Webdis
A Redis HTTP interface with JSON output
Install / Use
/learn @nicolasff/WebdisREADME
About Webdis
A very simple web server providing an HTTP interface to Redis. It embeds hiredis, jansson (with some local changes), and http-parser. It also depends on libevent, to be installed separately.
Build and run from source
Building Webdis requires the libevent development package. You can install it on Ubuntu by typing sudo apt-get install libevent-dev or on macOS by typing brew install libevent.
To build Webdis with support for encrypted connections to Redis, see Building Webdis with SSL support.
$ make clean all
$ ./webdis &
$ curl http://127.0.0.1:7379/SET/hello/world
→ {"SET":[true,"OK"]}
$ curl http://127.0.0.1:7379/GET/hello
→ {"GET":"world"}
$ curl -d "GET/hello" http://127.0.0.1:7379/
→ {"GET":"world"}
Configuration
Webdis is configured by a configuration file in JSON format, provided to the server as a command-line parameter:
./webdis /path/to/webdis.json
At start-up, Webdis will look for a file named webdis.json in the current directory if no file is specified on the command line.
This repository comes with a sample configuration file named webdis.json, to be used for local evaluation. Another file, webdis.prod.json, is provided as a starting point to build a production configuration file. Do not use either of these files in production without reviewing them.
The various features of Webdis are documented in this README.
Try in Docker
$ docker run --name webdis-test --rm -d -p 127.0.0.1:7379:7379 nicolas/webdis
0d2ce311a4834d403cc3e7cfd571b168ba40cede6a0e155a21507bb0bf7bee81
$ curl http://127.0.0.1:7379/PING
{"PING":[true,"PONG"]}
# To stop it:
$ docker stop webdis-test
0d2ce311a483
Docker repositories and Docker Content Trust
Webdis images are published on Docker Hub and Amazon ECR.
Docker Hub
$ docker pull nicolas/webdis:0.1.22
$ docker pull nicolas/webdis:latest
Starting from release 0.1.12 and including latest, Docker Hub images are signed (download public key). You should see the following key ID if you verify the trust:
$ docker trust inspect nicolas/webdis:0.1.22 --pretty
Signatures for nicolas/webdis:0.1.22
SIGNED TAG DIGEST SIGNERS
0.1.22 5a7d342e3a9e5667fe05f045beae4b5042681d1d737f60843b7dfd11f96ab72f (Repo Admin)
List of signers and their keys for nicolas/webdis:0.1.22
SIGNER KEYS
nicolasff dd0768b9d35d
Administrative keys for nicolas/webdis:0.1.22
Repository Key: fed0b56b8a8fd4d156fb2f47c2e8bd3eb61948b72a787c18e2fa3ea3233bba1a
Root Key: 40be21f47831d593892370a8e3fc5bfffb16887c707bd81a6aed2088dc8f4bef
The signing keys are listed on this documentation page; please make sure they match what you see. The same documentation page details how to verify the signatures of multi-architecture images, and the tree of manifests used to build them.
Amazon Elastic Container Registry (ECR)
$ docker pull public.ecr.aws/nicolas/webdis:0.1.22
$ docker pull public.ecr.aws/nicolas/webdis:latest
A note on ECR and trust: AWS does not support Notary v2 at the time of this writing, although a security talk from 2020 mentions that the feature could be available in 2021.
The consequence is that Webdis images on ECR are not signed at this time.
They can still be verified, since the images uploaded there use the exact same hash as the ones on Docker Hub, which are signed. This means that you can verify the signature using the docker trust inspect command described above, as long as you also make sure that the image hash associated with the image on ECR matches the one shown on Docker Hub.
For more details about Content Trust validation with ECR images, refer to the article titled Webdis and Docker Content Trust in the Webdis documentation.
