Redis
General Information
Redis is “an open source (BSD licensed), in-memory data structure store, used as a database, cache and message broker.”
Official Site: https://redis.io/
Checklist
- Enterprise Linux 7
Server: Install
Install redis
yum install redis
Start and Enable
systemctl enable redis
systemctl start redis
Verify service is available locally
[root@server01 ~]# redis-cli
127.0.0.1:6379> exit
- By default, redis will listen on localhost (127.0.0.1) only
Server: Configure
Redis server options to change from their defaults.
The config file is located at: /etc/redis.conf
Bind Interface
The default bind/listen interface is localhost (127.0.0.1).
If you would like clients to be able to connect over the network, you will need to change this.
- Caution: Redis has no security or encryption enabled by default. If you change the bind interface, apply the protection measures described in the Security section.
Change the bind interface
bind 192.168.1.100
Security
Redis was designed to be deployed on trusted networks. It is recommended to NOT expose Redis to the internet.
That being said, there are some protection measures that can be taken.
Firewall
- Use firewalld to only allow certain networks access to the Redis port
# Allow only the 192.168.1.0/24 network
firewall-cmd --zone=internal --add-source=192.168.1.0/24 --permanent
# To the Redis port
firewall-cmd --zone=internal --add-port=6379/tcp --permanent
# Reload rules
firewall-cmd --reload
Authentication (password) for clients
- Clients must authenticate before sending commands
requirepass c5bdeb2b550e038740466ec0c8dc03df3e8bb629bde539251840da1af6ee62d2
- It is recommended to use the hash of something as the password, so that it is complicated and can't be memorized if seen. Example:
echo "this is the coolest password ever" | sha256sum
c5bdeb2b550e038740466ec0c8dc03df3e8bb629bde539251840da1af6ee62d2
Disable Certain Commands
- Certain commands can be disabled for clients by renaming them
- Renaming the CONFIG command to something hard to guess
rename-command CONFIG b840fc02d524045429941cc15f59e41cb7be6c52
- Disabling the CONFIG command completely
rename-command CONFIG ""
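The bind, requirepass and rename-command settings above can be checked together against a config file. The script below is an added example, not part of the original page or of Redis itself; the function names conf_get, note and audit_redis_conf, the 32-character minimum and the sample config are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a redis.conf for the settings covered on this page.
# Prints one line per finding; the exit status is the number of findings.

# Value of a directive; this script takes the last occurrence in the file.
conf_get() {  # usage: conf_get FILE DIRECTIVE
    awk -v d="$2" 'tolower($1) == d {
        $1 = ""; sub(/^ +/, ""); gsub(/^"|"$/, ""); v = $0
    } END { print v }' "$1"
}

note() { echo "FAIL: $1"; findings=$((findings + 1)); }

audit_redis_conf() {  # usage: audit_redis_conf FILE
    findings=0
    bind=$(conf_get "$1" bind)
    pass=$(conf_get "$1" requirepass)

    # With no bind directive at all, Redis listens on every interface.
    exposed=no
    if [ -z "$bind" ]; then exposed=yes; fi
    for addr in $bind; do
        case $addr in 127.*|::1) ;; *) exposed=yes ;; esac
    done

    if [ "$exposed" = yes ] && [ -z "$pass" ]; then
        note "reachable beyond loopback (bind: ${bind:-unset}) without requirepass"
    fi
    # MIN_LEN is an assumed threshold; a sha256sum hex digest is 64 characters.
    MIN_LEN=32
    if [ -n "$pass" ] && [ "${#pass}" -lt "$MIN_LEN" ]; then
        note "requirepass is shorter than $MIN_LEN characters"
    fi
    # CONFIG should be renamed or disabled with: rename-command CONFIG ""
    if ! awk 'tolower($1) == "rename-command" && toupper($2) == "CONFIG" { f = 1 }
              END { exit !f }' "$1"; then
        note "CONFIG command is neither renamed nor disabled"
    fi
    return "$findings"
}

# Constructed sample: the page's bind change applied with nothing else.
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'bind 192.168.1.100' 'daemonize yes' > "$sample"
audit_redis_conf "$sample" || echo "findings: $?"
rm -f "$sample"
```

On a server, run it as audit_redis_conf /etc/redis.conf; a zero exit status means none of the three checks failed.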
Encryption Tunneling
- Redis traffic can be piped through an encrypted tunnel using spiped
- - to do
General
Daemonize
- Enable redis to run as a daemon
daemonize yes
Supervisor Interaction
- Enable redis to send signals to systemd
supervised systemd