
We have 6 Redis servers running on ports (8001, 8002, 8003, 8004, 8005, 8006).
In the redis.conf of every Redis server we bind the IP in different ways, like:

  • bind 0.0.0.0
  • bind PRIVATE PUBLIC
  • bind PUBLIC

If we access it like this, it works fine:

redis-cli -h PUBLIC_IP -p 8001

But when we want to create the cluster we run:

./src/redis-cli --cluster create PUBLIC_IP:8001 PUBLIC_IP:8002 PUBLIC_IP:8003 PUBLIC_IP:8004 PUBLIC_IP:8005 PUBLIC_IP:8006 --cluster-replicas 1

The console always shows the following and stays at "Waiting for the cluster to join" forever:

Master[0] -> Slots 0 - 5460
Master[1] -> Slots 5461 - 10922
Master[2] -> Slots 10923 - 16383
Adding replica PUBLIC_IP:8005 to PUBLIC_IP:8001
Adding replica PUBLIC_IP:8006 to PUBLIC_IP:8002
Adding replica PUBLIC_IP:8004 to PUBLIC_IP:8003
>>> Trying to optimize slaves allocation for anti-affinity
[WARNING] Some slaves are in the same host as their master
M: 7ab009459f7f5cf6cef5f46b691748dc236e4c26 PUBLIC_IP:8001
   slots:[0-5460] (5461 slots) master
M: 0048ca2cd65c1315b8f0a7c952b69bfb494d5ace PUBLIC_IP:8002
   slots:[5461-10922] (5462 slots) master
M: c6ee023719f200b0d175f428fa15e5ab767d0e04 PUBLIC_IP:8003
   slots:[10923-16383] (5461 slots) master
S: cf636a1a46b1e947daec3e797cac524c613f08ca PUBLIC_IP:8004
   replicates 7ab009459f7f5cf6cef5f46b691748dc236e4c26
S: 5d4bd1041457114353b0b30dbefd86ab8e4ae020 PUBLIC_IP:8005
   replicates 0048ca2cd65c1315b8f0a7c952b69bfb494d5ace
S: 62f01289dc3f72cac4a1745fc77b7bd91ec5d107 PUBLIC_IP:8006
   replicates c6ee023719f200b0d175f428fa15e5ab767d0e04
Can I set the above configuration? (type 'yes' to accept): yes
>>> Nodes configuration updated
>>> Assign a different config epoch to each node
>>> Sending CLUSTER MEET messages to join the cluster
Waiting for the cluster to join

A lot of people say that we need to bind the private IP, but we want to do it on the public one because when we connect from the external machines the cluster redirects to the master that contains the key; if we bind the private IP the redirect will show "redirect to PRIVATE_IP" and that will not work as expected.

Are we missing something to let the cluster join by public IP?

2 Answers


  1. From the Redis security guide:

    Redis is designed to be accessed by trusted clients inside trusted environments.

    See also: How to connect to redis from remote guide

    When a server binds on its public IP, it can get requests from everyone, so unless you have built some security around it, anyone can access and manipulate your data.

    In a Redis cluster the rules are the same, and the replicas which bind on public IPs are exposed.

    The default use case for a Redis cluster is that one machine (or multiple machines) accesses it from within its private network, and you shouldn't divert from that unless you know what you are doing security-wise.

    If it makes sense for your use case, you should make the machine which accesses the Redis cluster a part of the cluster's private network.

  2. What I would be doing if I were at your place is:

    • Bind all the servers to the private IP and the loopback IP, i.e. bind {{ private_ip }} 127.0.0.1
    • Enable ufw (or any other firewalling tool) on each server and do (for ufw) allow from {{ private_ip }} to any port {{ redis_port }} or similar.
    • My internal DNS will have an entry for all the servers with their respective private IPs.
    • Voila! Create and access the Redis cluster securely without any security breach.

    NOTE: if you still want to access them over public network then you can do some workaround with SNAT

    WARNING: binding redis server to 0.0.0.0 or public ip might cause serious vulnerability issues like:

    PS: You can also follow this medium tutorial.

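Added example, not part of either answer: a POSIX shell script that renders the `bind`/`port` directives and the ufw rules answer 2 describes for one node, and audits existing `bind` lines the way a reviewer would when checking the three variants in the question. The addresses 10.0.0.5 and 203.0.113.7 are constructed sample values and the function names are mine. It adds one detail the answers do not spell out: Redis cluster nodes also talk to each other on a cluster bus port, by default the data port plus 10000, so the firewall rule has to cover that port as well as the data port.

```shell
#!/bin/sh
# Added example (not from the original post): render the hardened bind/port
# directives and ufw rules from answer 2, and audit redis.conf bind lines.
# Sample addresses below are constructed; 203.0.113.0/24 is a documentation range.

# Returns 0 when the address is loopback or RFC1918 private, 1 otherwise.
is_private_ip() {
  case "$1" in
    127.*)                                  return 0 ;;
    10.*)                                   return 0 ;;
    192.168.*)                              return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*)  return 0 ;;
    *)                                      return 1 ;;
  esac
}

# Audit one redis.conf "bind" directive. Prints a per-address verdict and
# returns 0 only when every bound address is private or loopback; returns 1
# for a wildcard bind, a public address, or a bind line with no address
# (which makes Redis listen on all interfaces).
audit_bind_line() {
  line="$1"
  set -- $line
  [ "$1" = "bind" ] || { echo "not a bind directive: $line"; return 1; }
  shift
  [ $# -gt 0 ] || { echo "EXPOSED: bind with no address listens everywhere"; return 1; }
  rc=0
  for addr in "$@"; do
    case "$addr" in
      0.0.0.0|'*'|::) echo "EXPOSED: wildcard bind $addr"; rc=1 ;;
      *)
        if is_private_ip "$addr"; then
          echo "ok: $addr"
        else
          echo "EXPOSED: public address $addr"; rc=1
        fi ;;
    esac
  done
  return $rc
}

# Emit the redis.conf directives answer 2 recommends for one cluster node.
render_node_conf() {
  private_ip="$1"; port="$2"
  printf 'bind %s 127.0.0.1\n' "$private_ip"
  printf 'port %s\n' "$port"
  printf 'cluster-enabled yes\n'
  printf 'protected-mode yes\n'
}

# Emit ufw rules that let one private peer reach the data port and the
# cluster bus port (data port + 10000 by default in Redis).
render_ufw_rules() {
  peer_ip="$1"; port="$2"
  bus_port=$((port + 10000))
  printf 'ufw allow from %s to any port %s proto tcp\n' "$peer_ip" "$port"
  printf 'ufw allow from %s to any port %s proto tcp\n' "$peer_ip" "$bus_port"
}

# Walk the three bind variants from the question plus the recommended one.
for line in "bind 0.0.0.0" "bind 10.0.0.5 203.0.113.7" "bind 203.0.113.7" "bind 10.0.0.5 127.0.0.1"; do
  echo "== $line"
  if audit_bind_line "$line"; then
    echo "verdict: private-only, suitable for a cluster node"
  else
    echo "verdict: reconfigure before joining a cluster"
  fi
done

echo "== rendered config for node 10.0.0.5:8001"
render_node_conf 10.0.0.5 8001
echo "== rules allowing peer 10.0.0.6 to reach that node"
render_ufw_rules 10.0.0.6 8001
```

Run it with `sh audit_bind.sh`; only the first of the three variants from the question (`bind 0.0.0.0`) is a wildcard, but all three are flagged because each exposes a public address. Repeat `render_ufw_rules` once per private peer (or use the private subnet in place of a single peer IP) so every node can reach every other node's data and bus ports.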