Description
This is not an issue, but it would be nice to get people thinking about security by adding authentication to the Redis container. This can be done easily through the compose/.env files and minimal changes to the application, Redis, and Sidekiq configs.
.env.example:
```
#export REDIS_URL=redis://redis:6379/1
#export REDIS_PASSWORD=password
```
docker-compose.yml:
```yaml
services:
  redis:
    command: >
      --requirepass ${REDIS_PASSWORD:-password}
```
application.rb:
```ruby
config.cache_store = :redis_cache_store, {
  url: ENV.fetch("REDIS_URL") { "redis://redis:6379/1" },
  namespace: "cache",
  password: ENV.fetch("REDIS_PASSWORD") { "password" }
}
```
redis.rb:
```ruby
@redis ||= Redis.new(url: ENV.fetch("REDIS_URL") { "redis://redis:6379/1" }, password: ENV.fetch("REDIS_PASSWORD") { "password" })
```
sidekiq.rb:
```ruby
sidekiq_config = { url: ENV.fetch("REDIS_URL") { "redis://redis:6379/1" }, password: ENV.fetch("REDIS_PASSWORD") { "password" } }
```
cable.yml:
```yaml
default: &default
  password: "<%= ENV.fetch("REDIS_PASSWORD") { "password" } %>"
```
Even though ACLs are the preferred method for authentication in Redis 6+, best practice should probably be to use some form of authentication, even in development.
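
An added example, not part of the original issue or the project's code: the three Ruby snippets above each repeat the same `ENV.fetch` pair with a `"password"` fallback, so one helper can build the options once and refuse to start outside development or test when that fallback would be used. The names `RedisSettings`, `InsecureConfig` and `options` are hypothetical, and treating a password embedded in `REDIS_URL` as configured is an assumption.

```ruby
require "uri"

# Hypothetical helper (not from the project): one place to build the Redis
# options that application.rb, redis.rb and sidekiq.rb each build inline.
module RedisSettings
  DEFAULT_URL  = "redis://redis:6379/1"
  DEV_PASSWORD = "password" # the development fallback used in the snippets above
  LOCAL_ENVS   = %w[development test].freeze

  class InsecureConfig < StandardError; end

  # env: a Hash-like object such as ENV; rails_env: e.g. Rails.env.to_s
  def self.options(env, rails_env)
    url = env.fetch("REDIS_URL", DEFAULT_URL)
    uri = URI.parse(url)
    unless %w[redis rediss].include?(uri.scheme)
      raise InsecureConfig, "REDIS_URL must use redis:// or rediss://"
    end

    # Assumption: a password embedded in the URL (redis://:secret@host)
    # counts as configured. Empty strings are treated as unset.
    password = [env["REDIS_PASSWORD"], uri.password].find { |p| p && !p.empty? }

    if LOCAL_ENVS.include?(rails_env)
      password ||= DEV_PASSWORD
    elsif password.nil? || password == DEV_PASSWORD
      # Fail closed: the well-known fallback must never reach a deployed environment.
      raise InsecureConfig, "set a non-default REDIS_PASSWORD for #{rails_env}"
    end

    { url: url, password: password }
  end
end
```

Each call site then becomes, for example, `Redis.new(**RedisSettings.options(ENV, Rails.env.to_s))`.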