diff --git a/apps/nginx/versions/1.21.4/www/common/waf/.gitignore b/apps/nginx/versions/1.21.4/www/common/waf/.gitignore
new file mode 100644
index 000000000..70cbd5d1f
--- /dev/null
+++ b/apps/nginx/versions/1.21.4/www/common/waf/.gitignore
@@ -0,0 +1,9 @@
+# Binaries for programs and plugins
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+.idea
+
+
diff --git a/apps/nginx/versions/1.21.4/www/common/waf/LICENSE b/apps/nginx/versions/1.21.4/www/common/waf/LICENSE
new file mode 100644
index 000000000..f288702d2
--- /dev/null
+++ b/apps/nginx/versions/1.21.4/www/common/waf/LICENSE
@@ -0,0 +1,674 @@
+ GNU GENERAL PUBLIC LICENSE
+ Version 3, 29 June 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc.
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+ Preamble
+
+ The GNU General Public License is a free, copyleft license for
+software and other kinds of works.
+
+ The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works. By contrast,
+the GNU General Public License is intended to guarantee your freedom to
+share and change all versions of a program--to make sure it remains free
+software for all its users. We, the Free Software Foundation, use the
+GNU General Public License for most of our software; it applies also to
+any other work released this way by its authors. You can apply it to
+your programs, too.
+
+ When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
+
+ To protect your rights, we need to prevent others from denying you
+these rights or asking you to surrender the rights. Therefore, you have
+certain responsibilities if you distribute copies of the software, or if
+you modify it: responsibilities to respect the freedom of others.
+
+ For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must pass on to the recipients the same
+freedoms that you received. You must make sure that they, too, receive
+or can get the source code. And you must show them these terms so they
+know their rights.
+
+ Developers that use the GNU GPL protect your rights with two steps:
+(1) assert copyright on the software, and (2) offer you this License
+giving you legal permission to copy, distribute and/or modify it.
+
+ For the developers' and authors' protection, the GPL clearly explains
+that there is no warranty for this free software. For both users' and
+authors' sake, the GPL requires that modified versions be marked as
+changed, so that their problems will not be attributed erroneously to
+authors of previous versions.
+
+ Some devices are designed to deny users access to install or run
+modified versions of the software inside them, although the manufacturer
+can do so. This is fundamentally incompatible with the aim of
+protecting users' freedom to change the software. The systematic
+pattern of such abuse occurs in the area of products for individuals to
+use, which is precisely where it is most unacceptable. Therefore, we
+have designed this version of the GPL to prohibit the practice for those
+products. If such problems arise substantially in other domains, we
+stand ready to extend this provision to those domains in future versions
+of the GPL, as needed to protect the freedom of users.
+
+ Finally, every program is threatened constantly by software patents.
+States should not allow patents to restrict development and use of
+software on general-purpose computers, but in those that do, we wish to
+avoid the special danger that patents applied to a free program could
+make it effectively proprietary. To prevent this, the GPL assures that
+patents cannot be used to render the program non-free.
+
+ The precise terms and conditions for copying, distribution and
+modification follow.
+
+ TERMS AND CONDITIONS
+
+ 0. Definitions.
+
+ "This License" refers to version 3 of the GNU General Public License.
+
+ "Copyright" also means copyright-like laws that apply to other kinds of
+works, such as semiconductor masks.
+
+ "The Program" refers to any copyrightable work licensed under this
+License. Each licensee is addressed as "you". "Licensees" and
+"recipients" may be individuals or organizations.
+
+ To "modify" a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of an
+exact copy. The resulting work is called a "modified version" of the
+earlier work or a work "based on" the earlier work.
+
+ A "covered work" means either the unmodified Program or a work based
+on the Program.
+
+ To "propagate" a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy. Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
+
+ To "convey" a work means any kind of propagation that enables other
+parties to make or receive copies. Mere interaction with a user through
+a computer network, with no transfer of a copy, is not conveying.
+
+ An interactive user interface displays "Appropriate Legal Notices"
+to the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License. If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
+
+ 1. Source Code.
+
+ The "source code" for a work means the preferred form of the work
+for making modifications to it. "Object code" means any non-source
+form of a work.
+
+ A "Standard Interface" means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
+
+ The "System Libraries" of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form. A
+"Major Component", in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
+
+ The "Corresponding Source" for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities. However, it does not include the work's
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work. For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
+
+ The Corresponding Source need not include anything that users
+can regenerate automatically from other parts of the Corresponding
+Source.
+
+ The Corresponding Source for a work in source code form is that
+same work.
+
+ 2. Basic Permissions.
