Using stunnel to secure Redis
Foreword
What do you do if you want to secure access to your Redis?
Plain password authentication (i.e. the authentication command) only gets you so far, and in some cases you need something a little stronger.
There are several ways you could go about that, such as firewalling your Redis or using spiped (security pipe), but (post-Heartbleed) SSL is still one of my favorites.
The following article explains how to set up a secure (read: authenticated and encrypted) communication channel between your Redis client and server.
Naturally, this is the do-it-yourself hardcore approach, so if you want to have Redis and SSL without the heavy lifting, check out our plans and the Redis clients that natively support SSL.
-- Itamar
Lately, if you have been paying attention to tech or even mainstream media, you might have seen a few stories about data breaches.
Sometimes these data breaches have allowed attackers to gather unencrypted passwords or credit card numbers.
In the past these types of attacks still happened, but there were not as many attacks as today, and when they happened they were kept secret.
With more and more internet-based services becoming part of people's lives, there are even more targets for attackers who are looking to get sensitive data.
These attackers can often be quite crafty in the ways they get this data. Many times they do it by gaining access to a database, but another common place to capture and steal data is unencrypted network traffic.
There are many commonly used services that either do not support SSL encryption or where that option is rarely used.
Redis, a distributed memory cache, is a newer service that at this time does not support SSL connections.
I've been using Redis lately on one of my side projects, but I keep finding myself limited by the lack of SSL encryption.
2015/6/1
Redis security
Redis has been designed for use within a trusted private network, and does not support SSL-encrypted connections.
While that is OK for many implementations, it does not lend itself well to cloud-based implementations.
While some cloud providers offer private networks, not all of them do.
So if you want to run a Redis master on one server and your application on another, you have no choice but to leave that connection unencrypted, leaving that sensitive traffic to be sent across the cloud provider's network, or even the general internet, with no protection from someone with a network sniffer.
In this article I am going to show you how to secure your Redis connections with stunnel. This article handles the SSL part of securing a connection, but you should also follow the other recommendations in Redis Security.
What is stunnel?
The stunnel application is an SSL encryption wrapper that can tunnel unencrypted traffic (like Redis) through an SSL-encrypted tunnel to another server.
While stunnel adds SSL encryption, it does not guarantee 100% that the traffic will never be captured unencrypted.
If an attacker was able to compromise either the server or the client machine, they could capture unencrypted local traffic as it is being sent to stunnel.
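The split the section describes, plaintext only on the loopback interface and SSL between the two hosts, as an added shell example that is not from the article or from the stunnel project: it writes a server-side and a client-side stunnel configuration for Redis. The host name redis.example.internal, the tunnel port 6380, the file names and the output directory are assumptions. Each side presents its own self-signed certificate and trusts the other side's certificate directly, and `verify = 2` makes stunnel reject a peer that cannot present the expected certificate, so the tunnel is authenticated in both directions, which is the authenticated-and-encrypted channel the foreword asks for.

```shell
#!/bin/sh
# Added example, not code from the original article or from stunnel.
# Writes two stunnel configurations that wrap Redis traffic in
# mutually authenticated SSL. Assumed values: the Redis host name
# redis.example.internal, the tunnel port 6380 and the file names below.
set -eu

REDIS_HOST="${REDIS_HOST:-redis.example.internal}"   # assumed server name
TUNNEL_PORT="${TUNNEL_PORT:-6380}"                   # assumed SSL port

# Self-signed certificate and key for one side of the tunnel (openssl).
make_cert() {
    dir="$1"; name="$2"; cn="$3"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/$name.key" -out "$dir/$name.crt" -subj "/CN=$cn"
}

# Server side: terminate SSL on $TUNNEL_PORT and forward plaintext to the
# local Redis, which should itself only listen on 127.0.0.1 so that the
# tunnel is the only way in from the network.
write_server_conf() {
    dir="$1"
    cat > "$dir/redis-server.conf" <<EOF
; stunnel server side (assumed path: /etc/stunnel/redis-server.conf)
foreground = yes
pid =
cert = $dir/server.crt
key = $dir/server.key
; Require the client's certificate and check it against this file:
; only a holder of client.key can open the tunnel.
CAfile = $dir/client.crt
verify = 2

[redis]
accept = 0.0.0.0:$TUNNEL_PORT
connect = 127.0.0.1:6379
EOF
}

# Client side: accept plaintext from the application on loopback only and
# encrypt it before it leaves the host. Anything that can reach
# 127.0.0.1:6379 on this machine still sees plaintext, which is the
# caveat the article gives.
write_client_conf() {
    dir="$1"
    cat > "$dir/redis-client.conf" <<EOF
; stunnel client side (assumed path: /etc/stunnel/redis-client.conf)
foreground = yes
pid =
client = yes
cert = $dir/client.crt
key = $dir/client.key
; Check the server's certificate against this file so a host in the
; middle presenting some other certificate is rejected.
CAfile = $dir/server.crt
verify = 2

[redis]
accept = 127.0.0.1:6379
connect = $REDIS_HOST:$TUNNEL_PORT
EOF
}

# Write both files into one directory (created if missing).
write_stunnel_configs() {
    mkdir -p "$1"
    write_server_conf "$1"
    write_client_conf "$1"
}

OUT="${STUNNEL_OUT:-./stunnel-demo}"   # assumed output directory
write_stunnel_configs "$OUT"
echo "wrote $OUT/redis-server.conf and $OUT/redis-client.conf"
```

To use it, generate the two certificates with `make_cert "$OUT" server redis.example.internal` and `make_cert "$OUT" client redis-client`, copy the server files and client.crt to the Redis host and the client files and server.crt to the application host, set `bind 127.0.0.1` in redis.conf on the server, and start `stunnel redis-server.conf` there and `stunnel redis-client.conf` on the client. The application then connects to 127.0.0.1:6379 as before; `redis-cli -h 127.0.0.1 -p 6379 PING` from the client host answers PONG only if the certificate check passed in both directions.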
Original article: https://redislabs.com/blog/using-stunnel-to-secure-redis#.VWMj77H9M2w
To be continued