Redis configuration file explained
Explanation of the core configuration options:
# Redis configuration file.
# Starting Redis with a configuration file:
# ./redis-server /path/to/redis.conf
# Units: when a memory size needs to be set, it can be specified in the usual form, e.g. 1k 5GB 4M and so on:
#
# 1k => 1000 bytes
# 1kb => 1024 bytes
# 1m => 1000000 bytes
# 1mb => 1024*1024 bytes
# 1g => 1000000000 bytes
# 1gb => 1024*1024*1024 bytes
#
# Units are case insensitive
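A parser for the size notation listed above, added here as an example (it is not code from redis.conf or from Redis itself); it reproduces the decimal-versus-binary distinction and the case insensitivity stated in the comment block.

```python
import re

# Multipliers exactly as the redis.conf comment block lists them:
# bare k/m/g are decimal, kb/mb/gb are binary.
UNITS = {"": 1, "k": 1000, "kb": 1024, "m": 1000 ** 2, "mb": 1024 ** 2,
         "g": 1000 ** 3, "gb": 1024 ** 3}

def parse_memory_size(text):
    """Convert a redis.conf size such as '5GB' or '4m' to a byte count.

    The unit suffix is case-insensitive; anything outside the table is rejected
    rather than silently treated as bytes.
    """
    m = re.fullmatch(r"(\d+)([a-zA-Z]*)", text.strip())
    if not m:
        raise ValueError(f"not a Redis memory size: {text!r}")
    number, unit = int(m.group(1)), m.group(2).lower()
    if unit not in UNITS:
        raise ValueError(f"unknown unit {unit!r} in {text!r}")
    return number * UNITS[unit]
```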
INCLUDES
################################## INCLUDES ###################################
# Include one or more other config files here. This is useful if you have a standard template
# that goes to all Redis servers but also need to customize a few per-server settings. Included
# files can include other files, so use this wisely.
#
# Notice that the "include" option won't be rewritten by the "CONFIG REWRITE" command from
# an admin or Redis Sentinel. Since Redis always uses the last processed line as the value of a
# configuration directive, you'd better put includes at the beginning of this file to avoid
# overwriting config changes made at runtime.
# If instead you are interested in using includes to override configuration options, it is
# better to use include as the last line.
#
# include /path/to/local.conf
# include /path/to/other.conf
NETWORK
################################## NETWORK #####################################
# By default, for safety reasons, Redis binds to the local host, meaning it only listens for connections coming from the local machine.
# bind can be followed by several IP addresses; it restricts which IP addresses may reach Redis.
# Leaving bind unconfigured on a host reachable from the Internet exposes the Redis service to everyone on the Internet, which is very dangerous.
bind 127.0.0.1
# Whether protected mode is enabled; it is on by default.
# If you expect hosts other than the local machine to connect to this Redis instance, set it to no.
protected-mode no
# Redis accepts connections on this port.
# If set to 0, Redis will not listen on a TCP socket.
port 6379
# TCP listen() backlog.
#
# In a high-concurrency environment you need a high backlog value to avoid slow client connection issues. Note that the Linux kernel
# silently truncates it to the value of /proc/sys/net/core/somaxconn, so make sure to raise both somaxconn and tcp_max_syn_backlog
# to get the desired effect.
tcp-backlog 511
# Unix socket.
# Specify the path of the Unix socket used to listen for incoming connections. There is no default, so Redis will not listen on a Unix socket when none is specified.
#
# unixsocket /tmp/redis.sock
# unixsocketperm 700
# Close the connection after a client is idle for N seconds (0 disables the idle timeout).
timeout 0
# TCP keepalive.
# If non-zero, use SO_KEEPALIVE to send TCP ACKs to all connected clients in the absence of communication.
# This is useful for two reasons:
#
# 1) Detect dead peers.
# 2) Force intermediate network equipment to keep the connection alive.
#
# On Linux, the specified value (in seconds) is the period used to send ACKs. Note that closing the connection takes twice that time.
# On other kernels the period depends on the kernel configuration.
# The recommended value for this option is 300 seconds, which became the Redis default starting with Redis 3.2.1.
#
tcp-keepalive 300
TLS/SSL
################################# TLS/SSL #####################################
# By default, TLS/SSL is disabled. To enable it, the "tls-port" configuration
# directive can be used to define TLS-listening ports. To enable TLS on the
# default port, use:
#
# port 0
# tls-port 6379
# Configure a X.509 certificate and private key to use for authenticating the
# server to connected clients, masters or cluster peers. These files should be
# PEM formatted.
#
# tls-cert-file redis.crt
# tls-key-file redis.key
# Configure a DH parameters file to enable Diffie-Hellman (DH) key exchange:
#
# tls-dh-params-file redis.dh
# Configure a CA certificate(s) bundle or directory to authenticate TLS/SSL
# clients and peers. Redis requires an explicit configuration of at least one
# of these, and will not implicitly use the system wide configuration.
#
# tls-ca-cert-file ca.crt
# tls-ca-cert-dir /etc/ssl/certs
# By default, clients (including replica servers) on a TLS port are required
# to authenticate using valid client side certificates.
#
# If "no" is specified, client certificates are not required and not accepted.
# If "optional" is specified, client certificates are accepted and must be
# valid if provided, but are not required.
#
# tls-auth-clients no
# tls-auth-clients optional
# By default, a Redis replica does not attempt to establish a TLS connection
# with its master.
#
# Use the following directive to enable TLS on replication links.
#
# tls-replication yes
# By default, the Redis Cluster bus uses a plain TCP connection. To enable
# TLS for the bus protocol, use the following directive:
#
# tls-cluster yes
# Explicitly specify TLS versions to support. Allowed values are case insensitive
# and include "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3" (OpenSSL >= 1.1.1) or
# any combination. To enable only TLSv1.2 and TLSv1.3, use:
#
# tls-protocols "TLSv1.2 TLSv1.3"
# Configure allowed ciphers. See the ciphers(1ssl) manpage for more information
# about the syntax of this string.
#
# Note: this configuration applies only to <= TLSv1.2.
#
# tls-ciphers DEFAULT:!MEDIUM
# Configure allowed TLSv1.3 ciphersuites. See the ciphers(1ssl) manpage for more
# information about the syntax of this string, and specifically for TLSv1.3
# ciphersuites.
#
# tls-ciphersuites TLS_CHACHA20_POLY1305_SHA256
# When choosing a cipher, use the server's preference instead of the client
# preference. By default, the server follows the client's preference.
#
# tls-prefer-server-ciphers yes
# By default, TLS session caching is enabled to allow faster and less expensive
# reconnections by clients that support it. Use the following directive to disable
# caching.
#
# tls-session-caching no
# Change the default number of TLS sessions cached. A zero value sets the cache
# to unlimited size. The default size is 20480.
#
# tls-session-cache-size 5000
# Change the default timeout of cached TLS sessions. The default timeout is 300
# seconds.
#
# tls-session-cache-timeout 60
GENERAL
################################# GENERAL #####################################
# By default Redis does not run as a daemon. Set this to yes if you need it.
# Note that when Redis runs as a daemon it writes a pid file to /var/run/redis.pid.
daemonize yes
# If you run Redis from upstart or systemd, Redis can interact with your
# supervision tree. Options:
# supervised no - no supervision interaction
# supervised upstart - signal upstart by putting Redis into SIGSTOP mode
# requires "expect stop" in your upstart job config
# supervised systemd - signal systemd by writing READY=1 to $NOTIFY_SOCKET
# supervised auto - detect upstart or systemd method based on
# UPSTART_JOB or NOTIFY_SOCKET environment variables
# Note: these supervision methods only signal "process is ready."
# They do not enable continuous pings back to your supervisor.
supervised no
# If a pid file is configured, Redis writes it to the specified location at startup and removes it at exit.
# When the server runs non-daemonized, no pid file is created if none is configured.
# When the server is daemonized, the pid file is always created, using "/var/run/redis.pid" as the default if none is configured.
# Creating the pid file is best effort: if Redis cannot create it, the server still starts and runs normally.
pidfile /var/run/redis_6379.pid
# Specify the server log verbosity level.
# This can be one of the following:
# debug (a lot of information, useful for development/testing)
# verbose (many concise useful messages, but not as many as the debug level)
# notice (moderately verbose, what you want in production)
# warning (only very important messages are logged)
loglevel notice
# Specify the log file name. An empty string forces Redis to log to standard output;
# if you log to standard output but Redis is daemonized, the logs are sent to /dev/null.
logfile ""
# To use the system logger, just set "syslog-enabled" to "yes",
# then adjust the other syslog parameters as needed.
# syslog-enabled no
# Specify the syslog identity.
# syslog-ident redis
# Specify the syslog facility. Must be USER or one of LOCAL0-LOCAL7.
# syslog-facility local0
# Set the number of databases. The default database is DB 0;
# you can select a different one with the SELECT command. The database id is between 0 and 15 (the configured value minus 1).
databases 16
# Whether to show the startup logo
always-show-logo yes
SNAPSHOTTING
################################ SNAPSHOTTING ################################
#
# Save the DB on disk:
# save <seconds> <changes>
# Redis writes the DB to disk when both the given number of seconds and the given number of write operations have been reached.
# For example, the following lines will trigger a save:
# after 900 sec (15 min) if at least 1 key changed
# after 300 sec (5 min) if at least 10 keys changed
# after 60 sec if at least 10000 keys changed
# Note: you can disable saving completely by commenting out all "save" lines. You can also disable it by passing save an empty string.
# save ""
save 900 1
save 300 10
save 60 10000
# By default Redis stops accepting writes if RDB snapshots are enabled (at least one save point) and the latest background save failed.
# This makes the user aware that data is not persisting to disk properly; otherwise chances are that no one would notice and some disaster would happen.
# If the background saving process starts working again, Redis automatically allows writes again.
# However, if you have set up proper monitoring of the Redis server and of persistence, you may want to disable this feature so that Redis
# keeps working as usual even if there are problems with the disk, permissions, and so forth.
stop-writes-on-bgsave-error yes
# Compress string objects using LZF when dumping .rdb databases?
# By default it is set to "yes" because it is almost always a win.
# If you want to save some CPU you can set it to "no", but the data file will be bigger
# if you have compressible keys and values.
rdbcompression yes
# Since version 5 of RDB a CRC64 checksum is placed at the end of the file. This makes the format more resistant to corruption, but there is
# a performance hit (around 10%) when saving and loading RDB files, so you can disable it for maximum performance.
# RDB files created with the checksum disabled have a checksum of zero, which tells the loading code to skip the check.
rdbchecksum yes
# The filename used to persist the database
dbfilename dump.rdb
# Remove RDB files used by replication in instances without persistence
# enabled. By default this option is disabled, however there are environments
# where for regulations or other security concerns, RDB files persisted on
# disk by masters in order to feed replicas, or stored on disk by replicas
# in order to load them for the initial synchronization, should be deleted
# ASAP. Note that this option ONLY WORKS in instances that have both AOF
# and RDB persistence disabled, otherwise is completely ignored.
#
# An alternative (and sometimes better) way to obtain the same effect is
# to use diskless replication on both master and replicas instances. However
# in the case of replicas, diskless is not always an option.
rdb-del-sync-files no
# The working directory.
#
# The DB is written inside this directory, with the filename given above by the "dbfilename" directive.
# The Append Only File is also created inside this directory.
# Note: this must be a directory, not a file name!
dir ./
APPENDONLY
############################## APPEND ONLY MODE ###############################
# By default Redis asynchronously dumps the dataset to disk.
# This mode is good enough in many applications, but a problem with the Redis process or a power outage may result in a few minutes of writes being lost (depending on the configured save points).
# AOF is an alternative persistence mode that provides much better durability.
# For instance, using the default data fsync policy (see later in this config file), Redis loses just one second of writes in a dramatic event like a server power outage,
# or a single write if something goes wrong with the Redis process itself while the operating system is still running correctly.
# AOF and RDB persistence can be enabled at the same time without problems.
# If AOF is enabled at startup, Redis loads the AOF, which is the file with the better durability guarantees.
# Please check http://redis.io/topics/persistence for more information.
# In short, this option is the master switch that turns AOF on or off.
appendonly no
# The name of the append only file, default: "appendonly.aof"
appendfilename "appendonly.aof"
# Calling fsync() tells the OS to actually write data to disk instead of waiting for more data in the output buffer.
# Some OSes really flush the data to disk; others try to do it as soon as possible.
# Redis supports three different modes:
# no: don't fsync, just let the OS flush the data when it wants. Faster.
# always: fsync after every write operation appended to appendonly.aof. Slow, safest.
# everysec: fsync once per second, writing the operations appended to appendonly.aof. A compromise.
#
# The default is "everysec", as that's usually the right compromise between speed and data safety.
# It's up to you to decide whether you can relax this to "no", letting the OS flush the output buffer when it wants, for better performance
# (but if you can live with the idea of some data loss, consider the default persistence mode, that is RDB), or on the contrary
# use "always", which is very slow but safer than everysec.
# For more details please read the following article: http://antirez.com/post/redis-persistence-demystified.html
# If unsure, use "everysec".
# appendfsync always
appendfsync everysec
# appendfsync no
# When the AOF fsync policy is set to always or everysec, and a background saving process
# (a background save or an AOF log background rewrite) is performing a lot of I/O against the disk,
# in some Linux configurations Redis may block for too long on the fsync() call.
# Note that there is no fix for this currently, as even performing fsync in a different thread
# would block our synchronous write(2) call.
# To mitigate this problem, this option can be used to prevent fsync() from being called in the main process while a BGSAVE or BGREWRITEAOF is in progress.
# This means that while another child is saving, Redis's appendfsync policy is effectively the same as "appendfsync none".
# In practical terms, this means that in the worst case (with the default Linux settings) up to 30 seconds of log may be lost.
# If you have latency problems, turn this to "yes". Otherwise leave it as "no", which is the safest choice from the point of view of durability.
no-appendfsync-on-rewrite no
# Automatic rewrite of the append only file.
# Redis is able to automatically rewrite the log file, implicitly calling BGREWRITEAOF,
# when the AOF log size grows by the specified percentage (the value of auto-aof-rewrite-percentage).
# This is how it works: Redis remembers the size of the AOF file after the latest rewrite (if no rewrite has happened since the restart, the size of the AOF at startup is used).
# This base size is compared to the current size. If the current size is bigger than the specified percentage, the rewrite is triggered.
# You also need to specify a minimal size for the AOF file to be rewritten; this is useful to avoid rewriting the AOF file
# even if the percentage increase is reached but the file is still pretty small.
# Specify auto-aof-rewrite-percentage = 0 to disable the automatic AOF rewrite feature.
#
auto-aof-rewrite-percentage 100
auto-aof-rewrite-min-size 64mb
# If the system crashes (especially when the ext4 filesystem is mounted without the data=ordered option),
# an AOF file may be found to be truncated at the end (that is, the file does not terminate cleanly)
# while the Redis startup process is loading data back into memory from the appendonly.aof file
# (this does not happen when Redis itself crashes or aborts but the operating system still works correctly).
#
# When this happens, Redis can either exit, or load as much data as possible (the default)
# and start if the AOF file is found to be truncated at the end. This option controls that behavior.
# If aof-load-truncated is set to yes, a truncated AOF file is loaded and the Redis server starts emitting a log to inform the user of the event.
# Otherwise, if the option is set to no, the server aborts with an error and refuses to start.
# When the option is set to no, the user needs to fix the AOF file using the "redis-check-aof" utility before restarting the server.
# Note that if the AOF file is found to be corrupted in the middle, the server will still exit with an error.
# This option only applies when Redis tries to read more data from the AOF file but not enough bytes are found.
aof-load-truncated yes
# When rewriting the AOF file, Redis is able to use an RDB preamble in the AOF file for faster rewrites and recoveries.
# When this option is enabled, the rewritten AOF file is composed of two different sections:
# [RDB file][AOF tail]
# When loading, Redis recognizes that the AOF file starts with the "REDIS" string, loads the prefixed RDB file, and continues loading the AOF tail.
aof-use-rdb-preamble yes
SECURITY
################################## SECURITY ###################################
# WARNING: since Redis is pretty fast, an outside user can try up to
# 1 million passwords per second against a modern box.
# This means you must use a sufficiently strong password, otherwise it will be very easy to break.
# Note that because the password is really a shared secret between the client
# and the server, and should not be memorized by any human, the password
# can be easily a long string from /dev/urandom or whatever, so by using a
# long and unguessable password no brute force attack will be possible.
# Redis ACL users are defined in the following format:
# user <username> ... acl rules ...
# For example:
# user worker +@list +@connection ~jobs:* on >ffa9203c493aa99
#
# The special username "default" is used for new connections. If this user
# has the "nopass" rule, then new connections will be immediately authenticated
# as the "default" user without the need of any password provided via the
# AUTH command. Otherwise if the "default" user is not flagged with "nopass"
# the connections will start in not authenticated state, and will require
# AUTH (or the HELLO command AUTH option) in order to be authenticated and
# start to work.
#
# The ACL rules that describe what a user can do are the following:
#
# on Enable the user: it is possible to authenticate as this user.
# off Disable the user: it's no longer possible to authenticate
# with this user, however the already authenticated connections
# will still work.
# +<command> Allow the execution of that command
# -<command> Disallow the execution of that command
# +@<category> Allow the execution of all the commands in such category
# with valid categories are like @admin, @set, @sortedset, ...
# and so forth, see the full list in the server.c file where
# the Redis command table is described and defined.
# The special category @all means all the commands, but currently
# present in the server, and that will be loaded in the future
# via modules.
# +<command>|subcommand Allow a specific subcommand of an otherwise
# disabled command. Note that this form is not
# allowed as negative like -DEBUG|SEGFAULT, but
# only additive starting with "+".
# allcommands Alias for +@all. Note that it implies the ability to execute
# all the future commands loaded via the modules system.
# nocommands Alias for -@all.
# ~<pattern> Add a pattern of keys that can be mentioned as part of
# commands. For instance ~* allows all the keys. The pattern
# is a glob-style pattern like the one of KEYS.
# It is possible to specify multiple patterns.
# allkeys Alias for ~*
# resetkeys Flush the list of allowed keys patterns.
# ><password> Add this password to the list of valid password for the user.
# For example >mypass will add "mypass" to the list.
# This directive clears the "nopass" flag (see later).
# <<password> Remove this password from the list of valid passwords.
# nopass All the set passwords of the user are removed, and the user
# is flagged as requiring no password: it means that every
# password will work against this user. If this directive is
# used for the default user, every new connection will be
# immediately authenticated with the default user without
# any explicit AUTH command required. Note that the "resetpass"
# directive will clear this condition.
# resetpass Flush the list of allowed passwords. Moreover removes the
# "nopass" status. After "resetpass" the user has no associated
# passwords and there is no way to authenticate without adding
# some password (or setting it as "nopass" later).
# reset Performs the following actions: resetpass, resetkeys, off,
# -@all. The user returns to the same state it has immediately
# after its creation.
#
# ACL rules can be specified in any order: for instance you can start with
# passwords, then flags, or key patterns. However note that the additive
# and subtractive rules will CHANGE MEANING depending on the ordering.
# For instance see the following example:
#
# user alice on +@all -DEBUG ~* >somepassword
#
# This will allow "alice" to use all the commands with the exception of the
# DEBUG command, since +@all added all the commands to the set of the commands
# alice can use, and later DEBUG was removed. However if we invert the order
# of two ACL rules the result will be different:
#
# user alice on -DEBUG +@all ~* >somepassword
#
# Now DEBUG was removed when alice had yet no commands in the set of allowed
# commands, later all the commands are added, so the user will be able to
# execute everything.
#
# Basically ACL rules are processed left-to-right.
#
# For more information about ACL configuration please refer to
# the Redis web site at https://redis.io/topics/acl
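The left-to-right evaluation described above, as an added example that is not code from redis.conf or from Redis itself: a small Python evaluator for the ACL rule syntax listed here. The command-category table is a constructed subset of the real one, and the +<command>|subcommand form is not modelled.

```python
from fnmatch import fnmatchcase

# Constructed subset of the Redis command categories (the real table lives in server.c).
CATEGORIES = {
    "admin": {"CONFIG", "DEBUG", "SHUTDOWN"},
    "read": {"GET", "LRANGE"},
    "write": {"SET", "LPUSH", "FLUSHALL"},
    "list": {"LPUSH", "LRANGE"},
    "connection": {"PING", "AUTH"},
}
ALL_COMMANDS = set().union(*CATEGORIES.values())

def parse_user(line):
    """Parse a 'user <name> rule ...' line, applying each rule strictly left to right."""
    parts = line.split()
    u = {"name": parts[1], "on": False, "commands": set(), "keys": [],
         "passwords": set(), "nopass": False}
    for rule in parts[2:]:
        if rule in ("on", "off"):
            u["on"] = rule == "on"
        elif rule in ("allcommands", "+@all"):
            u["commands"] = set(ALL_COMMANDS)
        elif rule in ("nocommands", "-@all"):
            u["commands"] = set()
        elif rule[:2] in ("+@", "-@"):              # add or remove a whole category
            cat = CATEGORIES[rule[2:]]
            u["commands"] = u["commands"] | cat if rule[0] == "+" else u["commands"] - cat
        elif rule[0] in "+-":                       # add or remove a single command
            (u["commands"].add if rule[0] == "+" else u["commands"].discard)(rule[1:].upper())
        elif rule == "allkeys":
            u["keys"].append("*")
        elif rule == "resetkeys":
            u["keys"] = []
        elif rule[0] == "~":
            u["keys"].append(rule[1:])
        elif rule[0] == ">":                        # adding a password clears the nopass flag
            u["passwords"].add(rule[1:]); u["nopass"] = False
        elif rule[0] == "<":
            u["passwords"].discard(rule[1:])
        elif rule == "nopass":
            u["passwords"], u["nopass"] = set(), True
        elif rule == "resetpass":
            u["passwords"], u["nopass"] = set(), False
        elif rule == "reset":                       # resetpass, resetkeys, off, -@all
            u.update(on=False, commands=set(), keys=[], passwords=set(), nopass=False)
        else:
            raise ValueError(f"unknown ACL rule: {rule!r}")
    return u

def can_execute(u, command, key=None):
    """True if the user is enabled, may run the command and (if a key is given) the key matches a pattern."""
    if not u["on"] or command.upper() not in u["commands"]:
        return False
    return key is None or any(fnmatchcase(key, p) for p in u["keys"])
```

Running the two "alice" lines from the text through parse_user shows the ordering effect: +@all -DEBUG denies DEBUG, while -DEBUG +@all allows it.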
# ACL LOG
#
# The ACL Log tracks failed commands and authentication events associated
# with ACLs. The ACL Log is useful to troubleshoot failed commands blocked
# by ACLs. The ACL Log is stored in memory. You can reclaim memory with
# ACL LOG RESET. Define the maximum entry length of the ACL Log below.
acllog-max-len 128
# Using an external ACL file
#
# Instead of configuring users here in this file, it is possible to use
# a stand-alone file just listing users. The two methods cannot be mixed:
# if you configure users here and at the same time you activate the external
# ACL file, the server will refuse to start.
#
# The format of the external ACL user file is exactly the same as the
# format that is used inside redis.conf to describe users.
#
# aclfile /etc/redis/users.acl
# IMPORTANT NOTE: starting with Redis 6 "requirepass" is just a compatibility
# layer on top of the new ACL system. The option effect will be just setting
# the password for the default user. Clients will still authenticate using
# AUTH <password> as usually, or more explicitly with AUTH default <password>
# if they follow the new protocol: both will work.
#
# requirepass foobared
# Command renaming (DEPRECATED).
#
# ------------------------------------------------------------------------
# WARNING: avoid using this option if possible. Instead use ACLs to remove
# commands from the default user, and put them only in some admin user you
# create for administrative purposes.
# ------------------------------------------------------------------------
#
# It is possible to change the name of dangerous commands in a shared
# environment. For instance the CONFIG command may be renamed into something
# hard to guess so that it will still be available for internal-use tools
# but not available for general clients.
#
# Example:
#
# rename-command CONFIG b840fc02d524045429941cc15f59e41cb7be6c52
#
# It is also possible to completely kill a command by renaming it into
# an empty string:
#
# rename-command CONFIG ""
#
# Please note that changing the name of commands that are logged into the
# AOF file or transmitted to replicas may cause problems.
This article was written by huzd and is licensed under the Creative Commons Attribution 4.0 International License. Unless marked as a repost or with a source, articles on this site are original or translated by the site; please credit the author when reposting. Last edited:
2021/02/10 22:37