Redis is a flexible open-source, configurable key-value store, using an in-memory system data storage model to achieve high performance. It comes with an array of features including transactions, automatic failover, pub/sub, among other unique functionality. Redis is widely recognized for its performance, scalability, flexibility, and extensive support for languages.
It’s based on simplicity with a few lines of code that do a lot. Regardless of your work on memory, it has a reasonable fairy support for high availability and clustering that works well in ensuring your data is safe. Redis was made to serve clients who want a trusted and secure environment. This guide will provide direction on the process of installing and configuring Redis on a CentOS 7 server.
Before we get started, you will require the following:
- One dedicated server running a clean installation of CentOS7
- Two Droplets of any size.
- Access to your system through SSH with a sudo root user.
Note: dedicated servers are one of the best options for heavy-duty websites, and are able to support millions of page hits per month depending on configuration. On HostAdvice you can browse through the best dedicated hosting providers in the world, and compare user reviews, prices and features.
To install the necessary packages on CentOS7, start by running the following command:
$ yum install wget make gcc
Step 1: Install Redis
In this case, it is important to add the Extra Packages for Enterprise Linux (EPEL) and use it to install Redis. EPEL contains several open-source software packages.
Use YUM to Install EPEL:
$ sudo yum install epel-release
After installing EPEL, install Redis using yum:
$ sudo yum install redis -y
Wait for a couple of minutes for the process to complete, then start Redis:
$ sudo systemctl start redis.service
Optional: To starts Redis automatically on boot run the command below:
$ sudo systemctl enable redis
To check the status of Redis, run the following command:
$ sudo systemctl status redis.service
redis.service - Redis persistent key-value database Loaded: loaded (/usr/lib/systemd/system/redis.service; disabled; vendor preset: disabled) Drop-In: /etc/systemd/system/redis.service.d └─limit.conf Active: active (running) since Thu 2018-03-01 15:50:38 UTC; 7s ago Main PID: 3962 (redis-server) CGroup: /system.slice/redis.service └─3962 /usr/bin/redis-server 127.0.0.1:6379
Verify that Redis has installed successfully with by running the command:
$ redis-cli ping
If Redis is running, you should see the response PONG. This shows the Redis application is running successfully on your web server. We can now go ahead and configure it to increase its security in the system.
Step 2: Configuring Redis
The best way to ensure Redis is safe is to ensure the server it's running on is secure. This can be done by ensuring Redis is attached to a localhost or a reserved IP address. It is also important to ensure that the web server has firewall that is running successfully.
Start with opening the Redis configuration box and run the following command:
$ sudo vi /etc/redis.con
Look for a line that shows bind as follows:
/etc/redis.conf bind 127.0.0.1
If you plan to access Redis from a different host, it’s recommend to connect it with another IP address to increase its exposure to the outside parties. You should have something like this:
/etc/redis.conf bind your_private_ip
If you don’t plan to bind Redis with another host, there is no need to include additional Redis firewall rules. Reason being, any traffic directed towards Redis will be used in default mode unless the firewall guidelines openly permit them.
On the other hand, if you don’t plan to connect to Redis from a different host, it is important to adjust your firewall configuration by running the command below for your firewall:
$ sudo firewall-cmd --permanent --new-zone=redis
Specify the port you would like remain open. By default, Redis use port 6397:
$ sudo firewall-cmd --permanent --zone=redis --add-port=6379/tcp
Include any private but secure IP address that should access Redis:
$ sudo firewall-cmd --permanent --zone=redis -add source=client_server_private_IP
Reload the system firewall settings to apply these changes:
$ sudo firewall-cmd --reload
Using these configurations, a firewall will update and apply these rules in a specific Redis zone anytime it sees information from your client’s IP address.
Step 3: Configuration of the Redis Password
This process enables the functionality of its security components which require your clients to verify their identity before accessing any data in the system. In this case, the key passcode is directly configured in Redis’s as follows:
Open the file:
$ sudo vi /etc/redis.conf
Click on the SECURITY section then search for the text that reads:
/etc/redis.conf # requirepass foobared
Make sure you uncomment the directive by getting rid of # and change the section that reads footbared to a stronger password
When you enter the command above the same passcode will appear. So, you need to come up with a new password and make some changes in the words in quotes:
echo "HostAdvice" | sha256sum
The password should be strong and long to ensure your system is secure.
The command output should read like this:
/etc/redis.conf requirepass password_copied_from_output
Once you set the password, you can now access Redis:
To test whether the password you have created for Redis is working, run the following command to try to set-up a key value before the authentication process:
127.0.0.1:6379> set key1 10
If Redis have not been authenticated, it will return the following error:
Output (error) NOAUTH Authentication required.
The command below authenticates with your password in your Redis file:
127.0.0.1:6379> auth your_redis_password
Redis application will show that the password has been authenticated with the text “OK.”
Once it’s done, run the earlier command and ensure it is successful.
To exit the system, use the command
redis-cli. 127.0.0.1:6379> quit
Now, it should be hard for unauthorized people to gain access to your Redis files.
Step 4: Set-up of Data Ownership and Authorizations
In this section, we will go through several data ownership and file authorization you may need to change to secure the Redis Installation. This is to ensure only the authorized user access Redis.
You can do this by typing the command below:
$ ls -l /var/lib | grep redis
The output should look like this:
drwxr-xr-x 2 redis redis 4096 Aug 6 09:32 redis
To make sure the Redis user can access the data directory, change the permission setting to authorize file 770 as shown below:
$ sudo chmod 770 /var/lib/redis
Also, change the application configuration folder which has a file authorization of 644 in default mode. Run the command below:
$ ls -l /etc/redis.conf
The output should look like this:
rw-r--r-- 1 root root 30176 Jan 14 2014 /etc/redis.conf
The permission 664 may be readable which can present a critical security issue. So go ahead and configure file’s permissions. To do this run the command below:
sudo chown redis:redis /etc/redis.conf
Change ownership and authorization to make sure that only the Redi User can access the file:
$ sudo chmod 660 /etc/redis.conf
Verify the permissions using the command below:
$ ls -l /etc/redis.conf
The output should be like this:
total 40 -rw------- 1 redis redis 29716 Sep 22 18:32 /etc/redis.conf
Restart the Redis afresh to confirm it’s configured:
$ sudo service redis-server restart
Congratulations, you now have a fully installed and configured Redis, so your system is secure.
That’s enough to get you started with Redis installation on your server. With this, it can be easy to enjoy the security features that come with Redis. The most crucial security feature you should consider is the application’s firewall to prevent unauthorized users from accessing your server.