Enable password protection for Redis

2026-01-02 03:29:17 +00:00 · 2024-11-08 10:53:22 +01:00
parent 326a446f8b
commit 89fb1322c6
34 changed files with 111 additions and 63 deletions
--- a/data/Dockerfiles/acme/acme.sh
+++ b/data/Dockerfiles/acme/acme.sh
@@ -4,9 +4,9 @@ exec 5>&1

 # Do not attempt to write to slave
 if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
-  export REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT}"
+  export REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT} -a ${REDISPASS}"
 else
-  export REDIS_CMDLINE="redis-cli -h redis -p 6379"
+  export REDIS_CMDLINE="redis-cli -h redis -p 6379 -a ${REDISPASS}"
 fi

 until [[ $(${REDIS_CMDLINE} PING) == "PONG" ]]; do
--- a/data/Dockerfiles/acme/obtain-certificate.sh
+++ b/data/Dockerfiles/acme/obtain-certificate.sh
@@ -124,7 +124,7 @@ case "$SUCCESS" in
    ;;
  *) # non-zero is non-fun
    log_f "Failed to obtain certificate ${CERT} for domains '${CERT_DOMAINS[*]}'"
-    redis-cli -h redis SET ACME_FAIL_TIME "$(date +%s)"
+    redis-cli -h redis -a ${REDISPASS} SET ACME_FAIL_TIME "$(date +%s)"
    exit 100${SUCCESS}
    ;;
 esac
--- a/data/Dockerfiles/dockerapi/main.py
+++ b/data/Dockerfiles/dockerapi/main.py
@@ -34,9 +34,9 @@ async def lifespan(app: FastAPI):

  # Init redis client
  if os.environ['REDIS_SLAVEOF_IP'] != "":
-    redis_client = redis = await aioredis.from_url(f"redis://{os.environ['REDIS_SLAVEOF_IP']}:{os.environ['REDIS_SLAVEOF_PORT']}/0")
+    redis_client = redis = await aioredis.from_url(f"redis://{os.environ['REDIS_SLAVEOF_IP']}:{os.environ['REDIS_SLAVEOF_PORT']}/0", password=os.environ['REDISPASS'])
  else:
-    redis_client = redis = await aioredis.from_url("redis://redis-mailcow:6379/0")
+    redis_client = redis = await aioredis.from_url("redis://redis-mailcow:6379/0", password=os.environ['REDISPASS'])

  # Init docker clients
  sync_docker_client = docker.DockerClient(base_url='unix://var/run/docker.sock', version='auto')
--- a/data/Dockerfiles/dovecot/clean_q_aged.sh
+++ b/data/Dockerfiles/dovecot/clean_q_aged.sh
@@ -2,7 +2,7 @@

 source /source_env.sh

-MAX_AGE=$(redis-cli --raw -h redis-mailcow GET Q_MAX_AGE)
+MAX_AGE=$(redis-cli --raw -h redis-mailcow -a ${REDISPASS} GET Q_MAX_AGE)

 if [[ -z ${MAX_AGE} ]]; then
  echo "Max age for quarantine items not defined"
--- a/data/Dockerfiles/dovecot/docker-entrypoint.sh
+++ b/data/Dockerfiles/dovecot/docker-entrypoint.sh
@@ -14,9 +14,9 @@ done

 # Do not attempt to write to slave
 if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
-  REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT}"
+  REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT} -a ${REDISPASS}"
 else
-  REDIS_CMDLINE="redis-cli -h redis -p 6379"
+  REDIS_CMDLINE="redis-cli -h redis -p 6379 -a ${REDISPASS}"
 fi

 until [[ $(${REDIS_CMDLINE} PING) == "PONG" ]]; do
--- a/data/Dockerfiles/dovecot/quarantine_notify.py
+++ b/data/Dockerfiles/dovecot/quarantine_notify.py
@@ -31,7 +31,7 @@ try:

  while True:
    try:
-      r = redis.StrictRedis(host='redis', decode_responses=True, port=6379, db=0)
+      r = redis.StrictRedis(host='redis', decode_responses=True, port=6379, db=0, password=os.environ['REDISPASS'])
      r.ping()
    except Exception as ex:
      print('%s - trying again...'  % (ex))
--- a/data/Dockerfiles/dovecot/quota_notify.py
+++ b/data/Dockerfiles/dovecot/quota_notify.py
@@ -23,7 +23,7 @@ else:

 while True:
  try:
-    r = redis.StrictRedis(host='redis', decode_responses=True, port=6379, db=0)
+    r = redis.StrictRedis(host='redis', decode_responses=True, port=6379, db=0, password=os.environ['REDISPASS'])
    r.ping()
  except Exception as ex:
    print('%s - trying again...'  % (ex))
--- a/data/Dockerfiles/dovecot/repl_health.sh
+++ b/data/Dockerfiles/dovecot/repl_health.sh
@@ -4,9 +4,9 @@ source /source_env.sh

