Redis protected-mode

Redis protected-mode 是3.2 之后加入的新特性，在redis.conf的注释中，我们可以了解到，他的具体作用和启用条件：

# Protected mode is a layer of security protection, in order to avoid that
# Redis instances left open on the internet are accessed and exploited.
#
# When protected mode is on and if:
#
# 1) The server is not binding explicitly to a set of addresses using the
#    "bind" directive.
# 2) No password is configured.
#
# The server only accepts connections from clients connecting from the
# IPv4 and IPv6 loopback addresses 127.0.0.1 and ::1, and from Unix domain
# sockets.
#
# By default protected mode is enabled. You should disable it only if
# you are sure you want clients from other hosts to connect to Redis
# even if no authentication is configured, nor a specific set of interfaces
# are explicitly listed using the "bind" directive.
protected-mode yes  

可以看到 Protected-mode 是为了禁止公网访问redis cache，加强redis安全的。

它启用的条件，有两个：

• 1) 没有bind IP
• 2) 没有设置访问密码

如果启用了，则只能够通过lookback ip（127.0.0.1）访问 Redis，如果从外网访问，则会返回相应的错误信息：

(error) DENIED Redis is running in protected mode because protected mode is enabled...

建议：不要手动关闭Protected-mode，养成设置密码的习惯！

在配置 Redis 的 Sentinel 集群时，哨兵之间不能通信，不能进行主节点客观下线的判断，以及failover等问题都可能是开启了保护模式导致的，只需要在sentinel.conf中加入了protected-mode no，就可以解决。

sentinel.conf protected-mode 部分摘要如下：

# *** IMPORTANT ***
#
# By default Sentinel will not be reachable from interfaces different than
# localhost, either use the 'bind' directive to bind to a list of network
# interfaces, or disable protected mode with "protected-mode no" by
# adding it to this configuration file.
#
# Before doing that MAKE SURE the instance is protected from the outside
# world via firewalling or other means.
#
# For example you may use one of the following:
#
# bind 127.0.0.1 192.168.1.1
#
# protected-mode no