+
+ All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met. This License explicitly affirms your unlimited
+permission to run the unmodified Program. The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work. This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
+
+ You may make, run and propagate covered works that you do not
+convey, without conditions so long as your license otherwise remains
+in force. You may convey covered works to others for the sole purpose
+of having them make modifications exclusively for you, or provide you
+with facilities for running those works, provided that you comply with
+the terms of this License in conveying all material for which you do
+not control copyright. Those thus making or running the covered works
+for you must do so exclusively on your behalf, under your direction
+and control, on terms that prohibit them from making any copies of
+your copyrighted material outside their relationship with you.
+
+ Conveying under any other circumstances is permitted solely under
+the conditions stated below. Sublicensing is not allowed; section 10
+makes it unnecessary.
+
+ 3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+ No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
+
+ When you convey a covered work, you waive any legal power to forbid
+circumvention of technological measures to the extent such circumvention
+is effected by exercising rights under this License with respect to
+the covered work, and you disclaim any intention to limit operation or
+modification of the work as a means of enforcing, against the work's
+users, your or third parties' legal rights to forbid circumvention of
+technological measures.
+
+ 4. Conveying Verbatim Copies.
+
+ You may convey verbatim copies of the Program's source code as you
+receive it, in any medium, provided that you conspicuously and
+appropriately publish on each copy an appropriate copyright notice;
+keep intact all notices stating that this License and any
+non-permissive terms added in accord with section 7 apply to the code;
+keep intact all notices of the absence of any warranty; and give all
+recipients a copy of this License along with the Program.
+
+ You may charge any price or no price for each copy that you convey,
+and you may offer support or warranty protection for a fee.
+
+ 5. Conveying Modified Source Versions.
+
+ You may convey a work based on the Program, or the modifications to
+produce it from the Program, in the form of source code under the
+terms of section 4, provided that you also meet all of these conditions:
+
+ a) The work must carry prominent notices stating that you modified
+ it, and giving a relevant date.
+
+ b) The work must carry prominent notices stating that it is
+ released under this License and any conditions added under section
+ 7. This requirement modifies the requirement in section 4 to
+ "keep intact all notices".
+
+ c) You must license the entire work, as a whole, under this
+ License to anyone who comes into possession of a copy. This
+ License will therefore apply, along with any applicable section 7
+ additional terms, to the whole of the work, and all its parts,
+ regardless of how they are packaged. This License gives no
+ permission to license the work in any other way, but it does not
+ invalidate such permission if you have separately received it.
+
+ d) If the work has interactive user interfaces, each must display
+ Appropriate Legal Notices; however, if the Program has interactive
+ interfaces that do not display Appropriate Legal Notices, your
+ work need not make them do so.
+
+ A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+"aggregate" if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation's users
+beyond what the individual works permit. Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+ 6. Conveying Non-Source Forms.
+
+ You may convey a covered work in object code form under the terms
+of sections 4 and 5, provided that you also convey the
+machine-readable Corresponding Source under the terms of this License,
+in one of these ways:
+
+ a) Convey the object code in, or embodied in, a physical product
+ (including a physical distribution medium), accompanied by the
+ Corresponding Source fixed on a durable physical medium
+ customarily used for software interchange.
+
+ b) Convey the object code in, or embodied in, a physical product
+ (including a physical distribution medium), accompanied by a
+ written offer, valid for at least three years and valid for as
+ long as you offer spare parts or customer support for that product
+ model, to give anyone who possesses the object code either (1) a
+ copy of the Corresponding Source for all the software in the
+ product that is covered by this License, on a durable physical
+ medium customarily used for software interchange, for a price no
+ more than your reasonable cost of physically performing this
+ conveying of source, or (2) access to copy the
+ Corresponding Source from a network server at no charge.
+
+ c) Convey individual copies of the object code with a copy of the
+ written offer to provide the Corresponding Source. This
+ alternative is allowed only occasionally and noncommercially, and
+ only if you received the object code with such an offer, in accord
+ with subsection 6b.
+
+ d) Convey the object code by offering access from a designated
+ place (gratis or for a charge), and offer equivalent access to the
+ Corresponding Source in the same way through the same place at no
+ further charge. You need not require recipients to copy the
+ Corresponding Source along with the object code. If the place to
+ copy the object code is a network server, the Corresponding Source
+ may be on a different server (operated by you or a third party)
+ that supports equivalent copying facilities, provided you maintain
+ clear directions next to the object code saying where to find the
+ Corresponding Source. Regardless of what server hosts the
+ Corresponding Source, you remain obligated to ensure that it is
+ available for as long as needed to satisfy these requirements.