 # Do not attempt to write to slave
 if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
-  REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT}"
+  REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT} -a ${REDISPASS}"
 else
-  REDIS_CMDLINE="redis-cli -h redis -p 6379"
+  REDIS_CMDLINE="redis-cli -h redis -p 6379 -a ${REDISPASS}"
 fi

 # Is replication active?
--- a/data/Dockerfiles/dovecot/syslog-ng-redis_slave.conf
+++ b/data/Dockerfiles/dovecot/syslog-ng-redis_slave.conf
@@ -20,6 +20,7 @@ destination d_redis_ui_log {
    host("`REDIS_SLAVEOF_IP`")
    persist-name("redis1")
    port(`REDIS_SLAVEOF_PORT`)
+    auth("`REDISPASS`")
    command("LPUSH" "DOVECOT_MAILLOG" "$(format-json time=\"$S_UNIXTIME\" priority=\"$PRIORITY\" program=\"$PROGRAM\" message=\"$MESSAGE\")\n")
  );
 };
@@ -28,6 +29,7 @@ destination d_redis_f2b_channel {
    host("`REDIS_SLAVEOF_IP`")
    persist-name("redis2")
    port(`REDIS_SLAVEOF_PORT`)
+    auth("`REDISPASS`")
    command("PUBLISH" "F2B_CHANNEL" "$(sanitize $MESSAGE)")
  );
 };
--- a/data/Dockerfiles/dovecot/syslog-ng.conf
+++ b/data/Dockerfiles/dovecot/syslog-ng.conf
@@ -20,6 +20,7 @@ destination d_redis_ui_log {
    host("redis-mailcow")
    persist-name("redis1")
    port(6379)
+    auth("`REDISPASS`")
    command("LPUSH" "DOVECOT_MAILLOG" "$(format-json time=\"$S_UNIXTIME\" priority=\"$PRIORITY\" program=\"$PROGRAM\" message=\"$MESSAGE\")\n")
  );
 };
@@ -28,6 +29,7 @@ destination d_redis_f2b_channel {
    host("redis-mailcow")
    persist-name("redis2")
    port(6379)
+    auth("`REDISPASS`")
    command("PUBLISH" "F2B_CHANNEL" "$(sanitize $MESSAGE)")
  );
 };
--- a/data/Dockerfiles/dovecot/trim_logs.sh
+++ b/data/Dockerfiles/dovecot/trim_logs.sh
@@ -10,9 +10,9 @@ catch_non_zero() {
 source /source_env.sh
 # Do not attempt to write to slave
 if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
-  REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT}"
+  REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT} -a ${REDISPASS}"
 else
-  REDIS_CMDLINE="redis-cli -h redis -p 6379"
+  REDIS_CMDLINE="redis-cli -h redis -p 6379 -a ${REDISPASS}"
 fi
 catch_non_zero "${REDIS_CMDLINE} LTRIM ACME_LOG 0 ${LOG_LINES}"
 catch_non_zero "${REDIS_CMDLINE} LTRIM POSTFIX_MAILLOG 0 ${LOG_LINES}"
--- a/data/Dockerfiles/netfilter/main.py
+++ b/data/Dockerfiles/netfilter/main.py
@@ -106,7 +106,7 @@ def get_ip(address):
    ip = ip.ipv4_mapped
  if ip.is_private or ip.is_loopback:
    return False
-  
+
  return ip

