Securing Redis requires configuration on several fronts: 1. Restrict access sources by changing bind to specific IPs or combining it with firewall settings; 2. Enable password authentication by setting a strong password through requirepass and managing it properly; 3. Disable dangerous commands, using rename-command to disable high-risk operations such as FLUSHALL, CONFIG, etc.; 4. Enable TLS encrypted communication, which suits scenarios with high security needs; 5. Update the version regularly and monitor logs to detect anomalies and fix vulnerabilities in a timely manner. Together, these measures form the line of defense for a Redis instance.
Redis is a high-performance in-memory database, but it can easily become a source of security vulnerabilities if configured improperly. To truly secure a Redis instance, you cannot rely solely on default settings; you must address several aspects.
1. Restrict access sources (IP whitelist)
By default, Redis listens on 127.0.0.1, which means that only local access is allowed. When deploying Redis for remote access, many people change it directly to 0.0.0.0, but this means that anyone may try to connect.
- Modify the bind configuration item in the redis.conf file to specify the IP segment that is allowed to access.
- If using cloud services, it is recommended to combine firewall rules or security groups to restrict the access sources.
- It is not recommended to fully open the port to the public network unless you know what you are doing.
For example: if your application server is 192.168.1.10, then the bind of Redis can be set to this IP, or a firewall can be used to open port 6379 only to that IP.
2. Set password authentication (requirepass)
Redis supports authentication by password, and although it is not the most complex mechanism, it can effectively prevent unauthorized access.
- Find the requirepass configuration item in redis.conf and set a strong password.
- After the client connects, it must execute AUTH yourpassword before it can operate on the data.
- Once the password is set, be sure to store it properly to avoid forgetting it.
Note: Do not hard-code the password in plain text in the code; it can be managed through environment variables, etc.
3. Disable dangerous commands (rename-command)
Redis provides some very powerful commands, such as FLUSHALL, KEYS *, CONFIG, etc. If abused, they may lead to data loss or configuration tampering.
- Use rename-command to rename or disable these commands:
    rename-command FLUSHALL ""
    rename-command CONFIG ""
    rename-command KEYS ""
In this way, even if others connect to Redis, it will be difficult to perform these high-risk operations.
4. Enable TLS encrypted communication (advanced options)
If you have higher security requirements, especially if Redis is exposed to public networks or accessed across data centers, you can consider enabling TLS.
- Redis 6.0 supports TLS natively.
- You need to configure the certificate file path, enable tls-port in redis.conf and close the normal port.
- The client also needs to support TLS connection mode.
This step is a little more complex, but it is very worthwhile for sensitive businesses.
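The checks from sections 1 to 4 can be run mechanically against a redis.conf file. The Python script below is an added example, not part of the original article or of Redis; the function names, the 16-character password threshold, the address 192.168.1.20 (standing in for the Redis host's own interface) and the certificate paths are assumptions, and both sample configurations are constructed.

```python
import shlex

RISKY_COMMANDS = ("FLUSHALL", "CONFIG", "KEYS")  # commands the article names
WILDCARD_BINDS = {"0.0.0.0", "*", "::"}

def parse_conf(text):
    """Parse redis.conf text into {directive: [args, ...]}, keeping repeats."""
    conf = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#"):
            name, *args = shlex.split(line)  # handles the quoted "" argument
            conf.setdefault(name.lower(), []).append(args)
    return conf

def last_value(conf, key, default):
    values = [args[0] for args in conf.get(key, []) if args]
    return values[-1] if values else default

def audit(text, min_password_len=16, require_tls=True):
    """Return the directives that fail the checks from sections 1 to 4."""
    conf, failed = parse_conf(text), []
    # 1. bind = local listen addresses (no bind line = all interfaces); "-" = optional.
    binds = {a.lstrip("-") for args in conf.get("bind", []) for a in args}
    if not binds or binds & WILDCARD_BINDS:
        failed.append("bind")
    # 2. requirepass must be set; the minimum length is this example's assumption.
    if len(last_value(conf, "requirepass", "")) < min_password_len:
        failed.append("requirepass")
    # 3. Each risky command must be renamed, or disabled by renaming it to "".
    renamed = {a[0].upper() for a in conf.get("rename-command", []) if len(a) == 2}
    failed += [f"rename-command {c}" for c in RISKY_COMMANDS if c not in renamed]
    # 4. TLS: tls-port must be non-zero and the plain port closed with "port 0".
    tls = {"tls-port": last_value(conf, "tls-port", "0") != "0",
           "port": last_value(conf, "port", "6379") == "0"}
    failed += [key for key, ok in tls.items() if require_tls and not ok]
    return failed

# Constructed sample configurations; address, password and paths are placeholders.
WEAK = 'bind 0.0.0.0\nport 6379\nrename-command FLUSHALL ""\n'
HARDENED = """bind 192.168.1.20
requirepass CONSTRUCTED-sample-passphrase-0001
rename-command FLUSHALL ""
rename-command CONFIG ""
rename-command KEYS ""
port 0
tls-port 6379
tls-cert-file /path/to/redis.crt
tls-key-file /path/to/redis.key
"""
```

Calling audit(WEAK) lists every directive that needs attention, while audit(HARDENED) returns an empty list; pass require_tls=False for deployments where TLS is handled elsewhere.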
5. Update regularly and monitor logs
The Redis community is active, new versions are released frequently, and many security issues have been fixed in newer versions.
- Regularly upgrade Redis to a stable version.
- Monitor Redis logs to see if there are abnormal connections or errors.
- You can use monitoring tools such as Prometheus and Grafana to observe the running status.
Basically that's it. Security is not something that can be achieved overnight, but a process of continuous optimization. Redis itself is not complicated, but a little carelessness will bring risks. Some of the above points are simple but easy to ignore, and some are slightly troublesome but worth doing.