
Credentials for use with Redis Socache module

Comments

8 comments

  • The Old Man
    Polite bump! :)
    0
  • cPanelLauren
    The auth feature and what it entails is described in the Redis documentation here: Redis Security - Redis.
    0
  • The Old Man
    Hi, Thank you, sorry for any confusion. I'm familiar with Redis and have my Redis running fine, but I'm looking for improved documentation or guidance showing how to utilise the provided mod_socache_redis module as SSL Session Cache, stapling etc. when you are using Redis with a password and socket. I've been reading documentation for most of the day but can't seem to get it to work. It ideally needs a more modern example or two: following best practice you would ideally use Redis with a password, and now it's more preferable performance-wise to use Redis with a Unix socket rather than the traditional default port 6379. The Apache doc example I linked to shows:
    [CODE=apacheconf]SSLSessionCache redis:redis.example.com:12345,redis2.example.com:12345[/CODE]
    and makes reference to Memcached host/port specifications, but in my case:
    [CODE=apacheconf]SSLSessionCache redis:/var/redis/redis.sock:0[/CODE]
    doesn't work because it still needs the Redis password credential. It seems to have something to do with AuthnCacheProvideFor and AuthnCacheSOCache, so I tried putting the password inside the Pre Main Include editor, but Apache then wouldn't restart due to error messages about it not being allowed there. Also I'm unfamiliar with the proper syntax to use, as well as the location to use it! Hope this makes more sense.
    0
  • cPanelLauren
    There's just not a lot of information on this, period. I'm finding the following looked helpful: Redis
    0
  • The Old Man
    Thanks Lauren. Redis actually works just fine, I just enter the socket path and password and my various hosted sites are using it okay, it's just a question of where do I put the password in so that Apache can make use it via mod_socache_redis? Many thanks.
    0
  • The Old Man
    Had a bit of success with this today by experimenting without socket and without a password to keep it simple, but it's still not correct; it's working kind of but seems to come and go. For testing, I created a new Redis instance named Redis7 but with no password, bound to listen on 127.0.0.1 as usual, but on TCP socket port 6384 instead of a Unix socket.
    • CENTOS 7.8 virtuozzo [vps]
    • v88.0.13
    pre_virtualhost_global.conf:
    [CODE=apacheconf]
    ServerLimit 200
    StartServers 200
    MaxRequestWorkers 400
    MinSpareThreads 200
    # Max must be >= (MinSpareThreads + ThreadsPerChild)
    MaxSpareThreads 225
    MaxConnectionsPerChild 0
    ThreadsPerChild 25
    ThreadLimit 64
    LogLevel http2:info
    H2ModernTLSOnly on
    H2Push on
    H2Upgrade on
    H2Direct on
    H2PushDiarySize 256
    ProtocolsHonorOrder On
    Protocols h2 http/1.1
    RedisConnPoolTTL 0
    RedisTimeout 0
    SSLSessionCache redis:/var/redis/redis7.sock:6384
    SetHandler server-info
    # Allow access from server itself
    Require ip 127.0.0.1 ::1
    # Additionally, allow access from local workstation
    Require forward-dns mydyndns.myhomeinter.com
    SetHandler status
    # Allow access from server itself
    Require ip 127.0.0.1 ::1
    # Additionally, allow access from local workstation
    Require forward-dns mydyndns.myhomeinternet.com
    LogIOTrackTTFB ON
    LogFormat "%v %a %p %m %H \"%U\" %t %>s %O %I %D %^FB \"%{Referer}i\" \"%{User-Agent}i\" \"%r\"" vhost_combined
    CustomLog /var/log/apache2/access_log_combined vhost_combined
    [/CODE]
    CSF Firewall shows it is listening on that port. System Status in Apache now shows a mixture of messages, each time I reload the page. :oops:
    SSL/TLS Session Cache Status:
    Redis server: /var/redis/redis7.sock:6384 [Up]
    General:: Version: 5.0.5 [64 bits], PID: 417, Uptime: 9 hrs
    Clients:: Connected: 9, Blocked: 0
    Memory:: Total: 6442450944, Max: 2000000, Used: 495080
    CPU:: System: 17, User: 38
    Connections:: Recd: 31766, Processed: 68043, Rejected: 0
    Cache:: Hits: 0, Misses: 1745
    Net:: Input bytes: 1282420, Output bytes: 116477904
    Misc:: Role: master, Connected Slaves: 9, Is Cluster?: no
    Sometimes nothing shows for this block below the usual scoreboard and list of slots. Sometimes I get this message appearing: :rolleyes:
    SSL/TLS Session Cache Status:
    Redis server: /var/redis/redis7.sock:6384 [Down]
    Other times, I see this: :-p
    SSL/TLS Session Cache Status:
    Redis server: /var/redis/redis7.sock:6384 [Up]
    Apache Error Log excerpt:
    [Sun Aug 09 03:48:28.574235 2020] [socache_redis:error] [pid 9267:tid 48011031754496] (11)Resource temporarily unavailable: AH03479: scache_rd: 'retrieve' FAIL
    [Sun Aug 09 03:48:31.540757 2020] [socache_redis:error] [pid 16047:tid 48011075880704] (11)Resource temporarily unavailable: AH03479: scache_rd: 'retrieve' FAIL
    [Sun Aug 09 03:48:42.882775 2020] [socache_redis:error] [pid 15243:tid 48011061171968] (11)Resource temporarily unavailable: AH03479: scache_rd: 'retrieve' FAIL
    [Sun Aug 09 03:49:00.645347 2020] [socache_redis:error] [pid 6546:tid 48011067475712] (11)Resource temporarily unavailable: AH03479: scache_rd: 'retrieve' FAIL
    [Sun Aug 09 03:49:05.985298 2020] [lsapi:error] [pid 6546:tid 48011073779456] [client 66.xx.xx.xx:34230] mod_lsapi: [host www.example.co.uk] [req GET /gallery/image/887-show_2017_-185jpg/ HTTP/1.1] Connect to backend failed: connect to lsphp refused: 111 (possibly memory limit for LVE ID 1002 too small)
    [Sun Aug 09 03:49:29.743453 2020] [socache_redis:error] [pid 14748:tid 48011075880704] (11)Resource temporarily unavailable: AH03479: scache_rd: 'retrieve' FAIL
    [Sun Aug 09 03:49:18.705167 2020] [lsapi:error] [pid 15243:tid 48011067475712] [client 66.xx.xx.xx:52348] mod_lsapi: [host example.net] [req GET /forum/topic/25647 HTTP/1.1] Connect to backend failed: connect to lsphp refused: 111 (possibly memory limit for LVE ID 1000 too small)
    [Sun Aug 09 03:50:03.031114 2020] [socache_redis:error] [pid 15243:tid 48011073779456] (11)Resource temporarily unavailable: AH03479: scache_rd: 'retrieve' FAIL
    Apache modules:
    apachectl -l
    Compiled in modules:
    core.c mod_so.c http_core.c
    root@vpsxxx [~]# apachectl -M
    Loaded Modules:
    core_module (static) so_module (static) http_module (static) mpm_event_module (shared) lsapi_module (shared) cgid_module (shared) access_compat_module (shared) actions_module (shared) alias_module (shared) allowmethods_module (shared) asis_module (shared) auth_basic_module (shared) auth_digest_module (shared) authn_core_module (shared) authn_anon_module (shared) authn_dbm_module (shared) authn_file_module (shared) authn_socache_module (shared) authz_core_module (shared) authz_dbm_module (shared) authz_groupfile_module (shared) authz_host_module (shared) authz_owner_module (shared) authz_user_module (shared) autoindex_module (shared) brotli_module (shared) buffer_module (shared) cache_module (shared) cache_socache_module (shared) dbd_module (shared) deflate_module (shared) dir_module (shared) env_module (shared) expires_module (shared) filter_module (shared) headers_module (shared) include_module (shared) log_config_module (shared) logio_module (shared) mime_module (shared) mime_magic_module (shared) negotiation_module (shared) proxy_module (shared) proxy_connect_module (shared) proxy_express_module (shared) proxy_http_module (shared) proxy_wstunnel_module (shared) proxy_uwsgi_module (shared) remoteip_module (shared) reqtimeout_module (shared) rewrite_module (shared) sed_module (shared) setenvif_module (shared) slotmem_plain_module (shared) slotmem_shm_module (shared) socache_dbm_module (shared) socache_shmcb_module (shared) socache_redis_module (shared) speling_module (shared) status_module (shared) suexec_module (shared) unique_id_module (shared) unixd_module (shared) userdir_module (shared) bwlimited_module (shared) ssl_module (shared) http2_module (shared) security2_module (shared) cloudflare_module (shared) cpanel_module (shared)
    apachectl -S
    ServerRoot: "/etc/apache2"
    Main DocumentRoot: "/etc/apache2/htdocs"
    Main ErrorLog: "/etc/apache2/logs/error_log"
    Mutex authdigest-client: using_defaults
    Mutex ssl-stapling: using_defaults
    Mutex proxy: using_defaults
    Mutex authn-socache: using_defaults
    Mutex ssl-cache: dir="/run/apache2" mechanism=fcntl
    Mutex lsapi-pipe: dir="" mechanism=posixsem
    Mutex default: dir="/var/run/apache2/" mechanism=default
    Mutex cache-socache: using_defaults
    Mutex authdigest-opaque: using_defaults
    Mutex rewrite-map: dir="/run/apache2" mechanism=fcntl
    Mutex ssl-stapling-refresh: using_defaults
    PidFile: "/run/apache2/httpd.pid"
    Define: DUMP_VHOSTS
    Define: DUMP_RUN_CFG
    Define: MODSEC_2.5
    Define: MODSEC_2.9
    User: name="nobody" id=99
    Group: name="nobody" id=99
    root@vpsXXXXX
    Redis Error Log shows nothing obvious:
    10494:C 08 Aug 2020 16:45:17.002 # Configuration loaded
    10494:M 08 Aug 2020 16:45:17.010 # Server initialized
    10494:signal-handler (1596905476) Received SIGTERM scheduling shutdown...
    10494:M 08 Aug 2020 17:51:16.816 # User requested shutdown...
    10494:M 08 Aug 2020 17:51:16.825 # Redis is now ready to exit, bye bye...
    417:C 08 Aug 2020 17:51:55.021 # oO0OoO0OoO0Oo Redis is starting oO0OoO0OoO0Oo
    417:C 08 Aug 2020 17:51:55.021 # Redis version=5.0.5, bits=64, commit=00000000, modified=0, pid=417, just started
    417:C 08 Aug 2020 17:51:55.021 # Configuration loaded
    417:M 08 Aug 2020 17:51:55.026 # Server initialized
    0
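A small triage script for the kind of error_log excerpt in the post above, added here as an example (it is not part of the thread, nor Apache or cPanel code): it parses httpd 2.4 error-log lines, counts entries per module and AH code so configuration failures (AH03474, from a later post) can be told apart from runtime retrieve failures (AH03479, errno 11 / EAGAIN), and buckets socache_redis errors per minute to show whether the cache is steadily down or flapping as the status page suggests. The sample lines are constructed from the excerpt; PIDs, client address, host and request path are made up.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample, modelled on the error-log excerpt in the thread.
# PIDs, TIDs, client address, host names and paths are made up for this example.
SAMPLE_ERROR_LOG = """\
[Sun Aug 09 03:48:28.574235 2020] [socache_redis:error] [pid 9267:tid 48011031754496] (11)Resource temporarily unavailable: AH03479: scache_rd: 'retrieve' FAIL
[Sun Aug 09 03:48:31.540757 2020] [socache_redis:error] [pid 16047:tid 48011075880704] (11)Resource temporarily unavailable: AH03479: scache_rd: 'retrieve' FAIL
[Sun Aug 09 03:49:05.985298 2020] [lsapi:error] [pid 6546:tid 48011073779456] [client 192.0.2.10:34230] mod_lsapi: [host www.example.invalid] [req GET /gallery/ HTTP/1.1] Connect to backend failed: connect to lsphp refused: 111
[Sun Aug 09 03:50:03.031114 2020] [socache_redis:crit] [pid 18404:tid 47711874364480] (22)Invalid argument: AH03474: Failed to Parse redis Server: '/var/redis/redis7.sock:0'
"""

# One httpd 2.4 error_log line:
# [timestamp] [module:level] [pid N:tid N] [(errno)strerror: ] [AHnnnnn: ] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] "
    r"\[(?P<module>[^:\]]+):(?P<level>[^\]]+)\] "
    r"\[pid (?P<pid>\d+):tid (?P<tid>\d+)\] "
    r"(?:\((?P<errno>\d+)\)(?P<errstr>[^:]+): )?"
    r"(?:(?P<ah>AH\d{5}): )?"
    r"(?P<msg>.*)$"
)
TS_FORMAT = "%a %b %d %H:%M:%S.%f %Y"


def parse_line(line):
    """Return a dict for one error_log line, or None if it does not match the 2.4 format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], TS_FORMAT)
    entry["errno"] = int(entry["errno"]) if entry["errno"] else None
    return entry


def parse_log(text):
    """Parse every recognisable line; unrecognised lines are dropped."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def error_summary(entries):
    """Count lines per (module, AH code). AH03474 is a config-time parse failure
    (the provider string was rejected), AH03479 a runtime read failure on a
    connection that was accepted at startup."""
    return dict(Counter((e["module"], e["ah"] or "-") for e in entries))


def socache_failures_per_minute(entries):
    """Minute buckets of socache_redis errors: a steady count means the cache is
    simply down, isolated bursts mean the connection is coming and going."""
    buckets = Counter()
    for e in entries:
        if e["module"] == "socache_redis":
            buckets[e["ts"].strftime("%Y-%m-%d %H:%M")] += 1
    return dict(buckets)


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_ERROR_LOG)
    print(error_summary(parsed))
    print(socache_failures_per_minute(parsed))
```

Run it against a real file with `parse_log(open("/etc/apache2/logs/error_log").read())`; the lsapi lines in the post are unrelated to the cache and show up under a separate `("lsapi", "-")` key, which keeps them from being confused with the socache problem.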
  • The Old Man
    Some more progress... If using this format, to connect to TCP socket port 6385:
    [CODE=apacheconf]SSLSessionCache redis:/var/redis/redis7.sock:6385[/CODE]
    I get no error messages in the Apache Error Log. The Redis Socache summary stays visible every time I refresh WHM System Status, but no keys are stored in Redis memory. The number of connections it reports does increase though.
    SSL/TLS Session Cache Status:
    Redis server: /var/redis/redis7.sock:6385 [Up]
    General:: Version: 5.0.5 [64 bits], PID: 28129, Uptime: 6 hrs
    Clients:: Connected: 8, Blocked: 0
    Memory:: Total: 6442450944, Max: 10000000, Used: 474200
    CPU:: System: 13, User: 27
    Connections:: Recd: 15454, Processed: 50712, Rejected: 0
    Cache:: Hits: 0, Misses: 1634
    Net:: Input bytes: 874576, Output bytes: 117674893
    Misc:: Role: master, Connected Slaves: 8, Is Cluster?: no
    If trying to use this variation, to try and get it to connect on the Unix socket, it doesn't work at all, so I don't think mod_socache_redis supports Unix sockets, which were introduced in later versions of Redis:
    [CODE=apacheconf]SSLSessionCache redis:/var/redis/redis7.sock:0[/CODE]
    [socache_redis:error] [pid 6693:tid 47472699696896] (11)Resource temporarily unavailable: AH03479: scache_rd: 'retrieve' FAIL
    If I try leaving out the socket 0 or port altogether, with this variation (which works from SSH to connect with redis-cli), it throws an error and Redis redirects the connection to its default port of 6379, which in my case won't work as the default instance is configured to use a Unix socket only for better performance:
    [CODE=apacheconf]SSLSessionCache redis:/var/redis/redis7[/CODE]
    [socache_redis:crit] [pid 18404:tid 47711874364480] (22)Invalid argument: AH03474: Failed to Parse redis Server: '/var/redis/redis7.sock:0'
    So it seems like you can use a TCP port or TCP socket such as 6379, 6385 etc., but not a 50% or so faster Unix type socket. It doesn't look like Apache mod_socache_redis supports password authentication, but at least you can bind your Redis instance to 127.0.0.1 and keep it from being accessed from the internet. That said, when I did get it working with a live connection to my Redis TCP socket, it doesn't seem to actually store anything. I found that if I set either RedisConnPoolTTL or RedisTimeout to 0 to disable timeouts as per the documentation, it breaks; that was what seemed to keep causing the connection to switch off and on. If commented out or set to actual values, the mod_socache connection was stable. So with this in the Pre VirtualHost configuration include file, it stays connected, no errors, works with no set password, works with a TCP socket or port only, but doesn't store any keys in its cache:
    [code=apache]
    # configure shared object cache provider mod_socache_redis on TCP Socket
    SSLSessionCache redis:/var/redis/redis7.sock:6385
    # Set the time to keep idle connections with the Redis server(s) alive (threaded platforms only).
    # Valid values for RedisConnPoolTTL are times up to one hour. 0 means no timeout.
    # Set a timeout of 60 minutes
    RedisConnPoolTTL 60min
    # Set the Read/Write timeout used for the connection with the Redis server(s).
    # Valid values for RedisTimeout are times up to one hour. 0 means no timeout.
    # Set a timeout of 60 minutes
    RedisTimeout 60min
    [/code]
    0
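The findings in the post above about what the `redis:` provider string accepts can be turned into a pre-flight check that runs before `apachectl -t`. The following is an added example, not Apache or cPanel code: the `host:port[,host:port]` shape comes from the Apache example quoted earlier in the thread, while the policy it enforces is this example's own. It flags a filesystem path where a TCP host:port is expected (the AH03474 parse failure seen above), rejects port 0, and flags any non-loopback host, since the only directives the post lists for this provider (RedisConnPoolTTL, RedisTimeout) carry no credential, so the only protection left for the session data is keeping Redis bound to 127.0.0.1, as the poster notes.

```python
import ipaddress
import re

# Accepted shape "redis:host:port[,host:port]" follows the Apache example quoted in
# the thread; the checks below are this example's own policy, not an httpd feature.
DIRECTIVE_RE = re.compile(r"^\s*SSLSessionCache\s+redis:(?P<servers>\S+)\s*$")


def parse_redis_spec(directive):
    """Split an 'SSLSessionCache redis:...' line into a list of (host, port) pairs."""
    m = DIRECTIVE_RE.match(directive)
    if not m:
        raise ValueError("not an 'SSLSessionCache redis:...' directive")
    servers = []
    for item in m.group("servers").split(","):
        # rpartition so an IPv6 literal such as ::1:6379 keeps its colons in the host part
        host, sep, port = item.rpartition(":")
        if not sep or not host or not port.isdigit():
            raise ValueError(f"server entry {item!r} is not host:port")
        servers.append((host, int(port)))
    return servers


def is_loopback(host):
    """True for 'localhost' or a loopback address literal; hostnames are treated as remote."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # a DNS name, not an address literal
        return False


def check_redis_spec(directive):
    """Return a list of findings; an empty list means the spec is well-formed and local-only."""
    findings = []
    for host, port in parse_redis_spec(directive):
        where = f"{host}:{port}"
        if host.startswith("/"):
            # The thread's log shows AH03474 'Failed to Parse redis Server' for a socket path.
            findings.append(f"{where}: host is a filesystem path; the provider expects a TCP host:port")
            continue
        if not 1 <= port <= 65535:
            findings.append(f"{where}: port {port} is not a usable TCP port")
        if not is_loopback(host):
            # No credential directive exists for this provider, so a non-local Redis
            # receives TLS session data with nothing but network controls in front of it.
            findings.append(f"{where}: not loopback; session cache traffic would reach an unauthenticated Redis over the network")
    return findings


if __name__ == "__main__":
    for line in (
        "SSLSessionCache redis:127.0.0.1:6385",
        "SSLSessionCache redis:/var/redis/redis7.sock:0",
        "SSLSessionCache redis:redis.example.com:12345,redis2.example.com:12345",
    ):
        print(line, "->", check_redis_spec(line) or "ok")
```

The three sample directives are the ones that appear in this thread; `127.0.0.1:6385` is the only one that passes, the socket path is rejected the same way the module rejected it, and the two-host example from the Apache docs is reported because it would send session data to remote Redis instances that cannot require a password from this module.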
  • cPanelLauren
    I spent some time researching this for you last week and came up with almost nothing. This really isn't well documented. I'm glad you were able to make progress though.
    0
