redis.conf详解之protected-mode

用法

打开保护模式

protected-mode yes

关闭保护模式

protected-mode no

用途

保护你的redis实例，防止被访问和利用。
大白话：只有本地能操作这个实例，外网不行。

注意事项：

1.保护模式默认是打开的。
2.保护模式生效后，只有本地回环和unix域套接字的请求可操作redis。
3.保护模式的生效条件：保护模式已打开且未指定bind且未指定密码
例如

protected-mode yes // 打开保护模式
#bind 127.0.0.1 //不绑定任何网络接口
#requirepass xiaoyi //不设置密码 

保护模式生效后非本地回环与unix domain socket连接将报错:

$ redis-cli -h 10.10.10.10
10.10.10.10:6379> set a 1
(error) DENIED Redis is running in protected mode because protected mode is enabled, no bind address was specified, no authentication password is requested to clients. In this mode connections are only accepted from the loopback interface. If you want to connect from external computers to Redis you may adopt one of the following solutions: 1) Just disable protected mode sending the command 'CONFIG SET protected-mode no' from the loopback interface by connecting to Redis from the same host the server is running, however MAKE SURE Redis is not publicly accessible from internet if you do so. Use CONFIG REWRITE to make this change permanent. 2) Alternatively you can just disable the protected mode by editing the Redis configuration file, and setting the protected mode option to 'no', and then restarting the server. 3) If you started the server manually just for testing, restart it with the '--protected-mode no' option. 4) Setup a bind address or an authentication password. NOTE: You only need to do one of the above things in order for the server to start accepting connections from the outside.

保护模式生效后本地回环与unix domain socket连接将成功:

$ redis-cli -h ::1
[::1]:6379> set a 1
OK
[::1]:6379>

$ redis-cli -h 127.0.0.1
127.0.0.1:6379> set a 1
OK
127.0.0.1:6379>

原生注释

# Protected mode is a layer of security protection, in order to avoid that
# Redis instances left open on the internet are accessed and exploited.
#
# When protected mode is on and if:
#
# 1) The server is not binding explicitly to a set of addresses using the
#    "bind" directive.
# 2) No password is configured.
#
# The server only accepts connections from clients connecting from the
# IPv4 and IPv6 loopback addresses 127.0.0.1 and ::1, and from Unix domain
# sockets.
#
# By default protected mode is enabled. You should disable it only if
# you are sure you want clients from other hosts to connect to Redis
# even if no authentication is configured, nor a specific set of interfaces
# are explicitly listed using the "bind" directive.