Home > Developer > Redis

Redis Research (13)-Security and communication protocols

Source: Internet
Author: User
Tags telnet program
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

First, security

Redis's author, Salvatore Sanfilippo, once published The Redis Manifesto, which mentions that Redis is beautiful in simplicity. Also, Redis does not do too much work on the security level.

1. Trusted environment
The security design for Redis is based on the premise that Redis is running in a trusted environment, and that it is not allowed to connect directly to the Redis server while the production environment is running, but that it should be relayed through the application and running in a trusted environment is the most important way to ensure redis security.

The default configuration for Redis accepts requests sent from any address, that is, to start the Redis server on any server that has a public IP, which can be accessed directly by the outside world. To change this setting, modify the bind parameter in the configuration file, such as allowing only native apps to connect to Redis, you can change the bind parameter to:

[HTML]View Plaincopyprint?
    1. Bind 127.0.0.1

The bind parameter can bind only one address. If you want to set access rules more freely, it needs to be done through a firewall.
Note: Redis may support binding multiple addresses in version 2.8, see https://github.com/antirez/redis/issues/274.


2. Database Password
In addition, you can set a password for Redis through the Requirepass parameter in the configuration file. For example:

[HTML]View Plaincopyprint?
    1. Requirepass TAFK (@~!ji^xalq (SYH5XIWTN5DS7JF

The client will need to send a password each time it connects to Redis, or Redis will refuse to execute commands sent by the client. For example:

[HTML]View Plaincopyprint?
    1. Redis>get Foo
    2. (Error) ERR Operation not permitted


Sending a password requires the use of the auth command, just like this:

[HTML]View Plaincopyprint?
    1. AUTH TAFK (@~!ji^xalq (SYH5XIWTN5DS7JF
    2. Ok


You can then execute any command:

[HTML]View Plaincopyprint?
    1. Redis>get Foo
    2. "1"


Because of the high performance of Redis and the fact that Redis does not actively delay after entering the wrong password (considering the single-threaded model of Redis), attackers can hack the Redis password by brute-lifting (1 seconds to try a hundred thousand of passwords), so be sure to select a complex password when setting up.
When you configure Redis replication if the primary database has a password set, you need to set the primary database password from the database's configuration file with the Masterauth parameter to automatically use AUTH command authentication when connecting to the primary database from the database.


3. Naming commands
Redis supports renaming commands in a configuration file, such as renaming the Flushall command to a more complex name to ensure that only your own app can use the command. Just like this:

[HTML]View Plaincopyprint?
    1. Rename-command Flushall oyfekmjvmwxq5a9c8usofuo369x0it2k


If you want to disable a command directly, you can rename the command to an empty string:

[HTML]View Plaincopyprint?
    1. Rename-command Flushall ""


Note: Whether you set a password or rename a command, you need to ensure the security of the configuration file, otherwise there is no point.


II. Communication Protocols

The Redis communication protocol is the language that the Redis client communicates with Redis, and the communication protocol specifies the format of the command and return values. Understanding the Redis communication protocol not only allows you to understand the format of the AoF file and the contents of the master database to be sent from the database during master-slave replication, but also to develop your own Redis client (although there are corresponding Redis clients in almost all common languages). There is really not a lot of opportunity to work directly with Redis using communication protocols.

Redis supports two communication protocols, one is a binary security Unified request Protocol (Unified Request Protocol), and the other is a straightforward protocol that is easy to enter in a Telnet program. The two protocols are only different in the format of the command, and the command return value is in the same format.

1. Simple protocol
Simple protocols are suitable for communication with Redis in the Telnet program. The command format for a simple protocol is to separate commands from each parameter using spaces, such as "EXISTS foo", "SET foo bar", and so on. Because Redis parses simple protocols simply by separating the arguments with a space, binary characters cannot be entered. We can test through the Telnet program:

[HTML]View Plaincopyprint?
    1. TELNET 127.0.0.1 6379  
    2. trying  127.0.0.1...  
    3. CONNECTED  TO LOCALHOST.  
    4. escape character is  ' ^] '  .  
    5. set foo bar   
    6. +ok  
    7. GET FOO  
    8. $3  
    9. BAR  
    10. lpush plist 1 2 3  
    11. :3   
    12. lrange plist 0 -1  
    13. *3  
    14. $ 1  
    15. 3  
    16. $1  
    17. 2  
    18. $1  
    19. 1  
    20. errorcommand  
    21. -err unknown command   ' Errorcommand '   


Versions prior to Redis 2.4 for some commands, you can enter binary security parameters in a special way similar to simple protocols, such as:

[HTML]View Plaincopyprint?
    1. C:set Foo 3
    2. C:bar
    3. S:+ok

Where C: Indicates what the client is emitting, S: Indicates what is being emitted by the server. The last parameter of the first line represents the length of the string, the second line is the actual content of the string, because the length is specified, so the second line of the string can contain binary characters. But the deal has been scrapped and replaced by a new unified request agreement. The word "unified" means that all commands use the same request method and no longer use special methods for certain commands, and the uniform Request protocol should be used if you need to include binary characters in the parameters.