+
+ e) Convey the object code using peer-to-peer transmission, provided
+ you inform other peers where the object code and Corresponding
+ Source of the work are being offered to the general public at no
+ charge under subsection 6d.
+
+ A separable portion of the object code, whose source code is excluded
+from the Corresponding Source as a System Library, need not be
+included in conveying the object code work.
+
+ A "User Product" is either (1) a "consumer product", which means any
+tangible personal property which is normally used for personal, family,
+or household purposes, or (2) anything designed or sold for incorporation
+into a dwelling. In determining whether a product is a consumer product,
+doubtful cases shall be resolved in favor of coverage. For a particular
+product received by a particular user, "normally used" refers to a
+typical or common use of that class of product, regardless of the status
+of the particular user or of the way in which the particular user
+actually uses, or expects or is expected to use, the product. A product
+is a consumer product regardless of whether the product has substantial
+commercial, industrial or non-consumer uses, unless such uses represent
+the only significant mode of use of the product.
+
+ "Installation Information" for a User Product means any methods,
+procedures, authorization keys, or other information required to install
+and execute modified versions of a covered work in that User Product from
+a modified version of its Corresponding Source. The information must
+suffice to ensure that the continued functioning of the modified object
+code is in no case prevented or interfered with solely because
+modification has been made.
+
+ If you convey an object code work under this section in, or with, or
+specifically for use in, a User Product, and the conveying occurs as
+part of a transaction in which the right of possession and use of the
+User Product is transferred to the recipient in perpetuity or for a
+fixed term (regardless of how the transaction is characterized), the
+Corresponding Source conveyed under this section must be accompanied
+by the Installation Information. But this requirement does not apply
+if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has
+been installed in ROM).
+
+ The requirement to provide Installation Information does not include a
+requirement to continue to provide support service, warranty, or updates
+for a work that has been modified or installed by the recipient, or for
+the User Product in which it has been modified or installed. Access to a
+network may be denied when the modification itself materially and
+adversely affects the operation of the network or violates the rules and
+protocols for communication across the network.
+
+ Corresponding Source conveyed, and Installation Information provided,
+in accord with this section must be in a format that is publicly
+documented (and with an implementation available to the public in
+source code form), and must require no special password or key for
+unpacking, reading or copying.
+
+ 7. Additional Terms.
+
+ "Additional permissions" are terms that supplement the terms of this
+License by making exceptions from one or more of its conditions.
+Additional permissions that are applicable to the entire Program shall
+be treated as though they were included in this License, to the extent
+that they are valid under applicable law. If additional permissions
+apply only to part of the Program, that part may be used separately
+under those permissions, but the entire Program remains governed by
+this License without regard to the additional permissions.
+
+ When you convey a copy of a covered work, you may at your option
+remove any additional permissions from that copy, or from any part of
+it. (Additional permissions may be written to require their own
+removal in certain cases when you modify the work.) You may place
+additional permissions on material, added by you to a covered work,
+for which you have or can give appropriate copyright permission.
+
+ Notwithstanding any other provision of this License, for material you
+add to a covered work, you may (if authorized by the copyright holders of
+that material) supplement the terms of this License with terms:
+
+ a) Disclaiming warranty or limiting liability differently from the
+ terms of sections 15 and 16 of this License; or
+
+ b) Requiring preservation of specified reasonable legal notices or
+ author attributions in that material or in the Appropriate Legal
+ Notices displayed by works containing it; or
+
+ c) Prohibiting misrepresentation of the origin of that material, or
+ requiring that modified versions of such material be marked in
+ reasonable ways as different from the original version; or
+
+ d) Limiting the use for publicity purposes of names of licensors or
+ authors of the material; or
+
+ e) Declining to grant rights under trademark law for use of some
+ trade names, trademarks, or service marks; or
+
+ f) Requiring indemnification of licensors and authors of that
+ material by anyone who conveys the material (or modified versions of
+ it) with contractual assumptions of liability to the recipient, for
+ any liability that these contractual assumptions directly impose on
+ those licensors and authors.
+
+ All other non-permissive additional terms are considered "further
+restrictions" within the meaning of section 10. If the Program as you
+received it, or any part of it, contains a notice stating that it is
+governed by this License along with a term that is a further
+restriction, you may remove that term. If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
+
+ If you add terms to a covered work in accord with this section, you
+must place, in the relevant source files, a statement of the
+additional terms that apply to those files, or a notice indicating
+where to find the applicable terms.
