Redis in Laravel - password protection

Published 1 year ago by jeffz2016

I am unsure - despite reading - what the proper handling of Redis security in Laravel is.

I know that I can set a password for Redis using redis-cli:

redis-cli config set requirepass some-password-here

I know I can set the password directly in Redis's own redis.conf file using the requirepass directive.

I know that if I use Redis directly, e.g. using redis-cli, and I have a password set, I have to pass that password, e.g.:

redis-cli -a some-password-here get name

I know these things, but when it comes to Laravel, I am a bit confused.

If I set the Redis password in:

  1. the Redis redis.conf file
  2. and I inform the Laravel framework about this password by setting REDIS_PASSWORD in .env

Does that mean that Laravel will automatically use that password to protect Redis-powered Laravel:

  • echo (broadcasting)
  • queues
  • sessions
  • cache
  • database

I would appreciate some info on this one, or a pointer to some online article explaining that.

Best Answer (As Selected By jeffz2016)
ohffs

If redis is running on the same server as your laravel code - you're probably better off making it bind to 127.0.0.1 only, if it isn't already.

Using the password is (afair) mostly there if you end up having to expose redis to the internet - which is generally a Bad Idea(tm).
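To make the question and the answer concrete, here is an added illustration (not code from the thread or from Laravel's docs) of the setup the original poster describes: Redis bound to localhost with requirepass set, and Laravel picking that password up through the stock config/database.php. It assumes a standard Laravel install where the cache, queue, session and broadcast drivers are all switched to "redis"; the constructed redis.conf and .env fragments are shown as comments.

```php
<?php
// Added illustration, not the thread's or Laravel's own code. Assumes a
// stock Laravel install where the cache, queue, session and broadcast drivers
// are set to "redis". Every one of those drivers resolves its connection
// through the 'redis' section of config/database.php below, so the password
// read from .env is applied to all of them; the Redis facade uses the same
// 'default' connection.
//
// redis.conf (constructed fragment: bind to localhost as ohffs advises,
// and keep a password "just in case"):
//   bind 127.0.0.1
//   requirepass some-password-here
//
// .env (constructed):
//   REDIS_HOST=127.0.0.1
//   REDIS_PASSWORD=some-password-here
//   REDIS_PORT=6379
//   CACHE_DRIVER=redis
//   QUEUE_CONNECTION=redis
//   SESSION_DRIVER=redis
//   BROADCAST_DRIVER=redis
//
// How the other config files point at these connections (stock values):
//   config/cache.php        'redis' => ['driver' => 'redis', 'connection' => 'cache']
//   config/queue.php        'redis' => ['driver' => 'redis', 'connection' => 'default', ...]
//   config/session.php      'connection' => env('SESSION_CONNECTION', null)  // null = default
//   config/broadcasting.php 'redis' => ['driver' => 'redis', 'connection' => 'default']

// config/database.php, 'redis' section (the 'client' default is 'predis' on
// older Laravel releases and 'phpredis' on newer ones).
return [
    // ... other database connections ...
    'redis' => [
        'client' => env('REDIS_CLIENT', 'phpredis'),
        'default' => [
            'host'     => env('REDIS_HOST', '127.0.0.1'),
            'password' => env('REDIS_PASSWORD', null), // null = no AUTH sent
            'port'     => env('REDIS_PORT', 6379),
            'database' => env('REDIS_DB', 0),
        ],
        'cache' => [
            'host'     => env('REDIS_HOST', '127.0.0.1'),
            'password' => env('REDIS_PASSWORD', null),
            'port'     => env('REDIS_PORT', 6379),
            'database' => env('REDIS_CACHE_DB', 1),
        ],
    ],
];
```

A quick check from the application side is `php artisan tinker` followed by `Redis::connection()->ping()`: if REDIS_PASSWORD does not match requirepass, the client library throws on the failed AUTH instead of returning PONG.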

jeffz2016

Interesting. I am using a Redis version where binding to localhost is already enabled by default. But I must say, I did not know that it makes a password unnecessary.

Thank you for pointing this out for me. I still need to do more reading on this. Thanks again.

Ruffles
1 year ago (289,160 XP)

@ohffs How would you deploy Redis in production?

ohffs
1 year ago (243,930 XP)

@Ruffles none of my redis instances are internet-facing so that saves a lot of hassle.

99% bind to localhost and are either directly used by code sitting on the same box, or have a very thin API wrapper round them if an external service needs to talk to them.

There are a few instances which are exposed on private networks which I do have passwords on "just in case" though. Given the speed you can hammer redis with and that the wire protocol isn't encrypted - it's more of a token gesture though.

Ruffles
1 year ago (289,160 XP)

Any ideas if I use Redis on AWS or any other hosting (except shared hosting)?

ohffs
1 year ago (243,930 XP)

@Ruffles I don't use AWS I'm afraid :-/ But I seem to remember from toying with it that you could set up your own private networks that weren't internet-accessible. I've totally lost track of all the AWS terminology these days, but maybe this:

https://aws.amazon.com/vpc/ ("Host multi-tier web applications")

https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Introduction.html
