What is the recommended way to make a TLS/SSL connection to Redis sentinel using spring-data-redis and Jedis?
I'm using spring-data-redis 1.8.3.RELEASE with Jedis 2.9.0.
I understand that Redis does not provide direct support for TLS/SSL and instead recommends a secure proxy like spiped or stunnel. So lets assume I have setup the appropriate secure tunnels.
I can see that JedisConnectionFactory has a setUseSsl(boolean useSsl) method, but the value only seems to be used in createRedisPool() and not createRedisSentinelPool(), which leads me to think it is currently not possible with Redis sentinel.
Additionally, even when using standalone Redis and setting useSsl to true, there doesn't appear to be a way to set the SSLSocketFactory or parameters, so it will likely end up relying on the JVM's SSL system properties which is problematic if those aren't the SSL properties you wanted to use to connection to the secure tunnel.
Just trying to confirm if my above assumptions are correct, and if not then looking for pointers in the right direction. Thanks.
Related
Considering Redis Security Document, is my thoughts right?
Redis does not provide strong security functions by itself.
Redis already assumes that only trusted Redis clients are connecting in a secured network.
Simple security setting, for example, IP restriction settings in OS firewall is a way.
I don't think that Redis security is wrong. Basically, Redis is a backend program in a private network, just like Database servers are.
Redis security is weak, but security does matter.
It can be observed from the document itself that different methods are mentioned to address the weak points, such as, implementing authentication.
It is also mentioned that the "Redis is not optimized for maximum security but for maximum performance and simplicity". Hence, it is up to the developer to implement the security.
For example, setting the remote{} configuration, does that also set the transport that is used internally for cluster communication, for example, the heartbeat messages.
I am not asking for any use case purpose I am asking so I better understand what's happening behind the scenes.
At the moment (Akka.NET 1.3) uses its own protocol for remote communication on top of TCP connection - only a single connection is used by every node-to-node connection. This video discusses it in greater detail.
In future, it will probably change to match JVM version of akka - two major ideas are:
"lanes": multiple connections for each pair of nodes, to avoid head-of-line blocking, that is inherent problem of TCP.
Add support for other protocols, such as Aeron, which is also supported by akka on JVM.
I want to expose Redis HA service running in kubernetes to clients running outside the cloud. For this, I'm trying to setup envoy which supports Redis.
I'm using ambassador which is a wrapper around envoy for kubernetes. Followed this doc for the initial setup. I'm new to envoy and kubernetes.
How can I configure ambassador to act as proxy for my Redis service?
I'm guessing there is someplace to specify address of the Redis service in the proxy. Finding it hard to get this info.This page refers to Redis proxy in envoy documentation but I don't follow where to make the changes.
Also, I'm interested only in the edge proxy feature, not the service proxy feature of envoy for my use case.
I'd focus on your first sentence rather than your own conclusions which follow.
You want to expose Redis to the public network.
How you ended up with Envoy is beyond me; you probably only need a Kubernetes service with type set to LoadBalancer.
This is a terrible idea because Redis is unauthenticated by default, and the connection is in clear-text, don't say you haven't been warned ;-)
As for Envoy, sure, it does support Redis, but Ambassador has nothing to do with it, and if I understand your requirement correctly, is an entire overkill which seems to mostly distract you rather than help you get the job done.
https://kubernetes.io/docs/tutorials/stateless-application/expose-external-ip-address/
I am using ServiceStack 5.0.2 with Redis Sentinel (3 + 3) and having issues in case of a failover: commands being issued during or after a failover fail with timeout.
I have come up with an idea to implement retry pattern via custom IRedisClient. But probably there is a better strategy to employ in this case.
Answer given in the post How does ServiceStack PooledRedisClientManager failover work? does not seem to be the right way to go.
Thank you,
Redis Clients wrap a TCP connection with a Redis Server, a Redis Client that was connected with the instance that failed over will fail, but any new Redis Clients retrieved from the pool after failover will be connected to the new failed over instance.
I am trying to enable TLS for kafka broker exchanges and had a thought regarding Zookeeper TLS. Currently, on Apache Kafka Documentation I cannot see much mentioned about ZK TLS setup (ok, probably because it's a different apache project) and any possible performance impact.
The question is, can I not have the ONLY broker-client and inter-broker exchanges secured? Do I also need to add TLS to zookeeper? Extra security isn't bad, but is it really necessary to it even for zookeeper?
Zookeeper with TLS is only available in Zookeeper 3.5 which is still in beta. Therefore, Kafka isn't supporting TLS connections to zookeeper yet. Doesn't mean you can't do it but it does mean you won't find much documentation on it and if you run in it on something important, you are putting yourself at risk. In this case, I would say the extra security could hurt.