+
+ Additional terms, permissive or non-permissive, may be stated in the
+form of a separately written license, or stated as exceptions;
+the above requirements apply either way.
+
+ 8. Termination.
+
+ You may not propagate or modify a covered work except as expressly
+provided under this License. Any attempt otherwise to propagate or
+modify it is void, and will automatically terminate your rights under
+this License (including any patent licenses granted under the third
+paragraph of section 11).
+
+ However, if you cease all violation of this License, then your
+license from a particular copyright holder is reinstated (a)
+provisionally, unless and until the copyright holder explicitly and
+finally terminates your license, and (b) permanently, if the copyright
+holder fails to notify you of the violation by some reasonable means
+prior to 60 days after the cessation.
+
+ Moreover, your license from a particular copyright holder is
+reinstated permanently if the copyright holder notifies you of the
+violation by some reasonable means, this is the first time you have
+received notice of violation of this License (for any work) from that
+copyright holder, and you cure the violation prior to 30 days after
+your receipt of the notice.
+
+ Termination of your rights under this section does not terminate the
+licenses of parties who have received copies or rights from you under
+this License. If your rights have been terminated and not permanently
+reinstated, you do not qualify to receive new licenses for the same
+material under section 10.
+
+ 9. Acceptance Not Required for Having Copies.
+
+ You are not required to accept this License in order to receive or
+run a copy of the Program. Ancillary propagation of a covered work
+occurring solely as a consequence of using peer-to-peer transmission
+to receive a copy likewise does not require acceptance. However,
+nothing other than this License grants you permission to propagate or
+modify any covered work. These actions infringe copyright if you do
+not accept this License. Therefore, by modifying or propagating a
+covered work, you indicate your acceptance of this License to do so.
+
+ 10. Automatic Licensing of Downstream Recipients.
+
+ Each time you convey a covered work, the recipient automatically
+receives a license from the original licensors, to run, modify and
+propagate that work, subject to this License. You are not responsible
+for enforcing compliance by third parties with this License.
+
+ An "entity transaction" is a transaction transferring control of an
+organization, or substantially all assets of one, or subdividing an
+organization, or merging organizations. If propagation of a covered
+work results from an entity transaction, each party to that
+transaction who receives a copy of the work also receives whatever
+licenses to the work the party's predecessor in interest had or could
+give under the previous paragraph, plus a right to possession of the
+Corresponding Source of the work from the predecessor in interest, if
+the predecessor has it or can get it with reasonable efforts.
+
+ You may not impose any further restrictions on the exercise of the
+rights granted or affirmed under this License. For example, you may
+not impose a license fee, royalty, or other charge for exercise of
+rights granted under this License, and you may not initiate litigation
+(including a cross-claim or counterclaim in a lawsuit) alleging that
+any patent claim is infringed by making, using, selling, offering for
+sale, or importing the Program or any portion of it.
+
+ 11. Patents.
+
+ A "contributor" is a copyright holder who authorizes use under this
+License of the Program or a work on which the Program is based. The
+work thus licensed is called the contributor's "contributor version".
+
+ A contributor's "essential patent claims" are all patent claims
+owned or controlled by the contributor, whether already acquired or
+hereafter acquired, that would be infringed by some manner, permitted
+by this License, of making, using, or selling its contributor version,
+but do not include claims that would be infringed only as a
+consequence of further modification of the contributor version. For
+purposes of this definition, "control" includes the right to grant
+patent sublicenses in a manner consistent with the requirements of
+this License.
+
+ Each contributor grants you a non-exclusive, worldwide, royalty-free
+patent license under the contributor's essential patent claims, to
+make, use, sell, offer for sale, import and otherwise run, modify and
+propagate the contents of its contributor version.
+
+ In the following three paragraphs, a "patent license" is any express
+agreement or commitment, however denominated, not to enforce a patent
+(such as an express permission to practice a patent or covenant not to
+sue for patent infringement). To "grant" such a patent license to a
+party means to make such an agreement or commitment not to enforce a
+patent against the party.
+
+ If you convey a covered work, knowingly relying on a patent license,
+and the Corresponding Source of the work is not available for anyone
+to copy, free of charge and under the terms of this License, through a
+publicly available network server or other readily accessible means,
+then you must either (1) cause the Corresponding Source to be so
+available, or (2) arrange to deprive yourself of the benefit of the
+patent license for this particular work, or (3) arrange, in a manner
+consistent with the requirements of this License, to extend the patent
+license to downstream recipients. "Knowingly relying" means you have
+actual knowledge that, but for the patent license, your conveying the
+covered work in a country, or your recipient's use of the covered work
+in a country, would infringe one or more identifiable patents in that
+country that you have reason to believe are valid.
