Redis - Explain in Detail

1. Advent of NoSQL

old times:


1.1 Pressure

CPU & memory pressure


io pressure

1.2 Characteristic

No support for ACID transactions.

The four properties of a transaction (ACID):
Atomicity, Consistency, Isolation, Durability

2. Official site

2.1 Getting Started - Exploring Redis with the CLI

External programs talk to Redis using a TCP socket and a Redis specific protocol. This protocol is implemented in the Redis client libraries for the different programming languages. However, to make hacking with Redis simpler, Redis provides a command line utility that can be used to send commands to Redis. This program is called redis-cli.


The first thing to do in order to check if Redis is working properly is sending a PING command using redis-cli:

$ redis-cli ping
PONG

Running redis-cli followed by a command name and its arguments will send this command to the Redis instance running on localhost at port 6379.

Another interesting way to run redis-cli is without arguments: the program will start in interactive mode. You can type different commands and see their replies.
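The "Redis specific protocol" that redis-cli and the client libraries speak is called RESP. The following added example (not code from the Redis documentation or from this post) encodes a command the way a client does and decodes the reply types a client sees, so the PING/PONG exchange above can be read byte by byte. The sample replies are constructed for illustration.

```python
# Added example (not from the Redis documentation or the original post): a
# minimal encoder/decoder for the "Redis specific protocol" mentioned above,
# which Redis calls RESP. It shows what redis-cli and the client libraries put
# on the TCP socket. All sample replies below are constructed for illustration.
import socket


class RedisError(Exception):
    """An error reply ("-...") from the server, e.g. NOAUTH when requirepass is set."""


def encode_command(*args: str) -> bytes:
    """Encode a command as a RESP array of bulk strings.

    PING becomes b"*1\\r\\n$4\\r\\nPING\\r\\n": one element, a 4-byte bulk string.
    Every argument is length-prefixed, so spaces or CRLF inside an argument
    can never be confused with protocol framing.
    """
    out = [f"*{len(args)}\r\n".encode()]
    for arg in args:
        data = arg.encode()
        out.append(b"$%d\r\n%s\r\n" % (len(data), data))
    return b"".join(out)


def decode_reply(buf: bytes):
    """Decode one RESP reply from the front of buf; return (value, remaining_bytes).

    Handles simple strings (+), errors (-), integers (:), bulk strings ($) and
    arrays (*). Error replies are returned as RedisError objects instead of
    being raised, so a caller can inspect them.
    """
    kind, rest = buf[:1], buf[1:]
    line, _, rest = rest.partition(b"\r\n")
    if kind == b"+":
        return line.decode(), rest
    if kind == b"-":
        return RedisError(line.decode()), rest
    if kind == b":":
        return int(line), rest
    if kind == b"$":
        length = int(line)
        if length == -1:                       # null bulk string, e.g. GET on a missing key
            return None, rest
        return rest[:length].decode(), rest[length + 2:]  # skip payload and its CRLF
    if kind == b"*":
        items = []
        for _ in range(int(line)):
            item, rest = decode_reply(rest)
            items.append(item)
        return items, rest
    raise ValueError(f"unknown RESP type byte {kind!r}")


def ping(host: str = "127.0.0.1", port: int = 6379, timeout: float = 2.0):
    """Round-trip a PING over a real socket: what `redis-cli ping` does."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(encode_command("PING"))
        reply, _ = decode_reply(sock.recv(4096))
    return reply   # "PONG", or a RedisError such as NOAUTH / DENIED (protected mode)


if __name__ == "__main__":
    # Offline demonstration with constructed replies; run ping() against a
    # live server if one is listening on the loopback interface.
    print(encode_command("SET", "foo", "bar"))
    print(decode_reply(b"+PONG\r\n"))
    print(decode_reply(b"-NOAUTH Authentication required.\r\n"))
```

Because every argument is length-prefixed, the protocol itself has no injection problem; what a client receives on an unsecured instance is simply an error reply such as NOAUTH (password required) or DENIED (protected mode), which decode_reply hands back as a RedisError.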

2.2 Getting Started - Securing Redis

(Getting Started - Securing Redis)

By default Redis binds to all the interfaces and has no authentication at all.

By default, if no “bind” configuration directive is specified, Redis listens for connections from {all available network interfaces [on the host machine}.

– from the comments in redis.conf, Redis 6.2

If you use Redis in a very controlled environment, separated from the external internet and in general from attackers, that’s fine. However if an unhardened Redis is exposed to the internet, it is a big security concern. If you are not 100% sure your environment is secured properly, please check the following steps in order to make Redis more secure, which are enlisted in order of increased security.

  1. Make sure the port Redis uses to listen for connections (by default 6379 and additionally 16379 if you run Redis in cluster mode, plus 26379 for Sentinel) is firewalled, so that it is not possible to contact Redis from the outside world.
  2. Use a configuration file where the bind directive is set /in order to guarantee that/ Redis listens on only the network interfaces you are using. For example only the loopback interface (127.0.0.1) if you are accessing Redis just locally from the same computer, and so forth[1].
  3. Use the requirepass option.
  4. Use spiped or another SSL tunneling software in order to encrypt traffic between Redis servers and Redis clients if your environment requires encryption.

2.3 Using Redis from your application

Of course using Redis just from the command line interface is not enough as the goal is to use it from your application. In order to do so you need to download and install a Redis client library for your programming language. You’ll find a full list of clients for different languages in this page.

For instance if you happen to use the Ruby programming language our best advice is to use the Redis-rb client. You can install it using the command gem install redis.

These instructions are Ruby specific but actually many library clients for popular languages look quite similar:

>> require 'rubygems'
=> false
>> require 'redis'
=> true
>> r = Redis.new
=> #<Redis client v4.5.1 for redis://127.0.0.1:6379/0>
>> r.ping
=> "PONG"
>> r.set('foo','bar')
=> "OK"
>> r.get('foo')
=> "bar"

2.4 Managing Redis - Security

(Redis Security: security model and features in Redis)

This document covers the access control provided by Redis, code security concerns, attacks that can be triggered from the outside by selecting malicious inputs, and other similar topics. You can learn more about access control, data protection and security by taking the Redis University security course.

Security model

Redis is designed to be accessed by trusted clients inside trusted environments. This means that usually it is not a good idea to expose the Redis instance directly to the internet or, in general, to an environment where untrusted clients can directly access the Redis TCP port or UNIX socket.

For instance, in the common context of a web application implemented using Redis as a database, cache, or messaging system, the clients inside the front-end (web side) of the application will query Redis to generate pages or to perform operations requested or triggered by the web application user.

In this case, the web application mediates[2] access between Redis and untrusted clients (the user browsers accessing the web application).

In general, untrusted access to Redis should always be mediated by a layer implementing ACLs, validating user input, and deciding what operations to perform against the Redis instance.

Network security

Access to the Redis port should be denied to everybody but trusted clients in the network, so the servers running Redis should be directly accessible only by the computers implementing[3] the application using Redis.

In the common case of a single computer directly exposed to the internet, such as a virtualized Linux instance (Linode, EC2, …), the Redis port /on EC2/ should be firewalled to prevent access from the outside. Clients will still be able to access Redis using the loopback interface /local, 127.0.0.1/.

Note that it is possible to bind Redis to a single interface by adding a line like the following to the redis.conf file:

bind 127.0.0.1

Failing to protect the Redis port from the outside can have a big security impact because of the nature of Redis. For instance, a single FLUSHALL command can be used by an external attacker to delete the whole data set.

Protected mode

Unfortunately, many users fail to protect Redis instances from being accessed from external networks. Many instances are simply left exposed on the internet with public IPs. Since version 3.2.0, Redis enters a special mode called protected mode when it is executed with the default configuration (binding all the interfaces) and without any password in order to access it. In this mode, Redis only replies to queries from the loopback interfaces, and replies to clients connecting from other addresses with an error that explains the problem and how to configure Redis properly.

We expect protected mode to seriously decrease the security issues caused by unprotected Redis instances executed without proper administration. However, the system administrator can still ignore the error given by Redis and disable protected mode or manually bind all the interfaces.

Authentication

The legacy[4] authentication method is enabled by editing the redis.conf file, and providing a database password using the requirepass setting. This password is then used by all clients.

When the requirepass setting is enabled, Redis will refuse any query by unauthenticated clients.

2.5 Managing Redis - Configuration

Overview of redis.conf, the Redis configuration file

Redis is able to start without a configuration file using a built-in default configuration, however this setup is only recommended for testing and development purposes.

The proper way to configure Redis is by providing a Redis configuration file, usually called redis.conf.

The redis.conf file contains a number of directives that have a very simple format:

keyword argument1 argument2 ... argumentN

This is an example of a configuration directive:

replicaof 127.0.0.1 6380

It is possible to provide strings containing spaces as arguments using (double or single) quotes, as in the following example:

requirepass "hello world"

The list of configuration directives, and their meaning and intended usage is available in the self documented example redis.conf shipped into the Redis distribution.

Passing arguments via the command line

You can also pass Redis configuration parameters using the command line directly. The following is an example that starts a new Redis instance using port 6380 as a replica of the instance running at 127.0.0.1 port 6379.

./redis-server --port 6380 --replicaof 127.0.0.1 6379

The format of the arguments passed via the command line is exactly the same as the one used in the redis.conf file, with the exception that the keyword is prefixed with --.

Changing Redis configuration while the server is running

It is possible to reconfigure Redis on the fly without stopping and restarting the service, or querying the current configuration programmatically using the special commands CONFIG SET and CONFIG GET.

Not all of the configuration directives are supported in this way.

Config File Example

Note that in order to read the configuration file, Redis must be started with the file path as the first argument. /does that mean "./"?/

./redis-server /path/to/redis.conf

Scraps of redis.conf:

NETWORK section:

By default, if no "bind" configuration directive is specified, Redis listens for connections from {all available network interfaces [on the host machine}.

It is possible to listen to just one or multiple selected interfaces using the "bind" configuration directive, followed by one or more IP addresses. *Each address can be prefixed by "-", which means that redis will not fail to start if the address is not available.*

Examples:

bind 192.168.1.100 10.0.0.1     # listens on two specific IPv4 addresses
bind 127.0.0.1 ::1              # listens on loopback IPv4 and IPv6
bind * -::*                     # like the default, all available interfaces

~~~ WARNING ~~~ If the computer running Redis is directly exposed to the internet, binding to all the interfaces is dangerous and will expose the instance to everybody on the internet. So by default we uncomment the following bind directive, that will force Redis to listen only on the IPv4 and IPv6 (if available) loopback interface addresses (this means Redis will only be able to accept client connections from the same host that it is running on).
IF YOU ARE SURE YOU WANT YOUR INSTANCE TO LISTEN TO ALL THE INTERFACES JUST COMMENT OUT THE FOLLOWING LINE. ~~~

bind 127.0.0.1 -::1

Protected mode is a layer of security protection, in order to avoid that Redis instances left open on the internet are accessed and exploited.
When protected mode is on and if:

  1. The server is not binding explicitly to a set of addresses using the "bind" directive.
  2. No password is configured.

The server only accepts connections from clients connecting from the IPv4 and IPv6 loopback addresses 127.0.0.1 and ::1, and from Unix domain sockets.

By default protected mode is enabled. You should disable it only if you are sure you want clients from other hosts to connect to Redis even if no authentication is configured, nor a specific set of interfaces {are explicitly listed [using the “bind” directive]}.

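The securing checklist in 2.2, the directive format in 2.5 and the protected-mode rule above combine into one question: can this configuration accept connections from other hosts, and if so, without a password? The following added example (not code from the Redis project or from this post) parses a redis.conf in the "keyword argument1 ... argumentN" format, including quoted arguments such as `requirepass "hello world"` and the "-" address prefix, and answers that question. The sample configurations are constructed; the wildcard-bind interpretation noted in the comments is this example's reading of the rule.

```python
# Added example, not part of the Redis docs or the original post: a small
# redis.conf parser for the "keyword argument1 ... argumentN" format (quoted
# arguments allowed, as in `requirepass "hello world"`), plus an audit that
# applies the Securing Redis checklist and the protected-mode rule quoted
# above. The sample configurations at the bottom are constructed.
import shlex

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
WILDCARDS = {"*", "::*", "0.0.0.0", "::"}


def parse_redis_conf(text: str) -> dict:
    """Return {keyword: [argument_lists...]} for every directive in the file.

    Lines starting with '#' and blank lines are skipped; keywords are matched
    case-insensitively, as Redis does. shlex handles single and double quotes.
    """
    directives: dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        directives.setdefault(parts[0].lower(), []).append(parts[1:])
    return directives


def audit(conf: dict) -> dict:
    """Decide whether the configured instance can accept connections from other hosts."""
    # The last occurrence of a directive wins, as in Redis itself.
    # An address may carry a "-" prefix (start even if it is unavailable);
    # the prefix does not change which interface is bound.
    binds = [a.lstrip("-") for a in conf.get("bind", [[]])[-1]]
    has_password = any(args and args[0] for args in conf.get("requirepass", []))
    protected = conf.get("protected-mode", [["yes"]])[-1][0].lower() == "yes"

    binds_all = not binds or any(b in WILDCARDS for b in binds)
    loopback_only = bool(binds) and all(b in LOOPBACK for b in binds)
    # Protected-mode rule from redis.conf: it applies only when the server
    # is NOT bound explicitly to a set of addresses and NO password is set.
    # This example reads a wildcard bind as "not a set of addresses".
    explicit_bind = bool(binds) and not binds_all
    protected_mode_active = protected and not explicit_bind and not has_password
    reachable_from_other_hosts = not loopback_only and not protected_mode_active

    findings = []
    if binds_all:
        findings.append("bind: all interfaces (step 2: bind only the interfaces you use)")
    if not has_password:
        findings.append("requirepass: not set (step 3)")
    if not protected:
        findings.append("protected-mode: disabled")
    if reachable_from_other_hosts:
        findings.append("port 6379 reachable from other hosts: firewall it (step 1)")
        if not has_password:
            findings.append("CRITICAL: unauthenticated access from other hosts "
                            "(a single FLUSHALL would delete the whole data set)")
    return {
        "binds": binds,
        "has_password": has_password,
        "protected_mode_active": protected_mode_active,
        "reachable_from_other_hosts": reachable_from_other_hosts,
        "findings": findings,
    }


def audit_text(conf_text: str) -> dict:
    return audit(parse_redis_conf(conf_text))


# Constructed sample configurations.
DEFAULT_CONF = "# empty file: built-in defaults\n"
EXPOSED_CONF = "bind 0.0.0.0\nprotected-mode no\n"
HARDENED_CONF = 'bind 127.0.0.1 -::1\nrequirepass "hello world"\n'
REMOTE_CONF = "bind 192.168.1.100 10.0.0.1\nrequirepass s3cret-example\n"

if __name__ == "__main__":
    for name, text in [("default", DEFAULT_CONF), ("exposed", EXPOSED_CONF),
                       ("hardened", HARDENED_CONF), ("remote", REMOTE_CONF)]:
        result = audit_text(text)
        print(name, "->", result["findings"] or ["no findings"])
```

The four samples correspond to the cases the text describes: built-in defaults are saved by protected mode, an explicit `bind 0.0.0.0` with protected mode switched off is the exposed instance the warning banner talks about, the shipped `bind 127.0.0.1 -::1` plus requirepass is loopback-only, and binding to LAN addresses with a password still needs the firewall from step 1.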


2.6 User interfaces

(Learn how to use Redis interfaces)

The Redis command line interface (redis-cli) is a terminal program used to send commands to and read replies from the Redis server. It has two main modes: an interactive Read Eval Print Loop (REPL) mode where the user types Redis commands and receives replies, and a command mode where redis-cli is executed with additional arguments and the reply is printed to the standard output.

Host, port, password, and database

/I just want to ask the author of the official site: why isn't something this basic and important written up front? Who is ever going to find it?/

By default, redis-cli connects to the server at the address 127.0.0.1 with port 6379. You can change the port using several command line options. To specify a different host name or an IP address, use the -h option. In order to set a different port, use -p.

$ redis-cli -h redis15.localnet.org -p 6379 PING
PONG

It's possible to send a command that operates on a database number other than the default zero by using the -n <dbnum> option:

$ redis-cli -n 1 INCR a
(integer) 1

All of this information can also be provided by using the -u <uri> option and the URI pattern redis://user:password@host:port/dbnum:

$ redis-cli -u redis://LJenkins:p%40ssw0rd@redis-16379.hosted.com:16379/0 PING
PONG
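The -u form packs host, port, database and credentials into one string, so a client or wrapper script has to take it apart again (and percent-decode it: %40 in the URI above is the "@" of the password). The following added example (not code from Redis or from this post) does that with redis-cli's defaults, and adds two helpers of its own: one that produces the equivalent -h/-p/-n flags without the password, and one that redacts the URI before it is logged.

```python
# Added example (not from the Redis docs or the original post): parse the
# redis://user:password@host:port/dbnum URI accepted by redis-cli -u into the
# parts that -h, -p and -n take separately, applying redis-cli's defaults
# (127.0.0.1, 6379, database 0) and percent-decoding the credentials.
# to_cli_args() and redact() are this example's own helpers.
from urllib.parse import urlsplit, unquote

# The URI quoted above, with the password percent-encoded (%40 is "@").
EXAMPLE_URI = "redis://LJenkins:p%40ssw0rd@redis-16379.hosted.com:16379/0"


def parse_redis_uri(uri: str) -> dict:
    """Split a redis:// URI into user, password, host, port and db."""
    u = urlsplit(uri)
    if u.scheme != "redis":
        raise ValueError(f"not a redis:// URI: {uri!r}")
    db_part = u.path.lstrip("/")
    return {
        "user": unquote(u.username) if u.username else None,
        "password": unquote(u.password) if u.password else None,
        "host": u.hostname or "127.0.0.1",   # redis-cli defaults
        "port": u.port or 6379,
        "db": int(db_part) if db_part else 0,
    }


def to_cli_args(parts: dict) -> list:
    """Equivalent redis-cli flags, deliberately without the password.

    A password given on the command line is visible to other local users in
    the process list; redis-cli prints a warning for -a/-u for that reason.
    Supply it via the REDISCLI_AUTH environment variable instead.
    """
    return ["redis-cli", "-h", parts["host"], "-p", str(parts["port"]),
            "-n", str(parts["db"])]


def redact(uri: str) -> str:
    """Return the URI with the password replaced, for log lines and error messages."""
    p = parse_redis_uri(uri)
    userinfo = ""
    if p["user"] or p["password"]:
        userinfo = f"{p['user'] or ''}:***@"
    return f"redis://{userinfo}{p['host']}:{p['port']}/{p['db']}"


if __name__ == "__main__":
    parts = parse_redis_uri(EXAMPLE_URI)
    print(redact(EXAMPLE_URI))
    print(" ".join(to_cli_args(parts)), "PING")
```

Anything that stores or prints connection strings (shell history, CI logs, crash reports) should see the redacted form; the parsed password goes to redis-cli through REDISCLI_AUTH or to a client library directly, never back onto a command line.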

[1] etc.

[2] act as an agent in communicating and end a disagreement

[3] carry out

[4] something transmitted by an ancestor or predecessor
