summitdb
summitdb copied to clipboard
Q: is raft traffic secured (by TLS or other)
If I run a summitdb cluster on AWS EC2, I would want the raft traffic secured. Is that on by default, or where would that be added?
Thanks!
Summit is designed to be accessed by trusted clients inside trusted environments. If there's access to the ip/port, then there's full access to the database. This would be a problem if you have an open network.
For EC2 you'll need to configure a security group to create a virtual firewall to put the Summit instances behind.
Another option that I haven't tried is to use spiped or stunnel in front of the Summit. This is how some people secure their Redis servers.
I may add some type of authentication or encryption in the future.
Thanks for clarifying; it makes sense to me that not all users will need security; if you are already behind a webserver for instance.
I wrote a Go library to do direct ssh tunneling https://github.com/glycerine/sshego. This is similar to stunnel, but all in a Go library, so one doesn't need a separate process. If you're interested in having ssh as a security option, I may be able to do a PR.
👍 This is definitely interesting to me. Along with SummitDB, I have another project that this might find this useful. I'll look into it some more and let you know.
After looking at the redcon code, I added unixdomain socket support to sshego so as to minimize the needed code changes. This should make tunneling over a ssh pretty trivial configuration change. (Moreover it turns out unixdomain socket support is even standard in openssh after version 6.7, so one may not even need a new firewall rule/just reuse port 22 if the sshd is new enough.)