The 5 commands we entered in the Telnet program show exactly the format of the 5 types of return values of Redis, which were previously redis-cli encapsulated, and the above content is the format that Redis really returns. The following are described separately.


(1) Error reply
Error reply (Reply) starts with a-and then follows the error message, ending with \ r \ n:

[HTML]View Plaincopyprint?
    1. -err unknown command ' errorcommand ' \ r \ n


(2) Status reply
Status reply starts with a + and follows the status information, ending with \ r \ n:

[HTML]View Plaincopyprint?
    1. +ok\r\n


(3) Integer reply
Integer reply to: begins with a number followed by the following, ending with \ r \ n:

[HTML]View Plaincopyprint?
    1. : 3\r\n


(4) String reply
The string reply (bulk Reply) starts with $ and follows the length of the string, separated by \ r \ n, followed by the contents of the string and \ r \ n:

[HTML]View Plaincopyprint?
    1. $3\r\nbar\r\n

If the return value is nil, the $-1 is returned to be distinguished from the empty string.


(5) Multi-line string reply
A multiline string reply (Multi-bulk Reply) starts with a * and follows the number of groups that the string replies to, separated by \ r \ n. And then followed by the specific contents of the string reply:

[HTML]View Plaincopyprint?
    1. *3\r\n1\r\n3\r\n1\r\n2\r\n1\r\n1\r\n



2. Unified Request Agreement
The unified request Protocol was added from Redis 1.2, and its command format is similar to that of a multiline string reply, such as the Uniform Request protocol for Set Foo bar is "*3\r\n3\r\nset\r\n3\r\nfoo\r\n3\r\nbar\r\n". Or use Telnet for the demo:

[HTML]View Plaincopyprint?
    2. Telnet 127.0.0.1 6379
    4. Trying 127.0.0.1 ...
    6. Connected to localhost.
    8. Escape character is ' ^] '.
    10. *
    12. $
    14. SET
    16. $
    18. Foo
    20. $
    22. Bar
    24. +ok
    25. Http://www.youyuanapp.com/thread-11419-1-1.html
      Http://www.youyuanapp.com/thread-11418-1-1.html
      Http://www.youyuanapp.com/thread-11417-1-1.html
      Http://www.youyuanapp.com/thread-11412-1-1.html
      Http://www.youyuanapp.com/thread-11409-1-1.html
      Http://www.youyuanapp.com/thread-11404-1-1.html
      Http://www.youyuanapp.com/thread-11403-1-1.html
      Http://www.youyuanapp.com/thread-11398-1-1.html
      Http://www.youyuanapp.com/thread-11397-1-1.html
      Http://www.youyuanapp.com/thread-11395-1-1.html
      http://yishujiayuanq.blog.163.com/blog/static/2447250612015025101147963/
      http://yishujiayuanq.blog.163.com/blog/static/2447250612015025101251829/
      http://yishujiayuanq.blog.163.com/blog/static/244725061201502510133740/
      http://yishujiayuanq.blog.163.com/blog/static/2447250612015025101653328/
      http://yishujiayuanq.blog.163.com/blog/static/2447250612015025101718995/
      http://yishujiayuanq.blog.163.com/blog/static/2447250612015025101738627/
      http://yishujiayuanq.blog.163.com/blog/static/2447250612015025101822599/
      http://yishujiayuanq.blog.163.com/blog/static/2447250612015025101841318/
      http://yishujiayuanq.blog.163.com/blog/static/2447250612015025101927982/
      http://yishujiayuanq.blog.163.com/blog/static/244725061201502510197287/

Redis Research (13)-Security and communication protocols

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
scada communication protocols lte interfaces and protocols common ports and protocols ports and protocols wifi security protocols wifi security protocols protocols and functions
Related Article
How to efficiently insert large amounts of data into Redis (r...
Redis.exceptions.ConnectionError:Error connecting to localhos...
Redis List---Rpoplpush
The difference between the RDB and aof persistence for Redis ...
Why Redis is single-threaded and why is Redis so fast!

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More