
How to manage Redis

2025-02-24 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article introduces the basics of how Redis should be managed. The editor walks through the operations with actual cases; the methods are simple, fast and practical. I hope this article on "how Redis should be managed" helps you solve your problem.

I. Security

What comes to mind when we talk about security?

For example, a trusted environment gives us a sense of security, while an unfamiliar environment leaves you with an unknown fear and loneliness.

For example, the Xinchuang project (domestic substitution, also called the Anke replacement), which I will simply refer to here as the Xinchuang project, aims at trust, security, reliability and self-control.

All of the above (a lot of rambling, I admit; the Guizhou donkey has run out of tricks) is simply meant to raise our awareness of security.

Redis is beautiful in its simplicity, as its founder once described it. But not much work has been done at the security level either.

One additional point: last time I did not cover how to shut down the Redis service gracefully. Although you can kill the process, it is recommended to close it as follows:

$ /opt/redis-6.0.8/src/redis-cli shutdown

1. Trusted environment

The security design of Redis is based on the premise that Redis runs in a trusted environment. In the production (official release) environment, clients are not allowed to connect directly to the Redis server; access should go through the application. Running in a trusted environment is a very important way to ensure the security of Redis.

1.1. The bind parameter

In Redis's default configuration file, redis.conf, only local network requests are accepted. You can change this by modifying the bind parameter in the configuration file; the default bind setting is:

bind 127.0.0.1

The bind parameter can also be bound to multiple IP addresses, separated by spaces, as in the following example:

# Examples:
#
# bind 192.168.1.100 10.0.0.1
# bind 127.0.0.1 ::1

1.2. The protected-mode parameter

Redis 3.2 introduced a special mode, protected mode, to better ensure that Redis runs in a trusted environment. It is worth noting that protected mode is on by default.

Parameter settings:

# enable protected mode
protected-mode yes
# disable protected mode
protected-mode no

Function:

Protected mode on: when a command arrives from a network client on an address that bind does not cover, and no password has been configured, Redis returns an error and refuses (DENIED) to execute the command.

Protected mode off: set protected-mode no in the configuration file.

Security: in the production environment, make sure the firewall is turned on so that only trusted clients can connect to the server.

During testing, for example, I connect from Windows to the Redis service on my Linux machine. To make testing easier, temporarily stop firewalld, or use the firewall-cmd command to allow the default port 6379 and the Redis service. For more information about firewalls, please refer to my previous article "firewalld and iptables Firewall tools":

# temporarily turn off the firewall
systemctl stop firewalld.service

Note: versions before Redis 3.2 bind all network interfaces by default, so any computer on the network (including the public network) can connect to the Redis server. If you use an old version, it is best to change this parameter or upgrade to a newer version.

2. Database password

Redis provides a database password function. At first I naively thought that I could just connect directly without a password, which is really insecure. Only later in practice did I find out that a password could be set; I didn't know it before. It is worth noting that multi-user access control is supported from version 6.0.

2.1. Password setting in Redis

As mentioned in my last article, the Redis database password is controlled by the parameter requirepass. In version 6.0.8 it is disabled by default and needs to be turned on manually.

# disabled by default
# requirepass foobared
# enable password
requirepass 123456

The client must send the password every time it connects to Redis, otherwise Redis will refuse to execute the commands the client sends. For example, I use a Windows client connection:

With protected mode on, the client is first refused with DENIED. After binding a trusted IP with bind, or disabling protected mode, the client is finally prompted for password authentication.

Example: set the key sky, i.e. set sky "hello redis"

# set sky
set sky "hello redis"

Restart the Redis service (so that redis.conf is re-read) and you will be prompted to authenticate, as shown below.

# get sky
get sky
(error) NOAUTH Authentication required.   # password authentication is required
# authenticate
auth 123456
OK
# get sky again
get sky
"hello redis"

Although setting a database password is convenient, more fine-grained access control is often required in complex scenarios. For example:

- Applications in a production environment should not have permission to execute commands such as CONFIG or FLUSHALL that affect configuration or data safety.
- When multiple programs share one Redis service for different purposes, it is recommended to prevent one program from accessing keys generated by the others.

Tips: for this reason, Redis 6.0 introduced the Access Control List (ACL) feature, which supports multiple users and lets you set, for each user, the commands and key-name patterns that may be accessed, and so on. You can configure it through the configuration file in two ways:

- Write the ACL configuration directly in the Redis configuration file.
- Write the ACL configuration in a separate file and include it in the Redis configuration file with the aclfile directive, for example:

aclfile /opt/person/conf.acl

2.2. Redis master-slave replication considerations

When configuring Redis replication, if the master database has a password set, you need to give the master's password through the masterauth parameter in the slave's configuration file, so that the slave automatically authenticates with the auth command when connecting to the master. The configuration is as follows.

masterauth   # followed by the master's password

3. Renaming commands

Redis supports renaming commands in the configuration file, for example renaming the FLUSHALL command to a more complex name so that only your own applications can use it. Before version 6.0, which lacked ACLs, this feature served as a supplement to command security. The configuration is as follows:

rename-command FLUSHALL redisabcdsky1r2d3is

If you want to go further, disable the command outright by renaming it to an empty string:

rename-command FLUSHALL ""

Again: for security reasons, whether you set a password or rename commands, you must also keep the configuration file itself secure, otherwise the setting is meaningless.
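The checks from section I (bind, protected-mode, requirepass and rename-command) can be run over a redis.conf before deployment. The following audit script is an added example, not code from the page or from the Redis project; the sample configuration it reads is constructed here and deliberately carries the weak settings discussed above.

```python
import re

# Constructed sample redis.conf fragment (not from any real server); it has the
# weak settings discussed above so that every check below fires at least once.
SAMPLE_CONF = """
# bind 127.0.0.1
bind 0.0.0.0
protected-mode no
# requirepass foobared
rename-command CONFIG ""
"""

def parse_conf(text):
    """Return the last value seen for each directive, ignoring comments.
    rename-command may appear several times, so it is collected into a list."""
    conf = {"rename-command": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        val = parts[1] if len(parts) > 1 else ""
        if key == "rename-command":
            conf[key].append(val)
        else:
            conf[key] = val
    return conf

def audit(text):
    """Apply the section I checks and return a list of findings (empty = clean)."""
    conf = parse_conf(text)
    findings = []
    bind = conf.get("bind")
    # No bind line, 0.0.0.0 or * means every interface is listened on.
    if bind is None or re.search(r"\b0\.0\.0\.0\b|\*", bind):
        findings.append("bind: all interfaces listened on; bind trusted addresses only")
    if conf.get("protected-mode", "yes").lower() != "yes":
        findings.append("protected-mode: disabled; keep it on unless bind and requirepass are set")
    if conf.get("requirepass", "").strip('"') == "":
        findings.append("requirepass: no password; clients connect unauthenticated")
    renamed = {r.split()[0].upper() for r in conf["rename-command"] if r.split()}
    for cmd in ("FLUSHALL", "CONFIG"):
        if cmd not in renamed:
            findings.append("rename-command: %s still exposed under its default name" % cmd)
    return findings
```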

II. Communication protocols

We have already looked at Redis master-slave replication and the format of the persistent AOF file; understanding the Redis communication protocol will help us understand Redis better.

Redis supports two communication protocols:

- a binary-safe unified request protocol;
- a simple protocol that is intuitive and easy to type into a telnet program.

1. Simple protocol

The simple protocol is suitable for communicating with Redis from a telnet program. The following is a test session with Redis over telnet.

Install telnet on Red Hat family Linux with the yum command:

yum -y install telnet

On Windows, enable telnet under "Turn Windows features on or off".

[root@dywangk redis-6.0.8]# telnet 127.0.0.1 6379
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
auth 123456        # the password set earlier must be verified first
+OK
set foo bar
+OK
get foo
$3
bar
# enter quit to exit telnet

1.1. Error reply

An error reply begins with - followed by an error message:

-ERR unknown command ``, with args beginning with:

1.2. Status reply

A status reply begins with +

+OK

1.3. Integer reply

An integer reply begins with :

:3

1.4. String reply

A string (bulk) reply begins with $

$3

2. Unified request protocol

The unified request protocol was added in Redis 1.2, and its command format is similar to the multi-bulk reply format. Again using telnet as the demonstration:

[root@dywangk redis-6.0.8]# telnet 127.0.0.1 6379
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
auth 123456        # the password set earlier must be verified first
+OK
*3
$3
set
$3
foo
$3
bar
+OK
# enter quit to exit telnet

Because the length of each string is sent before the string itself, every argument of every command can contain arbitrary binary characters.

The Redis AOF file, and the data the master sends during master-slave replication, use the unified request protocol. If you are simply talking to Redis with telnet, use the simple protocol.
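To make the two formats concrete, here is a small encoder for the unified request protocol and a parser for the four reply types shown above (plus the multi-bulk form that a request itself uses). It is an added example, not code from the page or from the Redis project; the byte strings it is exercised with are constructed here, and the example goes slightly beyond the page by also handling the $-1 nil reply.

```python
def encode_command(*args):
    """Encode a command as a unified request: *<argc>, then $<len> and the bytes
    of each argument, every line terminated by \\r\\n. Length prefixes make the
    arguments binary-safe, so an argument may itself contain \\r\\n."""
    out = b"*%d\r\n" % len(args)
    for arg in args:
        data = arg if isinstance(arg, bytes) else str(arg).encode()
        out += b"$%d\r\n%s\r\n" % (len(data), data)
    return out

def parse_reply(buf):
    """Parse one reply from the front of buf and return (value, remaining_bytes).
    Status -> str, integer -> int, bulk -> bytes (None for $-1), multi-bulk -> list;
    an error reply is raised as RuntimeError with the server's message."""
    prefix, rest = buf[:1], buf[1:]
    line, _, rest = rest.partition(b"\r\n")
    if prefix == b"+":                       # status reply, e.g. +OK
        return line.decode(), rest
    if prefix == b"-":                       # error reply, e.g. -ERR ...
        raise RuntimeError(line.decode())
    if prefix == b":":                       # integer reply, e.g. :3
        return int(line), rest
    if prefix == b"$":                       # bulk reply: $<len>\r\n<bytes>\r\n
        n = int(line)
        if n < 0:                            # $-1 means the key does not exist
            return None, rest
        return rest[:n], rest[n + 2:]        # skip the payload's trailing \r\n
    if prefix == b"*":                       # multi-bulk reply: *<count> then items
        items = []
        for _ in range(int(line)):
            item, rest = parse_reply(rest)
            items.append(item)
        return items, rest
    raise ValueError("unknown reply prefix %r" % prefix)
```

Because a request is itself a multi-bulk value, parse_reply(encode_command(...)) round-trips the argument list, which is a convenient self-check.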

III. Management tools

1. redis-cli

redis-cli should be familiar by now: all of our quick tests so far have used it, as it is Redis's own client. It can execute most Redis commands, including INFO to view database information, CONFIG to change database settings, and SAVE to force an RDB snapshot. Below is a brief introduction to several common commands for managing Redis.

1.1. Slow command log

When a command's execution time exceeds a limit, Redis records the command, its execution time and other information in the slow log for developers to inspect. The limit is set by the slowlog-log-slower-than parameter in the configuration file; note that the unit is microseconds, and the default is 10000. The number of records kept is limited by slowlog-max-len, whose default is 128.

Get the current slow log:

slowlog get

Each log entry consists of the following four parts:

- a unique log ID
- the Unix time at which the command was executed
- the execution time in microseconds
- the command and its parameters

When testing, set slowlog-log-slower-than to 0 so that every command is logged:

slowlog-log-slower-than 0

1.2. Command monitoring

Redis provides the monitor command to watch every command Redis executes, and redis-cli supports it too. For example:

monitor

Note: this is generally used only for debugging and troubleshooting.

2. Medis

When Redis holds many keys, managing them with redis-cli becomes somewhat inadequate. Medis is a visual Redis management tool for macOS that lets you manage Redis through a graphical interface.

3. phpRedisAdmin

When you see phpRedisAdmin, you may think of phpMyAdmin, the web-based tool for managing MySQL.

For how to use these tools, refer to the instructions on GitHub; they are not covered in detail here.

Suggestion: GitHub access speed is a well-known problem. It is recommended to import the repository into Gitee as a mirror and synchronize it at regular intervals.

4. Rdbtools

A Redis snapshot file parser written in Python; it can export JSON data files from a snapshot file and analyze the space occupied by each key in Redis.

This is the end of the content about "how Redis should be managed". Thank you for reading. If you want to know more about the industry, you can follow the industry information channel. The editor will update different knowledge points for you every day.
