Securing Heroku Redis

Last updated 02 September 2015

Heroku Redis provides access to Redis, an in-memory, key-value store that has excellent support for all of the official languages on Heroku. It has a number of powerful data types and focuses on maximizing throughput. As a result, Redis is designed to run in trusted environments with trusted clients. This means that Redis lacks encryption, has minimal access controls, and the authentication layer consists only of a plain-text password with no challenge-response.

To make sure that the data that developers produce and work with is safe, we’re recommending everyone that wants to connect to Redis install a Heroku-provided Stunnel buildpack. This build pack will create an SSL tunnel between your dynos and your Heroku Redis instance.

While you can connect to Heroku Redis without the Stunnel buildpack, it is not recommend. The data traveling over the wire will be unencrypted.

Stunnel Overview

Stunnel is software that’s installed on each Heroku Redis instance. What it does is create a proxy between the running Redis process and the SSL connection. An associated Stunnel needs to be created on the dynos that are running your application so that transport level security is taken care of. Generally, the benefit of using Stunnel is that it adds encryption to your application without any changes to the application code.

SSL for Heroku Redis is only available on production tier plans. The hobby-tier plans are meant for testing and staging environments, not production.

Setting up the Stunnel buildpack

As mentioned before, Stunnel is already setup on all production-tier Heroku Redis instances. The other half of the tunnel needs to be set up on the dynos that need to interact with Heroku Redis. At a high level, a buildpack needs to be installed and each process type that interacts with Heroku Redis needs to have it’s command prefaced with bin/start-stunnel. The Heroku Redis Buildpack README has all of the details of adding the buildpack to your application.

You can disable the stunnel buildpack on your staging or development environment by setting STUNNEL_ENABLED to false using heroku config:set STUNNEL_ENABLED=false -a sushi

Heroku Redis CLI

The Heroku Redis CLI uses the underlying redis-cli binary to connect to your Heroku Redis instance. Because Redis does not have any built in security, this also applies to redis-cli. When you connect to your Heroku Redis instance via the CLI, a warning message will be given asking for confirmation:

$ heroku redis:cli -a sushi
 ▸    WARNING: Insecure Action
 ▸    All data, including the redis password, will be unencrypted.
 ▸    To proceed, type sushi or re-run this command with --confirm sushi
>

At the command line, the --confirm flag can be used to bypass the confirmation message and connect directly to the Redis CLI:

$ heroku redis:cli --confirm sushi
Connecting to: REDIS_URL
ec2-11-11-11-11.compute-1.amazonaws.com:6699>
heroku redis redis

Feedback

Log in to submit feedback.