{"id":8206,"date":"2021-09-03T11:32:22","date_gmt":"2021-09-03T16:32:22","guid":{"rendered":"https:\/\/www.rushworth.us\/lisa\/?p=8206"},"modified":"2021-09-03T11:32:22","modified_gmt":"2021-09-03T16:32:22","slug":"setting-up-redis-sandbox","status":"publish","type":"post","link":"https:\/\/www.rushworth.us\/lisa\/?p=8206","title":{"rendered":"Setting up redis sandbox"},"content":{"rendered":"\n

To set up my redis sandbox in Docker, I created two folders — conf and data. The conf will house the SSL stuff and configuration file. The data directory is used to store the redis data. <\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

I first needed to generate a SSL certificate. The public and private keys of the pair are stored in a pem and key file. The public key of the CA that signed the cert is stored in a “ca” folder. <\/p>\n\n\n\n

Then I created a redis configuation file — note that the paths are relative to the Docker container<\/p>\n\n\n

\n################################## MODULES #####################################\n\n################################## NETWORK #####################################\n# My web server is on a different host, so I needed to bind to the public \n#   network interface. I think we'd *want* to bind to localhost in our\n#   use case. \n# bind 127.0.0.1\n# Similarly, I think we'd want 'yes' here\nprotected-mode no\n\n# Might want to use 0 to disable listening on the unsecure port\nport 6379\n\n\ntcp-backlog 511\ntimeout 10\ntcp-keepalive 300\n################################# TLS\/SSL #####################################\ntls-port 6380\n\ntls-cert-file \/opt\/redis\/ssl\/memcache.pem\ntls-key-file \/opt\/redis\/ssl\/memcache.key\ntls-ca-cert-dir \/opt\/redis\/ssl\/ca\n\n# I am not auth'ing clients for simplicity\ntls-auth-clients no\ntls-auth-clients optional\n\ntls-protocols "TLSv1.2 TLSv1.3"\ntls-prefer-server-ciphers yes\ntls-session-caching no\n\n# These would only be set if we were setting up replication \/ clustering\n# tls-replication yes\n# tls-cluster yes\n################################# GENERAL #####################################\n# This is for docker, we may want to use something like systemd here. \ndaemonize no\nsupervised no\n\n#loglevel debug\nloglevel notice\n\nlogfile "\/var\/log\/redis.log"\nsyslog-enabled yes\nsyslog-ident redis\nsyslog-facility local0\n\n# 1 might be sufficient -- we *could* partition different apps into different databases\n# But I'm thinking, if our keys are basically "user:target:service" ... then report_user:RADD:Oracle\n# from any web tool would be the same cred. In which case, one database suffices. \ndatabases 3\n################################ SNAPSHOTTING  ################################\nsave 900 1\nsave 300 10\nsave 60 10000\n\nstop-writes-on-bgsave-error yes\n\nrdbcompression yes\nrdbchecksum yes\n\ndbfilename dump.rdb\n\n\n# \ndir .\/\n\n################################## SECURITY ###################################\n# I wasn't setting up any sort of authentication and just using the facts that\n#  (1) you are on localhost and\n#  (2) you have the key to decrypt the stuff we stash\n#  to mean you are authorized. \n\n############################## MEMORY MANAGEMENT ################################\n# This is what to evict from the dataset when memory is maxed\nmaxmemory-policy volatile-lfu\n############################# LAZY FREEING ####################################\n\nlazyfree-lazy-eviction no\nlazyfree-lazy-expire no\nlazyfree-lazy-server-del no\nreplica-lazy-flush no\nlazyfree-lazy-user-del no\n\n############################ KERNEL OOM CONTROL ##############################\noom-score-adj no\n############################## APPEND ONLY MODE ###############################\n\nappendonly no\nappendfsync everysec\n\nno-appendfsync-on-rewrite no\n\nauto-aof-rewrite-percentage 100\nauto-aof-rewrite-min-size 64mb\n\naof-load-truncated yes\n\naof-use-rdb-preamble yes\n\n############################### ADVANCED CONFIG ###############################\nhash-max-ziplist-entries 512\nhash-max-ziplist-value 64\n\nlist-max-ziplist-size -2\n\nlist-compress-depth 0\n\nset-max-intset-entries 512\n\nzset-max-ziplist-entries 128\nzset-max-ziplist-value 64\n\nhll-sparse-max-bytes 3000\n\nstream-node-max-bytes 4096\nstream-node-max-entries 100\n\nactiverehashing yes\n\nclient-output-buffer-limit normal 0 0 0\nclient-output-buffer-limit replica 256mb 64mb 60\nclient-output-buffer-limit pubsub 32mb 8mb 60\n\ndynamic-hz yes\n\naof-rewrite-incremental-fsync yes\n\nrdb-save-incremental-fsync yes\n\n########################### ACTIVE DEFRAGMENTATION #######################\n# Enabled active defragmentation\nactivedefrag no\n\n# Minimum amount of fragmentation waste to start active defrag\nactive-defrag-ignore-bytes 100mb\n\n# Minimum percentage of fragmentation to start active defrag\nactive-defrag-threshold-lower 10\n\n<\/pre><\/div>\n\n\n
Once I had the configuration data set up, I created the container. I’m using port 6380 for the SSL connection. For the sandbox, I also exposed the clear text port. I mapped volumes for both the redis data, the SSL files, and the redis.conf file<\/p>\n\n\n
