Redis Client On Mac

In this article, I will explain how to secure your Redis databases using SSL (Secure Sockets Layer). In production, it is a good practice to use SSL to protect the data that are moving between various computers (client applications and Redis servers). Transport Level Security (TLS) guarantees that only allowed applications/computers are connected to the database, and also that data is not viewed or altered by a middle man process.

You can secure the connections between your client applications and Redis cluster using:

Sudo yum install epel-release yum-utils. Sudo yum install http: // rpms.remirepo.net / enterprise / remi-release- 7.rpm. Next, enable the config manager package with the following command: 1. Sudo yum-config-manager -enable remi. Last but not least, complete the Redis installation using yum: 1. QuickRedis is a free forever Redis gui tool. It supports direct connection, sentinel, and cluster mode, supports multiple languages, supports hundreds of millions of keys, and has an amazing UI. Supports both Windows, Mac OS X and Linux platform. Download URL: quick123.net/article/quickredis/quickredis-introduction-en/. 2X Client RDP connects with the 2X ApplicationServer XG to publish any Windows application to Mac desktops. How to Install & Configure Redis on Mac OS X via Homebrew. By using Homebrew, you greatly reduce the cost of setting up and configuring Redis on Mac OSX. Mac安装Redis可视化工具-Redis Desktop Manager.

  • One-Way SSL: the client (your application) get the certificate from the server (Redis cluster), validate it, and then all communications are encrypted
  • Two-Way SSL: (aka mutual SSL) here both the client and the server authenticate each other and validate that both ends are trusted.

In this article, I will focus on the Two-Way SSL, and using Redis Enterprise.

Prerequisites:

  • A Redis Enterprise 5.4.x database, (my database is protected by the password secretdb01, and listening on port 12000)
  • redis-cli to run basic commands
  • Python, Node, and Java installed if you want to test various languages.

Simple Test

Let’s make sure that the database is available:

This should print the Server information.

1- Get the Certificate from Redis Cluster

You have access to the Redis Enterprise Cluster, you go to one of the nodes to retrieve the certificate (that is a self-generated one by default).

The cluster certificate is located at: /etc/opt/redislabs/proxy_cert.pem.

You have to copy it on each client machine; note that once it is done you can use this certificate to connect using “One-Way SSL”, but not the purpose of this article.

In my demonstration I am using Docker and copy the certificate using this command from my host:

2- Generate a New Client Certificate

Using the Two-Way SSL you need to have a certificate for the client that will be used by Redis database proxy to trust the client.

Mac

In this article I will use a self-signed certificate using OpenSSL, in this example, we are creating a certificate for an application named app_001.

You can create as many certificates as you want, or reuse this one for all servers/applications.

Open a terminal and run the following commands:

This command generate a new client key (client_key_001.pem) and certificate (client_cert_001.pem) with no passphrase.

3- Configure the Redis Database

The next step is to take the certificate and add it to the database you want to protect.

Let’s copy the certificate and paste it into the Redis Enterprise Web Console.

Copy the certificate in your clipboard:

Mac:

Linux:

Windows:

Go to the Redis Enterprise Admin Web Console and enable TLS on your database:

  1. Edit the database configuration
  2. Check TLS
  3. Select “Require TLS for All communications”
  4. Check “Enforce client authentication”
  5. Paste the certificate in the text area
  6. Click the Save button to save the certificate
  7. Click the Update button to save the configuration.

The database is now protected, and it is mandatory to use the SSL certificate to connect to it.

4- Connect to the Database using the Certificate

In all following examples, I am using a “self-signed” certificate, so I do not check the validity of the hostname.You should adapt the connections/TLS information based on your certificate configuration.

4.1 Using Redis-CLI

To connect to a SSL protected database using redis-cli you have to use stunnel.

Create a stunnel.conf file with the following content:

Start stunnel using the command

This will start a process that listen to port 6380 and used as a proxy to the Redis Enterprise database on port 12000.

4.2 Using Python

Using Python, you have to set the SSL connection parameters:

More information in the documentation “Using Redis with Python”.

4.3 Using Node.JS

For Node Redis, use the TLS library to configure the client connection:

More information in the documentation “Using Redis with Node.js”.

