＞＞技术应用：Redis运维优化最佳实践

优化

Redis 是完全开源的，遵守 BSD 协议，是一个高性能的 key-value 数据库，每个数据库对应一个redisDb结构。Redis能读的速度是110000次/s,写的速度是81000次/s。
优化分为访问控制、安全审计、资源控制、入侵防护等四个方面来处理。

1.1 访问控制

• 主目录权限

描述：建议redis数据库严格限制redis主目录权限，权限值<=755

• 配置文件

描述：建议redis数据库严格限制配置文件目录权限<=644

• 日志文件目录以及文件

描述：建议redis数据库严格限制日志文件目录权限<=644

1.2 安全审计

• 日志保留时间满足6个月以上

描述：建议 redis数据库审计日志保留时间满足6个月以上

定时删除日志文件

• appendonly.aof权限

描述：建议 appendonly.aof 访问权限为600

702
703 # The name of the append only file (default: "appendonly.aof")
704
705 appendfilename "appendonly.aof"

• logfile 权限

描述：建议logfile xxx访问权限为600
在适当的位置创建 logs目录，然后创建redis.log日志文件，redis默认不写日志文件。例如我mac创建的目录为 /REDIS_HOME/logs 日志文件名称为 redis.log。

> cd /REDIS_HOME/

> mkdir logs

> cd logs

> touch redis.log

> pwd 

> /REDIS_HOME/logs

redis.conf配置文件中 GENERAL模块

 168
 169 # Specify the log file name. Also the empty string can be used to force
 170 # Redis to log on the standard output. Note that if you use standard
 171 # output for logging but daemonize, logs will be sent to /dev/null
 172 logfile "/REDIS_HOME/logs/redis.log"
 173

1.3 资源控制

• 空闲超时时间

描述：建议redis数据库合理配置会话空闲超时锁定功能，在/REDIS_HOME/redis.conf文件中设置timeout参数，建议值300。

建议修改优化配置**redis.conf **配置文件中 NETWORK模块

 112 # Close the connection after a client is idle for N seconds (0 to disable)
 113 # timeout 0
 114 timeout 300

1.4 入侵防护

• redis数据库限制应用服务器Threads数量

描述：redis数据库限制应用服务器Threads数量，在redis.conf文件中配置maxclients值，建议值为128

建议修改配置为指定优化配置**redis.conf **配置文件中 CLIENTS模块

 529 ################################### CLIENTS ####################################
 530
 531 # Set the max number of connected clients at the same time. By default
 532 # this limit is set to 10000 clients, however if the Redis server is not
 533 # able to configure the process file limit to allow for the specified limit
 534 # the max number of allowed clients is set to the current file limit
 535 # minus 32 (as Redis reserves a few file descriptors for internal uses).
 536 #
 537 # Once the limit is reached Redis will close all the new connections sending
 538 # an error 'max number of clients reached'.
 539 #
 540 # maxclients 10000
 541 maxclients 128

• 重命名关键命令

描述：reddis数据库修改错误文件信息，防止信息泄漏，配置：重命名关键命令，在/REDIS_HOME/redis.conf文件中,使用rename-command命令重命名或禁用以下命令FLUSHDB, FLUSHALL, KEYS,PEXPIRE, DEL, CONFIG, SHUTDOWN, BGREWRITEAOF, BGSAVE, SAVE, SPOP, SREM。

建议修改配置为指定优化配置**redis.conf **配置文件中SECURITY模块

 495 ################################## SECURITY ###################################
 496
 497 # Require clients to issue AUTH <PASSWORD> before processing any other
 498 # commands.  This might be useful in environments in which you do not trust
 499 # others with access to the host running redis-server.
 500 #
 501 # This should stay commented out for backward compatibility and because most
 502 # people do not need auth (e.g. they run their own servers).
 503 #
 504 # Warning: since Redis is pretty fast an outside user can try up to
 505 # 150k passwords per second against a good box. This means that you should
 506 # use a very strong password otherwise it will be very easy to break.
 507 #
 508 # requirepass foobared
 509 
 510
 511 # Command renaming.
 512 #
 513 # It is possible to change the name of dangerous commands in a shared
 514 # environment. For instance the CONFIG command may be renamed into something
 515 # hard to guess so that it will still be available for internal-use tools
 516 # but not available for general clients.
 517 #
 518 # Example:
 519 #
 520 # rename-command CONFIG b840fc02d524045429941cc15f59e41cb7be6c52
 521 #
 522 # It is also possible to completely kill a command by renaming it into
 523 # an empty string:
 524 #
 525 # rename-command CONFIG ""
 526 #
 527 # Please note that changing the name of commands that are logged into the
 528 # AOF file or transmitted to replicas may cause problems.

重新命名下面的命令为空（线上要清空命令）

rename-command FLUSHDB ""
rename-command FLUSHALL ""
rename-command KEYS ""
rename-command PEXPIRE ""
rename-command DEL ""
rename-command CONFIG ""
rename-command SHUTDOWN ""
rename-command BGREWRITEAOF ""
rename-command BGSAVE ""
rename-command SAVE ""
rename-command SPOP ""
rename-command SREM ""

• 限定登录Redis服务器的IP地址

描述：redis数据库对redis管理后台操作进行登陆源限制，配置：在/REDIS_HOME/redis.conf文件中，取消注释# bind 127.0.0.1 #，并更改IP

建议修改配置为指定IP地址可以登录redis.conf配置文件中NETWORK模块

  46 ################################## NETWORK #####################################
  47
  48 # By default, if no "bind" configuration directive is specified, Redis listens
  49 # for connections from all the network interfaces available on the server.
  50 # It is possible to listen to just one or multiple selected interfaces using
  51 # the "bind" configuration directive, followed by one or more IP addresses.
  52 #
  53 # Examples:
  54 #
  55 
  56 # bind 127.0.0.1
  57 bind 192.168.2.38

• redis安全补丁

描述：redis数据库及时更新redis安全补丁，推荐版本： >=4.0.14