Redis server enforces AUTH, but is not configured to require it

Time: 2015-12-11 15:15:39

Tags: ruby-on-rails authentication redis resque digital-ocean

I have a Rails application that uses Redis for background jobs (via Resque). This has worked fine for quite a while, both in development and in production (on a VM). Recently, when trying to access the resque-web Sinatra site in production to manage background jobs, I got an Internal Server Error. Looking at the web server logs, I can see that the error originates from Redis, which now seems to require a password for authentication:

Redis::CommandError - NOAUTH Authentication required

Here is the strange part: my redis conf file (/etc/redis/6379.conf) has (as far as I know) never had any authentication enabled (note that both lines are commented out):

...
# If the master is password protected (using the "requirepass" configuration
# directive below) it is possible to tell the slave to authenticate before
# starting the replication synchronization process, otherwise the master will
# refuse the slave request.
#
# masterauth <master-password>
...
# Require clients to issue AUTH <PASSWORD> before processing any other
# commands.  This might be useful in environments in which you do not trust
# others with access to the host running redis-server.
#    
# This should stay commented out for backward compatibility and because most
# people do not need auth (e.g. they run their own servers).
# 
# Warning: since Redis is pretty fast an outside user can try up to
# 150k passwords per second against a good box. This means that you should
# use a very strong password otherwise it will be very easy to break.
#
# requirepass foobared
...

If I try to restart the redis server, it won't let me without a password:

sudo /etc/init.d/redis_6379 restart
Stopping ...
(error) NOAUTH Authentication required.
Waiting for Redis to shutdown ...
Waiting for Redis to shutdown ...

So my immediate problem is that my Redis server has a password set and I don't know what it is. I need to get it working again.

The second problem is that I don't know how this password got set. The app is deployed on a DigitalOcean VM. Looking at the redis logs doesn't show anything suspicious. I use the recommended SSH and custom port setup to provide some access security, but of course it is never completely secure. This app is a side project of mine and doesn't really hold any sensitive information. However, I do want to know what happened and prevent it from happening again.

2 answers:

Answer 0 (score: 1)

The answer here seems to best explain what happened: https://stackoverflow.com/a/34149605/931528

It is interesting to note the recent date of that question. We all seem to be victims of the same security exploit. I am now adding a password to the Redis server and will also block the Redis port on the VM.

Answer 1 (score: 1)

PROBLEM:

This problem...

service redis_6379 restart
Stopping ...
(error) NOAUTH Authentication required.
Waiting for Redis to shutdown ...
Waiting for Redis to shutdown ...
Waiting for Redis to shutdown ...
Waiting for Redis to shutdown ...
Waiting for Redis to shutdown ...
Waiting for Redis to shutdown ...
[...]

...occurs because password authentication is configured, and the password is not configured for the stop/restart.

SOLUTION:

Open the file...

/etc/init.d/redis_6379

...and replace the line...

#!/bin/sh

...with...

#!/bin/bash

...and replace the line...

$CLIEXEC -p $REDISPORT shutdown

...with...

# NOTE: We use that workaround because the password authentication is configured, and the password is not configured at restart! By Questor
REQUIREPASS=$(sed -n 's/.*requirepass *  *\([^ ]*.*\)/\1/p' < "$CONF")
IFS=' ' read -r -a MATCH_ARRAY <<< $REQUIREPASS
$CLIEXEC -a "${MATCH_ARRAY[1]}" -p $REDISPORT shutdown

# $CLIEXEC -p $REDISPORT shutdown

Done!

NOTE: Be aware that the index i in ${MATCH_ARRAY[i]} depends on how you configured the requirepass parameter! That is, on how many times the string "requirepass " occurs in the 6379.conf file, and on which of those occurrences you are interested in!

[Reference: http://www.cnblogs.com/abclife/p/6179454.html]
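The two answers above leave two practical gaps: Answer 1's init-script workaround picks the password out of 6379.conf by guessing an array index (because the commented-out "# requirepass foobared" line is matched too), and Answer 0 says to add a password and block the port without showing how to check that the file is actually in that state. The following script is an added example, not code from either answer or from the Redis project. It reads only uncommented requirepass and bind directives (Redis applies the last one), audits the file for the two settings Answer 0 recommends, and wraps the shutdown call so that -a is passed only when a password is configured. The sample configuration file it writes to $TMPDIR is constructed for the example; $CLIEXEC and $REDISPORT are the variables the page's /etc/init.d/redis_6379 already defines, and the function takes them as arguments.

```shell
#!/bin/sh
# Added example: read the effective requirepass/bind settings from a Redis
# conf file, audit them, and shut Redis down with authentication when needed.

# Print the value of the LAST uncommented "requirepass" line in $1.
# Lines like "# requirepass foobared" are skipped, so no index guessing is needed.
# Trailing whitespace is stripped; quoted values are returned as written.
redis_requirepass() {
    sed -n 's/^[[:space:]]*requirepass[[:space:]]\{1,\}//p' "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# Print the value of the LAST uncommented "bind" line in $1
# (empty output means Redis listens on every interface).
redis_bind() {
    sed -n 's/^[[:space:]]*bind[[:space:]]\{1,\}//p' "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# Audit $1: return 0 only if a password is required AND bind is loopback-only.
# Findings are printed so this can run from a deploy step or a cron job.
redis_audit() {
    conf="$1"; rc=0
    pass=$(redis_requirepass "$conf")
    bind=$(redis_bind "$conf")
    if [ -z "$pass" ]; then
        echo "FAIL: no requirepass in $conf (unauthenticated Redis)"; rc=1
    elif [ "${#pass}" -lt 32 ]; then
        # The conf file's own comment: ~150k AUTH attempts per second are possible.
        echo "WARN: requirepass is shorter than 32 characters"
    fi
    case "$bind" in
        "")               echo "FAIL: no bind directive; Redis listens on all interfaces"; rc=1 ;;
        127.0.0.1*|::1*)  ;;
        *)                echo "WARN: bind '$bind' is not loopback-only" ;;
    esac
    return $rc
}

# Shutdown helper for the init script: redis_shutdown CONF CLIEXEC PORT.
# Passes -a only when a password is configured, so the same script works
# for protected and unprotected servers. Note that -a exposes the password
# in the process list for the duration of the call.
redis_shutdown() {
    conf="$1"; cliexec="$2"; port="$3"
    pass=$(redis_requirepass "$conf")
    if [ -n "$pass" ]; then
        "$cliexec" -a "$pass" -p "$port" shutdown
    else
        "$cliexec" -p "$port" shutdown
    fi
}

# Constructed sample conf (hypothetical values) so the script runs stand-alone.
SAMPLE_CONF="${TMPDIR:-/tmp}/redis_sample_$$.conf"
cat > "$SAMPLE_CONF" <<'EOF'
# requirepass foobared
bind 127.0.0.1
requirepass constructed-example-password-0123456789abcdef
EOF

# Running the audit on the sample prints nothing and returns 0 (both checks pass).
redis_audit "$SAMPLE_CONF"
```

In the real init script, `$CLIEXEC -p $REDISPORT shutdown` becomes `redis_shutdown "$CONF" "$CLIEXEC" "$REDISPORT"`. Once requirepass is set, the Rails side needs the password as well; with redis-rb that is normally supplied through a redis://:password@host:port URL rather than by editing code.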