Security hardening
Redis is fully open source under the BSD license. It is a high-performance key-value database in which each logical database corresponds to a redisDb structure. Redis can read at 110000 requests/s and write at 81000 requests/s. The hardening work is grouped into four areas: access control, security auditing, resource control and intrusion prevention.
1.1 Access control
- Home directory permissions
Description: strictly restrict the permissions of the Redis home directory; the mode should be <=755
- Configuration file
Description: strictly restrict the permissions of the configuration file directory; the mode should be <=644
- Log directory and log files
Description: strictly restrict the permissions of the log file directory; the mode should be <=644
1.2 Security auditing
- Retain logs for at least 6 months
Description: audit logs of the Redis database should be retained for at least 6 months
Delete expired log files on a schedule
- appendonly.aof permissions
Description: the access mode of appendonly.aof should be 600
The relevant directive in redis.conf:
# The name of the append only file (default: "appendonly.aof")

appendfilename "appendonly.aof"
- logfile permissions
Description: the access mode of the logfile (logfile xxx) should be 600
Create a logs directory in a suitable location and then create the redis.log log file; by default Redis does not write a log file. For example, on my Mac the directory I created is /REDIS_HOME/logs and the log file is named redis.log.
> cd /REDIS_HOME/
> mkdir logs
> cd logs
> touch redis.log
> pwd
> /REDIS_HOME/logs
In the GENERAL section of the redis.conf configuration file:

# Specify the log file name. Also the empty string can be used to force
# Redis to log on the standard output. Note that if you use standard
# output for logging but daemonize, logs will be sent to /dev/null
logfile "/REDIS_HOME/logs/redis.log"
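To check the file-mode items of sections 1.1 and 1.2 mechanically, here is an added Python example (it is not part of the original page and not Redis tooling) that audits the modes of the home directory, redis.conf, the logs directory, redis.log and appendonly.aof against the limits listed above. It assumes the layout used on this page, with redis.conf, logs/redis.log and appendonly.aof directly under /REDIS_HOME; the fixture directory it builds is constructed for the demonstration only. Modes are compared bit by bit rather than numerically: a file with mode 622 is numerically below 644 but is group- and world-writable, which a plain `<=` comparison would accept.

```python
import os
import shutil
import stat
import tempfile

# Maximum modes from the checklist above (octal), keyed by path relative to the Redis home.
LIMITS = {
    "": 0o755,                 # Redis home directory
    "redis.conf": 0o644,       # configuration file
    "logs": 0o644,             # log directory
    "logs/redis.log": 0o600,   # logfile
    "appendonly.aof": 0o600,   # append-only file
}


def perm_bits(path):
    """Permission bits (rwx for user/group/other) of path, without the file-type bits."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def naive_within_limit(actual, limit):
    """The literal reading of '<= 755': compare the octal numbers.
    Misses modes such as 0o622 (group/other writable) because 0o622 < 0o644 numerically."""
    return actual <= limit


def within_limit(actual, limit):
    """Bitwise reading: every permission bit that is set must also be set in the limit."""
    return (actual & ~limit) == 0


def audit(home):
    """Check each checklist path under home; return {relpath: (actual, limit)} for violations.
    Paths that do not exist are skipped (for example no AOF when appendonly is off)."""
    findings = {}
    for rel, limit in LIMITS.items():
        path = os.path.join(home, rel) if rel else home
        if not os.path.lexists(path):
            continue
        actual = perm_bits(path)
        if not within_limit(actual, limit):
            findings[rel] = (actual, limit)
    return findings


def build_sample_home(modes):
    """Constructed fixture (not a real install): a throwaway Redis home whose entries get the
    modes in `modes` ({relpath: mode}). Files are chmod'ed before directories so a directory
    without the execute bit does not block access to its contents."""
    home = tempfile.mkdtemp(prefix="redis-audit-")
    os.mkdir(os.path.join(home, "logs"))
    for rel in ("redis.conf", "logs/redis.log", "appendonly.aof"):
        open(os.path.join(home, rel), "w").close()
    for rel, mode in sorted(modes.items(), key=lambda kv: os.path.isdir(os.path.join(home, kv[0]))):
        os.chmod(os.path.join(home, rel) if rel else home, mode)
    return home


def cleanup(home):
    """Make every directory traversable again, then delete the fixture."""
    for root, dirs, _files in os.walk(home):
        os.chmod(root, 0o700)
        for d in dirs:
            os.chmod(os.path.join(root, d), 0o700)
    shutil.rmtree(home)


if __name__ == "__main__":
    # redis.conf at 622 passes a numeric '<= 644' check but is group/world writable.
    sample = build_sample_home({"redis.conf": 0o622, "appendonly.aof": 0o644, "logs/redis.log": 0o600})
    for rel, (actual, limit) in sorted(audit(sample).items()):
        print(f"{rel or '.'}: mode {actual:04o} exceeds limit {limit:04o}")
    cleanup(sample)
```

Run it against a real install with `audit("/REDIS_HOME")`. With the checklist's 644 limit, a log directory created at the usual 755 is reported because its execute bits fall outside the limit, which is exactly what the checklist above asks for.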
1.3 Resource control
- Idle timeout
Description: configure session idle timeout locking sensibly; set the timeout parameter in /REDIS_HOME/redis.conf, recommended value 300.
Recommended change in the NETWORK section of the **redis.conf** configuration file:
# Close the connection after a client is idle for N seconds (0 to disable)
# timeout 0
timeout 300
1.4 Intrusion prevention
- Limit the number of application-server threads (client connections) to Redis
Description: limit the number of application-server threads by configuring the maxclients value in redis.conf; recommended value 128
Recommended change in the CLIENTS section of the **redis.conf** configuration file:
################################### CLIENTS ####################################

# Set the max number of connected clients at the same time. By default
# this limit is set to 10000 clients, however if the Redis server is not
# able to configure the process file limit to allow for the specified limit
# the max number of allowed clients is set to the current file limit
# minus 32 (as Redis reserves a few file descriptors for internal uses).
#
# Once the limit is reached Redis will close all the new connections sending
# an error 'max number of clients reached'.
#
# maxclients 10000
maxclients 128
- Rename critical commands
Description: change the information Redis returns on errors to prevent information leakage. Configuration: in /REDIS_HOME/redis.conf, use the rename-command directive to rename or disable the following commands: FLUSHDB, FLUSHALL, KEYS, PEXPIRE, DEL, CONFIG, SHUTDOWN, BGREWRITEAOF, BGSAVE, SAVE, SPOP, SREM.
Recommended change in the SECURITY section of the **redis.conf** configuration file:
################################## SECURITY ###################################

# Require clients to issue AUTH <PASSWORD> before processing any other
# commands. This might be useful in environments in which you do not trust
# others with access to the host running redis-server.
#
# This should stay commented out for backward compatibility and because most
# people do not need auth (e.g. they run their own servers).
#
# Warning: since Redis is pretty fast an outside user can try up to
# 150k passwords per second against a good box. This means that you should
# use a very strong password otherwise it will be very easy to break.
#
# requirepass foobared


# Command renaming.
#
# It is possible to change the name of dangerous commands in a shared
# environment. For instance the CONFIG command may be renamed into something
# hard to guess so that it will still be available for internal-use tools
# but not available for general clients.
#
# Example:
#
# rename-command CONFIG b840fc02d524045429941cc15f59e41cb7be6c52
#
# It is also possible to completely kill a command by renaming it into
# an empty string:
#
# rename-command CONFIG ""
#
# Please note that changing the name of commands that are logged into the
# AOF file or transmitted to replicas may cause problems.
Rename the commands below to the empty string (in production these commands must be disabled):
rename-command FLUSHDB ""
rename-command FLUSHALL ""
rename-command KEYS ""
rename-command PEXPIRE ""
rename-command DEL ""
rename-command CONFIG ""
rename-command SHUTDOWN ""
rename-command BGREWRITEAOF ""
rename-command BGSAVE ""
rename-command SAVE ""
rename-command SPOP ""
rename-command SREM ""
- Restrict the IP addresses that may connect to the Redis server
Description: restrict the source of logins to the Redis management interface. Configuration: in /REDIS_HOME/redis.conf, uncomment the line "# bind 127.0.0.1" and change the IP address
Recommended change, allowing only the specified IP address, in the NETWORK section of the redis.conf configuration file:
################################## NETWORK #####################################

# By default, if no "bind" configuration directive is specified, Redis listens
# for connections from all the network interfaces available on the server.
# It is possible to listen to just one or multiple selected interfaces using
# the "bind" configuration directive, followed by one or more IP addresses.
#
# Examples:
#

# bind 127.0.0.1
bind 192.168.2.38
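The directives of sections 1.3 and 1.4 can be checked the same way. The following is an added Python example, not code from the page or from the Redis project, that parses a redis.conf excerpt and reports deviations from the recommended timeout, maxclients, rename-command and bind values, and whether requirepass (shown commented out in the SECURITY excerpt above) is set at all. The two configuration excerpts embedded in it are constructed for the demonstration; the fallback values of 0 for timeout and 10000 for maxclients are the defaults stated in the redis.conf comments quoted above.

```python
import shlex

# Commands this page says to rename or disable (section 1.4).
CRITICAL_COMMANDS = {"FLUSHDB", "FLUSHALL", "KEYS", "PEXPIRE", "DEL", "CONFIG",
                     "SHUTDOWN", "BGREWRITEAOF", "BGSAVE", "SAVE", "SPOP", "SREM"}
# bind values that still listen on every interface.
ANY_ADDRESS = {"0.0.0.0", "*", "::"}


def parse_conf(text):
    """Parse redis.conf text into {directive: [args, ...]}. Directive names are lower-cased,
    every occurrence is kept (rename-command repeats), comments and blank lines are dropped,
    and quoting is honoured so that 'rename-command CONFIG ""' yields an empty argument."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def last_int(conf, directive, default):
    """Integer value of the last occurrence of a directive, or the redis.conf default."""
    occurrences = conf.get(directive)
    return int(occurrences[-1][0]) if occurrences else default


def audit_conf(text):
    """Return a list of findings for the recommendations in sections 1.3 and 1.4."""
    conf = parse_conf(text)
    findings = []

    timeout = last_int(conf, "timeout", 0)            # redis.conf default: 0 (disabled)
    if timeout == 0 or timeout > 300:
        findings.append(f"timeout {timeout}: idle sessions are not closed within 300 s")

    maxclients = last_int(conf, "maxclients", 10000)  # redis.conf default: 10000
    if maxclients > 128:
        findings.append(f"maxclients {maxclients}: above the recommended 128")

    # A command counts as covered whether it was renamed or disabled (renamed to "").
    covered = {args[0].upper() for args in conf.get("rename-command", []) if len(args) == 2}
    for cmd in sorted(CRITICAL_COMMANDS - covered):
        findings.append(f"{cmd}: neither renamed nor disabled")

    binds = [addr for args in conf.get("bind", []) for addr in args]
    if not binds or any(addr in ANY_ADDRESS for addr in binds):
        findings.append("bind: missing or listening on all interfaces")

    if "requirepass" not in conf:
        findings.append("requirepass: not set")
    return findings


# Constructed excerpt of an unhardened redis.conf (only CONFIG has been renamed).
DEFAULT_CONF = """\
bind 0.0.0.0
timeout 0
maxclients 10000
appendfilename "appendonly.aof"
rename-command CONFIG b840fc02d524045429941cc15f59e41cb7be6c52
"""

# Constructed excerpt with the values recommended on this page (password is a placeholder).
HARDENED_CONF = """\
bind 192.168.2.38
timeout 300
maxclients 128
requirepass REPLACE-WITH-A-STRONG-PASSWORD
""" + "".join(f'rename-command {cmd} ""\n' for cmd in sorted(CRITICAL_COMMANDS))


if __name__ == "__main__":
    for name, text in (("default", DEFAULT_CONF), ("hardened", HARDENED_CONF)):
        findings = audit_conf(text)
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

To audit a live file, pass `open("/REDIS_HOME/redis.conf").read()` to `audit_conf`. Note that `bind` selects the local addresses Redis listens on; it does not filter client source addresses, so restricting which hosts may connect still needs a host or network firewall in addition to the bind line.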
- Redis security patches
Description: apply Redis security patches promptly; recommended version: >=4.0.14