- 新しい順
- 投票が多い順
- コメントが多い順
Given that Redis is a database (yes, in-memory but that's the idea - for speed): We strongly recommend that you don't expose databases to the Internet directly. It opens them to attack, abuse, etc.
Could you limit access to Redis (or any database) to specific remote IP addresses? Yes. But it's pretty easy to make a mistake there; and if there are many users of the application then that becomes impractical and difficult to maintain.
Could you limit access using some sort of authentication (could be username/password; could be API key; etc.)? Yes. But now your database is open to brute-force attacks; potential DDoS; and so on.
If you allow access to Redis via a VPN (presumably site-so-site but client VPN also qualifies) and only allow access via the VPN then generally (from a security perspective) that's a "private" connection (the "P" in VPN") so you have controlled who can connect.
TL;DR: Security best practice says "don't allow access to databases over the Internet unless you really know what you're getting into".
Thanks for the information, that really helps in what I tell my manager.