NodeJS - securely connect to external redis server

主宰稳场 提交于 2020-01-06 15:18:56

问题


On my main server, I fetch data from an external/seperate redis server which is accessed through an api https://localhost:7000/api/?token=**** which works. However token and api is not secure. And since I want to have redis server to be separate, this technique isn't suited for my case.

In my case I want to have 2 independent servers A and B.
A should load data from B without using an api or url call... Instead it should use port (e.g. //server:123). This way server B can only be accessed from A.

I want this approach to work for both development and production. AWS has "Server Groups" I believe, but that's production only...


So is there a way to create this kind of connection with nodejs? I also want to know if this is only possible having a running server already, since I don't have one yet.

Note: In case you are wondering, I use redis to store private keys for encryption, so I need a secure, separate server which can be controlled independently


回答1:


It is not very clear what you're trying to do since accessing data from another server without using an API does not really make sense. Anything you do to access it is some type of API.

If you want to make it so that only server A can access server B, then you have a number of choices to make that secure:

  1. Require authentication whenever server B is accessed and make it so that only server A has those authentication credentials.

  2. Assuming server A and server B are in your same server infrastructure, put the server B API on a port that is not available to the outside world, but is only available from within your server infrastructure (this usually involves picking a port that your firewall to the outside is blocking access to).

  3. On server A, only accept connections on its API from the specific IP address of server B.

You can even implement more than one of these options at once. For example, it's not uncommon to use 1) and 2) together.




回答2:


Stunnel is built for that ! basically speaking it's a vpn ! but not for machines for ports ! it's a bit complicated , you will have to deal with certificates and a couple of other things (config both servers...) but once it's done it's a breeze to launch and reuse (just launch a file) give it a try !

and see this link : https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ssl-tunnel-using-stunnel-on-ubuntu

you should also consider adding an ip table rule at the database server to allow access to your server only.

Edit:

Keep in mind that redis was designed to be used in a trusted environment . This means that the security layer will not be redis itself but a third party software that u'll need to setup.

For dev purpose no need to make this bulletproof. And even if you want to , it's kinda hard to do . because the security of your app is mainly depending on the infrastructure of the company that will host your app.

That being said , if you want to secure a redis instance in a localhost environment . a rule at the ip table allowing only the localhost to access your port 6379 will be suffcient.

The other thing that could compromise the security of your redis DB is the app itself . An important aspect of this is to validate EVERYTHING , it should be a good start.

Finally if you want to dive a bit deeper take a look at this link

https://www.digitalocean.com/community/tutorials/how-to-secure-your-redis-installation-on-ubuntu-14-04

hope this helps !



来源:https://stackoverflow.com/questions/38088503/nodejs-securely-connect-to-external-redis-server

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!