Securing Redis - SSH tunnelling now available on Compose

Redis is a fine in-memory database which can act as the glue for your entire stack. If we had to pick one missing feature we'd really want, it's that Redis is essentially built to live inside a private network: connections from the outside world are unencrypted (Redis doesn't handle SSL/TLS connections, at least not yet) and its authentication is lightweight, so the only real solution is to connect to it through an SSH tunnel. That's exactly what we've just enabled at Compose too. So if you want a more secure Redis, read on.

Practically SSH

To set up the SSH tunnel, the first thing you will need, before you start, is an SSH key pair. The process for generating one varies slightly from platform to platform, but here are the steps for Mac and Linux:

First, check you haven't already got keys. Open a terminal and run ls -la ~/.ssh, which lists any keys already generated. You want to see if there's an id_rsa.pub there. If there is, you've already made a key and, providing you remember the passphrase you set for it, you can skip to the "Turn on the SSH portal" section below. For the rest of you, it's time to cut some keys.

Cutting your keys

Open the terminal again and type

ssh-keygen -t rsa -C "your_email_address"

You'll be asked where to save the key, just press enter for the default. You'll then be asked for a passphrase. Choose a strong phrase – ideally a reasonably long one too. Once you've entered it, hit return and enter it again to verify that you actually entered what you think you entered. The key generator will then start up and will write out two files, id_rsa (the private part of your key that you hold on to) and id_rsa.pub (the public part you give to other people).

Now we are ready to turn on the SSH portal. You'll see where the keys come in later.

Turn on the SSH portal

Log into your Redis Compose console and select Security.

Security Tab

On that tab you'll see two access portals, the TCP portal which you probably already use, and the new SSH portal. Select On for the SSH portal and then Set Active Portals. The SSH portal's cost is displayed in the sidebar on the right and is currently billed at $4.50 per month.

This will activate the SSH portal but it will not allow tunnels to be created to it yet. For that you'll need to create a "user".

Create a user for the SSH portal

SSH portal users are notional placeholders for certificates which client applications present to the SSH portal to gain access, in this case to create an SSH tunnel. It's pretty important to set up at least one user, so much so that the console reminds you:

User Reminder

Click on Add a user, or on Users in the left-hand tab bar. You'll get to here:

Users tab

This is the Users view, from where you can add a user. Click on Add user to start creating one and you'll be presented with this:

Add user dialog

The Title is a descriptive name for your user, for your own reference. It isn't used anywhere except for you to know whose keys they are, so make sure it's unique.

The Key text field is where the public part of our key goes: you will need to copy the contents of the id_rsa.pub file into that area. There are a few ways to do this. On a Mac, you can use the pbcopy command to load it into the clipboard like so:

pbcopy < ~/.ssh/id_rsa.pub

and then click in the key field and press Command-V to paste it in. On Linux, you could install xclip and then run:

xclip -sel clip < ~/.ssh/id_rsa.pub

to copy the file to the clipboard, then Control-V to paste it in. Or you can just display the file in the terminal and cut-and-paste the output into the text area. The public key begins with ssh-rsa and a space, then one long sequence of characters, ending in another space and finally the email address you used when you created it. You'll need all of this text, including the ssh-rsa and the email address, when you copy and paste.

When you've got that in, click the Add user button and your new SSH user will be created.
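The two checks above (is there already a key, and is the pasted text the whole single-line public key rather than the private half or a wrapped copy) are easy to get wrong by hand. The following script is an added example and not part of the Compose post or console; it assumes the key sits at ~/.ssh/id_rsa.pub and was made with ssh-keygen -t rsa as described above, and the key text used in its demo is constructed, not a real key.

```shell
#!/bin/sh
# Added example, not from the Compose post: pre-flight checks for the text you
# are about to paste into the Key field of the Add user dialog.
# Assumptions (labelled): the key lives at ~/.ssh/id_rsa.pub as in the post and
# was made with "ssh-keygen -t rsa"; key text used in demo() is constructed.

# True (exit 0) when a non-empty public key file already exists, i.e. the
# "skip to Turn on the SSH portal" case from the post.
have_existing_key() {
  keyfile="${1:-$HOME/.ssh/id_rsa.pub}"
  [ -s "$keyfile" ]
}

# Classify one pasted key and print a verdict on stdout:
#   ok          - looks like a single-line OpenSSH RSA public key
#   multi_line  - the paste got wrapped or picked up extra lines
#   private_key - this is the id_rsa half, which must never leave your machine
#   not_rsa     - some other key type; the post generates RSA keys
#   malformed   - first field says ssh-rsa but the body does not look like one
# Returns 0 only for "ok".
classify_pasted_key() {
  text="$1"
  if [ "$(printf '%s\n' "$text" | wc -l | tr -d ' ')" -gt 1 ]; then
    echo multi_line; return 1
  fi
  case "$text" in
    -----BEGIN*) echo private_key; return 1 ;;
  esac
  set -f                      # no glob expansion while splitting the fields
  set -- $text
  set +f
  if [ "${1:-}" != "ssh-rsa" ]; then
    echo not_rsa; return 1
  fi
  # Every OpenSSH RSA public key body starts with the base64 encoding of the
  # length-prefixed string "ssh-rsa", which is AAAAB3NzaC1yc2E.
  case "${2:-}" in
    AAAAB3NzaC1yc2E*) ;;
    *) echo malformed; return 1 ;;
  esac
  if [ "$#" -lt 3 ]; then
    # Still a valid key, but the post expects the email comment to be there.
    echo "note: no comment (email) field on this key" >&2
  fi
  echo ok
}

demo() {
  if have_existing_key; then
    echo "found $HOME/.ssh/id_rsa.pub; verdict: $(classify_pasted_key "$(cat "$HOME/.ssh/id_rsa.pub")")"
  else
    echo "no key yet: run ssh-keygen -t rsa -C \"your_email_address\" first"
  fi
}

case "${1:-}" in run) demo ;; esac
```

Run it as sh keycheck.sh run; anything other than ok means you should look at what is in the clipboard before clicking Add user.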

Create the SSH tunnel

The SSH tunnel will run from your system to the SSH portal and then on to your Redis deployment. The instructions are actually on your deployment's overview page in the Compose console. Let's go back and have a look:

Deployment overview with SSH

The command you need is in the SSH Tunnel Connection section of the overview. In this case it's

ssh -N compose@sl-eu-lon-2-portal.2.dblayer.com -p 10203 \
-L 127.0.0.1:6379:10.0.26.101:5000

The -N tells ssh to just forward ports and not run a remote command. compose@sl-eu-lon-2-portal.2.dblayer.com is the fixed user name (compose) used to connect to the portal, followed by the DNS name of the portal server. That's followed by -p 10203, which says to connect to the portal's SSH service on port 10203 rather than the default port 22. Finally, -L 127.0.0.1:6379:10.0.26.101:5000 says that a connection made locally to port 6379 should be forwarded to port 5000 of 10.0.26.101 at the other end of the tunnel. What is that IP address for, you may wonder? If you scroll down your deployment's overview page you'll find the Deployment Topology:

Deployment Topology

And if you look down the list, you'll find 10.0.26.101 belongs to the TCP haproxy portal which handles the normal unencrypted traffic. It has another useful attribute: it forwards traffic to whichever Redis is the current leader, which is why the SSH tunnel forwards traffic there.

Now you understand what the command is doing, let's run it. You'll be asked to confirm that the host key of the machine you are connecting to is the one you expected, and to give the passphrase you chose when you generated the SSH key earlier. That command will now hold the tunnel open, so go to a new terminal.

To use the redis-cli command listed under SSH command line, you'll need to have Redis installed locally. On Linux, Redis should be available through your distribution's package manager, while on Mac OS X we recommend using the Brew package manager and brew install redis. Now you can issue the command, after revealing the deployment's password by clicking show next to it (pro-tip: this also fills the password into the example command lines). So, over on that new terminal we can go:

$ redis-cli -p 6379 -a NOTMYPASSWORD
127.0.0.1:6379> scan 0
1) "0"
2) 1) "x"
   2) "y"
   3) "q"
127.0.0.1:6379>

That localhost connection will have gone in through the encrypted SSH tunnel and arrived at the haproxy portal inside the private network for the deployment. You can now use this tunnel for all your traffic. But...
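Opening the tunnel in one terminal and running redis-cli in another works, but a script that opens the tunnel, confirms the local end is actually answering, runs the Redis command and then closes the tunnel is less error-prone. The following is an added example, not the Compose post's or console's own code: the portal host, port and haproxy address are the ones from the screenshots above and are placeholders for your own deployment's values, and it assumes redis-cli 5.0 or later, which reads the password from the REDISCLI_AUTH environment variable so that it does not appear in the process list the way -a NOTMYPASSWORD does.

```shell
#!/bin/sh
# Added example, not from the Compose post: wrap the post's ssh command so the
# tunnel is opened, checked and closed deliberately, and talk to Redis through
# it without putting the password on the command line.
# Assumptions (labelled): the values below are the ones from the post's
# screenshots and are placeholders for your own deployment; redis-cli 5.0 or
# later is assumed (it honours REDISCLI_AUTH).

PORTAL_HOST="${PORTAL_HOST:-sl-eu-lon-2-portal.2.dblayer.com}"
PORTAL_PORT="${PORTAL_PORT:-10203}"
HAPROXY_ADDR="${HAPROXY_ADDR:-10.0.26.101:5000}"   # TCP haproxy portal from the topology chart
LOCAL_PORT="${LOCAL_PORT:-6379}"
CTL_SOCK="${TMPDIR:-/tmp}/compose-redis-tunnel.$$"

# Print the ssh command from the post plus two options worth having:
# ExitOnForwardFailure makes ssh exit if 127.0.0.1:LOCAL_PORT cannot be bound
# (instead of staying connected with no forward), and ServerAliveInterval
# keeps an idle tunnel from being dropped silently by a middlebox.
# Arguments: portal_host portal_port local_port haproxy_addr
build_tunnel_cmd() {
  printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -p %s -L 127.0.0.1:%s:%s compose@%s' \
    "$2" "$3" "$4" "$1"
}

# True when the portal's host key is already in known_hosts (OpenSSH stores
# non-default ports as "[host]:port"). On a first connection ssh shows a
# fingerprint and asks for confirmation; that is the "is this the machine you
# expected" prompt from the post.
host_key_known() {
  [ -n "$(ssh-keygen -F "[$PORTAL_HOST]:$PORTAL_PORT" 2>/dev/null)" ]
}

open_tunnel() {
  set -f
  set -- $(build_tunnel_cmd "$PORTAL_HOST" "$PORTAL_PORT" "$LOCAL_PORT" "$HAPROXY_ADDR")
  set +f
  shift   # drop the leading "ssh"; the control-socket options go in front
  # -f backgrounds ssh only after authentication, so the key passphrase prompt
  # still works; -M/-S open a control socket that close_tunnel uses.
  ssh -f -M -S "$CTL_SOCK" "$@"
}

close_tunnel() {
  ssh -S "$CTL_SOCK" -O exit "compose@$PORTAL_HOST" 2>/dev/null
}

# Poll the local end of the tunnel until Redis answers PING (up to 20 s).
wait_for_redis() {
  n=0
  while [ "$n" -lt 20 ]; do
    [ "$(redis-cli -p "$LOCAL_PORT" ping 2>/dev/null)" = PONG ] && return 0
    n=$((n + 1)); sleep 1
  done
  return 1
}

run_demo() {
  if [ -z "${REDIS_PASSWORD:-}" ]; then
    echo "set REDIS_PASSWORD to the deployment password first" >&2; return 1
  fi
  # redis-cli reads REDISCLI_AUTH instead of -a, so the password does not
  # show up in the process argument list.
  REDISCLI_AUTH="$REDIS_PASSWORD"; export REDISCLI_AUTH
  host_key_known || echo "first connection to $PORTAL_HOST:$PORTAL_PORT: check the fingerprint ssh shows before answering yes" >&2
  open_tunnel || return 1
  trap close_tunnel EXIT
  wait_for_redis || { echo "tunnel is up but Redis did not answer on 127.0.0.1:$LOCAL_PORT" >&2; return 1; }
  redis-cli -p "$LOCAL_PORT" scan 0    # the same command as in the post
}

case "${1:-}" in run) run_demo ;; esac
```

Run it as REDIS_PASSWORD=... sh tunnel.sh run (or export REDIS_PASSWORD beforehand so it stays out of your shell history). The tunnel is bound to 127.0.0.1 only, so nothing else on your network can use your forwarded port, and the control socket means the tunnel is closed cleanly when the script exits rather than being left running.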

Whitelist the SSH portal...

While we have a secure connection to the Redis database, the TCP haproxy portal is still accepting connections from unencrypted clients. Now, you may want this configuration or, more likely, you will want to ensure that only connections from the SSH tunnel are accepted. If that's the case, then the next steps are simple. Although we can't turn it off, we just need to stop the TCP portal talking to anything but the SSH tunnel.

For that, we can use the TCP Whitelist in the Security settings. If you go to the Security tab you'll see this under the portal switches:

Whitelist view

We want to add an IP address to our whitelist, so click Add IP. This takes us to the Add IP screen:

Add IP view

We can add a description for the IP address we're adding; it's purely for information purposes. The important part is the IP address, which we can get from the Deployment Topology chart seen earlier. The SSH proxy has an IP address of 10.0.26.102; your proxy will obviously have a different address, but whatever it is, enter it and click on the Add IP button.

... and the Compose services

Now, connections can come only through the SSH portal. The whitelist will block any other connections from other IP addresses. Things will work through the SSH tunnel, and you can set up multiple SSH tunnels between sites.

But Compose's own tools, such as the data browser, are also cut off when you turn on the whitelist. You will have to give them permission to work too, but that's super easy: if you go back to the Security tab you'll find this has appeared:

No Service

Click the button to whitelist the Compose services and you'll be good to go with Redis and SSH tunneled secure connections.