Shulou(Shulou.com)05/31 Report--

This article is to share with you about the use of bind in redis. The editor thinks it is very practical, so share it with you as a reference and follow the editor to have a look.

I always thought that the purpose of bind in the redis configuration file is to restrict which servers (IP addresses) the redis server uses to receive redis connection requests, and only computers at the IP address specified by bind can access this redis server.

Facts have proved that the above conclusion is very wrong.

Today, when I was building a Redis service cluster, I found a misunderstanding of bind in Redis.

For example:

Bind 127.0.0.1 is used to restrict only native redis service connections.

Bind 0.0.0.0 is designed to allow any computer to connect to a redis service connection.

Note: the above understanding is wrong. They happen to be special cases, giving us an illusion.

If you don't believe it, you can have a try: (you'd better have a try)

Bind 10.0.0.1 (or any IP address except 127.0.0.1 and 0.0.0.0)

Then restart redis and you will find that it does not start.

As to why it doesn't start, you will understand why it doesn't start when you know what bind really means.

The correct understanding of bind in Redis is:

Bind: is the IP address bound to the local machine (exactly: the IP address corresponding to the local network card, each network card has an IP address), rather than the IP address that redis allows from other computers.

If bind is specified, only Redis requests from the specified network card are allowed. If not specified, it means that Redis requests from any network card can be accepted.

For example: if there are two network cards on the redis server (native), each network card corresponds to an IP address, such as IP1 and IP2. Note that both IP1 and IP2 are local IP addresses.

Our configuration file: bind IP1. Only if we access the redis server through IP1 will we be allowed to connect to the Redis server. If we access the Redis server through IP2, we will not be able to connect to Redis.

Check the IP address of the local network card: use the ifconfig command.

We can see from the above that we have two network cards, that is, we can only use the addresses with the most bind: 127.0.0.1 and 172.18.235.206, otherwise redis will not start.

This explains why the above example (bind 10.0.0.1) doesn't start because we don't have a corresponding network card IP address. This means that bind is not the IP address in the redis that specifies which server requests can be accepted.

Instead, bind is used to specify the IP address of the local network card.

Note:

Explanation of bind 127.0.0.1: (why only the local computer can connect, and others can not)

We can see from ifconfig: lo network card (corresponding to 127.0.0.1IP address): is a loopback address (Local Loopback), that is, only local access to this loopback address, and other computers can only access their own loopback address.

Then the computer from this lo network card is only local, so only the local computer can access it, and other computers cannot.

If bind 172.18.235.206, redis can be accessed as long as the Redis request comes from this network card address (172.18.235.206). I use Aliyun's server. If I request the IP address of redis-cli Ali Cloud Public Network on another server, I will connect to the redis server.

Because the request for the public network address: all pass through the network card address of this eth0 (172.18.235.206), thus receiving this redis request.

When you do not use that loopback address, basically external computers can access the local Redis server.

If we want to restrict that only specified hosts can connect to the redis, we can only control it through the firewall, not through the bind parameter in the redis.

Use Aliyun's security group to restrict the connection of specified hosts to port 6379.

Understanding of [protected-mode] in redis:

Redis itself cannot restrict [only specified hosts] from connecting to the redis, and as I said above, the bind assignment is only used to set the interface address (interfaces).

1. If your bind is set to: bind 127.0.0.1, this is very secure, because only this host can connect to the redis, even if you do not set a password, it is secure unless someone logs in to your server.

2. If your bind is set to: bind 0.0.0.0, all hosts can connect to the redis. (premise: your server must open the port of redis). At this time, set the password, there will be an extra layer of protection, only those who know the password can access it. That is, any host that knows the password can access your redis.

Protected-mode is a security layer of redis itself, and the purpose of this security layer is that only [native] can access redis, and nothing else can access redis. Three conditions must be met for this security layer to be enabled, otherwise the security layer will be turned off:

(1) protected-mode yes (on)

(2) there is no bind instruction. Original: The server is not binding explicitly to a set of addresses using the "bind" directive.

(3) No password is set. Original: No password is configured.

At this point, the protection mechanism of redis will be turned on. When enabled, only the local computer can access the redis. If any of the above three conditions are not met, the protection mechanism will not be turned on.

Thank you for reading! This is the end of this article on "what is the use of bind in redis?". I hope the above content can be of some help to you, so that you can learn more knowledge. if you think the article is good, you can share it for more people to see!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.