+
+ If, pursuant to or in connection with a single transaction or
+arrangement, you convey, or propagate by procuring conveyance of, a
+covered work, and grant a patent license to some of the parties
+receiving the covered work authorizing them to use, propagate, modify
+or convey a specific copy of the covered work, then the patent license
+you grant is automatically extended to all recipients of the covered
+work and works based on it.
+
+ A patent license is "discriminatory" if it does not include within
+the scope of its coverage, prohibits the exercise of, or is
+conditioned on the non-exercise of one or more of the rights that are
+specifically granted under this License. You may not convey a covered
+work if you are a party to an arrangement with a third party that is
+in the business of distributing software, under which you make payment
+to the third party based on the extent of your activity of conveying
+the work, and under which the third party grants, to any of the
+parties who would receive the covered work from you, a discriminatory
+patent license (a) in connection with copies of the covered work
+conveyed by you (or copies made from those copies), or (b) primarily
+for and in connection with specific products or compilations that
+contain the covered work, unless you entered into that arrangement,
+or that patent license was granted, prior to 28 March 2007.
+
+ Nothing in this License shall be construed as excluding or limiting
+any implied license or other defenses to infringement that may
+otherwise be available to you under applicable patent law.
+
+ 12. No Surrender of Others' Freedom.
+
+ If conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot convey a
+covered work so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you may
+not convey it at all. For example, if you agree to terms that obligate you
+to collect a royalty for further conveying from those to whom you convey
+the Program, the only way you could satisfy both those terms and this
+License would be to refrain entirely from conveying the Program.
+
+ 13. Use with the GNU Affero General Public License.
+
+ Notwithstanding any other provision of this License, you have
+permission to link or combine any covered work with a work licensed
+under version 3 of the GNU Affero General Public License into a single
+combined work, and to convey the resulting work. The terms of this
+License will continue to apply to the part which is the covered work,
+but the special requirements of the GNU Affero General Public License,
+section 13, concerning interaction through a network will apply to the
+combination as such.
+
+ 14. Revised Versions of this License.
+
+ The Free Software Foundation may publish revised and/or new versions of
+the GNU General Public License from time to time. Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+ Each version is given a distinguishing version number. If the
+Program specifies that a certain numbered version of the GNU General
+Public License "or any later version" applies to it, you have the
+option of following the terms and conditions either of that numbered
+version or of any later version published by the Free Software
+Foundation. If the Program does not specify a version number of the
+GNU General Public License, you may choose any version ever published
+by the Free Software Foundation.
+
+ If the Program specifies that a proxy can decide which future
+versions of the GNU General Public License can be used, that proxy's
+public statement of acceptance of a version permanently authorizes you
+to choose that version for the Program.
+
+ Later license versions may give you additional or different
+permissions. However, no additional obligations are imposed on any
+author or copyright holder as a result of your choosing to follow a
+later version.
+
+ 15. Disclaimer of Warranty.
+
+ THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+ 16. Limitation of Liability.
+
+ IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGES.
+
+ 17. Interpretation of Sections 15 and 16.
+
+ If the disclaimer of warranty and limitation of liability provided
+above cannot be given local legal effect according to their terms,
+reviewing courts shall apply local law that most closely approximates
+an absolute waiver of all civil liability in connection with the
+Program, unless a warranty or assumption of liability accompanies a
+copy of the Program in return for a fee.
+
+ END OF TERMS AND CONDITIONS
+
+ How to Apply These Terms to Your New Programs
+
+ If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+ To do so, attach the following notices to the program. It is safest
+to attach them to the start of each source file to most effectively
+state the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+
+ Copyright (C)
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+
+Also add information on how to contact you by electronic and paper mail.
+
+ If the program does terminal interaction, make it output a short
+notice like this when it starts in an interactive mode:
+
+ Copyright (C)
+ This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+ This is free software, and you are welcome to redistribute it
+ under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License. Of course, your program's commands
+might be different; for a GUI interface, you would use an "about box".
+
+ You should also get your employer (if you work as a programmer) or school,
+if any, to sign a "copyright disclaimer" for the program, if necessary.
+For more information on this, and how to apply and follow the GNU GPL, see
+.