4.4 Using Java
Redis Client On MacClient

In Java, to be able to connect using SSL, you have to install all the certificates in the Java environment using the keytool utility.

Create a keystore file that stores the key and certificate you have created earlier:

As you can see the keystore is used to store the credentials associated with you client; it will be used later with the -javax.net.ssl.keyStore system property in the Java application.

In addition to the keys tore, you also have to create a trust store, that is used to store other credentials for example in our case the redis cluster certificate.

Create a trust store file and add the Redis cluster certificate to it

The trustore will be used later with the -javax.net.ssl.trustStore system property in the Java application.

You can now run the Java application with the following environment variables:

For this example and simplicity, I will hard code these property in the Java code itself:

  • line 8-12, the system environment variables are set to point to the keystore and trust store (this should be externalized)
  • line 14, the Redis URL start with rediss with 2 s to indicate that the connection should be encrypted
  • line 17, set the database password

More information in the documentation “Using Redis with Java”.

Conclusion

Mac Os Redis Client

In this article, you have learned how to:

  • retrieve the Redis Server certificate
  • generate a client certificate
  • protect your database to enforce transport level security (TLS) with 2 ways authentication
  • connect to the database from redis-cli, Python, Node and Java

This document provides information about how Redis handles clients from the point of view of the network layer: connections, timeouts, buffers, and other similar topics are covered here.

The information contained in this document is only applicable to Redis version 2.6 or greater.

*How client connections are accepted

Redis accepts clients connections on the configured listening TCP port and on the Unix socket if enabled. When a new client connection is accepted the following operations are performed:

  • The client socket is put in non-blocking state since Redis uses multiplexing and non-blocking I/O.
  • The TCP_NODELAY option is set in order to ensure that we don't have delays in our connection.
  • A readable file event is created so that Redis is able to collect the client queries as soon as new data is available to be read on the socket.

After the client is initialized, Redis checks if we are already at the limit of the number of clients that it is possible to handle simultaneously (this is configured using the maxclients configuration directive, see the next section of this document for further information).

In case it can't accept the current client because the maximum number of clients was already accepted, Redis tries to send an error to the client in order to make it aware of this condition, and closes the connection immediately. The error message will be able to reach the client even if the connection is closed immediately by Redis because the new socket output buffer is usually big enough to contain the error, so the kernel will handle the transmission of the error.

*In what order clients are served

The order is determined by a combination of the client socket file descriptor number and order in which the kernel reports events, so the order is to be considered as unspecified.

However Redis does the following two things when serving clients:

  • It only performs a single read() system call every time there is something new to read from the client socket, in order to ensure that if we have multiple clients connected, and a few are very demanding clients sending queries at an high rate, other clients are not penalized and will not experience a bad latency figure.
  • However once new data is read from a client, all the queries contained in the current buffers are processed sequentially. This improves locality and does not need iterating a second time to see if there are clients that need some processing time.

*Maximum number of clients

In Redis 2.4 there was a hard-coded limit for the maximum number of clients that could be handled simultaneously.

In Redis 2.6 this limit is dynamic: by default it is set to 10000 clients, unless otherwise stated by the maxclients directive in Redis.conf.

However, Redis checks with the kernel what is the maximum number of file descriptors that we are able to open (the soft limit is checked). If the limit is smaller than the maximum number of clients we want to handle, plus 32 (that is the number of file descriptors Redis reserves for internal uses), then the number of maximum clients is modified by Redis to match the amount of clients we are really able to handle under the current operating system limit.

When the configured number of maximum clients can not be honored, the condition is logged at startup as in the following example:

When Redis is configured in order to handle a specific number of clients it is a good idea to make sure that the operating system limit to the maximum number of file descriptors per process is also set accordingly.

Under Linux these limits can be set both in the current session and as a system-wide setting with the following commands:

  • ulimit -Sn 100000 # This will only work if hard limit is big enough.
  • sysctl -w fs.file-max=100000

*Output buffers limits

Redis needs to handle a variable-length output buffer for every client, since a command can produce a big amount of data that needs to be transferred to the client.

However it is possible that a client sends more commands producing more output to serve at a faster rate at which Redis can send the existing output to the client. This is especially true with Pub/Sub clients in case a client is not able to process new messages fast enough.