Multi-architecture images
Starting with release 0.1.19, Docker images for Webdis are published as manifest lists supporting multiple architectures. Each release points to an x86-64 image and an ARM64v8 image:
$ docker manifest inspect nicolas/webdis:0.1.19 | jq -r '.manifests | .[] | .platform.architecture + " -> " + .digest'
amd64 -> sha256:2ced2d99146e1bcaf10541d17dbac573cffd02237c3b268875be1868138d3b54
arm64 -> sha256:d026c5675552947b6a755439dfd58360e44a8860436f4eddfe9b26d050801248
By default docker pull will download only the relevant image for your architecture, but you can specify the platform to download the image for a specific architecture, e.g.
$ docker pull nicolas/webdis:0.1.19 --platform linux/arm64/v8
Build and run a Docker image locally
Clone the repository and open a terminal in the webdis directory, then run:
$ docker build -t webdis:custom .
[...]
$ docker run --name webdis-test --rm -d -p 127.0.0.1:7379:7379 webdis:custom
f0a2763fd456ac1f7ebff80eeafd6a5cd0fc7f06c69d0f7717fb2bdcec65926e
$ curl http://127.0.0.1:7379/PING
{"PING":[true,"PONG"]}
To stop it:
$ docker stop webdis-test
f0a2763fd456
Docker images and embedded Redis
:information_source: The Docker images provided on Docker Hub under nicolas/webdis contain both Webdis and an embedded Redis server. They were built this way to make it easy to try Webdis without having to configure a Docker deployment with two containers, but this is likely not the best way to run Webdis in production.
The following documentation pages cover various such use cases:
- Running Webdis in Docker with an external Redis instance
- Running Webdis and Redis in Docker Compose
- Running Webdis and Redis in Docker Compose with SSL connections
More articles are available in the Webdis documentation.
Building Webdis with SSL support
Webdis needs libraries that provide TLS support to encrypt its connections to Redis:
- On Alpine Linux, install
openssl-devwithapk-add openssl-dev. - On Ubuntu, install
libssl-devwithapt-get install libssl-dev. - On macOS with HomeBrew, install OpenSSL with
brew install openssl@1.1.
Then, build Webdis with SSL support enabled:
$ make SSL=1
Configuring Webdis with SSL
Once Redis is configured with SSL support (see this guide for step-by-step instructions), you can configure Webdis to connect to Redis over encrypted connections.
Add a block to webdis.json under a key named "ssl" placed at the root level, containing the following object:
{
"enabled": true,
"ca_cert_bundle": "/path/to/ca.crt",
"path_to_certs": "/path/to/trusted/certs",
"client_cert": "/path/to/redis.crt",
"client_key": "/path/to/redis.key",
"redis_sni": "redis.mydomain.tld"
}
This means that "ssl" should be at the same level as "redis_host", "redis_port", etc.
Important: the presence of the "ssl" configuration block alone does not necessarily enable secure connections to Redis. The key "enabled" inside this block must also be set to true, otherwise Webdis will keep using unencrypted connections.
Use the following table to match the Redis configuration keys to the fields under "ssl" in webdis.json:
| Redis field | Webdis field | Purpose |
| ------------------ | ---------------- | --------------------- |
| tls-cert-file | client_cert | Client certificate |
| tls-key-file | client_key | Client key |
| tls-ca-cert-file | ca_cert_bundle | CA certificate bundle |
Two other keys have no equivalent in redis.conf:
path_to_certsis an optional directory path where trusted CA certificate files are stored in an OpenSSL-compatible format.redis_sniis an optional Redis server name, used as a server name indication (SNI) TLS extension.
See also the Hiredis docs and Hiredis source code for more information.
Running Redis and Webdis with SSL in Docker Compose
For a full tutorial showing how to configure and run Redis and Webdis under Docker Compose with SSL connections between the two services, head to the docs folder and open Running Webdis & Redis in Docker Compose with SSL connections.
SSL troubleshooting
Follow this table to diagnose issues with SSL connections to Redis.
| Error message or issue | Cause | Solution |
| ---------------------- | ----- | -------- |
| Unexpected key or incorrect value in webdis.json: 'ssl' | Webdis is not compiled with SSL support | Build webdis with make SSL=1 |
| Unexpected key or incorrect value under 'ssl'
