Redis on Red-Hut with C# Windows Client (Disable SSH)
795 views
Skip to first unread message
Shmuel Amour
May 8, 2014, 2:40:24 AM5/8/14
to redi...@googlegroups.com
Hi,
I using Redis server on Linux and C# Client on Windows Server 2012
I can connect to the Redis only via SSH shell (I'm using ServiceStack on C#)
Can I disable the SSH enforcement?
Best,
Amour Shmuel
Jan-Erik Rediger
May 8, 2014, 4:20:07 AM5/8/14
to redi...@googlegroups.com
Redis has nothing to do with SSH. It listens on its own port (by default
6379).
Make sure Redis is listening on the right IP (or the complete interface) and not only on localhost
and makre sure the port it uses is open to the Windows Server (check your firewall).
Keep in mind that you should not make the redis instance reachable by
everyone. Redis does very little to prevent malicious access if exposed
over the internet.
> --
> You received this message because you are subscribed to the Google Groups "Redis DB" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to redis-db+u...@googlegroups.com.
> To post to this group, send email to redi...@googlegroups.com.
> Visit this group at http://groups.google.com/group/redis-db.
> For more options, visit https://groups.google.com/d/optout.
6379).
Make sure Redis is listening on the right IP (or the complete interface) and not only on localhost
and makre sure the port it uses is open to the Windows Server (check your firewall).
Keep in mind that you should not make the redis instance reachable by
everyone. Redis does very little to prevent malicious access if exposed
over the internet.
> You received this message because you are subscribed to the Google Groups "Redis DB" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to redis-db+u...@googlegroups.com.
> To post to this group, send email to redi...@googlegroups.com.
> Visit this group at http://groups.google.com/group/redis-db.
> For more options, visit https://groups.google.com/d/optout.
Marc Gravell
May 8, 2014, 12:04:06 PM5/8/14
to redi...@googlegroups.com
It is a bit unclear what you are asking, and it is unclear what lies between the linux and windows machines. If they are in the same isolated environment (private network, VPN, etc), you're probably fine. If your data is exposed, you probably want some level of encryption. SSH and similar are viable options for this (stunnel woks quite well too). Many clients also now support SSL directly, for use either with stunnel or presumably with custom redis-server implementations. For example, redislabs recently created pull-requests for SSL support in redis-rb, jedis, redis-py, predis and node_redis. There is also equivalent support baked into StackExchange.Redis, which is C# and works fine on Windows Server.
So: lots of options there, but what is most appropriate is kinda up to you.
Links:
--
You received this message because you are subscribed to the Google Groups "Redis DB" group.
To unsubscribe from this group and stop receiving emails from it, send an email to redis-db+u...@googlegroups.com.
To post to this group, send email to redi...@googlegroups.com.
Visit this group at http://groups.google.com/group/redis-db.
For more options, visit https://groups.google.com/d/optout.
Regards,
Marc
Demis Bellot
May 8, 2014, 5:20:42 PM5/8/14
to redi...@googlegroups.com
Hi Salvatore,
Do you have an opinion on whether Redis Clients should bake SSL support in the clients directly to handle these types of scenarios? Or do you think transparent approaches like stunnel are the way to go?
Matt Stancliff
May 8, 2014, 6:00:17 PM5/8/14
to redi...@googlegroups.com
On May 8, 2014, at 5:20 PM, Demis Bellot <demis....@gmail.com> wrote:
> Do you have an opinion on whether Redis Clients should bake SSL support in the clients directly to handle these types of scenarios? Or do you think transparent approaches like stunnel are the way to go?
The default Redis approach to security is a pre-shared secret key. sipped uses the same approach, plus your connection will be fully encrypted. Only remote spiped clients with your pre-shared secret key can connect, so your connection is authenticated as well (modulo the security of your pre-shared secret key).
Just run one spiped in front of your Redis process, then another spiped on your client machines. Each client machine would talk to the localhost spiped, which would encrypt and forward your connections to the remote spiped in front of Redis. No CA. No PKI. No cryptic openssl commands. You can get the same effect with SSH tunnels as well (and SSH allows compression as well).
As for enabling SSL access directly in clients, it’s a bit of feature creep. SSL isn’t a feature of Redis, so SSL in the client is debatable.
As for stunnel, it has always been kinda equally bad at everything. A while ago, https://github.com/bumptech/stud became a viable replacement, but it has been unmaintained since the parent company died. It’s possibly still very usable.
Another possibility is haproxy’s SSL mode. It’s good at sending data places.
But, I think the original question was from a windows user who wanted to access Redis without SSH. That could mean many different things. My first thought is: sounds like they are logging in to a Linux box to use redis-cli (or are required to use a Putty tunnel to connect their C# client), but they want to use Redis directly. Except, they don’t know the IP/Port of their Redis server. Potentially, they just need to ask for the local Redis IP/Port information. We’re just guessing at this point; not enough information to go on.
-Matt
Marc Gravell
May 9, 2014, 5:02:51 AM5/9/14
to redi...@googlegroups.com
SSL isn't a feature of Redis, so SSL in the client is debatable.
It does, however, potentially make it very easy to deploy applications that connect to secured endpoints, whether that is a web server going to arbitrary servers (perhaps hosted), or to random desktops - without needing to run any additional configuration on the targets.
Itamar Haber
May 9, 2014, 7:04:49 AM5/9/14
to redi...@googlegroups.com
[Continuing the sidetracking and the debate]
+1 to Marc's point. Also:
* In some cases even the web/app server is hosted/PaaSed, making it is hard/impossible to install anything on it. An SSL-aware client can solve that.
* Re. spiped - very neat - didn't know about it. However, it appears that spiped is UNIX-only whereas stunnel can run on other (e.g. Windows) OSes.
* Re. CA, PKI, etc. - I agree this is somewhat cryptic but with proper documentation the pain can be lessened somewhat.
The bottom line is that, be it a feature creep or a feature request, strong security is needed in some use cases and the lack of it/complexity of adding it is a barrier for Redis' adoption. In fact, this is exactly why we have added SSL support to our service and several popular Redis clients (see here for more details: http://redislabs.com/blog/secure-redis-ssl-added-to-redsmin-and-clients).
On Fri, May 9, 2014 at 12:02 PM, Marc Gravell <marc.g...@gmail.com> wrote:
SSL isn't a feature of Redis, so SSL in the client is debatable.
It does, however, potentially make it very easy to deploy applications that connect to secured endpoints, whether that is a web server going to arbitrary servers (perhaps hosted), or to random desktops - without needing to run any additional configuration on the targets.
--
You received this message because you are subscribed to the Google Groups "Redis DB" group.
To unsubscribe from this group and stop receiving emails from it, send an email to redis-db+u...@googlegroups.com.
To post to this group, send email to redi...@googlegroups.com.
Visit this group at http://groups.google.com/group/redis-db.
For more options, visit https://groups.google.com/d/optout.
Itamar Haber
Chief Developers Advocate
Mobile: +1 (415) 688-2443
Mobile (IL): +972 (54) 567-9692
Skype: itamar.haber
Reply all
Reply to author
Forward
0 new messages