Allow passwordless Redis connections

README.md

@@ -248,6 +248,11 @@ Set the Redis password:
 REDIS_PASSWORD=
 ```
 
+Enable passwordless Redis connection (defaults to false for security):
+```bash
+ENABLE_REDIS_EMPTY_PASSWORD=false
+```
+
 Set the base URL:
 ```bash
 BASE_URL=https://<IP>:10443

core/files/entrypoint.sh

@@ -15,7 +15,15 @@ export MYSQL_DATABASE=${MYSQL_DATABASE:-misp}
 export MYSQL_CMD="mysql -u $MYSQL_USER -p$MYSQL_PASSWORD -P $MYSQL_PORT -h $MYSQL_HOST -r -N $MYSQL_DATABASE"
 export REDIS_HOST=${REDIS_HOST:-redis}
 export REDIS_PORT=${REDIS_PORT:-6379}
-export REDIS_PASSWORD=${REDIS_PASSWORD:-redispassword}
+export ENABLE_REDIS_EMPTY_PASSWORD=${ENABLE_REDIS_EMPTY_PASSWORD:-false}
+
+# Set Redis password based on ENABLE_REDIS_EMPTY_PASSWORD setting
+if [ "$ENABLE_REDIS_EMPTY_PASSWORD" = "true" ]; then
+    # This still need to be set to empty string to ensure all places where it's used got the correct value
+    export REDIS_PASSWORD=""
+else
+    export REDIS_PASSWORD=${REDIS_PASSWORD:-redispassword}
+fi
 export BASE_URL=${BASE_URL:-https://localhost}
 export DISABLE_IPV6=${DISABLE_IPV6:-false}
 export DISABLE_SSL_REDIRECT=${DISABLE_SSL_REDIRECT:-false}

core/files/entrypoint_fpm.sh

@@ -26,8 +26,16 @@ change_php_vars() {
         echo "Configure PHP | Setting 'max_input_time = ${PHP_MAX_INPUT_TIME}'"
         sed -i "s/max_input_time = .*/max_input_time = ${PHP_MAX_INPUT_TIME}/" "$FILE"
         sed -i "s/session.save_handler = .*/session.save_handler = redis/" "$FILE"
-        echo "Configure PHP | Setting 'session.save_path = '$(echo $REDIS_HOST | grep -E '^\w+://' || echo tcp://$REDIS_HOST):$REDIS_PORT?auth=${ESCAPED}'"
-        sed -i "s|.*session.save_path = .*|session.save_path = '$(echo $REDIS_HOST | grep -E '^\w+://' || echo tcp://$REDIS_HOST):$REDIS_PORT?auth=${ESCAPED}'|" "$FILE"
+        if [[ "$ENABLE_REDIS_EMPTY_PASSWORD" = "true" ]]; then
+            echo "Configure PHP | Setting 'session.save_path = '$(echo $REDIS_HOST | grep -E '^\w+://' || echo tcp://$REDIS_HOST):$REDIS_PORT' (passwordless)"
+            sed -i "s|.*session.save_path = .*|session.save_path = '$(echo $REDIS_HOST | grep -E '^\w+://' || echo tcp://$REDIS_HOST):$REDIS_PORT'|" "$FILE"
+        elif [[ -n "$REDIS_PASSWORD" ]]; then
+            echo "Configure PHP | Setting 'session.save_path = '$(echo $REDIS_HOST | grep -E '^\w+://' || echo tcp://$REDIS_HOST):$REDIS_PORT?auth=${ESCAPED}'"
+            sed -i "s|.*session.save_path = .*|session.save_path = '$(echo $REDIS_HOST | grep -E '^\w+://' || echo tcp://$REDIS_HOST):$REDIS_PORT?auth=${ESCAPED}'|" "$FILE"
+        else
+            echo "ERROR: REDIS_PASSWORD is not set but ENABLE_REDIS_EMPTY_PASSWORD is false. Please set REDIS_PASSWORD or enable ENABLE_REDIS_EMPTY_PASSWORD=true for passwordless Redis."
+            exit 1
+        fi
         sed -i "s/session.sid_length = .*/session.sid_length = 64/" "$FILE"
         sed -i "s/session.use_strict_mode = .*/session.use_strict_mode = 1/" "$FILE"
         echo "Configure PHP | Setting 'date.timezone = ${PHP_TIMEZONE}'"

