Published 1 year ago by jeffz2016
I am unsure, despite reading, what the proper handling of Redis security in Laravel is.
I know that I can set a password for Redis using redis-cli:
redis-cli config set requirepass some-password-here
I know I can set the password directly in Redis's own redis.conf file using the requirepass directive.
I know that if I use Redis directly, e.g. using redis-cli, and I have a password set, I have to pass that password, e.g.:
redis-cli -a some-password-here get name
I know these things, but when it comes to Laravel, I am a bit confused.
If I set Redis password in :
Does that mean, that Laravel will use that password to automatically protect Redis powered Laravel:
I would appreciate some info on this one, or a pointer to some online article explaining that.
If redis is running on the same server as your laravel code - you're probably better making it bind to 127.0.0.1 only, if it isn't already.
Using the password is (afair) mostly there if you end up having to expose redis to the internet - which is generally a Bad Idea(tm).
@Ruffles none of my redis instances are internet-facing so that saves a lot of hassle.
99% bind to localhost and are either directly used by code sitting on the same box, or have a very thin API wrapper round them if an external service needs to talk to them.
There are a few instances which are exposed on private networks which I do have passwords on "just in case" though. Given the speed you can hammer redis with and that the wire protocol isn't encrypted - it's more of a token gesture though.
@Ruffles I don't use AWS I'm afraid :-/ But I seem to remember from toying with it that you could set up your own private networks that weren't internet-accessible. I've totally lost track of all the AWS terminology these days, but maybe this:
https://aws.amazon.com/vpc/ ("Host multi-tier web applications")
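
Added example, not part of the thread or written by any of its posters: a small Python check that reads the text of a redis.conf and reports the two things the replies above discuss, whether the instance is bound beyond 127.0.0.1 and whether requirepass is set. The sample configs and the function names are constructed for illustration; bind, requirepass and protected-mode are real redis.conf directives.

```python
import ipaddress
import shlex

# Constructed sample redis.conf contents (not taken from the thread).
SAMPLE_LOCAL_ONLY = "bind 127.0.0.1 -::1\nprotected-mode yes\n"
SAMPLE_PRIVATE_NET = (
    "# instance exposed on a private network\n"
    "bind 127.0.0.1 10.0.0.5\n"
    'requirepass "some-password-here"\n'
)


def parse_conf(text):
    """Map each directive to its argument list (last occurrence wins)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = shlex.split(line)
            conf[parts[0].lower()] = parts[1:]
    return conf


def is_loopback(addr):
    addr = addr.lstrip("-")  # Redis 6.2+ allows a "-" prefix on bind addresses
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:  # "*" or a hostname: treat as not loopback
        return False


def audit(text):
    """Return a list of findings about network exposure and authentication."""
    conf = parse_conf(text)
    findings = []
    binds = conf.get("bind")
    if binds is None:
        findings.append("no bind directive: listens on all interfaces")
    else:
        exposed = [a for a in binds if not is_loopback(a)]
        if exposed:
            findings.append("bound beyond loopback: " + ", ".join(exposed))
    if not any(conf.get("requirepass", [])):
        findings.append("requirepass not set")
    if conf.get("protected-mode") == ["no"]:
        findings.append("protected-mode disabled")
    return findings
```

Calling audit() on the contents of the server's own redis.conf returns an empty list only when every bind address is loopback and a password is configured.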