How To Install and Secure Redis on Debian 10

Introduction

Redis is an in-memory key-value store known for its flexibility, performance, and wide language support. This tutorial demonstrates how to install, configure, and secure Redis on a Debian 10 server.

Prerequisites

To complete this guide, you will need access to a Debian 10 server that has a non-root user with sudo privileges and a basic firewall configured. You can set this up by following our Initial Server Setup guide.

When you are ready to begin, log in to your server as your sudo-enabled user and continue below.

Step 1 — Installing and Configuring Redis

We will use apt to install the Redis version packaged in the official Debian repositories. This is not necessarily the newest upstream release, but it is the build that receives Debian's security updates.

Update your local apt package cache and install Redis by typing:

  • sudo apt update
  • sudo apt install redis-server

This will download and install Redis and its dependencies. Following this, there is one important configuration change to make in the Redis configuration file, which the package installed at /etc/redis/redis.conf.

Open this file with your preferred text editor:

  • sudo nano /etc/redis/redis.conf

Inside the file, find the supervised directive. It tells Redis which init system manages it as a service, so that Redis can report its readiness to that supervisor and you get more control over its operation. The supervised directive is set to no by default. Since Debian 10 uses the systemd init system, change this to systemd:

/etc/redis/redis.conf
. . .

# If you run Redis from upstart or systemd, Redis can interact with your
# supervision tree. Options:
#   supervised no      - no supervision interaction
#   supervised upstart - signal upstart by putting Redis into SIGSTOP mode
#   supervised systemd - signal systemd by writing READY=1 to $NOTIFY_SOCKET
#   supervised auto    - detect upstart or systemd method based on
#                        UPSTART_JOB or NOTIFY_SOCKET environment variables
# Note: these supervision methods only signal "process is ready."
#       They do not enable continuous liveness pings back to your supervisor.
supervised systemd

. . .

That’s the only change you need to make to the Redis configuration file at this point, so save and close it when you are finished. Then restart the Redis service so that it starts with the new configuration:

  • sudo systemctl restart redis

With that, you’ve installed and configured Redis and it’s running on your machine. Before you begin using it, though, it’s prudent to first check whether Redis is functioning correctly.

Step 2 — Testing Redis

As with any newly-installed software, it’s a good idea to ensure that Redis is functioning as expected before making any further changes to its configuration. We will go over a handful of ways to check that Redis is working correctly in this step.

Start by checking that the Redis service is running:

  • sudo systemctl status redis

If it is running without any errors, this command will produce output similar to the following:

Output
● redis-server.service - Advanced key-value store
   Loaded: loaded (/lib/systemd/system/redis-server.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2018-09-05 20:19:44 UTC; 41s ago
     Docs: http://redis.io/documentation,
           man:redis-server(1)
  Process: 10829 ExecStopPost=/bin/run-parts --verbose /etc/redis/redis-server.post-down.d (code=exited, status=0/SUCCESS)
  Process: 10825 ExecStop=/bin/kill -s TERM $MAINPID (code=exited, status=0/SUCCESS)
  Process: 10823 ExecStop=/bin/run-parts --verbose /etc/redis/redis-server.pre-down.d (code=exited, status=0/SUCCESS)
  Process: 10842 ExecStartPost=/bin/run-parts --verbose /etc/redis/redis-server.post-up.d (code=exited, status=0/SUCCESS)
  Process: 10838 ExecStart=/usr/bin/redis-server /etc/redis/redis.conf (code=exited, status=0/SUCCESS)
  Process: 10834 ExecStartPre=/bin/run-parts --verbose /etc/redis/redis-server.pre-up.d (code=exited, status=0/SUCCESS)
 Main PID: 10841 (redis-server)
    Tasks: 3 (limit: 4915)
   CGroup: /system.slice/redis-server.service
           └─10841 /usr/bin/redis-server 127.0.0.1:6379
. . .

Here, you can see that Redis is running and is already enabled, meaning that it is set to start up every time the server boots.

Note: This setting is desirable for many common use cases of Redis. If, however, you prefer to start Redis manually every time your server boots, disable the unit with the following command:

  • sudo systemctl disable redis

To test that Redis is functioning correctly, connect to the server using the command-line client:

  • redis-cli

In the prompt that follows, test connectivity with the ping command:

  • ping

Output
PONG

This output confirms that the connection to the server is alive. Next, check that you’re able to set keys by running:

  • set test "It's working!"

Output
OK

Retrieve the value by typing:

  • get test

Assuming everything is working, you will be able to retrieve the value you stored:

Output
"It's working!"

After confirming that you can fetch the value, exit the Redis prompt to get back to the shell:

  • exit

As a final test, we will check whether Redis is able to persist data even after it’s been stopped or restarted. This works because the Debian configuration enables RDB snapshots, and Redis writes a final snapshot to disk when systemd stops it cleanly with SIGTERM. To do this, first restart the Redis instance:

  • sudo systemctl restart redis

Then connect with the command-line client once again and confirm that your test value is still available:

  • redis-cli
  • get test

The value of your key should still be accessible:

Output
"It's working!"

Exit out into the shell again when you are finished:

  • exit

With that, your Redis installation is fully operational and ready for you to use. However, some of its default configuration settings are insecure and provide malicious actors with opportunities to attack and gain access to your server and its data. The remaining steps in this tutorial cover methods for mitigating these weaknesses, as recommended in the official Redis security documentation. Although these steps are optional and Redis will still function if you choose not to follow them, it is strongly recommended that you complete them in order to harden your system’s security.

Step 3 — Binding to localhost

By default, Redis is only accessible from localhost. However, if you installed and configured Redis by following a different tutorial than this one, you might have updated the configuration file to allow connections from anywhere. This is far less secure than binding to localhost: an unauthenticated Redis reachable from the network gives anyone who can connect full read and write access to its data and configuration. Redis 3.2 and later also ships with protected-mode yes, which refuses connections from other hosts when no bind address and no password are configured, but treat that as a safety net rather than a substitute for an explicit bind.

To correct this, open the Redis configuration file for editing:

  • sudo nano /etc/redis/redis.conf

Locate this line and make sure it is uncommented (remove the # if it exists):

/etc/redis/redis.conf
bind 127.0.0.1

On Debian 10 the packaged file may list the IPv6 loopback address as well (bind 127.0.0.1 ::1); that is equally safe. Whatever the line reads, make sure it contains loopback addresses only.

Save and close the file when finished (press CTRL + X, Y, then ENTER).

Then, restart the service to ensure that systemd reads your changes:

  • sudo systemctl restart redis

To check that this change has gone into effect, run the following netstat command (netstat lives in the net-tools package, which Debian 10 does not install by default; sudo ss -lntp from iproute2 shows the same information if you would rather not install it):

  • sudo netstat -lnp | grep redis

Output
tcp 0 0 127.0.0.1:6379 0.0.0.0:* LISTEN 10959/redis-server

This output shows that the redis-server program is bound to localhost (127.0.0.1), reflecting the change you just made to the configuration file. If you see another address in that column (0.0.0.0, or ::: for the IPv6 wildcard, for example), Redis is still reachable from other hosts: double check that you uncommented the correct line and restart the Redis service again.

Now that your Redis installation is only listening on localhost, it will be more difficult for malicious actors to make requests or gain access to your server. However, Redis isn’t currently set to require clients to authenticate before reading or changing its configuration or the data it holds: any local process or user that can open a TCP connection to port 6379 has full access. To remedy this, Redis allows you to require a password before any other command is accepted, whether the client is redis-cli or an application library.
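As an added example (not part of the original tutorial), the check above can be scripted so that it also catches an IPv6 wildcard bind, which the grep shows but which is easy to overlook. The function below reads netstat -lnp or ss -lntp output (both put the local address in the fourth column), prints every redis-server TCP listener that is not on a loopback address, and returns 1 if it found any. SAMPLE_LISTING is constructed output for illustration; the PIDs and addresses in it are made up.

```shell
#!/bin/sh
# Added example, not part of the DigitalOcean tutorial.
# Reports redis-server sockets bound to anything other than a loopback address.

# Constructed sample in the formats of `netstat -lnp` (first five lines) and
# `ss -lntp` (last line); PIDs and addresses are invented for illustration.
SAMPLE_LISTING='tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      10959/redis-server
tcp        0      0 0.0.0.0:6379            0.0.0.0:*               LISTEN      10959/redis-server
tcp6       0      0 ::1:6379                :::*                    LISTEN      10959/redis-server
tcp6       0      0 :::6379                 :::*                    LISTEN      10959/redis-server
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
LISTEN     0      128    [::1]:6379              [::]:*     users:(("redis-server",pid=10959,fd=7))'

# redis_nonloopback_listeners: read a socket listing on stdin and print the
# local address of every redis-server TCP listener that is not loopback.
# Exit status 0 = only loopback (or no Redis listener), 1 = something exposed.
redis_nonloopback_listeners() {
    awk '
        # Only TCP rows: netstat prefixes them with tcp/tcp6, ss with the state.
        ($1 ~ /^tcp/ || $1 == "LISTEN") && /redis-server/ {
            addr = $4
            # 127.0.0.0/8, "::1:PORT" (netstat) and "[::1]:PORT" (ss) are loopback;
            # 0.0.0.0, ":::" (IPv6 wildcard) and real interface IPs are not.
            if (addr ~ /^127\./ || addr ~ /^::1:/ || addr ~ /^\[::1\]:/) next
            print addr
            exposed = 1
        }
        END { exit (exposed ? 1 : 0) }'
}

# list_listeners: prefer ss (iproute2, present on Debian 10); fall back to
# netstat (net-tools). Both need root to resolve process names with -p.
list_listeners() {
    if command -v ss >/dev/null 2>&1; then ss -lntp; else netstat -lnp; fi
}

# check_redis_listeners: the live check; run as root or via sudo.
check_redis_listeners() {
    list_listeners | redis_nonloopback_listeners
}
```

Run check_redis_listeners after the restart: no output and exit status 0 means Redis is reachable only through loopback. Feeding SAMPLE_LISTING through redis_nonloopback_listeners prints 0.0.0.0:6379 and :::6379 and exits 1.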

Step 4 — Configuring a Redis Password

Configuring a Redis password enables one of its two built-in security features — the auth command, which requires clients to authenticate to access the database. The password is configured directly in Redis’s configuration file, /etc/redis/redis.conf, so open that file again with your preferred editor:

  • sudo nano /etc/redis/redis.conf

Scroll to the SECURITY section and look for a commented directive that reads:

/etc/redis/redis.conf
# requirepass foobared

Uncomment it by removing the #, and change foobared to a secure password.

Note: Above the requirepass directive in the redis.conf file, there is a commented warning:

# Warning: since Redis is pretty fast an outside user can try up to
# 150k passwords per second against a good box. This means that you should
# use a very strong password otherwise it will be very easy to break.
#

Thus, it’s important that you specify a very strong and very long value as your password. Rather than make up a password yourself, you can use the openssl command to generate a random one, as in the following example. openssl rand produces 60 random bytes, and piping them through openssl base64 with the -A option encodes them as a single 80-character line with no line breaks, which is what a one-line requirepass directive needs. Note that the password is sent in clear text on every connection (Redis 5, the version Debian 10 ships, has no built-in TLS), which is one more reason to keep the server bound to localhost:

  • openssl rand 60 | openssl base64 -A

Your output should look something like:

Output
RBOJ9cCNoGCKhlEBwQLHri1g+atWgn4Xn4HwNUbtzoVxAYxkiYBi7aufl4MILv1nxBqR4L6NNzI0X6cE

After copying and pasting the output of that command as the new value for requirepass, it should read:

/etc/redis/redis.conf
requirepass RBOJ9cCNoGCKhlEBwQLHri1g+atWgn4Xn4HwNUbtzoVxAYxkiYBi7aufl4MILv1nxBqR4L6NNzI0X6cE

After setting the password, save and close the file, then restart Redis:

  • sudo systemctl restart redis.service

To test that the password works, access the Redis command line:

  • redis-cli

The following shows a sequence of commands used to test whether the Redis password works. The first command tries to set a key to a value before authentication:

  • set key1 10

That won’t work because you didn’t authenticate, so Redis returns an error:

Output
(error) NOAUTH Authentication required.

The next command authenticates with the password specified in the Redis configuration file:

  • auth your_redis_password

Redis acknowledges:

Output
OK

After that, running the previous command again will succeed:

  • set key1 10

Output
OK

get key1 queries Redis for the value of the new key:

  • get key1

Output
"10"

After confirming that you’re able to run commands in the Redis client after authenticating, you can exit the redis-cli:

  • quit
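Steps 1, 3 and 4 are all the same operation: find a directive in /etc/redis/redis.conf, whether active or commented out, and set it to a single value. As an added example (not from the original tutorial), the shell functions below do that idempotently, preferring an existing active line over a commented template so that an example such as `# bind 192.168.1.100 10.0.0.1` is never mistaken for the real setting, and generate the requirepass value with the same openssl pipeline shown above. Giving the key as `rename-command NAME` handles the rename lines of Step 5 too. The temporary-file path is an assumption; work on a copy of the file before touching the live one.

```shell
#!/bin/sh
# Added example, not part of the DigitalOcean tutorial.
# Idempotent editing of redis.conf directives plus password generation.

# set_directive FILE KEY VALUE
#   1. if an active "KEY ..." line exists, replace the first one;
#   2. else if a commented "# KEY ..." line exists, replace (uncomment) the first one;
#   3. else append "KEY VALUE".
# KEY may contain a space, e.g. "rename-command CONFIG", so renames work too.
# VALUE must not contain backslashes (awk -v would interpret them); the
# base64 output of gen_password never does.
set_directive() {
    file=$1 key=$2 value=$3
    if grep -Eq "^[[:space:]]*$key([[:space:]]|\$)" "$file"; then
        pat="^[ \t]*$key([ \t]|\$)"
    elif grep -Eq "^[[:space:]]*#[[:space:]]*$key([[:space:]]|\$)" "$file"; then
        pat="^[ \t]*#[ \t]*$key([ \t]|\$)"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
        return 0
    fi
    # awk -v turns the \t in $pat into a real tab; "done" limits the edit to
    # the first matching line. Writing back with cat (not mv) keeps the file's
    # owner and mode, which matter for /etc/redis/redis.conf.
    awk -v k="$key" -v v="$value" -v pat="$pat" '
        !done && $0 ~ pat { print k " " v; done = 1; next }
        { print }' "$file" > "$file.tmp" &&
    cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# gen_password: 60 random bytes, base64 on one line (-A), i.e. 80 characters,
# the same pipeline the tutorial uses.
gen_password() {
    openssl rand 60 | openssl base64 -A
}

# harden_conf FILE PASSWORD: apply Steps 1, 3 and 4 to FILE in one go.
harden_conf() {
    set_directive "$1" supervised systemd
    set_directive "$1" bind 127.0.0.1
    set_directive "$1" requirepass "$2"
}
```

A typical run is `sudo cp /etc/redis/redis.conf /root/redis.conf.bak`, then `harden_conf /etc/redis/redis.conf "$(gen_password)"` followed by the systemctl restart from above; running harden_conf a second time leaves the file unchanged.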

Next, we’ll look at renaming Redis commands which, if entered by mistake or by a malicious actor, could cause serious damage to your data or your server.

Step 5 — Renaming Dangerous Commands

The other security feature built into Redis involves renaming or completely disabling certain commands that are considered dangerous.

When run by unauthorized users, such commands can be used to reconfigure, destroy, or otherwise wipe your data. Like the authentication password, renaming or disabling commands is configured in the same SECURITY section of the /etc/redis/redis.conf file.

Some of the commands that are considered dangerous include: FLUSHDB, FLUSHALL, KEYS, PEXPIRE, DEL, CONFIG, SHUTDOWN, BGREWRITEAOF, BGSAVE, SAVE, SPOP, SREM, RENAME, and DEBUG. This is not a comprehensive list, but renaming or disabling all of the commands in that list is a good starting point for enhancing your Redis server’s security.

Whether you should disable or rename a command depends on your specific needs or those of your application. If you know you will never use a command that could be abused, then you may disable it. Otherwise, it might be in your best interest to rename it. Bear in mind that a renamed command is obscured, not access-controlled: anyone who can read redis.conf learns the new name, so renaming complements the password rather than replacing it.

To rename or disable Redis commands, open the configuration file once more:

  • sudo nano /etc/redis/redis.conf

Warning: The following steps showing how to disable and rename commands are examples. You should only choose to disable or rename the commands that make sense for you. You can review the full list of commands for yourself and determine how they might be misused at redis.io/commands.

To disable a command, simply rename it to an empty string (signified by a pair of quotation marks with no characters between them), as shown below:

/etc/redis/redis.conf
. . .
# It is also possible to completely kill a command by renaming it into
# an empty string:
#
rename-command FLUSHDB ""
rename-command FLUSHALL ""
rename-command DEBUG ""
. . .

To rename a command, give it another name as shown in the examples below. Renamed commands should be difficult for others to guess, but easy for you to remember:

/etc/redis/redis.conf
. . .
# rename-command CONFIG ""
rename-command SHUTDOWN SHUTDOWN_MENOT
rename-command CONFIG ASC12_CONFIG
. . .

Save your changes and close the file.

After renaming a command, apply the change by restarting Redis:

  • sudo systemctl restart redis

To test the new command, enter the Redis command line:

  • redis-cli

Then, authenticate:

  • auth your_redis_password

Output
OK

Let’s assume that you renamed the CONFIG command to ASC12_CONFIG, as in the preceding example. First, try using the original CONFIG command. It should fail, because you’ve renamed it:

  • config get requirepass

Output
(error) ERR unknown command 'config'

Calling the renamed command, however, will be successful. Redis command names are not case-sensitive, and that holds for renamed ones too:

  • asc12_config get requirepass

Output
1) "requirepass"
2) "your_redis_password"

Note what this returned: any authenticated client that can run CONFIG GET can read the password back, which is one reason CONFIG belongs on the rename list.

Finally, you can exit from redis-cli:

  • exit

Note that if you’re already using the Redis command line and then restart Redis, you’ll need to re-authenticate, because the new connection starts out unauthenticated. Otherwise, you’ll get this error when you type a command:

Output
NOAUTH Authentication required.

Regarding the practice of renaming commands, there’s a cautionary statement at the end of the SECURITY section in /etc/redis/redis.conf which reads:

Please note that changing the name of commands that are logged into the AOF file or transmitted to slaves may cause problems.

Note: The Redis project chooses to use the terms “master” and “slave” while DigitalOcean generally prefers alternative descriptors. In order to avoid confusion we’ve chosen to use the terms used in the Redis documentation here.

That means the name a command is written to the AOF file and sent to slaves under is the name the client used, so replaying that AOF, or replicating, on an instance that does not carry the same rename-command lines will fail for those commands. If the renamed commands never appear in an AOF file or a replication stream, there is no problem.

So, keep that in mind when you’re trying to rename commands. The best time to rename a command is when you’re not using AOF persistence, or right after installation, that is, before your Redis-using application has been deployed.

When you’re using AOF and dealing with a master-slave installation, consider this answer from the project’s GitHub issue page. The following is a reply to the author’s question:

The commands are logged to the AOF and replicated to the slave the same way they are sent, so if you try to replay the AOF on an instance that doesn’t have the same renaming, you may face inconsistencies as the command cannot be executed (same for slaves).

Thus, the best way to handle renaming in cases like that is to make sure that the same rename-command lines are applied to every instance in a master-slave installation, and to apply them before the instances start writing AOF files or replicating.
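Putting Steps 3 to 5 and the replication caveat above together, here is an added example (not from the original tutorial or the Redis project) of a small static audit: audit_redis_conf reports which hardening settings a redis.conf lacks, using the tutorial's list of dangerous commands, and renames_match confirms that two instances of a replicated deployment carry identical rename-command lines. The two sample configurations are constructed for illustration, and the 32-character password floor is an assumption chosen to rule out anything a human would have typed.

```shell
#!/bin/sh
# Added example, not part of the DigitalOcean tutorial or the Redis project.
# Static audit of redis.conf hardening and of rename-command consistency.

# The list the tutorial gives as a starting point.
DANGEROUS_COMMANDS='FLUSHDB FLUSHALL KEYS PEXPIRE DEL CONFIG SHUTDOWN BGREWRITEAOF BGSAVE SAVE SPOP SREM RENAME DEBUG'

# Constructed sample configurations (not real files).
SAMPLE_WEAK_CONF='bind 0.0.0.0
protected-mode no
# requirepass foobared
save 900 1'
SAMPLE_HARD_CONF='bind 127.0.0.1 ::1
protected-mode yes
requirepass RBOJ9cCNoGCKhlEBwQLHri1g+atWgn4Xn4HwNUbtzoVxAYxkiYBi7aufl4MILv1nxBqR4L6NNzI0X6cE
rename-command FLUSHDB ""
rename-command FLUSHALL ""
rename-command DEBUG ""
rename-command SHUTDOWN SHUTDOWN_MENOT
rename-command CONFIG ASC12_CONFIG
rename-command KEYS ""
rename-command PEXPIRE ""
rename-command DEL ""
rename-command BGREWRITEAOF ""
rename-command BGSAVE ""
rename-command SAVE ""
rename-command SPOP ""
rename-command SREM ""
rename-command RENAME ""'

# active_lines FILE: drop comments and blank lines; only the rest takes effect.
active_lines() { grep -Ev '^[[:space:]]*(#|$)' "$1" || true; }

# audit_redis_conf FILE: print one finding per line; exit 1 if there are any.
audit_redis_conf() {
    conf=$1; n=0
    # Redis keeps only the last bind line; no bind line means every interface.
    bind=$(active_lines "$conf" | awk '$1 == "bind" { $1 = ""; b = $0 } END { print b }')
    if [ -z "$bind" ]; then
        echo "bind: no bind directive, Redis listens on all interfaces"; n=$((n + 1))
    else
        for a in $bind; do
            case "$a" in
                127.*|::1) ;;
                *) echo "bind: non-loopback address $a"; n=$((n + 1)) ;;
            esac
        done
    fi
    if active_lines "$conf" | awk '$1 == "protected-mode" && $2 == "no" { f = 1 } END { exit !f }'; then
        echo "protected-mode: disabled (the safety net when bind is wrong)"; n=$((n + 1))
    fi
    pw=$(active_lines "$conf" | awk '$1 == "requirepass" { p = $2 } END { print p }')
    if [ -z "$pw" ]; then
        echo "requirepass: not set, no authentication at all"; n=$((n + 1))
    elif [ ${#pw} -lt 32 ]; then
        echo "requirepass: only ${#pw} characters; Redis can try ~150k guesses/s"; n=$((n + 1))
    fi
    for cmd in $DANGEROUS_COMMANDS; do
        if ! active_lines "$conf" | awk -v c="$cmd" \
            'toupper($1) == "RENAME-COMMAND" && toupper($2) == c { f = 1 } END { exit !f }'; then
            echo "rename-command: $cmd still reachable under its original name"; n=$((n + 1))
        fi
    done
    [ "$n" -eq 0 ]
}

# rename_map FILE: sorted "ORIGINAL NEWNAME" pairs, for comparing instances.
rename_map() {
    active_lines "$1" | awk 'toupper($1) == "RENAME-COMMAND" { print toupper($2), $3 }' | sort
}

# renames_match FILE1 FILE2: 0 only if both instances rename the same commands
# to the same names, which the AOF/replication caveat above requires.
renames_match() {
    [ "$(rename_map "$1")" = "$(rename_map "$2")" ]
}
```

On a freshly installed Debian 10 box, `audit_redis_conf /etc/redis/redis.conf` lists the missing password and the fourteen unrenamed commands; `renames_match master.conf slave.conf` is the pre-flight check to run before enabling AOF or attaching a slave, since a mismatch there is exactly the inconsistency the GitHub reply describes.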

Conclusion

In this tutorial, you installed and configured Redis, validated that your Redis installation is functioning correctly, and used its built-in security features to make it less vulnerable to attacks from malicious actors.

Keep in mind that once someone is logged in to your server, it’s very easy to circumvent the Redis-specific security features we’ve put in place: the password, for instance, is stored in clear text in /etc/redis/redis.conf, and the renamed command names are visible there too. Therefore, the most important security feature on your Redis server is your firewall (which you configured if you followed the prerequisite Initial Server Setup tutorial), as this makes it extremely difficult for malicious actors to jump that fence.

Translated from: https://www.digitalocean.com/community/tutorials/how-to-install-and-secure-redis-on-debian-10
