00:32:59 GMT anyone?
00:33:01 GMT :(
15:32:25 GMT JOIN
17:04:35 GMT is there any security best practices documentation available?
17:04:38 GMT a default config maybe that's out there? etc
17:04:41 GMT something like: must use tls for all connections, must use auth, run as low priv user, etc
17:04:46 GMT looking for a safe way to deploy this out to an enterprise and i'm not overtly familiar with the application/service
17:46:21 GMT crayon: there should be docs on the website regarding securing redis, not sure if it covers TLS as redis itself does not support that, but i've seen stunnel being recommended
17:51:47 GMT antirez posted a great article here: http://www.antirez.com/news/96
17:51:57 GMT aye
17:52:03 GMT but i'm really curious about additional layers of security that may be available
17:52:35 GMT well, since redis doesn't offer those it's up to third party tools and firewalls and vpns depending on what you do
17:53:21 GMT any general ideas or areas that come to mind immediately?
17:53:23 GMT i'm not sure if there's any proxies that allow restricting the set of available commands and providing logins
17:54:28 GMT i also want to make sure that i'm not overlooking obvious configurations shipped with redis (i.e. disabling options that may not always be necessary by default)
17:55:42 GMT trying to minimize looking at 3rd party security
17:56:02 GMT so anything that could be shipped in the config i'm considering first
17:56:21 GMT well, you can rename commands in the config
17:56:37 GMT you could rename the config command and protect the config from being changed
17:56:52 GMT that's a pretty big win in case anything with access to redis is compromised
17:56:54 GMT wow, that's really creative
17:57:02 GMT i thought you could only alias?
17:57:39 GMT no, you can only rename it
17:57:56 GMT what'd be the point to aliasing it
17:59:01 GMT can you give an example of what that might look like? i thought it was something like this: redis_alias_commands: [ 'bgrewriteaof', 'bgsave', 'debug', 'del', 'flushall', 'flushdb', 'keys', 'pexpire', 'rename', 'save', 'shutdown', 'spop', 'srem' ]
17:59:39 GMT i agree, i just read that if it was excluded on the redis_alias_commands line it would be essentially disabled
18:00:13 GMT i guess whatever you're using there will rename it to random names (32 char or so)
18:00:27 GMT i.e. you could still use them if you know the new name
18:00:32 GMT i.e. if redis_alias_prefix is an empty string, all of the commands on the list will be disabled.
18:00:45 GMT mh
18:00:45 GMT oh i see
18:01:16 GMT can you share with me how you were thinking to directly disable config?
18:01:34 GMT ah, rename-command CONFIG ""
18:01:55 GMT ah! okay cool same wavelength here then since i defined redis_alias_prefix to ""
18:02:01 GMT fyi, the default config has lots of comments and best practices if you haven't looked at that
18:02:49 GMT i really appreciate your help and assistance with thinking through this aloud with me :)
18:03:45 GMT are you gonna be working with redis or just adminning it
18:04:10 GMT just admin
18:04:36 GMT i expect our engs to be working with it regularly though since it is a tech consideration right now
18:08:03 GMT cool. it's pretty nice to work with. can't say much about cluster or HA deployments though, as i'm more on the engineering side
18:08:35 GMT yeah we're working in k8s
18:08:41 GMT it's.... rather interesting
18:08:42 GMT lol
18:08:53 GMT k8s?
18:09:13 GMT kubernetes
18:10:26 GMT oh, i'd like to have a less manual environment too. well, at least we do have ansible to do the usual deployments with "one click"
18:11:51 GMT it has been very uphill for me
18:12:22 GMT a lot of re-engineering and re-architecting as we gear to be more security conscious
18:12:37 GMT some things have become really challenging
22:34:11 GMT join