I'm trying to configure Redis (redis.conf, bind parameter) to accept access only from certain ips. In my case I want to enable access for the loopback network interface (127.0.0.1/::1) and for the ip 192.168.56.101 (192.168.56.102 is the ip of the Redis server). According to all the documentation that I have read so far the configuration below should work...
bind 127.0.0.1 ::1 192.168.56.101
... but that's not what happens.
I've tried several other configurations...
bind 127.0.0.1 192.168.56.101 ::1
bind 127.0.0.1 192.168.56.101
bind 192.168.56.101
bind 192.168.56.0
bind 192.168.0.0
... and nothing works. =|
The only configuration that worked was this...
bind 0.0.0.0
But, this configuration opens access to any ip!
NOTE: The protected-mode parameter (redis.conf) has a no value.
Any idea what might be happening?
REFERENCE:
Redis bind to more than one IP
https://redis.io/topics/security
http://download.redis.io/redis-stable/redis.conf
FURTHER QUESTION:
How could I enable access for an IP range (bind parameter)? Something like...
bind 192.168.56.0
... or...
bind 192.168.56.0/24
In these examples any machine with an ip starting at "192.168.56" will have access to the Redis server.
#Carl Dacosta
#Jacky
Thanks!
I think you misunderstand the bind configuration and IP-whitelist.
The bind configuration specifies the IP addresses that Redis listens to. If you bind Redis to loopback interface, only local clients can access Redis. If you want other hosts to access Redis, you have to bind Redis to all network interfaces (i.e. 0.0.0.0), or some specified network interfaces.
What's you need is IP-whitelist, which lists the IP addresses that can access Redis. AFAIK, so far, Redis DOES NOT support that (correct me, if I'm wrong).
There are other solutions to limit the access to Redis (all these solution needs Redis NOT to bind on loopback interface).
Limit access by authentication
You can use the requirepass configuration to set a password for Redis. Only clients with the password can access Redis.
Limit access by OS utility
On Linux, you can use iptables to control the network access. With this utility, you can only allow specified hosts to access the port that Redis bind to.
Related
I am trying to host typesense in a self-hosted virtual machine. I don't want to expose the typesense to the public. I want to restrict access from localhost
only. How can I restrict the typesense from accessing outside?
You want to set the --api-address and --peering-address to 127.0.0.1 to ensure that Typesense is only listening for inbound connections from localhost.
These two parameters are documented here: https://typesense.org/docs/0.23.1/api/server-configuration.html#using-command-line-arguments
--api-address
Address to which Typesense API service binds. Default: 0.0.0.0
--peering-address
Internal IP address to which Typesense peering service binds. If this parameter is not specified, Typesense will attempt to use the first available internal IP.
I have a broadband connection and it changes my ip address pretty frequently but will always be from xx.yy.0.0 to xx.yy.255.255
I want to use a CIDR address format like xx.yy.0.0/16
When i configure like this, redis server doesn't start up.
One alternative i have in mind is to allow redis on 0.0.0.0 but allow the port 6379 at the firewall to only xx.yy.0.0/16
I will end up doing like this, if redis doesn't support CIDR address binding out of the box.
please suggest.
log:Creating Server TCP listening socket (myip:port): bind: Cannot assign requested address
my redis.conf
bind 10.114.234.11
when i cofig like this
bind 127.0.0.1
it works well
You likely do not currently have any interfaces set up for the 10.x.x.x subnet. If you're on any flavor of Linux, ifconfig should be able to tell you which interfaces are currently set up. For example, I'm running Mint 17:
$ ifconfig | grep "inet addr"
inet addr:127.0.0.1 Mask:255.0.0.0
inet addr:192.168.1.3 Bcast:192.168.1.255 Mask:255.255.255.0
So I (like you) would not be able to bind Redis (or most any other service requesting a TCP socket) to 10.x.x.x. If you are really trying to listen for connections on that subnet, you will need to change your network setup (how exactly that would be done depends largely on your operating system).
I also faced same issue while setting up redis for remote access. I was using google cloud platform and we created Google compute engine VM instance where we installed our Redis server. Redis doesn't ship with by default with security configured. You have to perform some steps to secure it. By updating IP address in redis.conf in bind will allow access only from that IP addresses. When we were doing it, we were getting same error.
To solve this issue we haven't added IP addresses in redis.conf file instead in Google cloud firewall rules when we add port open record in network -> IP ranges you can specify IP address which you want allow to access redis. In redis.conf file update from bind 127.0.0.1 to bind 0.0.0.0. So basically we will restrict it from Google cloud firewall rules dashboard.
