nicolasff / webdis

A Redis HTTP interface with JSON output
https://webd.is
BSD 2-Clause "Simplified" License

REDIS 6 now offers TLS, will Webdis? #201

Closed cilex-ft closed 2 years ago

cilex-ft commented 2 years ago

We manage hundreds of servers, each with their own redis / webdis server.

Webdis now supports user/password to connect to Redis, so we can consider moving to 1 single Redis server or cluster while ensuring good data isolation between our servers and clients.

However the data flow on the internal network between webdis / redis might be read by an attacker.

We have measures to secure our internal network, such as: we encrypt all the internal traffic (to mysql, between reverse proxies and web servers behind...); all servers run a firewall to avoid attacks from peers; webdis servers only answer on 127.0.0.1; and undisclosed more.

I couldn't find an include of hiredis_ssl.h in the webdis code, so it's my understanding that you don't yet support hiredis SSL/TLS - am I right?

It would be great if you can consider adding this feature.

nicolasff commented 2 years ago

Hi @cilex-ft,

That's correct, webdis doesn't support TLS connections to redis. I see that TLS was only added in Redis 6, so this is a relatively new feature that webdis doesn't support.

I completely get how important it is, and it seems like a good idea to add it. I can't really make such changes myself due to IP restrictions linked to my current job, but have been helping a contributor recently who's made a lot of important fixes to webdis so I'll talk to him about what this involves and whether he's interested in taking this on.

Let's keep this open as a reference issue and an eventual PR can link to it.

Thanks for the suggestion!

nicolasff commented 2 years ago

Hey @cilex-ft, please try the latest Webdis as I've just merged the change in #202 that adds support for encrypted connections to Redis.

There is no tagged release with this feature just yet, I'm trying to find a way to package Webdis that would make sense. Since SSL connections require a few extra files like the client certificate and key, it seems like even with SSL enabled few people would actually use an unmodified Webdis Docker image to connect securely to Redis. I can see how it would be used as a base image though, with the secrets being injected at runtime.

If you can, could you please describe *how* you would use Webdis with SSL support? Would you build it yourself and maybe package it? Would you use one of the signed Docker images? If so, directly or as a base image? Or would you do something else?

Anything that can help me understand the deployment model of Webdis users would be very helpful, in that it would let me provide useful images that can be run directly or selected as base images. I mostly want to avoid a situation where the only good way to run Webdis with SSL is to build and package everything yourself.

nicolasff commented 2 years ago

Update: I've also added a full tutorial showing how to configure and run Redis and Webdis under Docker Compose with SSL connections between the two.

I had never made use of the Discussions tab on GitHub since it's relatively new, but it feels like a good place to add more of these tutorials. I just hope it doesn't get filled with low-quality content.

cilex-ft commented 2 years ago

Thanks for delivering this, and sorry for my delay in answering; daily operations don't leave much time for experimenting. Our choices would be 1) using a package, or 2) building if required, then delivering to containers via ansible. We don't use Docker (and we won't). We should find some time in November to test... sounds great!

nicolasff commented 2 years ago

I don't manage the packages for distros, this would be too much work that is better left to folks who are much more familiar with their specific platforms than I could ever be. Some even take care of it very quickly, e.g. 0.1.18 was tagged on October 22 and updated in Homebrew just 3 days later.

Either way, thanks @cilex-ft for suggesting this feature and thanks to @jessie-murray for the concise implementation (although a lot of it is from Hiredis).

Please do let me know if you encounter any issues; it feels like this is pretty solid from what I've tested but since this is the first time this feature is added it's always possible that something was missed.

cilex-ft commented 2 years ago

I'm happy to finally report that SSL works for us.

Here is our server configuration:

#port 6379
port 0
tls-port 6379
# test certificates
tls-cert-file /etc/redis/tests/tls/redis.crt
tls-key-file /etc/redis/tests/tls/redis.key
tls-ca-cert-file /etc/redis/tests/tls/ca.crt
tls-dh-params-file /etc/redis/tests/tls/redis.dh
# clients don't need a certificate - https://redis.io/topics/encryption 
tls-auth-clients no

We neither need nor want to deal with client certificates, hence tls-auth-clients no (so only the server uses TLS - like a web server, client certificates are rarely used).

And on webdis (complete with daemon and redis authentication - v0.1.20-dev compiled with SSL=1):

{
    "redis_host": "172.16.17.18",
    "redis_port": 6379,
    "redis_auth": ["arefg5p4_e0011","SOMEUGLYPASSWORDHERE"],

    "ssl": {
        "enabled": true,
        "ca_cert_bundle": "/etc/webdis/ca.crt"
    },

    "http_host": "0.0.0.0",
    "http_port": 7379,
    "threads": 2,

    "daemonize": true,
    "websockets": true,
    "pidfile": "/run/webdis/webdis.pid",

    "database": 0,

    "acl": [
        {
            "disabled":["*"]
        },
        {
            "ip": "127.0.0.1",
            "enabled": ["SET","GET","DEBUG","UPDATE","SUBSCRIBE","PUBLISH"]
        }
    ]
}

where /etc/webdis/ca.crt was copied from redis-server.

Thank you again for implementing this nice feature.
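A small consistency check over the two configuration files posted above, written as an added example for this thread (it is not part of webdis and not the poster's own tooling). It pairs a redis.conf fragment with a webdis JSON config and flags the mismatches that would silently leave the link unencrypted or unverified; the `client_cert`/`client_key` key names are assumed, and the sample inputs are constructed.

```python
import json


def parse_redis_conf(text):
    """Parse 'key value' lines of a redis.conf fragment; comments and blanks are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            conf[key] = value.strip()
    return conf


def check_tls_pairing(redis_conf_text, webdis_conf_text):
    """Return a list of findings for a webdis config paired with a redis.conf."""
    redis = parse_redis_conf(redis_conf_text)
    webdis = json.loads(webdis_conf_text)
    ssl = webdis.get("ssl") or {}
    findings = []
    tls_port = int(redis.get("tls-port", 0))      # Redis default: TLS listener off
    plain_port = int(redis.get("port", 6379))     # Redis default: plaintext on 6379
    if tls_port and not ssl.get("enabled"):
        findings.append("redis offers TLS but webdis ssl.enabled is not true")
    if tls_port and webdis.get("redis_port") != tls_port:
        findings.append("webdis redis_port does not match redis tls-port")
    if plain_port:
        findings.append("redis still accepts plaintext on port %d" % plain_port)
    if ssl.get("enabled") and not ssl.get("ca_cert_bundle"):
        findings.append("ssl.enabled without ca_cert_bundle: private CA cannot be verified")
    # Redis defaults tls-auth-clients to 'yes' (mutual TLS); client_cert/client_key are assumed key names.
    if tls_port and redis.get("tls-auth-clients", "yes") == "yes" \
            and not (ssl.get("client_cert") and ssl.get("client_key")):
        findings.append("redis requires client certificates but webdis has no client_cert/client_key")
    if webdis.get("redis_auth") and not ssl.get("enabled"):
        findings.append("redis_auth credentials would be sent in cleartext")
    return findings


# Constructed inputs modelled on the configs posted above (the password is a placeholder).
REDIS_CONF = "port 0\ntls-port 6379\ntls-ca-cert-file /etc/redis/tests/tls/ca.crt\ntls-auth-clients no\n"
WEBDIS_CONF = json.dumps({"redis_host": "172.16.17.18", "redis_port": 6379,
                          "redis_auth": ["user", "PLACEHOLDER_PASSWORD"],
                          "ssl": {"enabled": True, "ca_cert_bundle": "/etc/webdis/ca.crt"}})
# The same pair with TLS left off on both sides, for comparison.
REDIS_PLAIN = "port 6379\n"
WEBDIS_PLAIN = json.dumps({"redis_host": "172.16.17.18", "redis_port": 6379,
                           "redis_auth": ["user", "PLACEHOLDER_PASSWORD"]})

if __name__ == "__main__":
    print(check_tls_pairing(REDIS_CONF, WEBDIS_CONF))    # []
    print(check_tls_pairing(REDIS_PLAIN, WEBDIS_PLAIN))  # two findings
```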

nicolasff commented 2 years ago

@cilex-ft great to hear! And thanks for sharing your config. I've added some documentation recently that describes how to set up Webdis with encrypted connections to Redis using docker-compose; I'll try to add a page or a link to your post as one more example.