+
+ The GNU General Public License does not permit incorporating your program
+into proprietary programs. If your program is a subroutine library, you
+may consider it more useful to permit linking proprietary applications with
+the library. If this is what you want to do, use the GNU Lesser General
+Public License instead of this License. But first, please read
+.
diff --git a/apps/nginx/versions/1.21.4/www/common/waf/README.md b/apps/nginx/versions/1.21.4/www/common/waf/README.md
new file mode 100644
index 000000000..ef09fa80f
--- /dev/null
+++ b/apps/nginx/versions/1.21.4/www/common/waf/README.md
@@ -0,0 +1,2 @@
+# waf
+waf 是一个基于 lua-nginx-module(openresty) 的 web 应用防火墙
diff --git a/apps/nginx/versions/1.21.4/www/common/waf/access.lua b/apps/nginx/versions/1.21.4/www/common/waf/access.lua
index b4e8c78df..8a1d2e266 100644
--- a/apps/nginx/versions/1.21.4/www/common/waf/access.lua
+++ b/apps/nginx/versions/1.21.4/www/common/waf/access.lua
@@ -8,7 +8,7 @@ local method=ngx.req.get_method()
local function optionIsOn(options)
- return options == "on" or options == "On" or options == "ON"
+ return options == "on" or options == "On" or options == "ON"
end
local logpath = ngx.var.logdir
@@ -26,273 +26,297 @@ local CookieDeny = optionIsOn(ngx.var.cookieDeny)
local FileExtDeny = optionIsOn(ngx.var.fileExtDeny)
local function getClientIp()
- IP = ngx.var.remote_addr
- if IP == nil then
- IP = "unknown"
- end
- return IP
+ IP = ngx.var.remote_addr
+ if IP == nil then
+ IP = "unknown"
+ end
+ return IP
end
local function write(logfile,msg)
- local fd = io.open(logfile,"ab")
- if fd == nil then return end
- fd:write(msg)
- fd:flush()
- fd:close()
+ local fd = io.open(logfile,"ab")
+ if fd == nil then return end
+ fd:write(msg)
+ fd:flush()
+ fd:close()
end
local function log(method,url,data,ruletag)
- if attacklog then
- local realIp = getClientIp()
- local ua = ngx.var.http_user_agent
- local servername=ngx.var.server_name
- local time=ngx.localtime()
+ if attacklog then
+ local realIp = getClientIp()
+ local ua = ngx.var.http_user_agent
+ local servername=ngx.var.server_name
+ local time=ngx.localtime()
local line = nil
- if ua then
- line = realIp.." ["..time.."] \""..method.." "..servername..url.."\" \""..data.."\" \""..ua.."\" \""..ruletag.."\"\n"
- else
- line = realIp.." ["..time.."] \""..method.." "..servername..url.."\" \""..data.."\" - \""..ruletag.."\"\n"
- end
- local filename = logpath..'/'..servername.."_"..ngx.today().."_sec.log"
- write(filename,line)
- end
+ if ua then
+ line = realIp.." ["..time.."] \""..method.." "..servername..url.."\" \""..data.."\" \""..ua.."\" \""..ruletag.."\"\n"
+ else
+ line = realIp.." ["..time.."] \""..method.." "..servername..url.."\" \""..data.."\" - \""..ruletag.."\"\n"
+ end
+ local filename = logpath..'/'..servername.."_"..ngx.today().."_sec.log"
+ write(filename,line)
+ end
end
------------------------------------规则读取函数-------------------------------------------------------------------
-local function read_rule(var)
- file = io.open(rulepath..'/'..var,"r")
- if file==nil then
- return
- end
- t = {}
- for line in file:lines() do
- table.insert(t,line)
- end
- file:close()
- return(t)
-end
+--local function read_rule(var)
+-- file = io.open(rulepath..'/'..var,"r")
+-- if file==nil then
+-- return
+-- end
+-- t = {}
+-- for line in file:lines() do
+-- table.insert(t,line)
+-- end
+-- file:close()
+-- return(t)
+--end
+
+--local function read_json(var)
+-- file = io.open(rulepath..'/'..var,"r")
+-- if file==nil then
+-- return
+-- end
+-- str = file:read("*a")
+-- file:close()
+-- list = cjson.decode(str)
+-- return list
+--end
+
local function read_json(var)
- file = io.open(rulepath..'/'..var,"r")
- if file==nil then
- return
- end
+ file = io.open(rulepath..'/'..var .. '.json',"r")
+ if file==nil then
+ return
+ end
str = file:read("*a")