docker-compose.yml

@@ -12,9 +12,26 @@ services:
 
   redis:
     image: valkey/valkey:7.2
-    command: "--requirepass '${REDIS_PASSWORD:-redispassword}'"
+    command: |
+      sh -c '
+        if [ "$${ENABLE_REDIS_EMPTY_PASSWORD:-false}" = "true" ]; then
+          exec valkey-server
+        else
+          exec valkey-server --requirepass "$${REDIS_PASSWORD:-redispassword}"
+        fi
+      '
+    environment:
+      - "ENABLE_REDIS_EMPTY_PASSWORD=${ENABLE_REDIS_EMPTY_PASSWORD:-false}"
+      - "REDIS_PASSWORD=${REDIS_PASSWORD:-redispassword}"
     healthcheck:
-      test: "valkey-cli -a '${REDIS_PASSWORD:-redispassword}' -p ${REDIS_PORT:-6379} ping | grep -q PONG || exit 1"
+      test: |
+        sh -c '
+          if [ "$${ENABLE_REDIS_EMPTY_PASSWORD:-false}" = "true" ]; then
+            valkey-cli -p $${REDIS_PORT:-6379} ping | grep -q PONG || exit 1
+          else
+            valkey-cli -a "$${REDIS_PASSWORD:-redispassword}" -p $${REDIS_PORT:-6379} ping | grep -q PONG || exit 1
+          fi
+        '
       interval: 2s
       timeout: 1s
       retries: 3
@@ -217,6 +234,7 @@ services:
       - "REDIS_HOST=${REDIS_HOST:-redis}"
       - "REDIS_PORT=${REDIS_PORT:-6379}"
       - "REDIS_PASSWORD=${REDIS_PASSWORD:-redispassword}"
+      - "ENABLE_REDIS_EMPTY_PASSWORD=${ENABLE_REDIS_EMPTY_PASSWORD:-false}"
       # debug setting 
       - "DEBUG=${DEBUG}"
       # SMTP setting

experimental/podman-systemd/redis.container

@@ -11,8 +11,8 @@ Image=docker.io/valkey/valkey:7.2
 Network=misp-net
 Volume=redis_data:/data
 PodmanArgs=--network-alias redis
-Exec=--requirepass ${REDIS_PASSWORD}
-HealthCmd=valkey-cli -a ${REDIS_PASSWORD} ping
+Exec=sh -c 'if [ "${ENABLE_REDIS_EMPTY_PASSWORD:-false}" = "true" ]; then exec valkey-server; else exec valkey-server --requirepass "${REDIS_PASSWORD}"; fi'
+HealthCmd=sh -c 'if [ "${ENABLE_REDIS_EMPTY_PASSWORD:-false}" = "true" ]; then valkey-cli ping; else valkey-cli -a "${REDIS_PASSWORD}" ping; fi'
 HealthInterval=2s
 HealthTimeout=1s
 HealthRetries=3

template.env

@@ -100,6 +100,8 @@ SYNCSERVERS_1_PULL_RULES=
 # REDIS_PORT=
 # remember to escape special character '$', e.g., 'test1%<$1323>' becomes 'test1%<$$1323>'
 # REDIS_PASSWORD=
+# Enable passwordless Redis connection (defaults to false for security)
+# ENABLE_REDIS_EMPTY_PASSWORD=false
 
 # These variables allows overriding some MISP email values.
 # They all default to ADMIN_EMAIL.