I had always thought that the role of bind in the Redis configuration file was to restrict which servers (IP addresses) the Redis server accepts connection requests from, so that only the IP addresses listed in bind could access the Redis server.
It turns out that this conclusion is completely wrong.
While building a Redis cluster today, I discovered that I had misunderstood bind in Redis.
For example:
bind 127.0.0.1 restricts connections to the Redis service to the local machine only;
bind 0.0.0.0 allows any machine to connect to the Redis service.
Note: Both of these understandings are wrong. They just happen to be special cases that give us a false impression.
If you don't believe it, try this (it really is worth trying):
bind 10.0.0.1 (or any IP address other than 127.0.0.1 and 0.0.0.0)
Then restart Redis and you will find that it does not start.
Once you know the true meaning of bind, you will understand why it cannot start.
The correct understanding of bind in Redis is:
bind specifies the IP address(es) of the local machine (more precisely, the IP addresses of the local network cards; each network card has an IP address), not the addresses of other computers that are allowed to connect to Redis.
If bind is specified, only Redis requests arriving through the specified network card(s) are accepted. If it is not specified, Redis requests arriving through any network card are accepted.
For example: suppose the Redis server (the local machine) has two network cards, each with its own IP address, IP1 and IP2. (Note that IP1 and IP2 are both IP addresses of this machine.)
With bind IP1 in the configuration file, we can connect to the Redis server only when we reach it through IP1; if we try to reach it through IP2, the connection fails.
To check the IP addresses of the local network cards, use the ifconfig command.
From the ifconfig output we can see that this machine has two network cards, so the only addresses we can use with bind are 127.0.0.1 and 172.18.235.206; with anything else Redis will not start.
This explains why the earlier example (bind 10.0.0.1) cannot start: there is no network card with that IP address. So bind does not specify which servers' requests Redis accepts.
Instead, bind specifies the IP address of a local network card.
Note:
Explanation of bind 127.0.0.1 (why only this machine can connect, and others cannot):
From ifconfig we can see the lo network card (with IP address 127.0.0.1). It is a loopback address (Local Loopback): only the local computer can reach this loopback address, and other computers can only reach their own loopback addresses.
So the only computer behind this lo network card is this computer itself, which is why only this computer can access Redis and others cannot.
With bind 172.18.235.206, any Redis request that arrives through this network card address (172.18.235.206) can access Redis. I use an Alibaba Cloud server. When I run redis-cli against the Alibaba Cloud public IP address from another server, it connects to the Redis server.
This is because requests to the public address all pass through the eth0 network card address (172.18.235.206), so Redis receives them.
In short, as long as you do not bind only the loopback address, external computers can generally reach the local Redis server.
If we want to allow only specific hosts to connect to Redis, we can only do that with a firewall, not with the bind parameter in Redis.
Use an Alibaba Cloud security group to restrict which hosts may connect to port 6379.
Understanding protected-mode in Redis:
Redis itself cannot restrict connections to [only specified hosts]. As explained above, bind only sets the interface addresses.
1. If bind is set to bind 127.0.0.1, this is very safe, because only this host can connect to Redis. Even without a password it is safe, unless someone logs in to the server itself.
2. If bind is set to bind 0.0.0.0, all hosts can connect to Redis (provided the server opens the Redis port). Setting a password at this point adds an extra layer of protection, so that only those who know the password can access Redis; that is, any host that knows the password can access your Redis.
protected-mode is a security layer of Redis itself. When it is active, only [this machine] can access Redis and nobody else can. All three of the following conditions must be met for this layer to be active; otherwise it is off:
(1) protected-mode yes (is on)
(2) There is no bind command. Original text: The server is not binding explicitly to a set of addresses using the "bind" directive.
(3) No password is set. Original text: No password is configured.
When all three hold, the Redis protection mechanism is turned on and only the local machine can access Redis. If any of the three conditions is not met, the protection mechanism is not enabled.
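The following checker, added here as an example and not code from the original post or from Redis, encodes both rules from this post: a bind address must belong to a local network card or Redis will not start, and protected-mode is active only when all three conditions above hold. The local address set and the config snippets are constructed samples; on a real host the addresses come from ifconfig.

```python
# Added example (not from the original post or from Redis). It checks a redis.conf
# 'bind' line against this host's interface addresses and reports whether Redis
# would start, whether protected-mode applies, and whether the instance is reachable
# from other hosts without a password. local_addrs is a constructed sample.
from dataclasses import dataclass, field

LOOPBACKS = {"127.0.0.1", "::1"}
WILDCARDS = {"0.0.0.0", "::", "*"}   # listen on every interface

@dataclass
class BindReport:
    bind: list = field(default_factory=list)     # addresses named by 'bind'
    missing: list = field(default_factory=list)  # bind addresses this host lacks
    can_start: bool = True
    protected_mode_active: bool = False
    reachable_from_other_hosts: bool = False
    needs_firewall_or_password: bool = False

def parse_conf(text):
    """Map directive -> value; a later line overrides an earlier one."""
    conf = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def check_bind(conf_text, local_addrs):
    conf = parse_conf(conf_text)
    r = BindReport()
    r.bind = conf.get("bind", "").split()
    # Redis 6.2+ treats an address prefixed with '-' as optional (skipped if absent).
    required = [a for a in r.bind if not a.startswith("-")]
    r.missing = [a for a in required if a not in local_addrs and a not in WILDCARDS]
    r.can_start = not r.missing          # e.g. 'bind 10.0.0.1' on the post's host
    has_password = bool(conf.get("requirepass", ""))
    # Protected mode needs all three: protected-mode yes, no bind line, no password.
    r.protected_mode_active = (conf.get("protected-mode", "yes") == "yes"
                               and not r.bind and not has_password)
    # No bind line means every interface; any non-loopback address is reachable externally.
    listens_external = not r.bind or any(a.lstrip("-") not in LOOPBACKS for a in r.bind)
    r.reachable_from_other_hosts = (r.can_start and listens_external
                                    and not r.protected_mode_active)
    # bind cannot whitelist clients; that is the firewall's (security group's) job.
    r.needs_firewall_or_password = r.reachable_from_other_hosts and not has_password
    return r
```

Calling check_bind("bind 10.0.0.1", {"127.0.0.1", "172.18.235.206"}) reproduces the post's failing case (can_start is False), while "bind 0.0.0.0" with no requirepass reports needs_firewall_or_password.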
Original link: https://blog.csdn.net/cw_hello1/article/details/83444013