03:19:03 GMT <minimalism> Can anyone recommend an example of a hardened redis.conf?
04:47:18 GMT <solrize> hardened against what?
04:48:23 GMT <solrize> minimalism, redis has no security to speak of except you can set an authentication password for new connections.  basically you're supposed to run it on localhost and/or firewall it so that only your intended client can connect to it
04:49:23 GMT <minimalism> solrize: Just generally hardened to make things a little more secure. I know it's not the same as hardening a system or anything, but there must be some recommended configuration for security.
04:49:52 GMT <minimalism> For one, disabling any command that could wipe out your database. I believe there was something about binding for the sake of security
04:49:54 GMT <solrize> yeah there's some info in the docs, but basically anything that can connect to it can pwn it
04:50:14 GMT <solrize> i dunno about disabling commands but you can rename them
04:50:15 GMT <minimalism> You're really inspiring confidence in redis
04:50:30 GMT <solrize> so you can rename delete to some random 20-char unguessable string
04:50:39 GMT <solrize> redis is not supposed to be exposed to untrusted users
04:50:54 GMT <minimalism> Of course not, but you should always do everything you can to make something secure
04:50:57 GMT <solrize> how do you secure your car against someone who has the keys to it?
04:51:08 GMT <solrize> secure against what?
04:51:19 GMT <minimalism> Anything. Just less openings for exploitation.
04:51:26 GMT <solrize> exploitation by who?
04:51:29 GMT <minimalism> I just have my worries the default config even with a password is not all that safe
04:51:37 GMT <solrize> use a strong random password
04:51:49 GMT <solrize> but yeah, passwords aren't great since they're sent in the clear
04:52:01 GMT <solrize> you can proxy redis through ssh or stunnel or something but that gives you a speed hit
04:52:25 GMT <solrize> really it should be on the same host as the connecting application if possible, or else the same LAN or at worst VPN
04:53:27 GMT <solrize> might be useful to add a challenge-response protocol to authenticate connections, but an active attacker could take over an authenticated connection once you opened it
04:54:07 GMT <minimalism> I'm reading this one article right now that mentions renaming all commands like flushdb, flushall, etc.
04:54:16 GMT <minimalism> And also mentions binding to localhost instead of default of all connections
04:55:35 GMT <solrize> yeah
04:55:45 GMT <solrize> that's the most useful thing
04:55:53 GMT <solrize> it means your client has to be on the same host though
04:56:16 GMT <minimalism> I just want to know all the obvious things one should do to increase security. Not a convoluted moon shot or anything.
04:56:32 GMT <minimalism> I have my doubts these articles are up to date though. I'm just comparing redis.conf files between distros and operating systems
16:10:37 GMT <ch01ce> Hey! I'm trying to connect to redis inside a docker container over a unix socket which is exposed from the docker volume. Any combination of unixsocketperms and redis versions has so far been unsuccessful. I'm always getting Connection refused (error 61). Connecting to the unit socket inside the container works fine.
16:12:46 GMT <ch01ce> I'd expect this to be the safest way to connect to Redis, but if it doesn't work I'll take the regular route.
16:13:09 GMT <minus> docker is kinda overkill for redis anyway
16:13:23 GMT <ch01ce> I didn't ask for your opinion on docker
16:13:24 GMT <minus> lemme give it a shot
16:14:30 GMT <minus> then again i'd need a properly preconfigured redis in docker and building an image for that isn't fun
16:14:58 GMT <ch01ce> https://gist.github.com/lauripiisang/e9f48419cf923bc8e48b52368a76a7ea
16:14:59 GMT <ch01ce> here you go
16:15:37 GMT <ch01ce> the only thing you need to change from the example configuration file on redis' homepage is `unixsocket /tmp/redis/myredis.sock`
16:17:12 GMT <ch01ce> do you have any insight into why what I have described might not work?
16:17:31 GMT <ch01ce> From my understanding, a socket is a socket, no matter where it is
16:18:15 GMT <ch01ce> I get the distinct feeling that redis tries to ensure only the local host is connecting to that socket
16:18:16 GMT <minus> unix sockets are not restricted by network namespaces, so they should work
16:22:58 GMT <minus> docker run --rm -ti -v /tmp/redis:/tmp/redis redis:3.2 /usr/local/bin/redis-server --unixsocket /tmp/redis/redis.sock
16:23:00 GMT <minus> sudo redis-cli -s redis/redis.sock
16:23:02 GMT <minus> works at least
16:25:11 GMT <markuman> you run docker as user, but needs root privilegs to connect to the socket?
16:25:41 GMT <minus> redis inside the docker runs as root in this case
16:26:38 GMT <minus> if you don't call it with the full path (i.e. as redis-server only) the entrypoint script will change user to `redis`. redis couldn't create the socket then so i just bypassed that and ran as root
16:27:04 GMT <minus> i can control docker without sudo because i do have permissions on its control socket, i.e. i'm in the docker group
16:27:29 GMT <ch01ce> connecting with docker is easy, as demonstrated in the composefile I sent you 13 minutes ago.
16:28:02 GMT <ch01ce> connecting without docker is what I asked about. Using local redis-cli to connect to that socket
16:29:31 GMT <minus> that redis-cli was outside of docker
16:30:22 GMT <ch01ce> oh
16:33:02 GMT <ch01ce> Odd that unixsocketperm 777 has no effect on this
16:35:30 GMT <minus> i couldn't chmod the socket permissions from the outside fwiw
16:37:39 GMT <ch01ce> even so, I'm unable to connect
16:38:19 GMT <ch01ce> Could not connect to Redis at /tmp/redis/redis.sock: Connection refused
19:10:41 GMT <t0th_-_> hi
19:11:05 GMT <t0th_-_> i am using redis with my php aplication, but sometimes the server are stoped, how i can solve this?
19:11:07 GMT <t0th_-_> memory problem?
19:12:58 GMT <t0th_-_> ?
20:03:38 GMT <minus> "sometimes the server are stoped" is not an accurate problem description
21:18:04 GMT <Toger> Is anyone running Redis Cluster in AWS?  Are you instantiating the cluster with Chef or Cloudforrmation?