file:close()
list = cjson.decode(str)
return list
end
-local function read_str(var)
- file = io.open(rulepath..'/'..var,"r")
- if file==nil then
- return
- end
- local str = file:read("*a")
- file:close()
- return str
+
+local function select_rules(rules)
+ if not rules then return {} end
+ new_rules = {}
+ for i,v in ipairs(rules) do
+ if v[1] == 1 then
+ print("111")
+ table.insert(new_rules,v[2])
+ end
+ end
+ return new_rules
end
+local function read_str(var)
+ file = io.open(rulepath..'/'..var,"r")
+ if file==nil then
+ return
+ end
+ local str = file:read("*a")
+ file:close()
+ return str
+end
+local argsCheckList=select_rules(read_json('args_check'))
+local postCheckList=select_rules(read_json('post_check'))
+local cookieBlockList=select_rules(read_json('cookie_block'))
+local uarules=select_rules(read_json('user_agent'))
-local urlWhiteList=read_rule('urlWhiteList')
-local urlBlockList=read_rule('urlBlockList')
-local argsCheckList=read_rule('argsCheckList')
-local postCheckList=read_rule('postCheckList')
-local cookieBlockList=read_rule('cookieBlockList')
-local ipWhiteList=read_json('ipWhiteList')
-local ipBlockList=read_json('ipBlockList')
-local ccRate=read_str('ccRate')
-local fileExtBlockList = read_json('fileExtBlockList')
+local urlWhiteList=read_json('url_white')
+local urlBlockList=read_json('url_block')
+local ipWhiteList=read_json('ip_white')
+local ipBlockList=read_json('ip_block')
+local fileExtBlockList = read_json('file_ext_block')
+local ccRate=read_str('cc.json')
local html=read_str('html')
-local uarules=read_rule('user-agent')
local function say_html()
- if Redirect then
- ngx.header.content_type = "text/html"
- ngx.status = ngx.HTTP_FORBIDDEN
- ngx.say(html)
- ngx.exit(ngx.status)
- end
+ if Redirect then
+ ngx.header.content_type = "text/html"
+ ngx.status = ngx.HTTP_FORBIDDEN
+ ngx.say(html)
+ ngx.exit(ngx.status)
+ end
end
local function whiteurl()
- if UrlWhiteAllow then
- if urlWhiteList ~=nil then
- for _,rule in pairs(urlWhiteList) do
- if ngxmatch(ngx.var.uri,rule,"isjo") then
- return true
- end
- end
- end
- end
- return false
+ if UrlWhiteAllow then
+ if urlWhiteList ~=nil then
+ for _,rule in pairs(urlWhiteList) do
+ if ngxmatch(ngx.var.uri,rule,"isjo") then
+ return true
+ end
+ end
+ end
+ end
+ return false
end
local function fileExtCheck(ext)
- if FileExtDeny then
- local items = Set(fileExtBlockList)
- ext=string.lower(ext)
- if ext then
- for rule in pairs(items) do
- if ngx.re.match(ext,rule,"isjo") then
- log('POST',ngx.var.request_uri,"-","file attack with ext "..ext)
- say_html()
- end
- end
- end
- end
- return false
+ if FileExtDeny then
+ local items = Set(fileExtBlockList)
+ ext=string.lower(ext)
+ if ext then
+ for rule in pairs(items) do
+ if ngx.re.match(ext,rule,"isjo") then
+ log('POST',ngx.var.request_uri,"-","file attack with ext "..ext)
+ say_html()
+ end
+ end
+ end
+ end
+ return false
end
function Set (list)
- local set = {}
- for _, l in ipairs(list) do set[l] = true end
- return set
+ local set = {}
+ for _, l in ipairs(list) do set[l] = true end
+ return set
end
local function args()
- if ArgsDeny then
- if argsCheckList then
- for _,rule in pairs(argsCheckList) do
- local uriArgs = ngx.req.get_uri_args()
- for key, val in pairs(uriArgs) do
- if type(val)=='table' then
- local t={}
- for k,v in pairs(val) do
- if v == true then
- v=""
- end
- table.insert(t,v)
- end
- data=table.concat(t, " ")
- else
- data=val
- end
- if data and type(data) ~= "boolean" and rule ~="" and ngxmatch(unescape(data),rule,"isjo") then
- log('GET',ngx.var.request_uri,"-",rule)
- say_html()
- return true
- end
- end
- end
- end
- end
- return false
+ if ArgsDeny then
+ if argsCheckList then
+ for _,rule in pairs(argsCheckList) do
+ local uriArgs = ngx.req.get_uri_args()
+ for key, val in pairs(uriArgs) do
+ if type(val)=='table' then
