1. 21

  2. 18

    To have to reconfigure an example server just to allow connections from other hosts is kinda a big price to pay

    A big price? I’m sorry, but changing “” to “*” is not a big price. I mean, if that’s a big price, then the price of moving the example config into place and using it must be enormous, but that’s what’s expected to get a secure config. How are new users to overcome such a challenge? Anybody just screwing around with redis for development is running it on the same machine anyway, so localhost only wouldn’t be a major impediment.

    1. 9

      Shodan lists 15.617 publicly accessible redis instances. I assume that a lot of them didn’t bother to change the defaults. I agree completely, changing that single default to bind to localhost would prevent a ton of people from shooting themselves in the foot.
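As an added illustration of the default being discussed (example code written for this page, not from the thread or the Redis project): a small checker that reads a redis.conf and reports whether the instance would accept unauthenticated connections from other hosts. It only looks at the real directives `bind`, `protected-mode`, `requirepass` and `port`, and assumes the standard semantics: no `bind` line means all interfaces, `protected-mode yes` (the default since 3.2) only blocks outside clients when there is neither a `bind` line nor a password, and a leading `-` on a bind address marks it optional. The three sample configs are constructed for the example.

```python
# Constructed sample configs (not real deployments) covering the cases
# argued about above: the shipped-without-bind default, an explicitly
# wide-open server, and a localhost-only one.
SAMPLE_NO_BIND = """\
# no bind directive at all
port 6379
"""

SAMPLE_OPEN = """\
bind 0.0.0.0
protected-mode no
port 6379
"""

SAMPLE_LOCALHOST = """\
bind 127.0.0.1 -::1
port 6379
"""


def parse_redis_conf(text):
    """Map each directive to the arguments of its last occurrence.

    Assumption: comments are whole lines starting with '#', and the last
    repeated directive wins (this is how redis treats e.g. repeated bind).
    Quoted arguments are not unescaped here.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf[parts[0].lower()] = parts[1:]
    return conf


def is_loopback(addr):
    """True for 127.x.x.x or ::1, ignoring the optional '-' prefix."""
    addr = addr.lstrip("-")
    return addr.startswith("127.") or addr == "::1"


def assess_exposure(text):
    """Return a dict describing whether the config reaches beyond localhost
    and whether that reach is unauthenticated."""
    conf = parse_redis_conf(text)
    binds = conf.get("bind", [])
    port = int(conf.get("port", ["6379"])[0])
    loopback_only = bool(binds) and all(is_loopback(b) for b in binds)
    protected = conf.get("protected-mode", ["yes"])[0].lower() == "yes"
    has_password = bool(conf.get("requirepass")) and conf["requirepass"][0] != '""'

    # TCP listener exists and is not restricted to loopback addresses.
    external_reachable = port != 0 and not loopback_only
    # protected-mode only engages when no bind and no password are set.
    protected_mode_blocks = protected and not binds and not has_password
    exposed_unauthenticated = (
        external_reachable and not has_password and not protected_mode_blocks
    )

    findings = []
    if external_reachable and not binds:
        findings.append("no bind directive: listens on all interfaces")
    elif external_reachable:
        findings.append("bind includes a non-loopback address: %s" % " ".join(binds))
    if external_reachable and not has_password:
        findings.append("no requirepass: remote clients need no credential")
    if protected_mode_blocks and external_reachable:
        findings.append("protected-mode yes is the only thing rejecting remote clients")

    return {
        "external_reachable": external_reachable,
        "exposed_unauthenticated": exposed_unauthenticated,
        "findings": findings,
    }


if __name__ == "__main__":
    for name, text in (("no-bind", SAMPLE_NO_BIND),
                       ("open", SAMPLE_OPEN),
                       ("localhost", SAMPLE_LOCALHOST)):
        result = assess_exposure(text)
        print(name, result["exposed_unauthenticated"], result["findings"])
```

The no-bind default only stays closed because protected-mode happens to be on; an explicit `bind 0.0.0.0` with `protected-mode no` and no password is the combination Shodan finds, while `bind 127.0.0.1 -::1` is the "single default" the comment above argues for.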

    2. 6

      Honestly, the idea of a “trusted network” is wholly counter to a defense in depth strategy. It’s a damn shame to see that redis doesn’t provide sane defaults, and that the onus for that is falling on package maintainers. This isn’t a problem just with redis, it seems to be with many other caches as well. This seems like a gross oversight, since stealing or modifying cache contents could be a massive security issue.

      That said, I am happy to see that while they used to traditionally tell people to use a stunnel, the developers have revisited the issue and TLS support is coming.

      1. 2

The varnish people have a relatively elaborate argument for not having SSL in their system core: https://www.varnish-cache.org/docs/trunk/phk/ssl.html