Redis protected-mode

Redis protected-mode is a feature added in 3.2 and later. The comments in redis.conf explain exactly what it does and the conditions under which it takes effect:

# Protected mode is a layer of security protection, in order to avoid that
# Redis instances left open on the internet are accessed and exploited.
#
# When protected mode is on and if:
#
# 1) The server is not binding explicitly to a set of addresses using the
#    "bind" directive.
# 2) No password is configured.
#
# The server only accepts connections from clients connecting from the
# IPv4 and IPv6 loopback addresses 127.0.0.1 and ::1, and from Unix domain
# sockets.
#
# By default protected mode is enabled. You should disable it only if
# you are sure you want clients from other hosts to connect to Redis
# even if no authentication is configured, nor a specific set of interfaces
# are explicitly listed using the "bind" directive.
protected-mode yes  

As you can see, protected mode exists to block public-network access to the Redis cache and so harden Redis.

It takes effect when two conditions both hold:

  • 1) No IP is bound with the bind directive
  • 2) No access password is configured

When it is in effect, Redis can only be reached via the loopback IP (127.0.0.1); a connection from an external network receives an error like the following:

(error) DENIED Redis is running in protected mode because protected mode is enabled...

Recommendation: do not turn protected-mode off by hand; get into the habit of setting a password!

When setting up a Redis Sentinel cluster, problems such as the sentinels being unable to communicate with each other, being unable to reach an objective-down (ODOWN) decision for the master, and failover not happening may all be caused by protected mode being on; adding protected-mode no to sentinel.conf resolves them (the excerpt below also shows the alternative of listing the sentinel's interfaces with bind, which keeps the protection on).

The protected-mode section of sentinel.conf reads as follows:

# *** IMPORTANT ***
#
# By default Sentinel will not be reachable from interfaces different than
# localhost, either use the 'bind' directive to bind to a list of network
# interfaces, or disable protected mode with "protected-mode no" by
# adding it to this configuration file.
#
# Before doing that MAKE SURE the instance is protected from the outside
# world via firewalling or other means.
#
# For example you may use one of the following:
#
# bind 127.0.0.1 192.168.1.1
#
# protected-mode no
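Added example, not from the original post: a small Python checker that applies the three conditions quoted from redis.conf (protected-mode, bind, password) to a configuration text and reports whether the loopback-only restriction is in effect and whether the instance would accept unauthenticated clients from other hosts, covering both the redis.conf conditions above and the sentinel.conf bind alternative. It assumes the password directive is requirepass, which the page does not name, and the sample configurations are constructed.

```python
from dataclasses import dataclass, field

# Assumption (not stated on the page): the password directive is "requirepass".
LOOPBACK = {"127.0.0.1", "::1", "-::1", "localhost"}

@dataclass
class Verdict:
    protected_mode: bool                       # directive value, default yes
    bound: list = field(default_factory=list)  # "bind" addresses, [] if absent
    has_password: bool = False
    protection_active: bool = False  # remote clients get the DENIED error
    unauth_remote: bool = False      # reachable beyond loopback, no password

def parse_conf(text: str) -> dict:
    """Last value wins; only whole-line '#' comments are skipped, as in Redis."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *rest = line.split(None, 1)
        directives[key.lower()] = rest[0].strip() if rest else ""
    return directives

def evaluate(text: str) -> Verdict:
    d = parse_conf(text)
    protected = d.get("protected-mode", "yes").lower() == "yes"
    bound = d["bind"].split() if "bind" in d else []
    has_pw = bool(d.get("requirepass", ""))
    # All three conditions from redis.conf must hold for the loopback-only
    # restriction to apply; an explicit "bind 0.0.0.0" already defeats it.
    active = protected and not bound and not has_pw
    listens_remotely = not bound or any(a not in LOOPBACK for a in bound)
    unauth_remote = listens_remotely and not has_pw and not active
    return Verdict(protected, bound, has_pw, active, unauth_remote)

# Constructed sample configurations, one per situation discussed on the page.
SAMPLES = {
    "default": "protected-mode yes\n",
    "disabled": "protected-mode no\n",
    "bind_any": "protected-mode yes\nbind 0.0.0.0\n",
    "password": "protected-mode no\nrequirepass example-password\n",
    "sentinel_lan": "bind 127.0.0.1 192.168.1.1\n",
}

if __name__ == "__main__":
    for name, conf in SAMPLES.items():
        v = evaluate(conf)
        print(f"{name:12} active={v.protection_active} unauth_remote={v.unauth_remote}")
```

The "sentinel_lan" case shows why the sentinel.conf comment insists on firewalling: an explicit bind to a LAN interface switches the protection off, so anything reachable on that interface can connect without a password.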