Open wlandau opened 1 year ago
redux does not support tls (yet, there's a long-standing PR but it needs work and as I don't use TLS it's not been a priority).
We always use redis as a container, so just the default configuration really. It's possible that other configurations will provide higher performance but I expect that would only be an issue if you were doing a great many very small jobs.
There are security issues with exposing redis to the internet at large, and I believe that the password will only partly mitigate this as an attacker can try many passwords a second to try and brute force it. So it's more important to think about the overall security of the communication. If you're using ssh tunnels between the client computer and your Redis instance on AWS (or similar) then you should be fine. We typically do all communication between Redis and the rrq queue/workers on a docker private network.
I am not sure what the penalty is for a maxclients that high, but it seems unlikely that you would be able to keep that many R processes happy.
Thanks for the advice, Rich. I agree, the password system in Redis is weak as password systems go. And from https://redis.io/docs/management/security/, I do understand that I will probably need to put the Redis server on the same network as the workers, with a tunnel or API for user-server communication. Still, I am not sure I understand what exactly makes SSH more secure than Redis + TLS, given that SSH also relies on TLS for security.
I am beginning a rewrite of crew, and part of my plan is to build on top of rrq and take responsibility for configuring and launching short-lived instances of redis-server (initiate when a pipeline begins, terminate when the pipeline ends or crashes). I am writing to ask your advice on a good redis.conf file. What settings would you suggest to only enable the Redis commands that rrq uses?

I read through https://raw.githubusercontent.com/redis/redis/7.0/redis.conf, and so far I am thinking about the following template for ephemeral conf files. (I do not know how to use the TLS settings, and I do not know where to find the certificates or how to securely deliver them to clients, but it would be nice to have eventually.)
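
An added example, not code from this thread or from rrq, crew or redux, and not the template the post refers to: a shell sketch of the loopback-only, long-random-password setup the replies above converge on for a short-lived redis-server, plus a check that flags a conf file that would expose it. The function names `write_ephemeral_conf` and `audit_conf`, the 32-character minimum and the tunnel host in the comment are assumptions; command restriction is left out because the page does not list which commands rrq uses.

```shell
#!/bin/sh
# Added example: generate a conf for a short-lived redis-server that is only
# reachable on loopback (clients come in over an SSH tunnel, e.g.
#   ssh -N -L 6379:127.0.0.1:6379 user@redis-host   # placeholder host)
# and audit any redis.conf for settings that expose the instance.

# write_ephemeral_conf DIR [PORT] [MAXCLIENTS] -> prints the path of the conf
write_ephemeral_conf() {
  dir=$1; port=${2:-6379}; maxclients=${3:-1000}
  # 32 random bytes as 64 hex chars, so online guessing is not practical
  pass=$(head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n')
  conf="$dir/redis.conf"
  ( umask 077   # the file holds the password: owner-only permissions
    cat > "$conf" <<EOF
bind 127.0.0.1
protected-mode yes
port $port
requirepass $pass
maxclients $maxclients
save ""
appendonly no
dir "$dir"
EOF
  )
  printf '%s\n' "$conf"
}

# audit_conf FILE -> prints one finding per line; returns 1 if there are any
audit_conf() {
  awk '
    $1 == "bind" { seen_bind = 1
      for (i = 2; i <= NF; i++)
        if ($i !~ /^-?(127\.|::1$)/) print "bind exposes " $i }
    $1 == "protected-mode" && $2 == "no" { print "protected-mode disabled" }
    $1 == "requirepass" { seen_pass = 1
      if (length($2) < 32) print "requirepass shorter than 32 characters" }
    END { if (!seen_bind) print "no bind directive: listens on all interfaces"
          if (!seen_pass) print "no requirepass" }
  ' "$1" | { ! grep . ; }
}
```

Start the server with `redis-server "$(write_ephemeral_conf "$(mktemp -d)")"` and remove the directory when the pipeline ends, since the conf contains the password in clear text.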