How to secure Redis Cluster?
SSH tunnel may be an easy solution:
- You don't need to expose the Redis port to the outside world, only the SSH one.
- SSH supports data compression, which can reduce the transfer between data centers.
Quick Example:
ssh -f -L 1234:localhost:6379 server.com -NC
This will route any incoming connection to localhost:1234 to the remote server.com:6379. So, you can replace server.com:6379 with localhost:1234 in your redis config file.
You could check man ssh for more information.
If any protocol flies over the internet you would need encryption ("SSL"), e.g. across data centers. This in general will affect performance. In the current security spec of Redis (http://redis.io/topics/security) it is advised that SSL is not supported and you would require an SSL proxy. This should in general cause a system performance hit, e.g. latency, that you would have to take into account.
So ideally cluster nodes should be co-located. If they cannot be, then the cluster should be designed so that it limits cross-site data transport or does it offline without any real-time constraints.
I have also chosen to disable/enable commands on a need-only basis for each node (see details in the security spec above). I am not sure if this is supported in cluster mode or not.
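
An added example, not part of either answer: a small Python audit of a redis.conf that checks the two hardening points raised above, namely that the node binds only to loopback (so the SSH tunnel is the only way in) and which commands are disabled or renamed with rename-command. The sample config is constructed, and treating a missing bind directive as "all interfaces" is an assumption of this example.

```python
import ipaddress
import shlex

# Constructed sample config for a node reached only through the SSH tunnel.
SAMPLE_CONF = '''
# redis.conf (constructed sample)
port 6379
bind 127.0.0.1 -::1
protected-mode yes
rename-command CONFIG ""
rename-command FLUSHALL ""
rename-command DEBUG "dbg-7f3a"
'''

def parse_conf(text):
    """Return a list of (directive, args) from redis.conf-style text."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # keeps quoted empty strings such as ""
        out.append((parts[0].lower(), parts[1:]))
    return out

def is_loopback(addr):
    """True only for a literal loopback address; a leading '-' marks it optional."""
    try:
        return ipaddress.ip_address(addr.lstrip("-")).is_loopback
    except ValueError:  # wildcards such as '*' are not loopback
        return False

def audit(text):
    """Report non-loopback bind addresses and disabled/renamed commands."""
    exposed, disabled, renamed, saw_bind = [], [], {}, False
    for name, args in parse_conf(text):
        if name == "bind":
            saw_bind = True
            exposed += [a for a in args if not is_loopback(a)]
        elif name == "rename-command" and len(args) == 2:
            if args[1] == "":
                disabled.append(args[0].upper())  # renamed to "" = disabled
            else:
                renamed[args[0].upper()] = args[1]
    if not saw_bind:
        exposed.append("*")  # assumption: no bind directive means all interfaces
    return {"exposed": exposed, "disabled": sorted(disabled), "renamed": renamed}

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

An empty "exposed" list means every bind address is loopback, which is the state the tunnel setup relies on.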