Q: is raft traffic secured (by TLS or other) #9
Comments
Summit is designed to be accessed by trusted clients inside trusted environments. If there's access to the ip/port, then there's full access to the database. This would be a problem if you have an open network. For EC2 you'll need to configure a security group to create a virtual firewall to put the Summit instances behind. Another option that I haven't tried is to use spiped or stunnel in front of the Summit. This is how some people secure their Redis servers. I may add some type of authentication or encryption in the future.
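An added example, not code from this thread or from SummitDB: a check that flags security-group ingress rules letting sources outside the trusted network reach the database port, which is the exposure the comment above describes. The `Rule` type, the function names, port 7481 and the CIDRs are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Rule is a simplified ingress rule (hypothetical type, not the AWS SDK's).
type Rule struct {
	FromPort, ToPort int
	Source           string // CIDR the rule admits traffic from
}

// within reports whether source lies wholly inside a trusted prefix; bad CIDRs fail closed.
func within(source string, trusted []string) bool {
	src, err := netip.ParsePrefix(source)
	if err != nil {
		return false
	}
	for _, t := range trusted {
		tp, err := netip.ParsePrefix(t)
		if err == nil && tp.Bits() <= src.Bits() && tp.Contains(src.Masked().Addr()) {
			return true
		}
	}
	return false
}

// Exposed returns the rules that open dbPort to a source outside the trusted prefixes.
func Exposed(rules []Rule, dbPort int, trusted []string) []Rule {
	var bad []Rule
	for _, r := range rules {
		if dbPort >= r.FromPort && dbPort <= r.ToPort && !within(r.Source, trusted) {
			bad = append(bad, r)
		}
	}
	return bad
}

func main() {
	rules := []Rule{ // constructed sample rules; 7481 is an assumed database port
		{7481, 7481, "10.0.1.0/24"}, // peers in the VPC subnet
		{0, 65535, "0.0.0.0/0"},     // everything open to the internet
		{22, 22, "0.0.0.0/0"},       // ssh only, does not cover the database port
		{7000, 8000, "10.0.0.0/8"},  // port range and source wider than the VPC
	}
	fmt.Println(Exposed(rules, 7481, []string{"10.0.0.0/16"}))
}
```

A rule counts as safe only when its whole source range sits inside a trusted prefix, so a broad port range or a source wider than the VPC is reported even though it was not written for the database.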
Thanks for clarifying; it makes sense to me that not all users will need security; if you are already behind a webserver for instance. I wrote a Go library to do direct ssh tunneling https://github.com/glycerine/sshego. This is similar to stunnel, but all in a Go library, so one doesn't need a separate process. If you're interested in having ssh as a security option, I may be able to do a PR.
👍 This is definitely interesting to me. Along with SummitDB, I have another project that might find this useful. I'll look into it some more and let you know.
After looking at the redcon code, I added Unix domain socket support to sshego so as to minimize the needed code changes. This should make tunneling over ssh a pretty trivial configuration change. (Moreover, it turns out Unix domain socket support is even standard in openssh after version 6.7, so one may not even need a new firewall rule/just reuse port 22 if the sshd is new enough.)
If I run a summitdb cluster on AWS EC2, I would want the raft traffic secured. Is that on by default, or where would that be added?
Thanks!