From 645ec1281c18091084590e8061de7c14f97e7830 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20Ma=CC=88der?=
Date: Mon, 13 Aug 2018 15:19:29 -0700
Subject: [PATCH] =?UTF-8?q?=E2=9C=A8=20Use=20a=20default=20Redis=20passwor?= =?UTF-8?q?d?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Although it does not provide any additional security, it shows how to configure Redis with a password and how to use Netbox using a password protected redis server. Something that might be considered in a classic production deployment. (But is mostly irrelevant in e.g. a Kubernetes / OpenShift deployment as the isolation is usually on a network level.)

---
 README.md | 18 ++++++++++++------
 docker-compose.yml | 6 +++++-
 netbox.env | 1 +
 redis.env | 1 +
 4 files changed, 19 insertions(+), 7 deletions(-)
 create mode 100644 redis.env

diff --git a/README.md b/README.md
index 00b8eeb..9e607d0 100644
--- a/README.md
+++ b/README.md
@@ -71,12 +71,12 @@ For example defining `ALLOWED_HOSTS=localhost ::1 127.0.0.1` would allows access The default settings are optimized for (local) development environments. You should therefore adjust the configuration for production setups, at least the following variables: -* `ALLOWED_HOSTS`: Add all URLs that lead to your NetBox instance. -* `DB_*`: Use a persistent database. +* `ALLOWED_HOSTS`: Add all URLs that lead to your NetBox instance, space separated. E.g. `ALLOWED_HOSTS=netbox.mycorp.com server042.mycorp.com 2a02:123::42 10.0.0.42 localhost ::1 127.0.0.1` (It's good advice to always allow localhost connections for easy debugging, i.e. `localhost ::1 127.0.0.1`.) +* `DB_*`: Use your own persistent database. Don't use the default passwords! * `EMAIL_*`: Use your own mailserver. * `MAX_PAGE_SIZE`: Use the recommended default of 1000. -* `SUPERUSER_*`: Only define those variables during the initial setup, and drop them once the DB is set up. -* `REDIS_*`: Use a persistent redis. +* `SUPERUSER_*`: Only define those variables during the initial setup, and drop them once the DB is set up. Don't use the default passwords! +* `REDIS_*`: Use your own persistent redis. Don't use the default passwords! ### Running on Docker Swarm / Kubernetes / OpenShift @@ -284,6 +284,7 @@ REDIS_HOST=redis Then make sure that the `redis` container and at least one `netbox-worker` are running. ``` +# check the container status $ docker-compose ps Name Command State Ports 
@@ -293,11 +294,16 @@ netbox-docker_netbox_1 /opt/netbox/docker-entrypo ... Up netbox-docker_nginx_1 nginx -c /etc/netbox-nginx ... Up 80/tcp, 0.0.0.0:32776->8080/tcp netbox-docker_postgres_1 docker-entrypoint.sh postgres Up 5432/tcp netbox-docker_redis_1 docker-entrypoint.sh redis ... Up 6379/tcp + +# connect to redis and send PING command: +$ docker-compose run --rm -T redis sh -c 'redis-cli -h redis -a $REDIS_PASSWORD ping' +Warning: Using a password with '-a' option on the command line interface may not be safe. +PONG ``` If `redis` and the `netbox-worker` are not available, make sure you have updated your `docker-compose.yml` file! -Everything's up and running? Then check the log of the `netbox-worker` and/or `redis`: +Everything's up and running? Then check the log of `netbox-worker` and/or `redis`: ```bash docker-compose logs -f netbox-worker @@ -307,7 +313,7 @@ docker-compose logs -f redis Still no clue? You can connect to the `redis` container and have it report any command that is currently executed on the server: ```bash -docker-compose run --rm -T redis redis-cli -h redis monitor +docker-compose run --rm -T redis sh -c 'redis-cli -h redis -a $REDIS_PASSWORD monitor' # Hit CTRL-C a few times to leave ``` diff --git a/docker-compose.yml b/docker-compose.yml index 76a5764..ec075ab 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -45,7 +45,11 @@ services: - netbox-postgres-data:/var/lib/postgresql/data redis: image: redis:4-alpine - command: redis-server --appendonly yes + command: + - sh + - -c # this is to evaluate the $REDIS_PASSWORD from the env + - redis-server --appendonly yes --requirepass $$REDIS_PASSWORD ## $$ because of docker-compose + env_file: redis.env volumes: - netbox-redis-data:/data volumes: diff --git a/netbox.env b/netbox.env index 1f9d4ef..f44c328 100644 --- a/netbox.env +++ b/netbox.env 
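Review bot: The `$$REDIS_PASSWORD` in the new `redis-server --appendonly yes --requirepass $$REDIS_PASSWORD` entry is expanded unquoted by `sh -c`, so a value containing whitespace is split into several arguments and an empty value leaves `--requirepass` with no argument, which redis-server will most likely reject at startup rather than run without a password; quoting it, `- redis-server --appendonly yes --requirepass "$$REDIS_PASSWORD"`, keeps the value a single argument. Since the shell expands the variable before starting the server, the plaintext password also ends up in redis-server's argv and is readable from the process list inside the container, which is worth stating in the comment next to the `-c` entry so operators do not assume the env file keeps it out of sight. The `## $$ because of docker-compose` trailer would read more clearly as `# $$ is an escaped $ so docker-compose does not interpolate it`.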
@@ -14,6 +14,7 @@ NAPALM_PASSWORD=
 NAPALM_TIMEOUT=10
 MAX_PAGE_SIZE=0
 REDIS_HOST=redis
+REDIS_PASSWORD=H733Kdjndks81
 SECRET_KEY=r8OwDznj!!dci#P9ghmRfdu1Ysxm0AiPeDCQhKE+N_rClfWNj
 SUPERUSER_NAME=admin
 SUPERUSER_EMAIL=admin@example.com
diff --git a/redis.env b/redis.env
new file mode 100644
index 0000000..44a1987
--- /dev/null
+++ b/redis.env
@@ -0,0 +1 @@
+REDIS_PASSWORD=H733Kdjndks81
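Review bot: The default `REDIS_PASSWORD=H733Kdjndks81` added to netbox.env is duplicated verbatim in the new redis.env, and nothing in either file says the two must agree, so a user who rotates one and forgets the other gets a worker that cannot authenticate with no hint in the file itself. A comment line above it, `# must match REDIS_PASSWORD in redis.env; replace this default before any non-local deployment`, would make the coupling visible (env_file treats lines starting with `#` as comments). The same note applies to the single-line redis.env hunk, which could carry the mirror comment pointing back at netbox.env.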