 def ban(address):
@@ -434,9 +434,9 @@ if __name__ == '__main__':
      redis_slaveof_ip = os.getenv('REDIS_SLAVEOF_IP', '')
      redis_slaveof_port = os.getenv('REDIS_SLAVEOF_PORT', '')
      if "".__eq__(redis_slaveof_ip):
-        r = redis.StrictRedis(host=os.getenv('IPV4_NETWORK', '172.22.1') + '.249', decode_responses=True, port=6379, db=0)
+        r = redis.StrictRedis(host=os.getenv('IPV4_NETWORK', '172.22.1') + '.249', decode_responses=True, port=6379, db=0, password=os.environ['REDISPASS'])
      else:
-        r = redis.StrictRedis(host=redis_slaveof_ip, decode_responses=True, port=redis_slaveof_port, db=0)
+        r = redis.StrictRedis(host=redis_slaveof_ip, decode_responses=True, port=redis_slaveof_port, db=0, password=os.environ['REDISPASS'])
      r.ping()
      pubsub = r.pubsub()
    except Exception as ex:
@@ -452,7 +452,7 @@ if __name__ == '__main__':
  # clear bans in redis
  r.delete('F2B_ACTIVE_BANS')
  r.delete('F2B_PERM_BANS')
-  
+
  refreshF2boptions()

  watch_thread = Thread(target=watch)
--- a/data/Dockerfiles/phpfpm/docker-entrypoint.sh
+++ b/data/Dockerfiles/phpfpm/docker-entrypoint.sh
@@ -16,7 +16,7 @@ else
  REDIS_HOST="redis"
  REDIS_PORT="6379"
 fi
-REDIS_CMDLINE="redis-cli -h ${REDIS_HOST} -p ${REDIS_PORT}"
+REDIS_CMDLINE="redis-cli -h ${REDIS_HOST} -p ${REDIS_PORT} -a ${REDISPASS}"

 until [[ $(${REDIS_CMDLINE} PING) == "PONG" ]]; do
  echo "Waiting for Redis..."
@@ -26,7 +26,7 @@ done
 # Set redis session store
 echo -n '
 session.save_handler = redis
-session.save_path = "tcp://'${REDIS_HOST}':'${REDIS_PORT}'"
+session.save_path = "tcp://'${REDIS_HOST}':'${REDIS_PORT}'?auth='${REDISPASS}'"
 ' > /usr/local/etc/php/conf.d/session_store.ini

 # Check mysql_upgrade (master and slave)
--- a/data/Dockerfiles/postfix/syslog-ng-redis_slave.conf
+++ b/data/Dockerfiles/postfix/syslog-ng-redis_slave.conf
@@ -20,6 +20,7 @@ destination d_redis_ui_log {
    host("`REDIS_SLAVEOF_IP`")
    persist-name("redis1")
    port(`REDIS_SLAVEOF_PORT`)
+    auth("`REDISPASS`")
    command("LPUSH" "POSTFIX_MAILLOG" "$(format-json time=\"$S_UNIXTIME\" priority=\"$PRIORITY\" program=\"$PROGRAM\" message=\"$MESSAGE\")\n")
  );
 };
@@ -28,6 +29,7 @@ destination d_redis_f2b_channel {
    host("`REDIS_SLAVEOF_IP`")
    persist-name("redis2")
    port(`REDIS_SLAVEOF_PORT`)
+    auth("`REDISPASS`")
    command("PUBLISH" "F2B_CHANNEL" "$(sanitize $MESSAGE)")
  );
 };
--- a/data/Dockerfiles/postfix/syslog-ng.conf
+++ b/data/Dockerfiles/postfix/syslog-ng.conf
@@ -20,6 +20,7 @@ destination d_redis_ui_log {
    host("redis-mailcow")
    persist-name("redis1")
    port(6379)
+    auth("`REDISPASS`")
    command("LPUSH" "POSTFIX_MAILLOG" "$(format-json time=\"$S_UNIXTIME\" priority=\"$PRIORITY\" program=\"$PROGRAM\" message=\"$MESSAGE\")\n")
  );
 };
@@ -28,6 +29,7 @@ destination d_redis_f2b_channel {
    host("redis-mailcow")
    persist-name("redis2")
    port(6379)
+    auth("`REDISPASS`")
    command("PUBLISH" "F2B_CHANNEL" "$(sanitize $MESSAGE)")
  );
 };
--- a/data/Dockerfiles/rspamd/docker-entrypoint.sh
+++ b/data/Dockerfiles/rspamd/docker-entrypoint.sh
@@ -56,27 +56,29 @@ if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
  cat <<EOF > /etc/rspamd/local.d/redis.conf
 read_servers = "redis:6379";
 write_servers = "${REDIS_SLAVEOF_IP}:${REDIS_SLAVEOF_PORT}";
+password = "${REDISPASS}";
 timeout = 10;
 EOF
-  until [[ $(redis-cli -h redis-mailcow PING) == "PONG" ]]; do
+  until [[ $(redis-cli -h redis-mailcow -a ${REDISPASS} PING) == "PONG" ]]; do
    echo "Waiting for Redis @redis-mailcow..."
    sleep 2
  done
-  until [[ $(redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT} PING) == "PONG" ]]; do
+  until [[ $(redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT} -a ${REDISPASS} PING) == "PONG" ]]; do
    echo "Waiting for Redis @${REDIS_SLAVEOF_IP}..."
    sleep 2
  done
-  redis-cli -h redis-mailcow SLAVEOF ${REDIS_SLAVEOF_IP} ${REDIS_SLAVEOF_PORT}
+  redis-cli -h redis-mailcow -a ${REDISPASS} SLAVEOF ${REDIS_SLAVEOF_IP} ${REDIS_SLAVEOF_PORT}
 else
  cat <<EOF > /etc/rspamd/local.d/redis.conf
 servers = "redis:6379";
+password = "${REDISPASS}";
 timeout = 10;
 EOF
-  until [[ $(redis-cli -h redis-mailcow PING) == "PONG" ]]; do
+  until [[ $(redis-cli -h redis-mailcow -a ${REDISPASS} PING) == "PONG" ]]; do
    echo "Waiting for Redis slave..."
    sleep 2
  done
-  redis-cli -h redis-mailcow SLAVEOF NO ONE
+  redis-cli -h redis-mailcow -a ${REDISPASS} SLAVEOF NO ONE
 fi

