enable redis connection via unix domain socket instead of tcp #204

Closed
swis opened this Issue Apr 13, 2012 · 12 comments


swis commented Apr 13, 2012

atm, there seems to be no possibility to use a unix domain socket instead of a tcp socket to connect to redis.

due to speed issues, that'd be a great benefit


wdamron commented Apr 14, 2012

You can make some edits to your redis.conf file so that servers listen on a socket; e.g.

    # 0 = do not listen on a port
    port 0

    # listen on localhost only
    bind 127.0.0.1

    # create a unix domain socket to listen on
    unixsocket /tmp/redis.sock

    # set permissions for the socket
    unixsocketperm 755

Then, within your Node app, you can do the following to connect to your Redis server:

    var redis = require('redis');

    var redisClient = redis.createClient('/tmp/redis.sock');

swis commented Apr 14, 2012

ah, great. thank you.


Contributor

chakrit commented Aug 23, 2013

Can this be documented in the README also? So it can be easier and more obvious to find.


Member

brycebaril commented Aug 28, 2013

@chakrit If you want to write up a small pull request for the README I'll accept it :)


Contributor

chakrit commented Oct 11, 2013

@brycebaril @mranney There you go ^

Hope 2 months' not too late :p


apotek commented Nov 23, 2015

I could not get it to work without setting the socket to 777, which is a shame, but 755 makes it impossible to disconnect.

Before with unixsocketperm 755 set in /etc/redis/redis.conf:

    $ redis-cli -s /var/run/redis/redis.sock
    Could not connect to Redis at /var/run/redis/redis.sock: Permission denied
    not connected> quit

After, with unixsocketperm 777 set in /etc/redis/redis.conf:

    $ redis-cli -s /var/run/redis/redis.sock
    redis /var/run/redis/redis.sock>

I suppose the more secure way to do this would be to add redis server and your application user to the same group and make the group owner of the socket mirror that group, and then set the socket to 775.


Member

BridgeAR commented Mar 18, 2016

@apotek there is not much that node_redis itself is able to do about the socket permissions. This depends on how you set everything up.


kwidholm-tm commented Mar 18, 2016

> there is not much that node_redis itself is able to do about the socket permissions. This depends on how you set everything up.

@BridgeAR I agree node_redis can't do anything about how socket permissions are set up. Of course that is the case. However, 1) A node application shouldn't have to run as root. Do we agree? 2) If we agree on 1, and a node application is not running as root, under the default socket permissions 755, node_redis cannot use the socket. 3) Changing the socket permissions to 777 fixes this, but is not secure.

My conclusion is that without node_redis being able to work with a socket set to 755 while sharing that resource with the user the node app is running as, it is impossible to use node_redis over a socket securely.

The most secure fix possible at the moment is to set the socket to 775, and add the user that the node application is running as to the redis group. Or, run the node app as the redis user (which could cause other problems).

The issue is that the socket needs both the redis user and the node app user to write to it. Most sockets don't do this. One user writes, and other users read. See mysql socket for example. You can connect to it as a 755 socket regardless of who you are, because you don't have to write to it.

So my point is to see if node_redis could be refactored to not force the node app that is using it to write to the socket.


kulicuu commented Mar 28, 2016

If this was on Stackoverflow I would upvote it.


Member

BridgeAR commented Mar 29, 2016

@kwidholm-tm as far as I see it, the reason why you need higher permissions is the directory of your socket file. This has nothing to do with node_redis. It is perfectly fine to run a socket without root rights, if you place the file somewhere else than in /var/run/. Please have a look at the redis configuration example.

I might implement a check to test the privileges on the socket file to improve the error message though.
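A privilege check of the kind mentioned in the comment above could look like the following. This is an added example, not node_redis code and not part of the original thread; `assessSocket` and `checkSocketPath` are hypothetical names, and it assumes Linux semantics (classic mode bits only, no ACLs), where `connect()` on a Unix socket requires write permission on the socket file.

```javascript
const fs = require('fs');

// Decide whether a process may connect() to a Unix socket and whether the
// socket is over-exposed. On Linux, connect() needs WRITE permission on the
// socket file; read and execute bits do not grant it.
// stat: { mode, uid, gid }   proc: { uid, groups }   (hypothetical shapes)
function assessSocket(stat, proc) {
  const perm = stat.mode & 0o777;
  const ownerW = (perm & 0o200) !== 0;
  const groupW = (perm & 0o020) !== 0;
  const otherW = (perm & 0o002) !== 0;

  let via; // exactly one permission class applies, chosen in this order
  if (proc.uid === 0) via = 'root';
  else if (proc.uid === stat.uid) via = 'owner';
  else if (proc.groups.includes(stat.gid)) via = 'group';
  else via = 'other';

  const canConnect =
    via === 'root' ||
    (via === 'owner' && ownerW) ||
    (via === 'group' && groupW) ||
    (via === 'other' && otherW);

  const warnings = [];
  if (otherW) warnings.push('socket is world-writable: any local user can connect');
  if (!canConnect) warnings.push(`uid ${proc.uid} has no write bit as ${via} (mode ${perm.toString(8)})`);
  return { canConnect, via, mode: perm.toString(8), warnings };
}

// Run the check against a real path for the current process.
function checkSocketPath(path) {
  let stat;
  try {
    stat = fs.statSync(path); // EACCES here means a parent directory is not searchable
  } catch (err) {
    return { canConnect: false, via: null, mode: null, warnings: [`${err.code}: cannot stat ${path}`] };
  }
  if (!stat.isSocket()) {
    return { canConnect: false, via: null, mode: null, warnings: [`${path} is not a socket`] };
  }
  return assessSocket(stat, { uid: process.getuid(), groups: process.getgroups() });
}
```

Called before `redis.createClient(path)`, the result separates "mode too strict for this user" from "mode too open" instead of surfacing a bare permission error.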


agathver commented Jul 11, 2016

What about using setfacl for setting permissions on linux? We can add the user running a redis client to a list somewhere. This is done by php-fpm for instance.

We tend to run different types of node workers under different groups. So we could just authorize a specific group to write into redis.


knoxcard commented Sep 15, 2018

Also, once connected to Redis via socket, check if everything is running accordingly.

    redis-cli > monitor
    OK