Both the conditions will cause the client output buffer to grow and consume more and more memory. For this reason by default Redis sets limits to the output buffer size for different kind of clients. When the limit is reached the client connection is closed and the event logged in the Redis log file.

There are two kind of limits Redis uses:

  • The hard limit is a fixed limit that when reached will make Redis closing the client connection as soon as possible.
  • The soft limit instead is a limit that depends on the time, for instance a soft limit of 32 megabytes per 10 seconds means that if the client has an output buffer bigger than 32 megabytes for, continuously, 10 seconds, the connection gets closed.

Different kind of clients have different default limits:

  • Normal clients have a default limit of 0, that means, no limit at all, because most normal clients use blocking implementations sending a single command and waiting for the reply to be completely read before sending the next command, so it is always not desirable to close the connection in case of a normal client.
  • Pub/Sub clients have a default hard limit of 32 megabytes and a soft limit of 8 megabytes per 60 seconds.
  • Slaves have a default hard limit of 256 megabytes and a soft limit of 64 megabyte per 60 second.

It is possible to change the limit at runtime using the CONFIG SET command or in a permanent way using the Redis configuration file redis.conf. See the example redis.conf in the Redis distribution for more information about how to set the limit.

*Query buffer hard limit

Every client is also subject to a query buffer limit. This is a non-configurable hard limit that will close the connection when the client query buffer (that is the buffer we use to accumulate commands from the client) reaches 1 GB, and is actually only an extreme limit to avoid a server crash in case of client or server software bugs.

*Client timeouts

By default recent versions of Redis don't close the connection with the client if the client is idle for many seconds: the connection will remain open forever.

However if you don't like this behavior, you can configure a timeout, so that if the client is idle for more than the specified number of seconds, the client connection will be closed.

You can configure this limit via redis.conf or simply using CONFIG SET timeout <value>.

Note that the timeout only applies to normal clients and it does not apply to Pub/Sub clients, since a Pub/Sub connection is a push style connection so a client that is idle is the norm.

Even if by default connections are not subject to timeout, there are two conditions when it makes sense to set a timeout:

  • Mission critical applications where a bug in the client software may saturate the Redis server with idle connections, causing service disruption.
  • As a debugging mechanism in order to be able to connect with the server if a bug in the client software saturates the server with idle connections, making it impossible to interact with the server.

Timeouts are not to be considered very precise: Redis avoids to set timer events or to run O(N) algorithms in order to check idle clients, so the check is performed incrementally from time to time. This means that it is possible that while the timeout is set to 10 seconds, the client connection will be closed, for instance, after 12 seconds if many clients are connected at the same time.

*CLIENT command

The Redis client command allows to inspect the state of every connected client, to kill a specific client, to set names to connections. It is a very powerful debugging tool if you use Redis at scale.

CLIENT LIST is used in order to obtain a list of connected clients and their state:

In the above example session two clients are connected to the Redis server. The meaning of a few of the most interesting fields is the following:

  • addr: The client address, that is, the client IP and the remote port number it used to connect with the Redis server.
  • fd: The client socket file descriptor number.
  • name: The client name as set by CLIENT SETNAME.
  • age: The number of seconds the connection existed for.
  • idle: The number of seconds the connection is idle.
  • flags: The kind of client (N means normal client, check the full list of flags).
  • omem: The amount of memory used by the client for the output buffer.
  • cmd: The last executed command.

See the CLIENT LIST documentation for the full list of fields and their meaning.

Once you have the list of clients, you can easily close the connection with a client using the CLIENT KILL command specifying the client address as argument.

The commands CLIENT SETNAME and CLIENT GETNAME can be used to set and get the connection name. Starting with Redis 4.0, the client name is shown in the SLOWLOG output, so that it gets simpler to identify clients that are creating latency issues.

Redis Gui Client Windows Free

*TCP keepalive

Redis Desktop Manager

Recent versions of Redis (3.2 or greater) have TCP keepalive (SO_KEEPALIVE socket option) enabled by default and set to about 300 seconds. This option is useful in order to detect dead peers (clients that cannot be reached even if they look connected). Moreover, if there is network equipment between clients and servers that need to see some traffic in order to take the connection open, the option will prevent unexpected connection closed events.