I'm using Redis 6.2.5, and I'm facing some issues to save users.
It looks like it only works if I put the user in the redis.conf file. If I just create it with acl setuser username command and then restart the service, it loses the user information, even if I run the save or bgsave commands. Does anybody know a way to save the user definitely without editing the redis.conf file, or just add it in the memory but also on the redis.conf file, so, when it's restarted, the user will be there?
You can use CONFIG REWRITE command to rewrite the config file, so that your setting will be saved to config file. The next time, you start Redis with this config file, you'll get those user settings.
Also you can use an external ACL file to set ACL rules. If you want to change the settings, you can manually change the ACL file, and call ACL LOAD to reload the new configuration.
Check the doc for detail.
Related
When I create a new user in redis using the acl setuser command, like the following:
acl setuser ankit on >generalpassword +#all -#dangerous ~*
Where is this information about the new user stored?
I checked the redis.conf file.
Is it stored in another file? If yes, which file is that?
The ACL database is stored in memory (RAM) and get lost if you restart Redis. To persist it to disk, you need to invoke the ACL SAVE command:
When Redis is configured to use an ACL file (with the aclfile
configuration option), this command will save the currently defined
ACLs from the server memory to the ACL file.
I want to add password to Redis.
I interested if there is a way to save encrypted password in redis.conf and not as plain text?
Or a way not to store the password in redis.conf at all?
By default redis.conf atleast until today with its most recent version - 6.0.1 still doesnt support encrypting a password.
While this is a situation is not fully avoidable, at the best, you can automate this by writing a wrapper startup script that would accept password as an argument and bring up the service. And then, once the service is up, ALTHOUGH THIS IS TO BE AVOIDED AND IS NOT RECOMMENDED you can delete the conf file or change the password in that file. and, before the startup of REDIS, you would require to run the startup script again/ re-enter the original password. BUT THIS CAN ADDITIONALY CAUSE PROBLEMS.
Please note -> redis.conf can be secured by linux/OS permissions and thats the best way to do so
No Redis doesn't support encrypted password for auth. You may check the details in official documentation
The password is set by the system administrator in clear text inside the redis.conf file. It should be long enough to prevent brute force attacks.
Additionally;
The AUTH command, like every other Redis command, is sent unencrypted, so it does not protect against an attacker that has enough access to the network to perform eavesdropping.
You may use config set requirepass yourpassword to set password and this will not require a server restart but set it on-fly, but when the server is restarted your previous password(written in conf file)/no password(if it is not set) will be used to authenticate requests.
Well while encryption is till now not an option, Redis 6 introduced ACL (Access Control List) where you can store your SHA256-hashed passwords in the redis.conf file.
Please note that this not an Encryption though!
From redis-cli:
acl setuser yourUser on #951249c8e32817cb0727ba2b1440f008c49c582e5daca4a0bd6d64eed1291a37
From redis.conf
user yourUser on #951249c8e32817cb0727ba2b1440f008c49c582e5daca4a0bd6d64eed1291a37
Additional note:
You may need to disable the default user which does not have a password:
From redis-cli:
acl setuser default off
From redis.conf
user default off
I remember playing around with some settings and I believe it changed the location of dump.rdb. Now, dump.rdb auto-magically appears at the root of my projects.
Where does it belong, and how would I return it there? Also, how does this location change when in a production environment?
Where does it belong?
Wherever you want.
The default directory is ./, meaning the directory where the Redis server got started from.
Edit:
* I am modifying your second question (asked in comment) a little bit.
Is it possible to change to location of dump.rdb? How?
Yes, it is possible. There two possible ways I can think of.
1.
Modify redis configuration file (e.g. redis.conf) and restart redis server. This way, every restart after this one will use the new directory. But redis will not reload any previous data at first restart (because there will not be anything to reload from).
To reload previous data, previous dump.rdb would have to be moved to new location manually before restarting the server.
2.
Set new directory by CONFIG SET command. E.g.
CONFIG SET dir path/to/new/directory
* Note that the path has to be a directory.
That's it! But this way is not permanent because server restart will use the old directory.
To make new directory permanent, execute CONFIG REWRITE to rewrite the configuration file. Remember, redis server has to have write permission to that file.
dir path/to/dorectory has to be set in the redis config file.
I have a running instance that was created without a keypair, as I understand is not possible to apply a keypair to a running instance, I need to ssh connect to the instance to get some logs, how can I do that?
Right click on the instance -> Connect, shows a message saying that the instance is not associated with a key pair and "you will need to log into this instance using a valid username and password combination".
Our app runs on Elastic Beanstalk, the user should be ec2-user, but what about the password? How can I retrieve that?
PS: re-launch the instance with a keypair is not an option....
Thanks!
You can download the logs using tail logs or full logs option in the console
http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/using-features.loggingS3.title.html
The above will get you the default set of log files from the instance. If you want to get your files from one of the non-default locations you will need to update your environment with the following ebextension. Create a file custom-logs.config in a folder named .ebextensions in your app root. In the contents of your file create a log configuration file that points to your custom location.
Example contents:
files:
"/opt/elasticbeanstalk/tasks/systemtaillogs.d/my-cool-logs.conf" :
mode: "000777"
owner: root
group: root
content: |
/my-framework/my-logs/my-cool-log.log
This file is in yaml format, so be careful with the indentation. After creating this file you can deploy this new app version to your environment. Then when you snapshot logs using the instructions above you will get your custom logs.
If there's any way to access the command line on your instance then you could
edit
/etc/ssh/sshd_config
setting change the line to:
PasswordAuthentication yes
SSH User:Pass access defaults to no on launch.
Since my ubuntu server was clearing sessions too early I decided to use another folder to store the sessions. So I use something like the following:
session_save_path(SESSION_PATH);
ini_set('session.gc_probability', 1);
session_start();
I attach this in every php file that needs a session_start() [I hope this is the right implementation]
My logout.php file does seem to clear the stored sessions in this custom directory. However my question is what if the user doesn't logout and just closes the browser. Do these session files from the custom folder get deleted over time?
yes it will be cleaned by php engine.
Garbage collection may occur during session start (depending on session.gc_probability and session.gc_divisor).
Ref: PHP Documents
in the other hand it would be enough to set session.gc_maxlifetime option.