 # Provide additional lua modules
--- a/data/Dockerfiles/sogo/syslog-ng-redis_slave.conf
+++ b/data/Dockerfiles/sogo/syslog-ng-redis_slave.conf
@@ -22,6 +22,7 @@ destination d_redis_ui_log {
    host("`REDIS_SLAVEOF_IP`")
    persist-name("redis1")
    port(`REDIS_SLAVEOF_PORT`)
+    auth("`REDISPASS`")
    command("LPUSH" "SOGO_LOG" "$(format-json time=\"$S_UNIXTIME\" priority=\"$PRIORITY\" program=\"$PROGRAM\" message=\"$MESSAGE\")\n")
  );
 };
@@ -30,6 +31,7 @@ destination d_redis_f2b_channel {
    host("`REDIS_SLAVEOF_IP`")
    persist-name("redis2")
    port(`REDIS_SLAVEOF_PORT`)
+    auth("`REDISPASS`")
    command("PUBLISH" "F2B_CHANNEL" "$(sanitize $MESSAGE)")
  );
 };
--- a/data/Dockerfiles/sogo/syslog-ng.conf
+++ b/data/Dockerfiles/sogo/syslog-ng.conf
@@ -22,6 +22,7 @@ destination d_redis_ui_log {
    host("redis-mailcow")
    persist-name("redis1")
    port(6379)
+    auth("`REDISPASS`")
    command("LPUSH" "SOGO_LOG" "$(format-json time=\"$S_UNIXTIME\" priority=\"$PRIORITY\" program=\"$PROGRAM\" message=\"$MESSAGE\")\n")
  );
 };
@@ -30,6 +31,7 @@ destination d_redis_f2b_channel {
    host("redis-mailcow")
    persist-name("redis2")
    port(6379)
+    auth("`REDISPASS`")
    command("PUBLISH" "F2B_CHANNEL" "$(sanitize $MESSAGE)")
  );
 };
--- a/data/Dockerfiles/watchdog/watchdog.sh
+++ b/data/Dockerfiles/watchdog/watchdog.sh
@@ -40,9 +40,9 @@ done

 # Do not attempt to write to slave
 if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
-  REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT}"
+  REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT} -a ${REDISPASS}"
 else
-  REDIS_CMDLINE="redis-cli -h redis -p 6379"
+  REDIS_CMDLINE="redis-cli -h redis -p 6379 -a ${REDISPASS}"
 fi

