Redis app refuses private connections

I have deployed this redis app with little modification(for private networking) and I’m trying to connect to from a go app also running on fly. But it has refused all connection attempts.

the redis app configuration:

# fly.toml file generated for cache on 2021-05-07T21:26:24+02:00

app = "cache"

kill_signal = "SIGINT"
kill_timeout = 5

[[mounts]]
source      = "redis_server"
destination = "/data"

[env]

[experimental]
  auto_rollback = true
  private_network=true

[[services]]
  internal_port = 6379
  protocol      = "tcp"

  [services.concurrency]
    hard_limit = 25
    soft_limit = 20

  [[services.ports]]
    handlers = []
    port     = "10000"

  [[services.tcp_checks]]
    interval = 10000
    timeout  = 2000
``

My app is trying to connects via: `REDIS_URL=redis://:password@cache.internal:6379`

The app logs:
 

2021-05-07T20:32:44Z [info] time=“2021-05-07T20:32:44Z” level=fatal msg=“main: cannot initialize server err:could not establish redis connection: dial tcp [fdaa:0:1af2:a7b:a9a:0:1ce8:2]:6379: connect: connection refused”
2021-05-07T20:32:44Z [info] Starting clean up.
2021-05-07T20:32:44Z [info] Main child exited normally with code: 1
2021-05-07T20:32:46Z [info] Starting instance
2021-05-07T20:32:46Z [info] Configuring virtual machine
2021-05-07T20:32:46Z [info] Pulling container image
2021-05-07T20:32:47Z [info] Unpacking image
2021-05-07T20:32:47Z [info] Preparing kernel init


Is there something I'm doing wrong?

Is redis bound to 0.0.0.0 or 127.0.0.1?

It’s bound to 0.0.0.0

If you’re connecting over wireguard/private network, you need to bind to all IPv6 addresses. 0.0.0.0 is only IPv4. You can try binding to :: to get both.

Should I replace 0.0.0.0 with :: like so:

redis-server --requirepass $REDIS_PASSWORD --bind :: --dir /data/ --appendonly yes

Yes I think that’ll work. It seems like dropping the --bind arg entirely might work too!

The actual “bind to everything” address varies between server types, so there’s a chance Redis won’t respect :: and it needs something else.

@kurt not that it’s important but are there any Linux kernel hacks possible to allow apps binding to ipv4 localhost while behind the scenes it’s using your ipv6 network? Just for convenience. I guess many of your users will fall for this trap.

I wish! We’ve thought about putting an iptables rule or something in but we haven’t found any reliable way to solve this problem.