From 6dcdbe67b194212b2583fafd342892510bf844dd Mon Sep 17 00:00:00 2001
From: tw-bert
Date: Wed, 27 Feb 2019 23:59:42 +0100
Subject: [PATCH 1/3] Harden strunredis.sh by not using a local TCP port

Your script is very helpful. However, it is not secure in a multiuser host. The script opens up a TCP port bound to the loopback device, which IMHO means that (at least without some ip[6]tables hardening) anyone on localhost can use the TCP port without having the cert and/or private key (in case of two-way trust TLS, which we use. `cert` and `key` in `stunnel`.). This might not seem relevant to (for example) a vagrant dev VM, but it's easy to avoid: just use a unix domain socket. `stunnel` as well as `redis-cli` supports it. **As a bonus:** the unix domain socket performs better as well. Sidenote: `stunnel` removes the socket file automatically, with a clean exit. Please judge yourself if a more resilient cleanup is needed (I don't think so, but could be wrong).
---
 stunredis.sh | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/stunredis.sh b/stunredis.sh
index 37cfe19..0f95246 100755
--- a/stunredis.sh
+++ b/stunredis.sh
@@ -17,7 +17,6 @@
 # limitations under the License.
 
 DATABASE_URL=$1
-LOCALPORT=${2:-6830}
 
 # This is the location of the validation chain file
 lechain=./lechain.pem
@@ -48,7 +47,7 @@ stunnelconf=""
 stunnelconf+=$"foreground=yes\n"
 stunnelconf+=$"[redis-cli]\n"
 stunnelconf+=$"client=yes\n"
-stunnelconf+=$"accept=127.0.0.1:$LOCALPORT\n"
+stunnelconf+=$"accept=${HOME}/${host}.${hostport}.${BASHPID}.sock\n"
 stunnelconf+=$"verifyChain=yes\n"
 stunnelconf+=$"checkHost=$host\n"
 stunnelconf+=$"CAfile=$lechain\n"
@@ -65,7 +64,7 @@ stunnelpid=$!
 # Sleep a moment to let the connection establish
 sleep 1
 # Now call redis-cli for the user to interact with
-redis-cli -p $LOCALPORT -a ${pass}
+redis-cli -s ${HOME}/${host}.${hostport}.${BASHPID}.sock
 # Once they leave that, kill the stunnel
 kill $stunnelpid
 
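Review bot: The socket path added on the `accept=` line of the second hunk, `${HOME}/${host}.${hostport}.${BASHPID}.sock`, is created by stunnel with the caller's umask inside a directory other local users may be able to traverse, so on the multiuser hosts this patch targets its reachability depends on the umask and on whether the platform enforces socket file modes at all (unix(7) notes that many BSD-derived systems ignore them); placing the socket in a `mktemp -d` directory (mode 0700) and removing that directory on exit protects it everywhere and also settles the cleanup question in the description, since a SIGTERM from `kill $stunnelpid` cannot be assumed to leave no socket file behind. The same path is passed unquoted to `redis-cli -s` in the third hunk although `${host}` is parsed from user-supplied input, and with a long hostname the full path can exceed the sun_path limit (roughly 104–108 bytes), in which case stunnel fails to bind and redis-cli simply cannot connect after the `sleep 1`. A short fixed name inside the private directory avoids both problems. The stunnel config assembly, including its `connect=` line, lies outside these hunks.
```shell
# Private per-run directory for the stunnel socket: mktemp -d creates it 0700,
# and the trap removes it (and any socket stunnel left behind) on every exit path.
sockdir=$(mktemp -d) || exit 1
trap 'rm -rf -- "${sockdir:?}"' EXIT
sock="${sockdir}/redis.sock"
# … unchanged: stunnelconf header lines …
stunnelconf+=$"accept=${sock}\n"
# … unchanged: remaining stunnelconf lines, stunnel launch, sleep 1 …
redis-cli -s "${sock}"
```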
From 215781d6471e904ab7a2ab23b650018d74cefa3f Mon Sep 17 00:00:00 2001
From: tw-bert
Date: Thu, 28 Feb 2019 00:23:17 +0100
Subject: [PATCH 2/3] Small addendum - clean up UDS filename

---
 stunredis.sh | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/stunredis.sh b/stunredis.sh
index 0f95246..662773d 100755
--- a/stunredis.sh
+++ b/stunredis.sh
@@ -17,6 +17,7 @@
 # limitations under the License.
 
 DATABASE_URL=$1
+REMOTEPORT=${2:-6830}
 
 # This is the location of the validation chain file
 lechain=./lechain.pem
@@ -47,7 +48,7 @@ stunnelconf=""
 stunnelconf+=$"foreground=yes\n"
 stunnelconf+=$"[redis-cli]\n"
 stunnelconf+=$"client=yes\n"
-stunnelconf+=$"accept=${HOME}/${host}.${hostport}.${BASHPID}.sock\n"
+stunnelconf+=$"accept=${HOME}/${host}.${REMOTEPORT}.${BASHPID}.sock\n"
 stunnelconf+=$"verifyChain=yes\n"
 stunnelconf+=$"checkHost=$host\n"
 stunnelconf+=$"CAfile=$lechain\n"
@@ -64,7 +65,7 @@ stunnelpid=$!
 # Sleep a moment to let the connection establish
 sleep 1
 # Now call redis-cli for the user to interact with
-redis-cli -s ${HOME}/${host}.${hostport}.${BASHPID}.sock
+redis-cli -s ${HOME}/${host}.${REMOTEPORT}.${BASHPID}.sock
 # Once they leave that, kill the stunnel
 kill $stunnelpid
 

From 28a2faaddba0400a6bff33f62f0cd157308ac5bd Mon Sep 17 00:00:00 2001
From: tw-bert
Date: Fri, 1 Mar 2019 14:06:44 +0100
Subject: [PATCH 3/3] Restored Redis AUTH support, stripped accidentally

---
 stunredis.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/stunredis.sh b/stunredis.sh
index 662773d..9a6b9b8 100755
--- a/stunredis.sh
+++ b/stunredis.sh
@@ -32,8 +32,10 @@ userpass="`echo $url | grep @ | cut -d@ -f1`"
 pass=`echo $userpass | grep : | cut -d: -f2`
 if [ -n "$pass" ]; then
 user=`echo $userpass | grep : | cut -d: -f1`
+AUTH=" -a ${pass}"
 else
 user=$userpass
+AUTH=""
 fi
 hostport=`echo $url | sed -e s,$userpass@,,g | cut -d/ -f1`
 port=`echo $hostport | grep : | cut -d: -f2`
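Review bot: `REMOTEPORT=${2:-6830}` in the first hunk of PATCH 2/3 is, as far as the hunks in this series show, used only as a component of the socket filename (the `accept=` line and the `redis-cli -s` line in the two hunks that follow), while the port actually connected to is parsed out of the URL as `port`; the name suggests the second positional argument selects the remote port, when it appears to change nothing but a filename. If a unique name is all that is wanted, `${BASHPID}` already provides it and the argument could be dropped; otherwise a comment such as `# second argument: tag used in the socket filename only; the target port comes from DATABASE_URL` would stop the next reader from relying on it. The stunnel `connect=` line is not in any hunk here, so whether `REMOTEPORT` also feeds it cannot be confirmed from this view.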
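Review bot: `AUTH=" -a ${pass}"` in the first hunk of PATCH 3/3 relies on unquoted word-splitting at the `redis-cli ${AUTH}` line in that patch's second hunk, so a password containing whitespace or glob characters (`*`, `?`) is split or expanded before redis-cli sees it, and the empty branch only works because the expansion is left unquoted; a Bash array, `AUTH=(-a "$pass")` in the `then` branch, `AUTH=()` in the `else` branch, and `"${AUTH[@]}"` at the call site, passes the value through intact. Passing the password on argv also exposes it to every local user through `ps`, which is the multiuser threat this series sets out to close; redis-cli reads the `REDISCLI_AUTH` environment variable, so `REDISCLI_AUTH="$pass" redis-cli -s …` keeps it off the process list and removes the need for `AUTH` altogether. The `if` block is cut at the top of the hunk, so `userpass`/`pass` parsing is only partly visible here.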
@@ -65,8 +67,6 @@ stunnelpid=$!
 # Sleep a moment to let the connection establish
 sleep 1
 # Now call redis-cli for the user to interact with
-redis-cli -s ${HOME}/${host}.${REMOTEPORT}.${BASHPID}.sock
+redis-cli ${AUTH} -s ${HOME}/${host}.${REMOTEPORT}.${BASHPID}.sock
 # Once they leave that, kill the stunnel
 kill $stunnelpid
-
-