First, security
Redis's author, Salvatore Sanfilippo, once published The Redis Manifesto, which mentions that Redis is beautiful in simplicity. Also, Redis does not do too much work on the security level.
1. Trusted environment
The security design for Redis is based on the premise that Redis is running in a trusted environment, and that it is not allowed to connect directly to the Redis server while the production environment is running, but that it should be relayed through the application and running in a trusted environment is the most important way to ensure redis security.
The default configuration for Redis accepts requests sent from any address, that is, to start the Redis server on any server that has a public IP, which can be accessed directly by the outside world. To change this setting, modify the bind parameter in the configuration file, such as allowing only native apps to connect to Redis, you can change the bind parameter to:
[HTML]View Plaincopyprint?
- Bind 127.0.0.1
The bind parameter can bind only one address. If you want to set access rules more freely, it needs to be done through a firewall.
Note: Redis may support binding multiple addresses in version 2.8, see https://github.com/antirez/redis/issues/274.
2. Database Password
In addition, you can set a password for Redis through the Requirepass parameter in the configuration file. For example:
[HTML]View Plaincopyprint?
- Requirepass TAFK (@~!ji^xalq (SYH5XIWTN5DS7JF
The client will need to send a password each time it connects to Redis, or Redis will refuse to execute commands sent by the client. For example:
[HTML]View Plaincopyprint?
- Redis>get Foo
- (Error) ERR Operation not permitted
Sending a password requires the use of the auth command, just like this:
[HTML]View Plaincopyprint?
- AUTH TAFK (@~!ji^xalq (SYH5XIWTN5DS7JF
- Ok
You can then execute any command:
[HTML]View Plaincopyprint?
- Redis>get Foo
- "1"
Because of the high performance of Redis and the fact that Redis does not actively delay after entering the wrong password (considering the single-threaded model of Redis), attackers can hack the Redis password by brute-lifting (1 seconds to try a hundred thousand of passwords), so be sure to select a complex password when setting up.
When you configure Redis replication if the primary database has a password set, you need to set the primary database password from the database's configuration file with the Masterauth parameter to automatically use AUTH command authentication when connecting to the primary database from the database.
3. Naming commands
Redis supports renaming commands in a configuration file, such as renaming the Flushall command to a more complex name to ensure that only your own app can use the command. Just like this:
[HTML]View Plaincopyprint?
- Rename-command Flushall oyfekmjvmwxq5a9c8usofuo369x0it2k
If you want to disable a command directly, you can rename the command to an empty string:
[HTML]View Plaincopyprint?
- Rename-command Flushall ""
Note: Whether you set a password or rename a command, you need to ensure the security of the configuration file, otherwise there is no point.
II. Communication Protocols
The Redis communication protocol is the language that the Redis client communicates with Redis, and the communication protocol specifies the format of the command and return values. Understanding the Redis communication protocol not only allows you to understand the format of the AoF file and the contents of the master database to be sent from the database during master-slave replication, but also to develop your own Redis client (although there are corresponding Redis clients in almost all common languages). There is really not a lot of opportunity to work directly with Redis using communication protocols.
Redis supports two communication protocols, one is a binary security Unified request Protocol (Unified Request Protocol), and the other is a straightforward protocol that is easy to enter in a Telnet program. The two protocols are only different in the format of the command, and the command return value is in the same format.
1. Simple protocol
Simple protocols are suitable for communication with Redis in the Telnet program. The command format for a simple protocol is to separate commands from each parameter using spaces, such as "EXISTS foo", "SET foo bar", and so on. Because Redis parses simple protocols simply by separating the arguments with a space, binary characters cannot be entered. We can test through the Telnet program:
[HTML]View Plaincopyprint?
- TELNET 127.0.0.1 6379  
- trying 127.0.0.1...
- CONNECTED  TO LOCALHOST.  
- escape character is ' ^] ' .
- set foo bar
- +ok
- GET FOO  
- $3
- BAR  
- lpush plist 1 2 3
- :3
- lrange plist 0 -1
- *3  
- $ 1
- 3  
- $1
- 2  
- $1
- 1  
- errorcommand
- -err unknown command ' Errorcommand '
Versions prior to Redis 2.4 for some commands, you can enter binary security parameters in a special way similar to simple protocols, such as:
[HTML]View Plaincopyprint?