 until [[ $(${REDIS_CMDLINE} PING) == "PONG" ]]; do
@@ -330,7 +330,7 @@ redis_checks() {
    touch /tmp/redis-mailcow; echo "$(tail -50 /tmp/redis-mailcow)" > /tmp/redis-mailcow
    host_ip=$(get_container_ip redis-mailcow)
    err_c_cur=${err_count}
-    /usr/lib/nagios/plugins/check_tcp -4 -H redis-mailcow -p 6379 -E -s "PING\n" -q "QUIT" -e "PONG" 2>> /tmp/redis-mailcow 1>&2; err_count=$(( ${err_count} + $? ))
+    /usr/lib/nagios/plugins/check_tcp -4 -H redis-mailcow -p 6379 -E -s "AUTH ${REDISPASS}\nPING\n" -q "QUIT" -e "PONG" 2>> /tmp/redis-mailcow 1>&2; err_count=$(( ${err_count} + $? ))
    [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
    [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
    progress "Redis" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
@@ -503,12 +503,12 @@ dovecot_repl_checks() {
  err_count=0
  diff_c=0
  THRESHOLD=${DOVECOT_REPL_THRESHOLD}
-  D_REPL_STATUS=$(redis-cli -h redis -r GET DOVECOT_REPL_HEALTH)
+  D_REPL_STATUS=$(redis-cli -h redis -a ${REDISPASS} -r GET DOVECOT_REPL_HEALTH)
  # Reduce error count by 2 after restarting an unhealthy container
  trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
  while [ ${err_count} -lt ${THRESHOLD} ]; do
    err_c_cur=${err_count}
-    D_REPL_STATUS=$(redis-cli --raw -h redis GET DOVECOT_REPL_HEALTH)
+    D_REPL_STATUS=$(redis-cli --raw -h redis -a ${REDISPASS} GET DOVECOT_REPL_HEALTH)
    if [[ "${D_REPL_STATUS}" != "1" ]]; then
      err_count=$(( ${err_count} + 1 ))
    fi
@@ -578,19 +578,19 @@ ratelimit_checks() {
  err_count=0
  diff_c=0
  THRESHOLD=${RATELIMIT_THRESHOLD}
-  RL_LOG_STATUS=$(redis-cli -h redis LRANGE RL_LOG 0 0 | jq .qid)
+  RL_LOG_STATUS=$(redis-cli -h redis -a ${REDISPASS} LRANGE RL_LOG 0 0 | jq .qid)
  # Reduce error count by 2 after restarting an unhealthy container
  trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
  while [ ${err_count} -lt ${THRESHOLD} ]; do
    err_c_cur=${err_count}
    RL_LOG_STATUS_PREV=${RL_LOG_STATUS}
-    RL_LOG_STATUS=$(redis-cli -h redis LRANGE RL_LOG 0 0 | jq .qid)
+    RL_LOG_STATUS=$(redis-cli -h redis -a ${REDISPASS} LRANGE RL_LOG 0 0 | jq .qid)
    if [[ ${RL_LOG_STATUS_PREV} != ${RL_LOG_STATUS} ]]; then
      err_count=$(( ${err_count} + 1 ))
      echo 'Last 10 applied ratelimits (may overlap with previous reports).' > /tmp/ratelimit
      echo 'Full ratelimit buckets can be emptied by deleting the ratelimit hash from within mailcow UI (see /debug -> Protocols -> Ratelimit):' >> /tmp/ratelimit
      echo >> /tmp/ratelimit
-      redis-cli --raw -h redis LRANGE RL_LOG 0 10 | jq . >> /tmp/ratelimit
+      redis-cli --raw -h redis -a ${REDISPASS} LRANGE RL_LOG 0 10 | jq . >> /tmp/ratelimit
    fi
    [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
    [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
@@ -673,7 +673,7 @@ acme_checks() {
  err_count=0
  diff_c=0
  THRESHOLD=${ACME_THRESHOLD}
-  ACME_LOG_STATUS=$(redis-cli -h redis GET ACME_FAIL_TIME)
+  ACME_LOG_STATUS=$(redis-cli -h redis -a ${REDISPASS} GET ACME_FAIL_TIME)
  if [[ -z "${ACME_LOG_STATUS}" ]]; then
    ${REDIS_CMDLINE} SET ACME_FAIL_TIME 0
    ACME_LOG_STATUS=0
@@ -685,7 +685,7 @@ acme_checks() {
    ACME_LOG_STATUS_PREV=${ACME_LOG_STATUS}
    ACME_LC=0
    until [[ ! -z ${ACME_LOG_STATUS} ]] || [ ${ACME_LC} -ge 3 ]; do
-      ACME_LOG_STATUS=$(redis-cli -h redis GET ACME_FAIL_TIME 2> /dev/null)
+      ACME_LOG_STATUS=$(redis-cli -h redis -a ${REDISPASS} GET ACME_FAIL_TIME 2> /dev/null)
      sleep 3
      ACME_LC=$((ACME_LC+1))
    done