Introduction
Redis is an in-memory key-value store known for its flexibility, performance, and wide language support. This quickstart tutorial demonstrates how to install, configure, and secure Redis on an Ubuntu 20.04 server.
Prerequisites
To complete this guide, you will need access to an Ubuntu 20.04 server that has a non-root user with sudo privileges and a firewall configured with ufw. You can set this up by following our Initial Server Setup guide for Ubuntu 20.04.
Step 1 — Installing and Configuring Redis
Begin by updating your local apt package cache:
- sudo apt update
Then install Redis by typing:
- sudo apt install redis-server
Next, open up the Redis configuration file with your preferred text editor:
- sudo nano /etc/redis/redis.conf
Inside the file, find the supervised directive, which allows you to declare an init system to manage Redis as a service. Since you are running Ubuntu, which uses the systemd init system, change its value from no to systemd:
. . .
# If you run Redis from upstart or systemd, Redis can interact with your
# supervision tree. Options:
# supervised no - no supervision interaction
# supervised upstart - signal upstart by putting Redis into SIGSTOP mode
# supervised systemd - signal systemd by writing READY=1 to $NOTIFY_SOCKET
# supervised auto - detect upstart or systemd method based on
# UPSTART_JOB or NOTIFY_SOCKET environment variables
# Note: these supervision methods only signal "process is ready."
# They do not enable continuous liveness pings back to your supervisor.
supervised systemd
. . .
Save and close the file when you are finished. If you used nano to edit the file, do so by pressing CTRL + X, Y, then ENTER.
Then, restart the Redis service to reflect the changes you made to the configuration file:
- sudo systemctl restart redis.service
To test that Redis is functioning correctly, connect to the server using redis-cli, Redis’s command-line client:
- redis-cli
In the prompt that follows, test connectivity with the ping command:
- ping
Output
PONG
This output confirms that the server connection is active. Next, check that you’re able to set keys by running:
- set test "It's working!"
Output
OK
Retrieve the value by typing:
- get test
Assuming everything is working, you will be able to retrieve the value you stored:
Output
"It's working!"
After confirming that you can fetch the value, exit the Redis prompt to get back to the shell:
- exit
Step 2 — Configuring a Redis Password
You can configure a Redis password directly in Redis’s configuration file, /etc/redis/redis.conf. Open that file again with your preferred editor:
- sudo nano /etc/redis/redis.conf
Scroll to the SECURITY section and look for a commented directive that reads:
. . .
# requirepass foobared
. . .
Uncomment it by removing the #, and change foobared to a secure password:
. . .
requirepass your_redis_password
. . .
After setting the password, save and close the file, then restart Redis:
- sudo systemctl restart redis.service
To test that the password works, open up the Redis client:
- redis-cli
The following shows a sequence of commands used to test whether the Redis password works. The first command tries to set a key to a value before authentication:
- set key1 10
That won’t work because you didn’t authenticate, so Redis returns an error:
Output
(error) NOAUTH Authentication required.
The next command authenticates with the password specified in the Redis configuration file:
- auth your_redis_password
Redis acknowledges:
Output
OK
After that, running the previous command again will succeed:
- set key1 10
Output
OK
get key1 queries Redis for the value of the new key.
- get key1
Output
"10"
After confirming that you’re able to run commands in the Redis client after authenticating, you can exit redis-cli:
- quit
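One way to produce the secure password Step 2 asks for and write it into the requirepass directive, shown as an added example that is not part of the original tutorial. The helper names gen_redis_password and set_requirepass are hypothetical, and the demo runs against a constructed temporary file rather than the live /etc/redis/redis.conf.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Function names are hypothetical.

# Print 64 hex characters (256 bits) read from the kernel CSPRNG.
gen_redis_password() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# set_requirepass CONF PASSWORD
# Replace the commented or active requirepass line in CONF with one active
# directive, or append it if the file has none. The password reaches awk
# through the environment, so it never appears in a process argument list.
set_requirepass() {
    conf=$1
    tmp=$(mktemp) || return 1
    REDIS_PASS=$2 awk '
        /^[ \t]*#?[ \t]*requirepass[ \t]/ {
            if (!done) { print "requirepass " ENVIRON["REDIS_PASS"]; done = 1 }
            next                      # drop any further requirepass lines
        }
        { print }
        END { if (!done) print "requirepass " ENVIRON["REDIS_PASS"] }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Overwrite in place so CONF keeps its existing owner and mode.
    cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# Demo on a constructed file that mimics the stock SECURITY section.
demo=$(mktemp)
printf '%s\n' '# requirepass foobared' > "$demo"
set_requirepass "$demo" "$(gen_redis_password)"
grep -c '^requirepass ' "$demo"
rm -f "$demo"
```

As in the manual steps, Redis only picks up the new password after sudo systemctl restart redis.service.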
Step 3 — Renaming Dangerous Commands
The other security feature built into Redis involves renaming or completely disabling certain commands that are considered dangerous. Some of the commands that are considered dangerous include: FLUSHDB, FLUSHALL, KEYS, PEXPIRE, DEL, CONFIG, SHUTDOWN, BGREWRITEAOF, BGSAVE, SAVE, SPOP, SREM, RENAME, and DEBUG. By disabling or renaming these and other commands, you make it more difficult for unauthorized users to reconfigure, destroy, or otherwise wipe your data.
To rename or disable Redis commands, open the configuration file once more:
- sudo nano /etc/redis/redis.conf
Warning: The following steps showing how to disable and rename commands are examples. You should only choose to disable or rename the commands that make sense for you. You can review the full list of commands for yourself and determine how they might be misused at redis.io/commands.
To disable a command, simply rename it to an empty string (signified by a pair of quotation marks with no characters between them), as shown below:
. . .
# It is also possible to completely kill a command by renaming it into
# an empty string:
#
rename-command FLUSHDB ""
rename-command FLUSHALL ""
rename-command DEBUG ""
. . .
To rename a command, give it another name as shown in the examples below. Renamed commands should be difficult for others to guess, but easy for you to remember:
. . .
# rename-command CONFIG ""
rename-command SHUTDOWN SHUTDOWN_MENOT
rename-command CONFIG ASC12_CONFIG
. . .
Save your changes and close the file.
After renaming a command, apply the change by restarting Redis:
- sudo systemctl restart redis.service
To test the new command, enter the Redis command line:
- redis-cli
Then authenticate:
- auth your_redis_password
Output
OK
Assuming that you renamed the CONFIG command to ASC12_CONFIG as in the preceding example, try using the original CONFIG command. It should fail, because you’ve renamed it:
- config get requirepass
Output
(error) ERR unknown command `config`, with args beginning with:
Calling the renamed command, however, will be successful. It is not case-sensitive:
- asc12_config get requirepass
Output
1) "requirepass"
2) "your_redis_password"
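The settings from Steps 2 and 3 can be checked without connecting to the server. The following is an added example, not part of the original tutorial: audit_redis_conf is a hypothetical helper, and its default command list and 32-character minimum password length are assumptions to adjust for your deployment. It reports status only and never prints the password.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Helper name is hypothetical.

# audit_redis_conf CONF [COMMAND...]
# Returns 0 when requirepass is set to a long, non-sample value and every
# listed command has a rename-command entry; returns 1 otherwise.
audit_redis_conf() {
    conf=$1; shift
    [ $# -gt 0 ] || set -- FLUSHDB FLUSHALL DEBUG CONFIG SHUTDOWN  # assumed default list
    awk -v want="$*" '
        /^[ \t]*#/ { next }                       # commented directives are inactive
        tolower($1) == "requirepass"    { pass = $2; have_pass = 1 }
        tolower($1) == "rename-command" { renamed[toupper($2)] = $3 }
        END {
            if (!have_pass)              { print "FAIL requirepass: not set"; bad++ }
            else if (pass == "foobared") { print "FAIL requirepass: sample value"; bad++ }
            else if (length(pass) < 32)  { print "FAIL requirepass: shorter than 32 characters"; bad++ }
            else print "ok   requirepass: set"
            n = split(want, cmd, " ")
            for (i = 1; i <= n; i++) {
                c = toupper(cmd[i])
                if (!(c in renamed)) { print "FAIL " c ": reachable under its default name"; bad++ }
                else if (renamed[c] == "\"\"") print "ok   " c ": disabled"
                else print "ok   " c ": renamed"
            }
            exit (bad > 0)
        }
    ' "$conf"
}

# Constructed sample mirroring the edits made in this tutorial (not a real server file).
sample=$(mktemp)
cat > "$sample" <<'EOF'
requirepass your_redis_password
rename-command FLUSHDB ""
rename-command FLUSHALL ""
rename-command DEBUG ""
rename-command SHUTDOWN SHUTDOWN_MENOT
rename-command CONFIG ASC12_CONFIG
EOF
audit_redis_conf "$sample" || echo "findings above need attention"
rm -f "$sample"
```

On the sample, every command check passes and only the placeholder password is flagged, because it is shorter than the assumed minimum.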
Conclusion
In this quickstart tutorial, you installed and configured Redis, validated that your Redis installation is functioning correctly, and used its built-in security features to make it less vulnerable to attacks from malicious actors.