- C:set Foo 3
- C:bar
- S:+ok
Where C: Indicates what the client is emitting, S: Indicates what is being emitted by the server. The last parameter of the first line represents the length of the string, the second line is the actual content of the string, because the length is specified, so the second line of the string can contain binary characters. But the deal has been scrapped and replaced by a new unified request agreement. The word "unified" means that all commands use the same request method and no longer use special methods for certain commands, and the uniform Request protocol should be used if you need to include binary characters in the parameters.
The 5 commands we entered in the Telnet program show exactly the format of the 5 types of return values of Redis, which were previously redis-cli encapsulated, and the above content is the format that Redis really returns. The following are described separately.
(1) Error reply
Error reply (Reply) starts with a-and then follows the error message, ending with \ r \ n:
[HTML]View Plaincopyprint?
- -err unknown command ' errorcommand ' \ r \ n
(2) Status reply
Status reply starts with a + and follows the status information, ending with \ r \ n:
[HTML]View Plaincopyprint?
- +ok\r\n
(3) Integer reply
Integer reply to: begins with a number followed by the following, ending with \ r \ n:
[HTML]View Plaincopyprint?
- : 3\r\n
(4) String reply
The string reply (bulk Reply) starts with $ and follows the length of the string, separated by \ r \ n, followed by the contents of the string and \ r \ n:
[HTML]View Plaincopyprint?
- $3\r\nbar\r\n
If the return value is nil, the $-1 is returned to be distinguished from the empty string.
(5) Multi-line string reply
A multiline string reply (Multi-bulk Reply) starts with a * and follows the number of groups that the string replies to, separated by \ r \ n. And then followed by the specific contents of the string reply:
[HTML]View Plaincopyprint?
- *3\r\n1\r\n3\r\n1\r\n2\r\n1\r\n1\r\n
2. Unified Request Agreement
The unified request Protocol was added from Redis 1.2, and its command format is similar to that of a multiline string reply, such as the Uniform Request protocol for Set Foo bar is "*3\r\n3\r\nset\r\n3\r\nfoo\r\n3\r\nbar\r\n". Or use Telnet for the demo:
[HTML]View Plaincopyprint?
- Telnet 127.0.0.1 6379
- Trying 127.0.0.1 ...
- Connected to localhost.
- Escape character is ' ^] '.
- *
- $
- SET
- $
- Foo
- $
- Bar
- +ok
- Http://www.youyuanapp.com/thread-11419-1-1.html
Http://www.youyuanapp.com/thread-11418-1-1.html
Http://www.youyuanapp.com/thread-11417-1-1.html
Http://www.youyuanapp.com/thread-11412-1-1.html
Http://www.youyuanapp.com/thread-11409-1-1.html
Http://www.youyuanapp.com/thread-11404-1-1.html
Http://www.youyuanapp.com/thread-11403-1-1.html
Http://www.youyuanapp.com/thread-11398-1-1.html
Http://www.youyuanapp.com/thread-11397-1-1.html
Http://www.youyuanapp.com/thread-11395-1-1.html
http://yishujiayuanq.blog.163.com/blog/static/2447250612015025101147963/
http://yishujiayuanq.blog.163.com/blog/static/2447250612015025101251829/
http://yishujiayuanq.blog.163.com/blog/static/244725061201502510133740/
http://yishujiayuanq.blog.163.com/blog/static/2447250612015025101653328/
http://yishujiayuanq.blog.163.com/blog/static/2447250612015025101718995/
http://yishujiayuanq.blog.163.com/blog/static/2447250612015025101738627/
http://yishujiayuanq.blog.163.com/blog/static/2447250612015025101822599/
http://yishujiayuanq.blog.163.com/blog/static/2447250612015025101841318/
http://yishujiayuanq.blog.163.com/blog/static/2447250612015025101927982/
http://yishujiayuanq.blog.163.com/blog/static/244725061201502510197287/
Redis Research (13)-Security and communication protocols