13

I'd like to disable protected-mode on my production Redis. According to the following error I got from my other Redis-Sentinel instance, I could disable it live by connecting to Redis from the master machine it runs on.

DENIED Redis is running in protected mode because protected mode is enabled, no bind address was specified, no authentication password is requested to clients. In this mode connections are only accepted from the loopback interface. If you want to connect from external computers to Redis you may adopt one of the following solutions:

1) Just disable protected mode sending the command 'CONFIG SET protected-mode no' from the loopback interface by connecting to Redis from the same host the server is running, however MAKE SURE Redis is not publicly accessible from internet if you do so. Use CONFIG REWRITE to make this change permanent.

2) Alternatively you can just disable the protected mode by editing the Redis configuration file, and setting the protected mode option to 'no', and then restarting the server.

3) If you started the server manually just for testing, restart it with the '--protected-mode no' option.

4) Setup a bind address or an authentication password.

NOTE: You only need to do one of the above things in order for the server to start accepting connections from the outside.

But when I connect and try to disable it, I get the error (error) ERR Unsupported CONFIG parameter: protected-mode.

There's no auth configured or anything else - all security is managed by firewall rules. The redis.conf is almost default.

Demo

root@svim-redis03 /etc/redis # redis-cli

127.0.0.1:6379> CONFIG GET protected*
(empty list or set)
127.0.0.1:6379> CONFIG GET bind*
1) "bind"
2) "127.0.0.1"
127.0.0.1:6379> CONFIG SET protected-mode no
(error) ERR Unsupported CONFIG parameter: protected-mode
127.0.0.1:6379> exit

root@svim-redis03 /etc/redis # redis-server --version
Redis server v=3.2.9 sha=00000000:0 malloc=jemalloc-4.0.3 bits=64 build=86450d2ba8219c1e

Is there anything I need to check or change before? I couldn't find any hint in the documentation or in GitHub issues.

Update 01

It's not even possible to change the bind-address or any other config parameter. Do I need to enable config changes first?

127.0.0.1:6379> config set bind "127.0.0.1 11.12.13.14"
(error) ERR Unsupported CONFIG parameter: bind

3 Answers

9

Turns out that the current server running isn't the same version as the binary I've installed.

How to reproduce this?

Simply connect via redis-cli to your redis instance and type INFO server, which returns a bunch of information.

127.0.0.1:6379> INFO server
# Server
redis_version:3.0.7
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:869e89100d5ea8c2
redis_mode:standalone
os:Linux 4.2.0-35-generic x86_64
arch_bits:64
multiplexing_api:epoll
gcc_version:4.8.4
process_id:26720
run_id:6645270dd2ac6a7f96caa054f9dbba9e66566755
tcp_port:6379
uptime_in_seconds:10971777
uptime_in_days:126
hz:10
lru_clock:6676576
config_file:/etc/redis/redis.conf

As you can see, this redis-instance has been running for almost 127 days and uses redis_version:3.0.7.

How to fix this?

Restart your server and be sure that you really restarted it! For example, with most Linux distros you can do so by running the following commands.

root@svim-redis03 ~ # service redis-server stop
Stopping redis-server: redis-server.

Check if it's really offline by trying to connect with redis-cli. If you can still connect, the instance is still running. Check this by searching for active redis processes.

root@svim-redis03 ~ # ps -efl |grep redis
1 S redis    12418     1  0  80   0 - 10673 ep_pol  2016 ?        05:33:17 /usr/bin/redis-server 127.0.0.1:6381
1 S redis    12442     1  0  80   0 - 11697 ep_pol  2016 ?        05:33:46 /usr/bin/redis-server 127.0.0.1:6382
1 S redis    12453     1  0  80   0 - 10673 ep_pol  2016 ?        05:40:17 /usr/bin/redis-server 127.0.0.1:6383
4 S root     16570 16386  0  80   0 -  2489 wait_w 10:42 pts/7    00:00:00 tail -f /var/log/redis/redis-server-6379.log
0 S root     17064 12637  0  80   0 -  3617 pipe_w 10:47 pts/1    00:00:00 grep --color=auto redis
1 S redis    26720     1  0  80   0 - 453041 ep_pol Mar07 ?       08:37:01 /usr/bin/redis-server 127.0.0.1:6379

As you can see there's still the instance (process id: 26720) running. Quit it with the following command.

kill 26720

After you've killed the process check again with ps -efl |grep redis if the instance is really down.

Finally start it again with

root@svim-redis03 ~ # service redis-server start
Starting redis-server: redis-server.

Now check if the instance is running with the correct version.

root@svim-redis03 ~ # redis-cli
127.0.0.1:6379> INFO server
# Server
redis_version:3.2.9
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:86450d2ba8219c1e
redis_mode:standalone
os:Linux 4.2.0-35-generic x86_64
arch_bits:64
multiplexing_api:epoll
gcc_version:4.8.4
process_id:17135
run_id:40d6fa2e2b25e8f5b97a3c97ec1bddb8edda0014
tcp_port:6379
uptime_in_seconds:11
uptime_in_days:0
hz:10
lru_clock:6677102
executable:/usr/bin/redis-server
config_file:/etc/redis/redis.conf
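
The mismatch described in this answer can be checked mechanically. The following is an added example, not part of the original answer: it compares the version reported by the running process with the installed binary, and flags a running version older than 3.2.0, the release that introduced protected-mode. The function names are hypothetical and the sample inputs are constructed by trimming the outputs shown on this page.

```shell
#!/bin/sh
# Constructed sample inputs, trimmed from the outputs shown on this page.
SAMPLE_INFO='# Server
redis_version:3.0.7
process_id:26720
uptime_in_days:126'
SAMPLE_BINARY='Redis server v=3.2.9 sha=00000000:0 malloc=jemalloc-4.0.3 bits=64 build=86450d2ba8219c1e'

# Version of the running process, parsed from `redis-cli INFO server` text.
running_version() {
    printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^redis_version://p'
}

# Version of the installed binary, parsed from `redis-server --version` text.
binary_version() {
    printf '%s\n' "$1" | sed -n 's/.* v=\([0-9.]*\).*/\1/p'
}

# Exit status 0 if version $1 >= version $2, comparing dotted fields numerically.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Prints one finding per line; prints nothing when the versions agree
# and the running server is new enough to know protected-mode.
check_drift() {
    run=$(running_version "$1"); bin=$(binary_version "$2")
    [ "$run" = "$bin" ] || echo "DRIFT running=$run installed=$bin (restart pending)"
    version_ge "$run" 3.2.0 || echo "NO_PROTECTED_MODE running=$run predates 3.2.0"
}

# Live use: check_drift "$(redis-cli INFO server)" "$(redis-server --version)"
check_drift "$SAMPLE_INFO" "$SAMPLE_BINARY"
```

A long-running process that predates a package upgrade also lacks whatever fixes the upgrade carried, so this check is worth running after every Redis update.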

0

I blame the error message for being vague. Let me elaborate, if it may help others. (I realize Thomas has answered his question himself, indicating that he was mistakenly connecting to the wrong server.)

First, I'm finding also that I get this Unsupported CONFIG parameter error when trying to do config set bind (which Thomas mentioned having tried also, in his update to the question).

It seems the problem there is that bind is a parameter that it seems cannot be changed via config set. I confirmed things on multiple servers, getting that very error (and nothing more).

As for when he tried to set protected-mode and got the same error (because it was not supported), a clue about that was when he did CONFIG GET protected* and it returned:

(empty list or set)

If the redis version did support it, it would have returned the current value (as yes or no). I confirmed getting that same error above when doing config set protected-mode on a version 3 implementation of Redis I still had.

Bottom line, that Unsupported CONFIG parameter error is quite vague, applying to at least two different situations: it can mean:

  • "the parameter is not defined in this redis version" (and a get will help confirm that) or
  • "the parameter is valid but cannot be changed via this command" (but I don't find any docs or feature that can help us know which parameters that applies to.)

Hope that may help someone else searching for help on this error.

0

Redis Reinstallation Process

  1. Remove the Existing Redis Installation: Run the following command to completely remove Redis along with its dependencies:
     sudo apt-get purge --auto-remove redis-server redis
  2. Terminate All Redis Processes: Use the command below to list and kill all Redis processes:
     ps aux | grep redis
  3. Configure the Bind Address: Edit the Redis configuration file to specify the IP addresses you want Redis to listen on:
     sudo nano /etc/redis/redis.conf

     Add the following lines, replacing 127.0.0.1 and 0.0.0.0 with your actual IP addresses:

     bind 127.0.0.1
     bind 0.0.0.0
  4. Install Redis Tools: To install additional Redis tools, run:
     sudo apt install redis-tools
  5. Restart the Redis Service: Finally, restart the Redis service to apply the changes:
     sudo systemctl restart redis

This should help clarify the steps involved in the Redis reinstallation process!
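
Before changing bind or protected-mode on a server with no password, it helps to see what the resulting configuration leaves reachable. The following is an added example, not code from any of the posts above: it classifies a redis.conf using the rule as worded in the DENIED message quoted in the question (other Redis versions may word the rule differently). The function name and result labels are hypothetical, addresses from all bind lines are pooled as a conservative assumption, and the sample config is constructed.

```shell
#!/bin/sh
# Classify a redis.conf read from stdin. Per the DENIED message on this page,
# protected mode restricts clients to loopback only when it is enabled AND
# no bind address is set AND no password is required.
audit_redis_conf() {
    awk '
        function loopback(a) {
            sub(/^-/, "", a)               # newer configs may prefix addresses with "-"
            return a ~ /^127\./ || a == "::1" || a == "localhost"
        }
        { sub(/\r$/, "") }
        $1 ~ /^#/ || NF == 0 { next }
        tolower($1) == "bind" {
            binds++                        # assumption: pool addresses from every bind line
            for (i = 2; i <= NF; i++) if (!loopback($i)) ext = 1
        }
        tolower($1) == "protected-mode" { pm = tolower($2) }
        tolower($1) == "requirepass" && NF >= 2 && $2 != "\"\"" { pass = 1 }
        END {
            if (pm == "") pm = "yes"       # default when the directive is absent (3.2+)
            if (pass)                       print "AUTH_REQUIRED"
            else if (binds && !ext)         print "LOOPBACK_ONLY"
            else if (!binds && pm == "yes") print "LOOPBACK_ONLY_VIA_PROTECTED_MODE"
            else                            print "OPEN_NO_AUTH"
        }'
}

# Constructed sample: a wildcard bind with no password configured.
SAMPLE_CONF='# constructed sample
bind 127.0.0.1
bind 0.0.0.0
port 6379'

# Live use: audit_redis_conf < /etc/redis/redis.conf
printf '%s\n' "$SAMPLE_CONF" | audit_redis_conf
```

OPEN_NO_AUTH means any client that can reach the port gets full access, so the firewall rules are the only remaining control and should be verified from an outside host.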