diff --git a/README.md b/README.md
index da2c2d1d..26670281 100644
--- a/README.md
+++ b/README.md
@@ -248,6 +248,11 @@ Set the Redis password:
 REDIS_PASSWORD=
 ```
+Enable passwordless Redis connection (defaults to false for security):
+```bash
+ENABLE_REDIS_EMPTY_PASSWORD=false
+```
+
 Set the base URL:
 ```bash
 BASE_URL=https://:10443
diff --git a/core/files/entrypoint.sh b/core/files/entrypoint.sh
index 3cd3c031..b56e6584 100755
--- a/core/files/entrypoint.sh
+++ b/core/files/entrypoint.sh
@@ -15,7 +15,15 @@ export MYSQL_DATABASE=${MYSQL_DATABASE:-misp}
 export MYSQL_CMD="mysql -u $MYSQL_USER -p$MYSQL_PASSWORD -P $MYSQL_PORT -h $MYSQL_HOST -r -N $MYSQL_DATABASE"
 export REDIS_HOST=${REDIS_HOST:-redis}
 export REDIS_PORT=${REDIS_PORT:-6379}
-export REDIS_PASSWORD=${REDIS_PASSWORD:-redispassword}
+export ENABLE_REDIS_EMPTY_PASSWORD=${ENABLE_REDIS_EMPTY_PASSWORD:-false}
+
+# Set Redis password based on ENABLE_REDIS_EMPTY_PASSWORD setting
+if [ "$ENABLE_REDIS_EMPTY_PASSWORD" = "true" ]; then
+ # This still need to be set to empty string to ensure all places where it's used got the correct value
+ export REDIS_PASSWORD=""
+else
+ export REDIS_PASSWORD=${REDIS_PASSWORD:-redispassword}
+fi
 export BASE_URL=${BASE_URL:-https://localhost}
 export DISABLE_IPV6=${DISABLE_IPV6:-false}
 export DISABLE_SSL_REDIRECT=${DISABLE_SSL_REDIRECT:-false}
diff --git a/core/files/entrypoint_fpm.sh b/core/files/entrypoint_fpm.sh
index a319a4ca..00848c39 100755
--- a/core/files/entrypoint_fpm.sh
+++ b/core/files/entrypoint_fpm.sh
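Review bot: Any REDIS_PASSWORD the operator exported is discarded without a word in the `true` branch of the new `if`, so a deployment that set a password but also left ENABLE_REDIS_EMPTY_PASSWORD on ends up talking to an unauthenticated Redis while its owner believes it is protected; a one-line diagnostic before the assignment makes that visible, e.g. `if [ -n "$REDIS_PASSWORD" ]; then echo "WARNING: REDIS_PASSWORD ignored because ENABLE_REDIS_EMPTY_PASSWORD=true" >&2; fi`. The comparison is case-sensitive, so `True` or `1` fall through to the password branch — the fail-closed direction, but worth stating in the comment so nobody "fixes" it. The comment above the empty assignment also reads `This still need to be set`; suggest `This still needs to be set to an empty string so every consumer sees a consistent value`. These lines are top-level statements with no enclosing function.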
@@ -26,8 +26,16 @@ change_php_vars() {
 echo "Configure PHP | Setting 'max_input_time = ${PHP_MAX_INPUT_TIME}'"
 sed -i "s/max_input_time = .*/max_input_time = ${PHP_MAX_INPUT_TIME}/" "$FILE"
 sed -i "s/session.save_handler = .*/session.save_handler = redis/" "$FILE"
- echo "Configure PHP | Setting 'session.save_path = '$(echo $REDIS_HOST | grep -E '^\w+://' || echo tcp://$REDIS_HOST):$REDIS_PORT?auth=${ESCAPED}'"
- sed -i "s|.*session.save_path = .*|session.save_path = '$(echo $REDIS_HOST | grep -E '^\w+://' || echo tcp://$REDIS_HOST):$REDIS_PORT?auth=${ESCAPED}'|" "$FILE"
+ if [[ "$ENABLE_REDIS_EMPTY_PASSWORD" = "true" ]]; then
+ echo "Configure PHP | Setting 'session.save_path = '$(echo $REDIS_HOST | grep -E '^\w+://' || echo tcp://$REDIS_HOST):$REDIS_PORT' (passwordless)"
+ sed -i "s|.*session.save_path = .*|session.save_path = '$(echo $REDIS_HOST | grep -E '^\w+://' || echo tcp://$REDIS_HOST):$REDIS_PORT'|" "$FILE"
+ elif [[ -n "$REDIS_PASSWORD" ]]; then
+ echo "Configure PHP | Setting 'session.save_path = '$(echo $REDIS_HOST | grep -E '^\w+://' || echo tcp://$REDIS_HOST):$REDIS_PORT?auth=${ESCAPED}'"
+ sed -i "s|.*session.save_path = .*|session.save_path = '$(echo $REDIS_HOST | grep -E '^\w+://' || echo tcp://$REDIS_HOST):$REDIS_PORT?auth=${ESCAPED}'|" "$FILE"
+ else
+ echo "ERROR: REDIS_PASSWORD is not set but ENABLE_REDIS_EMPTY_PASSWORD is false. Please set REDIS_PASSWORD or enable ENABLE_REDIS_EMPTY_PASSWORD=true for passwordless Redis."
+ exit 1
+ fi
 sed -i "s/session.sid_length = .*/session.sid_length = 64/" "$FILE"
 sed -i "s/session.use_strict_mode = .*/session.use_strict_mode = 1/" "$FILE"
 echo "Configure PHP | Setting 'date.timezone = ${PHP_TIMEZONE}'"
diff --git a/docker-compose.yml b/docker-compose.yml
index b36a3c60..af75b4a6 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
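Review bot: The `else` branch reports a fatal configuration problem with a plain `echo`, so the message lands on stdout among the routine `Configure PHP |` progress lines; it should go to stderr (`>&2`) before the `exit 1`. Since core/files/entrypoint.sh in this same commit always exports a non-empty REDIS_PASSWORD (falling back to `redispassword`) unless the flag is `true`, that branch looks reachable only when change_php_vars runs without that export — worth confirming it is an intended guard rather than dead code. As a matter of style, the `$(echo $REDIS_HOST | grep -E '^\w+://' || echo tcp://$REDIS_HOST):$REDIS_PORT` expression is now repeated four times; computing it once into a local keeps the three branches readable and gives a single place to quote `$REDIS_HOST`. change_php_vars starts before and ends after this hunk.
```shell
  # Redis DSN without credentials; the auth query string is appended per branch below
  local save_path
  save_path="$(echo "$REDIS_HOST" | grep -E '^\w+://' || echo "tcp://$REDIS_HOST"):$REDIS_PORT"
  if [[ "$ENABLE_REDIS_EMPTY_PASSWORD" = "true" ]]; then
    echo "Configure PHP | Setting 'session.save_path = '${save_path}' (passwordless)"
    sed -i "s|.*session.save_path = .*|session.save_path = '${save_path}'|" "$FILE"
  elif [[ -n "$REDIS_PASSWORD" ]]; then
    echo "Configure PHP | Setting 'session.save_path = '${save_path}?auth=${ESCAPED}'"
    sed -i "s|.*session.save_path = .*|session.save_path = '${save_path}?auth=${ESCAPED}'|" "$FILE"
  else
    echo "ERROR: REDIS_PASSWORD is not set but ENABLE_REDIS_EMPTY_PASSWORD is false. Please set REDIS_PASSWORD or enable ENABLE_REDIS_EMPTY_PASSWORD=true for passwordless Redis." >&2
    exit 1
  fi
  # … unchanged: sid_length / use_strict_mode / date.timezone settings …
```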
@@ -12,9 +12,26 @@ services:
 redis:
 image: valkey/valkey:7.2
- command: "--requirepass '${REDIS_PASSWORD:-redispassword}'"
+ command: |
+ sh -c '
+ if [ "$${ENABLE_REDIS_EMPTY_PASSWORD:-false}" = "true" ]; then
+ exec valkey-server
+ else
+ exec valkey-server --requirepass "$${REDIS_PASSWORD:-redispassword}"
+ fi
+ '
+ environment:
+ - "ENABLE_REDIS_EMPTY_PASSWORD=${ENABLE_REDIS_EMPTY_PASSWORD:-false}"
+ - "REDIS_PASSWORD=${REDIS_PASSWORD:-redispassword}"
 healthcheck:
- test: "valkey-cli -a '${REDIS_PASSWORD:-redispassword}' -p ${REDIS_PORT:-6379} ping | grep -q PONG || exit 1"
+ test: |
+ sh -c '
+ if [ "$${ENABLE_REDIS_EMPTY_PASSWORD:-false}" = "true" ]; then
+ valkey-cli -p $${REDIS_PORT:-6379} ping | grep -q PONG || exit 1
+ else
+ valkey-cli -a "$${REDIS_PASSWORD:-redispassword}" -p $${REDIS_PORT:-6379} ping | grep -q PONG || exit 1
+ fi
+ '
 interval: 2s
 timeout: 1s
 retries: 3
@@ -217,6 +234,7 @@ services:
 - "REDIS_HOST=${REDIS_HOST:-redis}"
 - "REDIS_PORT=${REDIS_PORT:-6379}"
 - "REDIS_PASSWORD=${REDIS_PASSWORD:-redispassword}"
+ - "ENABLE_REDIS_EMPTY_PASSWORD=${ENABLE_REDIS_EMPTY_PASSWORD:-false}"
 # debug setting
 - "DEBUG=${DEBUG}"
 # SMTP setting
diff --git a/experimental/podman-systemd/redis.container b/experimental/podman-systemd/redis.container
index 72a8b382..f787c4ec 100644
--- a/experimental/podman-systemd/redis.container
+++ b/experimental/podman-systemd/redis.container
@@ -11,8 +11,8 @@ Image=docker.io/valkey/valkey:7.2
 Network=misp-net
 Volume=redis_data:/data
 PodmanArgs=--network-alias redis
-Exec=--requirepass ${REDIS_PASSWORD}
-HealthCmd=valkey-cli -a ${REDIS_PASSWORD} ping
+Exec=sh -c 'if [ "${ENABLE_REDIS_EMPTY_PASSWORD:-false}" = "true" ]; then exec valkey-server; else exec valkey-server --requirepass "${REDIS_PASSWORD}"; fi'
+HealthCmd=sh -c 'if [ "${ENABLE_REDIS_EMPTY_PASSWORD:-false}" = "true" ]; then valkey-cli ping; else valkey-cli -a "${REDIS_PASSWORD}" ping; fi'
 HealthInterval=2s
 HealthTimeout=1s
 HealthRetries=3
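Review bot: The redis service's new `command:` most likely stops the image from dropping privileges: the valkey image's docker-entrypoint.sh, like the redis one it derives from, only chowns the data directory and re-executes as the unprivileged user when the first argument is `valkey-server`, and here the first argument is now `sh` — please confirm against the image. If so, calling the entrypoint explicitly inside both branches, e.g. `exec docker-entrypoint.sh valkey-server` and `exec docker-entrypoint.sh valkey-server --requirepass "$${REDIS_PASSWORD:-redispassword}"`, keeps the privilege drop. The healthcheck's `-a "$${REDIS_PASSWORD:-redispassword}"` places the password on a command line readable via `ps` inside the container (pre-existing, but now repeated); `valkey-cli`, like `redis-cli`, reads `REDISCLI_AUTH` from the environment, so `REDISCLI_AUTH="$${REDIS_PASSWORD:-redispassword}" valkey-cli -p $${REDIS_PORT:-6379} ping` avoids that. The string form of `test:` is already executed through `sh -c` by compose, so the nested `sh -c '…'` wrapper in the healthcheck is redundant and could be dropped.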
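Review bot: In the new Exec= and HealthCmd= lines `${REDIS_PASSWORD}` is spliced into the text of a shell script rather than delivered as one argument: if, as the old `--requirepass ${REDIS_PASSWORD}` form relies on, systemd expands `${VAR}` in the generated ExecStart before podman sees it, a password containing `"`, `$` or a backtick now breaks the inner `sh -c` script or is interpreted by it. Writing `$${REDIS_PASSWORD}` and `$${ENABLE_REDIS_EMPTY_PASSWORD:-false}` instead (systemd's literal-dollar escape, the same trick the docker-compose.yml change in this commit uses) lets the inner sh read the values from the container environment — provided the unit also passes them into the container, which only the Environment= lines outside this hunk would show. I am also not certain systemd's expansion honours the `:-false` default form; if it does not, an unset flag compares as an empty string and falls through to the password branch, which fails closed but silently. Worth exercising both flag settings with a password that contains a double quote before this leaves experimental/.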
diff --git a/template.env b/template.env
index c6f63e94..e672397b 100644
--- a/template.env
+++ b/template.env
@@ -100,6 +100,8 @@ SYNCSERVERS_1_PULL_RULES=
 # REDIS_PORT=
 # remember to escape special character '$', e.g., 'test1%<$1323>' becomes 'test1%<$$1323>'
 # REDIS_PASSWORD=
+# Enable passwordless Redis connection (defaults to false for security)
+# ENABLE_REDIS_EMPTY_PASSWORD=false
 # These variables allows overriding some MISP email values.
 # They all default to ADMIN_EMAIL.