From 1112f4c14f64123c40f13a54419c1b7444092353 Mon Sep 17 00:00:00 2001
From: David Manzano
Date: Mon, 8 Sep 2025 15:34:46 -0500
Subject: [PATCH 1/3] Allow passwordless Redis connections
---
 core/files/entrypoint.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/core/files/entrypoint.sh b/core/files/entrypoint.sh
index 3cd3c03..7da728c 100755
--- a/core/files/entrypoint.sh
+++ b/core/files/entrypoint.sh
@@ -15,7 +15,7 @@ export MYSQL_DATABASE=${MYSQL_DATABASE:-misp}
 export MYSQL_CMD="mysql -u $MYSQL_USER -p$MYSQL_PASSWORD -P $MYSQL_PORT -h $MYSQL_HOST -r -N $MYSQL_DATABASE"
 export REDIS_HOST=${REDIS_HOST:-redis}
 export REDIS_PORT=${REDIS_PORT:-6379}
-export REDIS_PASSWORD=${REDIS_PASSWORD:-redispassword}
+export REDIS_PASSWORD=${REDIS_PASSWORD:-}
 export BASE_URL=${BASE_URL:-https://localhost}
 export DISABLE_IPV6=${DISABLE_IPV6:-false}
 export DISABLE_SSL_REDIRECT=${DISABLE_SSL_REDIRECT:-false}
From 23a068b6cb1d81e1a8504e52c0dcf12f57409c19 Mon Sep 17 00:00:00 2001
From: David Manzano
Date: Mon, 8 Sep 2025 18:13:35 -0500
Subject: [PATCH 2/3] Configure php session path according to the redis configuration
---
 core/files/entrypoint_fpm.sh | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/core/files/entrypoint_fpm.sh b/core/files/entrypoint_fpm.sh
index a319a4c..3de2e59 100755
--- a/core/files/entrypoint_fpm.sh
+++ b/core/files/entrypoint_fpm.sh
@@ -26,8 +26,13 @@ change_php_vars() {
 echo "Configure PHP | Setting 'max_input_time = ${PHP_MAX_INPUT_TIME}'"
 sed -i "s/max_input_time = .*/max_input_time = ${PHP_MAX_INPUT_TIME}/" "$FILE"
 sed -i "s/session.save_handler = .*/session.save_handler = redis/" "$FILE"
- echo "Configure PHP | Setting 'session.save_path = '$(echo $REDIS_HOST | grep -E '^\w+://' || echo tcp://$REDIS_HOST):$REDIS_PORT?auth=${ESCAPED}'"
- sed -i "s|.*session.save_path = .*|session.save_path = '$(echo $REDIS_HOST | grep -E '^\w+://' || echo tcp://$REDIS_HOST):$REDIS_PORT?auth=${ESCAPED}'|" "$FILE"
+ if [[ -n "$REDIS_PASSWORD" ]]; then
+ echo "Configure PHP | Setting 'session.save_path = '$(echo $REDIS_HOST | grep -E '^\w+://' || echo tcp://$REDIS_HOST):$REDIS_PORT?auth=${ESCAPED}'"
+ sed -i "s|.*session.save_path = .*|session.save_path = '$(echo $REDIS_HOST | grep -E '^\w+://' || echo tcp://$REDIS_HOST):$REDIS_PORT?auth=${ESCAPED}'|" "$FILE"
+ else
+ echo "Configure PHP | Setting 'session.save_path = '$(echo $REDIS_HOST | grep -E '^\w+://' || echo tcp://$REDIS_HOST):$REDIS_PORT'"
+ sed -i "s|.*session.save_path = .*|session.save_path = '$(echo $REDIS_HOST | grep -E '^\w+://' || echo tcp://$REDIS_HOST):$REDIS_PORT'|" "$FILE"
+ fi
 sed -i "s/session.sid_length = .*/session.sid_length = 64/" "$FILE"
 sed -i "s/session.use_strict_mode = .*/session.use_strict_mode = 1/" "$FILE"
 echo "Configure PHP | Setting 'date.timezone = ${PHP_TIMEZONE}'"
From e9c78b18190626607072410076b9479e27740fc3 Mon Sep 17 00:00:00 2001
From: David Manzano
Date: Wed, 17 Sep 2025 14:20:20 -0500
Subject: [PATCH 3/3] Adding REDIS_ENABLE_EMPTY_PASSWORD guard suggested by @ostefano
---
 README.md | 5 +++++
 core/files/entrypoint.sh | 10 +++++++++-
 core/files/entrypoint_fpm.sh | 9 ++++++---
 docker-compose.yml | 22 +++++++++++++++++++-
 experimental/podman-systemd/redis.container | 4 ++--
 template.env | 2 ++
 6 files changed, 44 insertions(+), 8 deletions(-)
diff --git a/README.md b/README.md
index da2c2d1..2667028 100644
--- a/README.md
+++ b/README.md
@@ -248,6 +248,11 @@ Set the Redis password:
 REDIS_PASSWORD=
 ```
+Enable passwordless Redis connection (defaults to false for security):
+```bash
+ENABLE_REDIS_EMPTY_PASSWORD=false
+```
+
 Set the base URL:
 ```bash
 BASE_URL=https://:10443
diff --git a/core/files/entrypoint.sh b/core/files/entrypoint.sh
index 7da728c..b56e658 100755
--- a/core/files/entrypoint.sh
+++ b/core/files/entrypoint.sh
@@ -15,7 +15,15 @@ export MYSQL_DATABASE=${MYSQL_DATABASE:-misp}
 export MYSQL_CMD="mysql -u $MYSQL_USER -p$MYSQL_PASSWORD -P $MYSQL_PORT -h $MYSQL_HOST -r -N $MYSQL_DATABASE"
 export REDIS_HOST=${REDIS_HOST:-redis}
 export REDIS_PORT=${REDIS_PORT:-6379}
-export REDIS_PASSWORD=${REDIS_PASSWORD:-}
+export ENABLE_REDIS_EMPTY_PASSWORD=${ENABLE_REDIS_EMPTY_PASSWORD:-false}
+
+# Set Redis password based on ENABLE_REDIS_EMPTY_PASSWORD setting
+if [ "$ENABLE_REDIS_EMPTY_PASSWORD" = "true" ]; then
+ # This still need to be set to empty string to ensure all places where it's used got the correct value
+ export REDIS_PASSWORD=""
+else
+ export REDIS_PASSWORD=${REDIS_PASSWORD:-redispassword}
+fi
 export BASE_URL=${BASE_URL:-https://localhost}
 export DISABLE_IPV6=${DISABLE_IPV6:-false}
 export DISABLE_SSL_REDIRECT=${DISABLE_SSL_REDIRECT:-false}
diff --git a/core/files/entrypoint_fpm.sh b/core/files/entrypoint_fpm.sh
index 3de2e59..00848c3 100755
--- a/core/files/entrypoint_fpm.sh
+++ b/core/files/entrypoint_fpm.sh
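Review bot: In the new `if` block, `ENABLE_REDIS_EMPTY_PASSWORD=true` silently overwrites any `REDIS_PASSWORD` the operator also exported with `""`, and in the `else` branch an unset `REDIS_PASSWORD` silently becomes the published default `redispassword`; both are exactly the situations a deployer needs to be told about. A one-line warning in each branch keeps the behaviour while making the downgrade visible: `if [ -n "${REDIS_PASSWORD:-}" ]; then echo "WARNING: ENABLE_REDIS_EMPTY_PASSWORD=true, ignoring REDIS_PASSWORD" >&2; fi` before `export REDIS_PASSWORD=""`, and `if [ -z "${REDIS_PASSWORD:-}" ]; then echo "WARNING: REDIS_PASSWORD unset, falling back to the well-known default" >&2; fi` before the `else` export. The `= "true"` comparison is case-sensitive, so `True`, `TRUE` or `1` land in the password branch; the compose and Quadlet files in this series compare the same way, which is at least consistent, but the README entry should say the literal `true` is required. The added comment also has a grammar slip: `This still need` should read `This still needs`.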
@@ -26,12 +26,15 @@ change_php_vars() {
 echo "Configure PHP | Setting 'max_input_time = ${PHP_MAX_INPUT_TIME}'"
 sed -i "s/max_input_time = .*/max_input_time = ${PHP_MAX_INPUT_TIME}/" "$FILE"
 sed -i "s/session.save_handler = .*/session.save_handler = redis/" "$FILE"
- if [[ -n "$REDIS_PASSWORD" ]]; then
+ if [[ "$ENABLE_REDIS_EMPTY_PASSWORD" = "true" ]]; then
+ echo "Configure PHP | Setting 'session.save_path = '$(echo $REDIS_HOST | grep -E '^\w+://' || echo tcp://$REDIS_HOST):$REDIS_PORT' (passwordless)"
+ sed -i "s|.*session.save_path = .*|session.save_path = '$(echo $REDIS_HOST | grep -E '^\w+://' || echo tcp://$REDIS_HOST):$REDIS_PORT'|" "$FILE"
+ elif [[ -n "$REDIS_PASSWORD" ]]; then
 echo "Configure PHP | Setting 'session.save_path = '$(echo $REDIS_HOST | grep -E '^\w+://' || echo tcp://$REDIS_HOST):$REDIS_PORT?auth=${ESCAPED}'"
 sed -i "s|.*session.save_path = .*|session.save_path = '$(echo $REDIS_HOST | grep -E '^\w+://' || echo tcp://$REDIS_HOST):$REDIS_PORT?auth=${ESCAPED}'|" "$FILE"
 else
- echo "Configure PHP | Setting 'session.save_path = '$(echo $REDIS_HOST | grep -E '^\w+://' || echo tcp://$REDIS_HOST):$REDIS_PORT'"
- sed -i "s|.*session.save_path = .*|session.save_path = '$(echo $REDIS_HOST | grep -E '^\w+://' || echo tcp://$REDIS_HOST):$REDIS_PORT'|" "$FILE"
+ echo "ERROR: REDIS_PASSWORD is not set but ENABLE_REDIS_EMPTY_PASSWORD is false. Please set REDIS_PASSWORD or enable ENABLE_REDIS_EMPTY_PASSWORD=true for passwordless Redis."
+ exit 1
 fi
 sed -i "s/session.sid_length = .*/session.sid_length = 64/" "$FILE"
 sed -i "s/session.use_strict_mode = .*/session.use_strict_mode = 1/" "$FILE"
diff --git a/docker-compose.yml b/docker-compose.yml
index b36a3c6..af75b4a 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
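Review bot: The new `else` / `exit 1` branch looks unreachable in the shipped configuration: `entrypoint.sh` in this same series exports `REDIS_PASSWORD=${REDIS_PASSWORD:-redispassword}` whenever the flag is not `true`, so if `entrypoint_fpm.sh` runs after those exports (the shared variable names suggest it does, please confirm) an operator who leaves `REDIS_PASSWORD` unset gets the well-known default rather than this error, and the message promises a check that never fires. Separately, the `$(echo $REDIS_HOST | grep -E '^\w+://' || echo tcp://$REDIS_HOST):$REDIS_PORT` expression is now repeated six times across the three branches with `$REDIS_HOST` unquoted each time; computing it once and running a single `sed` afterwards leaves only the `?auth=` suffix to differ between branches, and lets the path be logged before the auth token is appended (the existing `echo` in the password branch prints `?auth=${ESCAPED}` to the container log). The error message should also go to stderr. `change_php_vars()` starts and ends outside this hunk.
```shell
  # … unchanged: max_input_time / session.save_handler …
  local save_path
  save_path="$(echo "$REDIS_HOST" | grep -E '^\w+://' || echo "tcp://$REDIS_HOST"):$REDIS_PORT"
  if [[ "$ENABLE_REDIS_EMPTY_PASSWORD" = "true" ]]; then
    echo "Configure PHP | Setting 'session.save_path = ${save_path}' (passwordless)"
  elif [[ -n "$REDIS_PASSWORD" ]]; then
    # Log the path without the credential; the token is only added to the value written to $FILE.
    echo "Configure PHP | Setting 'session.save_path = ${save_path}' (with auth)"
    save_path="${save_path}?auth=${ESCAPED}"
  else
    echo "ERROR: REDIS_PASSWORD is not set but ENABLE_REDIS_EMPTY_PASSWORD is false. Please set REDIS_PASSWORD or enable ENABLE_REDIS_EMPTY_PASSWORD=true for passwordless Redis." >&2
    exit 1
  fi
  sed -i "s|.*session.save_path = .*|session.save_path = '${save_path}'|" "$FILE"
  # … unchanged: session.sid_length / session.use_strict_mode …
```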
@@ -12,9 +12,26 @@ services:
 redis:
 image: valkey/valkey:7.2
- command: "--requirepass '${REDIS_PASSWORD:-redispassword}'"
+ command: |
+ sh -c '
+ if [ "$${ENABLE_REDIS_EMPTY_PASSWORD:-false}" = "true" ]; then
+ exec valkey-server
+ else
+ exec valkey-server --requirepass "$${REDIS_PASSWORD:-redispassword}"
+ fi
+ '
+ environment:
+ - "ENABLE_REDIS_EMPTY_PASSWORD=${ENABLE_REDIS_EMPTY_PASSWORD:-false}"
+ - "REDIS_PASSWORD=${REDIS_PASSWORD:-redispassword}"
 healthcheck:
- test: "valkey-cli -a '${REDIS_PASSWORD:-redispassword}' -p ${REDIS_PORT:-6379} ping | grep -q PONG || exit 1"
+ test: |
+ sh -c '
+ if [ "$${ENABLE_REDIS_EMPTY_PASSWORD:-false}" = "true" ]; then
+ valkey-cli -p $${REDIS_PORT:-6379} ping | grep -q PONG || exit 1
+ else
+ valkey-cli -a "$${REDIS_PASSWORD:-redispassword}" -p $${REDIS_PORT:-6379} ping | grep -q PONG || exit 1
+ fi
+ '
 interval: 2s
 timeout: 1s
 retries: 3
@@ -217,6 +234,7 @@ services:
 - "REDIS_HOST=${REDIS_HOST:-redis}"
 - "REDIS_PORT=${REDIS_PORT:-6379}"
 - "REDIS_PASSWORD=${REDIS_PASSWORD:-redispassword}"
+ - "ENABLE_REDIS_EMPTY_PASSWORD=${ENABLE_REDIS_EMPTY_PASSWORD:-false}"
 # debug setting
 - "DEBUG=${DEBUG}"
 # SMTP setting
diff --git a/experimental/podman-systemd/redis.container b/experimental/podman-systemd/redis.container
index 72a8b38..f787c4e 100644
--- a/experimental/podman-systemd/redis.container
+++ b/experimental/podman-systemd/redis.container
@@ -11,8 +11,8 @@ Image=docker.io/valkey/valkey:7.2
 Network=misp-net
 Volume=redis_data:/data
 PodmanArgs=--network-alias redis
-Exec=--requirepass ${REDIS_PASSWORD}
-HealthCmd=valkey-cli -a ${REDIS_PASSWORD} ping
+Exec=sh -c 'if [ "${ENABLE_REDIS_EMPTY_PASSWORD:-false}" = "true" ]; then exec valkey-server; else exec valkey-server --requirepass "${REDIS_PASSWORD}"; fi'
+HealthCmd=sh -c 'if [ "${ENABLE_REDIS_EMPTY_PASSWORD:-false}" = "true" ]; then valkey-cli ping; else valkey-cli -a "${REDIS_PASSWORD}" ping; fi'
 HealthInterval=2s
 HealthTimeout=1s
 HealthRetries=3
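Review bot: Wrapping the server start in `sh -c` changes what the image entrypoint receives as `$1`. The redis-derived `docker-entrypoint.sh` in the valkey image only `chown`s `/data` and drops to the unprivileged user via `gosu` when `$1` is the server binary or a `-`-prefixed flag it prepends the binary to (which is what the removed `command: "--requirepass ..."` relied on); with `sh` as `$1` it falls through to `exec "$@"`, so valkey would now run as root — please confirm against the entrypoint shipped in `valkey/valkey:7.2`. If that is the case, re-entering the entrypoint keeps the privilege drop with a two-line change: `exec docker-entrypoint.sh valkey-server` and `exec docker-entrypoint.sh valkey-server --requirepass "$${REDIS_PASSWORD:-redispassword}"`. The healthcheck passes the password as `-a` on a command line visible in `ps` inside the container and triggers the CLI's "not safe" warning on every probe; if valkey-cli honours `REDISCLI_AUTH` as redis-cli does, `REDISCLI_AUTH="$${REDIS_PASSWORD:-redispassword}" valkey-cli -p $${REDIS_PORT:-6379} ping` avoids both.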
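Review bot: The same `sh -c` wrapper in the new `Exec=` line bypasses the image entrypoint's user switch in the same way as the compose change (Quadlet still runs the image entrypoint with `Exec=` as its arguments), so `exec docker-entrypoint.sh valkey-server` / `exec docker-entrypoint.sh valkey-server --requirepass "${REDIS_PASSWORD}"` is the corresponding fix here, subject to the same check of the entrypoint. A second concern specific to this file: `${ENABLE_REDIS_EMPTY_PASSWORD:-false}` sits inside a systemd command line, where systemd expands `${VAR}` from the unit environment before podman runs (the removed `Exec=--requirepass ${REDIS_PASSWORD}` relied on exactly that); whether systemd also honours the `:-false` default depends on its version, and if it passes the text through unexpanded the container's `sh` evaluates a variable this unit does not pass in, so which branch runs would depend on the host. Exporting the flag explicitly, e.g. `Environment=ENABLE_REDIS_EMPTY_PASSWORD=${ENABLE_REDIS_EMPTY_PASSWORD}` with a plain `${ENABLE_REDIS_EMPTY_PASSWORD}` in the test, removes that ambiguity; please verify against the systemd version the experimental setup targets.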
diff --git a/template.env b/template.env
index c6f63e9..e672397 100644
--- a/template.env
+++ b/template.env
@@ -100,6 +100,8 @@ SYNCSERVERS_1_PULL_RULES=
 # REDIS_PORT=
 # remember to escape special character '$', e.g., 'test1%<$1323>' becomes 'test1%<$$1323>'
 # REDIS_PASSWORD=
+# Enable passwordless Redis connection (defaults to false for security)
+# ENABLE_REDIS_EMPTY_PASSWORD=false
 # These variables allows overriding some MISP email values.
 # They all default to ADMIN_EMAIL.