\ndocker run --name redis-srv -p 6380:6380 -p 6379:6379 -v \/d\/docker\/redis\/conf\/ssl:\/opt\/redis\/ssl -v \/d\/docker\/redis\/data:\/data -v \/d\/docker\/redis\/conf\/redis.conf:\/usr\/local\/etc\/redis\/redis.conf -d redis redis-server \/usr\/local\/etc\/redis\/redis.conf --appendonly yes\n\n<\/pre><\/div>\n\n\n
Voila, I have a redis server ready. Quick PHP code to ensure it’s functional:<\/p>\n\n\n
\n<?php\n\n$sodiumKey   = random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES); \/\/ 256 bit\n$sodiumNonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); \/\/ 24 bytes\n\n#print "Key:\\n";\n#print sodium_bin2hex($sodiumKey);\n#print"\\n\\nNonce:\\n";\n#print sodium_bin2hex($sodiumNonce);\n#print "\\n\\n";\n\n$redis = new Redis();\n$redis->connect('tls:\/\/memcached.example.com', 6380); \/\/ enable TLS\n\/\/check whether server is running or not\necho "<PRE>Server is running: ".$redis->ping()."\\n<\/pre>";\n\n$checks = array(\n    "credValueGoesHere",\n        "cred2",\n        "cred3",\n        "cred4",\n        "cred5"\n);\n\n#$ciphertext = safeEncrypt($message, $key);\n#$plaintext = safeDecrypt($ciphertext, $key);\n\nforeach ($checks as $i => $value) {\n    usleep(100);\n    $key = 'credtest' . $i;\n    $strCryptedValue =  base64_encode(sodium_crypto_secretbox($value, $sodiumNonce, $sodiumKey));\n    $redis->setEx($key, 1800, $strCryptedValue);        \/\/ 30 minute timeout\n}\n\necho "<UL>\\n";\nfor($i = 0; $i < count($checks); $i++){\n        $key = 'credtest'.$i;\n        $strValue = sodium_crypto_secretbox_open(base64_decode($redis->get($key)),$sodiumNonce, $sodiumKey);\n        echo "<LI>The value on key $key is: $strValue \\n";\n}\necho "<\/UL>\\n";\n\necho "<P>\\n";\necho "<P>\\n";\necho "<UL>\\n";\n$objAllKeys = $redis->keys('*');        \/\/ all keys will match this.\nforeach($objAllKeys as $objKey){\n        print "<LI>The key $objKey has a TTL of " . $redis->ttl($objKey) . "\\n";\n}\necho "<\/UL>\\n";\nforeach ($checks as $i => $value) {\n    usleep(100);\n        $value = $value . "-updated";\n    $key = 'credtest' . $i;\n    $strCryptedValue =  base64_encode(sodium_crypto_secretbox($value, $sodiumNonce, $sodiumKey));\n    $redis->setEx($key, 60, $strCryptedValue);          \/\/ 1 minute timeout\n}\n\necho "<UL>\\n";\nfor($i = 0; $i < count($checks); $i++){\n        $key = 'credtest'.$i;\n        $strValue = sodium_crypto_secretbox_open(base64_decode($redis->get($key)),$sodiumNonce, $sodiumKey);\n        echo "<LI>The value on key $key is: $strValue \\n";\n}\necho "<\/UL>\\n";\n\n\necho "<P>\\n";\necho "<UL>\\n";\n$objAllKeys = $redis->keys('*');        \/\/ all keys will match this.\nforeach($objAllKeys as $objKey){\n        print "<LI>The key $objKey has a TTL of " . $redis->ttl($objKey) . "\\n";\n}\necho "<\/UL>\\n";\n\n\n\nforeach ($checks as $i => $value) {\n    usleep(100);\n        $value = $value . "-updated";\n    $key = 'credtest' . $i;\n    $strCryptedValue =  base64_encode(sodium_crypto_secretbox($value, $sodiumNonce, $sodiumKey));\n    $redis->setEx($key, 1, $strCryptedValue);          \/\/ 1 second timeout\n}\n\n\necho "<P>\\n";\necho "<UL>\\n";\n$objAllKeys = $redis->keys('*');        \/\/ all keys will match this.\nforeach($objAllKeys as $objKey){\n        print "<LI>The key $objKey has a TTL of " . $redis->ttl($objKey) . "\\n";\n}\necho "<\/UL>\\n";\n\nsleep(5); \/\/ Sleep so data ages out of redis\necho "<UL>\\n";\nfor($i = 0; $i < count($checks); $i++){\n        $key = 'credtest'.$i;\n        $strValue = sodium_crypto_secretbox_open(base64_decode($redis->get($key)),$sodiumNonce, $sodiumKey);\n        echo "<LI>The value on key $key is: $strValue \\n";\n}\necho "<\/UL>\\n";\n\n\n?>\n\n<\/pre><\/div>\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
To set up my redis sandbox in Docker, I created two folders — conf and data. The conf will house the SSL stuff and configuration file. The data directory is used to store the redis data. I first needed to generate a SSL certificate. The public and private keys of the pair are stored in …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[33,623],"tags":[231,35,427],"class_list":["post-8206","post","type-post","status-publish","format-standard","hentry","category-coding","category-containerized-development-and-deployment","tag-docker","tag-php","tag-redis"],"_links":{"self":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/8206","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8206"}],"version-history":[{"count":1,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/8206\/revisions"}],"predecessor-version":[{"id":8208,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/8206\/revisions\/8208"}],"wp:attachment":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8206"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8206"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8206"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}