time. Currently, in the unstable branch, Redis is adding a number of geographic commands to support GIS and other location-based applications.

Exercise: Downloading and Using Geo Commands

First, we'll need to download and build Redis from the unstable branch:

$ wget https://github.com/antirez/redis/archive/unstable.tar.gz
$ tar xvf unstable.tar.gz
$ cd redis-unstable
$ make
$ src/redis-server
      

Now that we have compiled Redis and have a running instance, we'll open a second terminal window and launch redis-cli. We'll then add a few data points to the BayArea key with the GEOADD command and calculate the distance between San Francisco and San Jose with the GEODIST command:

127.0.0.1:6379> GEOADD BayArea 121.8863 37.7833 "San Jose" 122.4167 37.7833 "San Francisco" 122.2708 37.8044 Oakland
127.0.0.1:6379> GEODIST BayArea "San Francisco" "San Jose"
"46624.876174299716"
127.0.0.1:6379> GEODIST BayArea "San Francisco" "San Jose" km
"46.624876174299715"
127.0.0.1:6379> GEODIST BayArea "San Francisco" "San Jose" mi
"28.971426904382987"
      

The GEORADIUS and GEORADIUSBYMEMBER commands return the members that lie within the borders of an area specified by a central location and a maximum distance from the center.

127.0.0.1:6379> GEORADIUS BayArea 121.9692 37.3544 100 mi
1) "San Jose"
2) "Oakland"
3) "San Francisco"
127.0.0.1:6379> GEORADIUS BayArea 121.9692 37.3544 30 mi
1) "San Jose"
      

References and Resources

  1. From the redis.io website: topic on Redis Security