Below are steps to add IP address restrictions:
Login to your google cloud console
Navigate to VPC Network -> Firewall Rules
Click on CREATE FIREWALL RULE or edit existing one if it's already there
In Source IP ranges add your IP address to allow access only - See below screenshot
Once you create this rule add this source tags under your VM instances network type and you are done.
I have faced the same issue when I changed the default redis.conf to custom Redis conf and after changing the bind as below then it started working, Please be aware that the below conf will open the Redis connection from all sources.
bind 127.0.0.1 -::1 to bind 0.0.0.0 -::1
At /etc/redis/redis.conf
Please change
bind 127.0.0.1 ::1
to
bind 0.0.0.0
then restart
/etc/init.d/redis-server restart
It's work to me
Okay so I have been on Google for about an hour or so trying to figure this one out.
I have a L2TP/IPSec vpn setup. When clients connect a new interface is created for that client the issue is durning boot and most of the time these interfaces do not exist. My vpn range starts at 10.24.1.1 I want sshd to listen on 10.24.1.1 but when there is no client connected it failes to bind address
/var/log/secure:
Apr 15 01:38:26 arija sshd[28068]: error: Bind to port 22 on 10.24.1.1 failed: Cannot assign requested address.
which makes sense. My Question is. Is there a way to create some sort of dummy interface or just assign 10.24.1.1 so sshd will listen on it? Thanks for the help!!
Also Server is CentOs 6 64bit
you can just add the ip address you need to the interface during startup
the configuration depends on which linux flavor you're using, as an example for ubuntu it's located in /etc/network/interfaces.d/eth0.cfg.
Make sure you're excluding this address from the address pool you are using to provision IP Addresses to the L2tP clients
First of all, you need to understand, that in common situation service can listen only on 'up-and-running' interface with assigned IP. The reason of this is Linux core limitations. You can change this behavior at runtime with:
sysctl net.ipv4.ip_nonlocal_bind=1
or at boot time by setting same parameter in /etc/sysctl.conf:
...
net.ipv4.ip_nonlocal_bind=1
...
But there is simpler way for you: you can bind sshd to 0.0.0.0 in their config /etc/ssh/sshd_config:
...
ListenAddress 0.0.0.0
...
In the redis.conf the normal setting is
bind 127.0.0.1
I want redis to listen to another ip too (say my local development address)
I tried
bind 127.0.0.1, 123.33.xx.xx
but this does not work. I cannot find any relevant in the document or by googling. Hope someone can help.
Binding to multiple IPs is indeed possible since Redis 2.8. Just separate each IP by whitespace (not commas).
bind 127.0.0.1 123.33.xx.xx
Source: Official default config
This answer is not outdated and will work for both older and newer versions
The problem in understanding is that Redis binding doesn't show the client machine's address, but shows the interface through which connection should be established. In your example, if your local development (client) address is 123.33.xx.xx, it doesn't mean that you have to put exactly the same address as a binding, otherwise Redis service will not start.
So if ifconfig on your Redis server machine shows that you have some network interface similar to this:
eth0 Link encap:Ethernet HWaddr 00:0c:...
inet addr:192.168.1.110 Bcast:192.168.1.255 Mask:255.255.255.0
you can put the interface's address 192.168.1.110 as a binding and every request to Redis, which pass through this interface, should succeed.
Since:
--[ Redis 2.8 Release Candidate 1 (2.7.101) ] Release date: 18 Jul 2013
you can:
[NEW] Ability to bind multiple IP addresses.
Cheers!!
Edit: it seems that the correct way is, still, only one line and one or more IPs separated by space
This way:
bind 127.0.0.1 10.150.220.121
EDIT: This is an outdated answer. Please check newer answers for solution.
You cannot set redis to listen on specific multiple interfaces. If multiple interfaces are required just remove the bind line.
As #taro pointed out use firewall to restrict access.
I tried finding that answer too, as it stands, it's not possible to do this, I found this while searching for the answer on multiple (but not all interfaces). This is what turned up http://code.google.com/p/redis/issues/detail?id=497 stating it will not be supported by redis itself.
In conjunction with haproxy that makes it impossible to put it in front of redis in one go. You need to use a different port, or the other or choose to bind on 1 IP.
The only way this worked for me, was by adding separate lines:
bind 111.222.33.44
bind 127.0.0.1 ::1
bind 127.0.0.1 192.168.152.2
Note, I have to put the 127.0.0.1 first otherwise the 192.x will not be bound at system boot. However another systemctl restart redis will suffice -- might be a bug? (Debian 10 and Redis 5.0.3)
For macOS Homebrew installation, make sure you are editing /usr/local/etc/redis.conf instead of the template file: /usr/local/Cellar/redis/6.2.6/.bottle/etc/redis.conf