Michael Buckbee
12 Oct 2023
Wafris uses Redis to store and process your application's request data, so it's essential to configure your Redis instance correctly.
Wafris Hub is the web application that you'll use to view real-time data about the requests hitting your site and to take action by setting rules to block malicious requests. This requires that your Redis instance be accessible from Wafris Hub, which means the instance is reachable from outside your own network: require a password (requirepass, or an ACL user on Redis 6+), use a TLS endpoint (the rediss:// URL scheme) where your provider and client support it, and restrict inbound access to known addresses where your provider allows it.
Your web application will send HTTP request data to a Redis instance as defined in your Wafris client configuration. Typically this is a Redis instance that you've set up yourself or a cloud Redis provider.
The latency between your web application and your Redis instance matters because the Wafris client talks to Redis while processing each request: a distant Redis instance adds its round-trip time to every request your application serves.
In practice, if the Wafris client connection to Redis is adding more than a few milliseconds to your request processing time, you should consider moving your Redis instance closer to your web application.
For both ease of management and security, it's recommended that you use a dedicated Redis instance for Wafris.
The exception is if you're self-hosting, in which case it may make more sense to run a single Redis server with multiple databases, one for Wafris and one for your applications. Keep in mind that Redis logical databases only separate key namespaces: they share one process, one maxmemory limit and one set of credentials, so unless Redis ACLs restrict it, a client that can reach the Wafris database can SELECT the application databases too. Treat a shared server as exposed to anything that can reach the connection Wafris Hub uses.
Wafris uses the Redis connection URL format to connect to your Redis instance (both in the Wafris client configuration and in Wafris Hub).
The format is as follows:
redis://[:password]@host:port/db
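As an added example (not part of the original page or of the Wafris client), here is a small Python helper that parses a URL in this format, redacts the password so the URL can be logged safely, and flags the properties a reviewer would object to before handing the URL to a service that connects from outside your network. The host names and passwords in it are made up, and the checks are general Redis hygiene rather than Wafris requirements.

```python
"""Parse, audit and redact a Redis connection URL of the form redis://[:password]@host:port/db."""
from urllib.parse import urlparse, unquote

DEFAULT_PORT = 6379


def parse_redis_url(url: str) -> dict:
    """Break a redis:// or rediss:// URL into its parts. Port defaults to 6379, db to 0."""
    u = urlparse(url)
    if u.scheme not in ("redis", "rediss"):
        raise ValueError(f"unsupported scheme {u.scheme!r}; expected redis:// or rediss://")
    if not u.hostname:
        raise ValueError("missing host")
    path = u.path.strip("/")
    db = int(path) if path else 0  # raises ValueError for a non-numeric db segment
    if db < 0:
        raise ValueError("db index must be a non-negative integer")
    return {
        "scheme": u.scheme,
        "tls": u.scheme == "rediss",
        # Credentials may be percent-encoded in the URL; decode them once here.
        "username": unquote(u.username) if u.username else None,
        "password": unquote(u.password) if u.password else None,
        "host": u.hostname,
        "port": u.port or DEFAULT_PORT,
        "db": db,
    }


def redact(url: str) -> str:
    """Return the URL with the password replaced by ***, safe for logs and dashboards."""
    parts = parse_redis_url(url)
    user = parts["username"] or ""
    if parts["password"] is not None:
        cred = f"{user}:***@"
    else:
        cred = f"{user}@" if user else ""
    return f"{parts['scheme']}://{cred}{parts['host']}:{parts['port']}/{parts['db']}"


def audit_redis_url(url: str) -> list:
    """Return findings about how this URL exposes the Redis instance to the network."""
    parts = parse_redis_url(url)
    findings = []
    if not parts["tls"]:
        findings.append("plaintext redis:// scheme: credentials and request data cross the wire "
                        "unencrypted; use rediss:// where the provider and client support TLS")
    if not parts["password"]:
        findings.append("no password in URL: anyone who can reach the host can read and write the instance")
    elif len(parts["password"]) < 16:
        findings.append("short password: Redis does not rate-limit AUTH attempts, use a long random one")
    if parts["host"] in ("localhost", "127.0.0.1", "::1"):
        findings.append("loopback host: a service outside your network cannot reach this instance")
    return findings


if __name__ == "__main__":
    # Constructed sample URL; the host and password are invented for illustration.
    sample = "redis://:s3cret@cache.example.internal:6380/2"
    print(redact(sample))
    for finding in audit_redis_url(sample):
        print("WARN:", finding)
```

Run the audit on the URL you are about to paste into a client configuration or dashboard; anything it reports is worth fixing before the instance is reachable from the internet.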
From within Wafris Hub, you can view your current Redis usage and sizing recommendations based on how much memory each request takes in your application.
Redis memory used per request varies widely between applications: the more unique combinations of paths and parameters your application receives, the more memory each request takes, and the fewer unique combinations, the less.
Wafris uses Redis' key expiration features to hold a sliding window of your most recently received requests. For this to function correctly, ensure that your Redis instance is configured to evict keys based on their expiration time and not on other attributes.
The two Redis configuration values that need to be set are maxmemory and maxmemory-policy.
maxmemory is the memory ceiling at which Redis starts evicting keys. If you're using a cloud Redis provider, it is typically set for you to your plan's memory limit.
If you're self-hosting Redis, you must set it yourself to a value that makes sense for your server, for example:
maxmemory 1gb
maxmemory-policy should be set to volatile-ttl so that, when maxmemory is reached, Redis evicts the keys closest to their expiration time rather than choosing by recency, frequency or at random. Note that volatile-ttl only ever evicts keys that carry a TTL: if a shared instance fills up with application keys that never expire, Redis rejects writes instead of evicting them, which is another reason to prefer a dedicated instance.
maxmemory-policy volatile-ttl
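As an added example, not taken from the page or from Wafris, the Python below parses maxmemory values the way redis.conf documents them, audits a CONFIG GET result against the two settings above, and emits the commands that apply them. The sample configurations are constructed (the first matches Redis's shipped defaults of maxmemory 0 and noeviction); the live_audit function assumes the redis-py package and only runs if you call it. Managed providers generally block CONFIG SET, which is why the provider-specific steps below exist.

```python
"""Audit a Redis instance's eviction settings for a TTL-based sliding window of request data."""
import re

REQUIRED_POLICY = "volatile-ttl"

# Size suffixes as documented in redis.conf: k/m/g are powers of 1000, kb/mb/gb are powers of 1024.
_UNITS = {"": 1, "b": 1, "k": 10**3, "kb": 2**10, "m": 10**6, "mb": 2**20, "g": 10**9, "gb": 2**30}


def parse_memory_size(value: str) -> int:
    """Convert a maxmemory value such as '1gb' or '1073741824' to a number of bytes."""
    m = re.fullmatch(r"\s*(\d+)\s*([a-zA-Z]*)\s*", value)
    if not m:
        raise ValueError(f"unparseable memory size {value!r}")
    number, unit = int(m.group(1)), m.group(2).lower()
    if unit not in _UNITS:
        raise ValueError(f"unknown unit {unit!r} in {value!r}")
    return number * _UNITS[unit]


def audit_eviction_config(config: dict) -> list:
    """Return findings for a CONFIG GET result (option name -> string value, as redis-py returns it)."""
    findings = []
    maxmemory = parse_memory_size(config.get("maxmemory", "0"))
    policy = config.get("maxmemory-policy", "noeviction")
    if maxmemory == 0:
        findings.append("maxmemory is 0 (unlimited): nothing is ever evicted and the request "
                        "window grows until the host runs out of memory")
    if policy != REQUIRED_POLICY:
        if policy == "noeviction":
            reason = "writes fail with OOM errors once maxmemory is reached instead of expiring old requests"
        elif policy.startswith("allkeys-"):
            reason = "keys without a TTL are evicted too, so persistent data on the instance can be dropped"
        else:
            reason = "volatile keys are evicted by recency, frequency or at random rather than by time-to-live"
        findings.append(f"maxmemory-policy is {policy!r}, expected {REQUIRED_POLICY!r}: {reason}")
    return findings


def remediation_commands(maxmemory: str) -> list:
    """Commands that apply the required settings on a self-hosted instance and persist them to redis.conf."""
    parse_memory_size(maxmemory)  # reject a bad size before emitting anything
    return [
        f"CONFIG SET maxmemory {maxmemory}",
        f"CONFIG SET maxmemory-policy {REQUIRED_POLICY}",
        "CONFIG REWRITE",
    ]


def live_audit(url: str) -> list:
    """Run the audit against a real instance. redis-py is imported lazily so the rest works offline."""
    import redis  # assumption: the redis-py package is installed (pip install redis)
    client = redis.Redis.from_url(url)
    return audit_eviction_config(client.config_get("maxmemory*"))


# Constructed samples: Redis's defaults on an untouched server, and the configuration this page asks for.
SAMPLE_DEFAULT_CONFIG = {"maxmemory": "0", "maxmemory-policy": "noeviction"}
SAMPLE_GOOD_CONFIG = {"maxmemory": "1gb", "maxmemory-policy": "volatile-ttl"}

if __name__ == "__main__":
    for finding in audit_eviction_config(SAMPLE_DEFAULT_CONFIG):
        print("FAIL:", finding)
    print("\n".join(remediation_commands("1gb")))
```

The same two lines, without the CONFIG SET prefix, are what you put in redis.conf when you self-host; on a managed provider, use the dashboard or CLI steps below and confirm with CONFIG GET (or the provider's equivalent) afterwards.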
The following providers have all been tested to work in production with Wafris installs.
To set the maxmemory policy on Redis Enterprise Cloud, from the web dashboard of your Redis instance, navigate to "Edit" and under the "Durability" section, set the "Data eviction policy" to "Volatile TTL".
Setting the maxmemory policy on Heroku Redis requires the Heroku CLI:
heroku redis:maxmemory YOUR_REDIS_INSTANCE_NAME --policy volatile-ttl
Note: Heroku periodically rotates its Redis credentials, which means the Redis setting in Wafris Hub has to be updated each time.
From within the Memetria dashboard, you can navigate to "Settings" and set the Maxmemory policy to "Volatile TTL".
Azure Cache for Redis supports Redis 6+ and streams. To connect from Wafris Hub, you'll need to follow Azure's configuration guide for connecting to Azure Cache for Redis from outside of Azure.
Memory management (maxmemory policy) documentation: https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-best-practices-memory-management
GCP's Memorystore supports Redis 6+ and streams. To connect from Wafris Hub, you'll need to follow Google's configuration guide for connecting to Memorystore from outside of GCP.
Alternatively, you can use a GCP VM instance with Redis installed and configured that's outside of your VPC.
maxmemory policy setting: https://cloud.google.com/memorystore/docs/redis/supported-redis-configurations
Note: on Memorystore the setting is maxmemory-gb, not maxmemory, and it takes an integer number of gigabytes.
The following providers have been tested and do not work with Wafris.
Configuring AWS ElastiCache to allow access from Wafris Hub isn't currently possible.
AWS Wafris users are currently either configuring a standalone EC2 instance with Redis installed outside of their VPC or using a cloud Redis provider like Redis Enterprise Cloud, both of which work with Wafris.
We're on a mission to better secure every web app on the internet. Here are some ways you can jump in:
Wafris is the free open source WAF that you can use to understand and visualize the requests hitting your apps and then take steps to protect them. It's still in early development, but you can sign up for the waitlist to get early access at wafris.org
Bad bots and probes hit sites within minutes of being put on the Internet. Sort the good from the bad by identifying request IPs as coming from bots, Tor networks, VPNs, proxies and malware hosts at wafris.org/ip-lookup
If you have any questions or need help finding the right way to handle web app security issues, please let us know at: help@wafris.org