Redis
Yaroslav, 2017-02-20 21:15:25

How to allow access to Redis only from certain IPs?

We are breaking a monolithic application into microservices; each microservice has its own server. Redis has been chosen as session storage. How do we ensure that Redis is reachable only from inside a notional cluster?
Is this possible with standard Redis tools?


1 answer(s)
Yaroslav, 2017-02-26
@YarkoDzech

Starting from some 3.2.x version, binding several IPs in the config does not allow the server to start.
Therefore, the option is as follows:
1. In redis.conf, change:
bind 0.0.0.0  # open access to the database from outside
(optionally, change the port to guard against something like this: zmap -p6379 -o omg.txt)
It is highly recommended to set:
requirepass nl6Cq8mthJrrXbqlDqLaPgtFkeq12zqB7Sb5j5UJ
and it is also highly recommended to disable config management from the command line:
rename-command CONFIG ""
After restarting the server, it should be reachable from outside by IP and port:
redis-cli -h your_ip -p your_port
2. Write the rules for iptables.
Important! All rules are applied in strict order, so it is advisable to reset all rules and rewrite the file from a clean sheet. Then go through it again, and in the place where port 80, the SSH port and a number of others are opened, add:
iptables -A INPUT -p tcp -s yyyy --dport xxxx -j ACCEPT
(access from IP yyyy to port xxxx)
Repeat the rule for the IPs of all microservices that will connect to Redis.
Open the local interface:
iptables -A INPUT -i lo -j ACCEPT
Lastly, block everything that is not described by the rules and allow all outgoing connections:
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
After restarting iptables, if everything is configured correctly, the port should be reachable only from the IPs we need. And if you follow all the instructions, then even if a packet gets through the firewall, it will run into authentication and will not be able to generate an access key to the server from the command line.
PS: If everything went wrong, reset iptables like this:
iptables -F
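The following script is an added example and is not part of the answer above: it turns steps 1 and 2 into something you can review before applying. The redis.conf fragment, the port numbers and the client addresses 10.0.0.11 and 10.0.0.12 are constructed placeholders. It also adds one rule the answer does not mention, an ESTABLISHED,RELATED accept; without it, a default INPUT DROP policy also drops the replies to the Redis host's own outgoing connections (package updates, DNS, and so on). Nothing here calls iptables itself; the rules are printed so they can be inspected first.

```shell
#!/bin/sh
# Added example, not code from the original answer.
# Generates the iptables rule set from step 2 for a Redis port, allowing only
# the listed client IPs plus loopback, and checks that a redis.conf fragment
# carries the hardening from step 1. Nothing here calls iptables itself: the
# rules are printed so they can be reviewed before being applied.

# Print the rules in the order they must be applied.
# Usage: redis_firewall_rules REDIS_PORT SSH_PORT CLIENT_IP...
redis_firewall_rules() {
    redis_port="$1"
    ssh_port="$2"
    shift 2
    echo "iptables -F"                               # start from a clean sheet
    echo "iptables -A INPUT -i lo -j ACCEPT"         # local interface
    # Not in the original answer: keep replies to the host's own outgoing
    # connections working once the default INPUT policy becomes DROP.
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport $ssh_port -j ACCEPT"   # don't lock yourself out
    for ip in "$@"; do                               # one rule per microservice host
        echo "iptables -A INPUT -p tcp -s $ip --dport $redis_port -j ACCEPT"
    done
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -P INPUT DROP"                    # everything else is dropped
}

# Count the ACCEPT rules that target the Redis port: a quick self-check that
# every client host got a rule and no unintended ones slipped in.
count_port_accepts() {
    redis_firewall_rules "$@" | grep -c -- "--dport $1 -j ACCEPT"
}

# Read a redis.conf from stdin and report whether step 1's hardening is present:
# a non-empty requirepass and CONFIG renamed to the empty string.
check_redis_conf() {
    conf="$(cat)"
    missing=""
    printf '%s\n' "$conf" | grep -Eq '^requirepass[[:space:]]+[^[:space:]]+' \
        || missing="$missing requirepass"
    printf '%s\n' "$conf" | grep -Eq '^rename-command[[:space:]]+CONFIG[[:space:]]+""' \
        || missing="$missing rename-command"
    if [ -z "$missing" ]; then echo "ok"; else echo "missing:$missing"; fi
}

# Constructed sample config fragment (the password is a placeholder, not a real secret).
SAMPLE_CONF='bind 0.0.0.0
port 6379
requirepass REPLACE_WITH_A_LONG_RANDOM_SECRET
rename-command CONFIG ""'

# Example run with constructed microservice addresses. Review the output, then
# apply it on the Redis host with: redis_firewall_rules 6379 22 10.0.0.11 10.0.0.12 | sh
redis_firewall_rules 6379 22 10.0.0.11 10.0.0.12
printf '%s\n' "$SAMPLE_CONF" | check_redis_conf
```

The SSH rule is deliberately placed before the Redis rules and before the DROP policy, matching the answer's warning that order matters; running check_redis_conf against the real file after editing catches the two most common omissions (an empty requirepass, or CONFIG left enabled) before the server is exposed on 0.0.0.0.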