+ local t={}
+ for k,v in pairs(val) do
+ if v == true then
+ v=""
+ end
+ table.insert(t,v)
+ end
+ data=table.concat(t, " ")
+ else
+ data=val
+ end
+ if data and type(data) ~= "boolean" and rule ~="" and ngxmatch(unescape(data),rule,"isjo") then
+ log('GET',ngx.var.request_uri,"-",rule)
+ say_html()
+ return true
+ end
+ end
+ end
+ end
+ end
+ return false
end
local function url()
- if UrlBlockDeny then
- for _,rule in pairs(urlBlockList) do
- if rule ~="" and ngxmatch(ngx.var.request_uri,rule,"isjo") then
- log('GET',ngx.var.request_uri,"-",rule)
- say_html()
- return true
- end
- end
- end
- return false
+ if UrlBlockDeny then
+ for _,rule in pairs(urlBlockList) do
+ if rule ~="" and ngxmatch(ngx.var.request_uri,rule,"isjo") then
+ log('GET',ngx.var.request_uri,"-",rule)
+ say_html()
+ return true
+ end
+ end
+ end
+ return false
end
function ua()
- local ua = ngx.var.http_user_agent
- if ua ~= nil then
- for _,rule in pairs(uarules) do
- if rule ~="" and ngxmatch(ua,rule,"isjo") then
- log('UA',ngx.var.request_uri,"-",rule)
- say_html()
- return true
- end
- end
- end
- return false
+ local ua = ngx.var.http_user_agent
+ if ua ~= nil then
+ for _,rule in pairs(uarules) do
+ if rule ~="" and ngxmatch(ua,rule,"isjo") then
+ log('UA',ngx.var.request_uri,"-",rule)
+ say_html()
+ return true
+ end
+ end
+ end
+ return false
end
function body(data)
- for _,rule in pairs(postCheckList) do
- if rule ~="" and data~="" and ngxmatch(unescape(data),rule,"isjo") then
- log('POST',ngx.var.request_uri,data,rule)
- say_html()
- return true
- end
- end
- return false
+ for _,rule in pairs(postCheckList) do
+ if rule ~="" and data~="" and ngxmatch(unescape(data),rule,"isjo") then
+ log('POST',ngx.var.request_uri,data,rule)
+ say_html()
+ return true
+ end
+ end
+ return false
end
local function cookie()
- local ck = ngx.var.http_cookie
- if CookieDeny and ck then
- for _,rule in pairs(cookieBlockList) do
- if rule ~="" and ngxmatch(ck,rule,"isjo") then
- log('Cookie',ngx.var.request_uri,"-",rule)
- say_html()
- return true
- end
- end
- end
- return false
+ local ck = ngx.var.http_cookie
+ if CookieDeny and ck then
+ for _,rule in pairs(cookieBlockList) do
+ if rule ~="" and ngxmatch(ck,rule,"isjo") then
+ log('Cookie',ngx.var.request_uri,"-",rule)
+ say_html()
+ return true
+ end
+ end
+ end
+ return false
end
local function denycc()
- if CCDeny and ccRate then
- local uri=ngx.var.uri
- CCcount=tonumber(string.match(ccRate,'(.*)/'))
- CCseconds=tonumber(string.match(ccRate,'/(.*)'))
- local uri = getClientIp()..uri
- local limit = ngx.shared.limit
- local req,_=limit:get(uri)
- if req then
- if req > CCcount then
- ngx.exit(503)
- return true
- else
- limit:incr(token,1)
- end
- else
- limit:set(uri,1,CCseconds)
- end
- end
- return false
+ if CCDeny and ccRate then
+ local uri=ngx.var.uri
+ CCcount=tonumber(string.match(ccRate,'(.*)/'))
+ CCseconds=tonumber(string.match(ccRate,'/(.*)'))
+ local uri = getClientIp()..uri
+ local limit = ngx.shared.limit
+ local req,_=limit:get(uri)
+ if req then
+ if req > CCcount then
+ ngx.exit(503)
+ return true
+ else
+ limit:incr(token,1)
+ end
+ else
+ limit:set(uri,1,CCseconds)
+ end
+ end
+ return false
end
local function get_boundary()
- local header = get_headers()["content-type"]
- if not header then
- return nil
- end
+ local header = get_headers()["content-type"]
+ if not header then
+ return nil
+ end
- if type(header) == "table" then
- header = header[1]
- end
+ if type(header) == "table" then
+ header = header[1]
+ end
- local m = match(header, ";%s*boundary=\"([^\"]+)\"")
- if m then
- return m
- end
+ local m = match(header, ";%s*boundary=\"([^\"]+)\"")
+ if m then
+ return m
+ end
- return match(header, ";%s*boundary=([^\",;]+)")
+ return match(header, ";%s*boundary=([^\",;]+)")
end
local function whiteip()
- if IpWhiteAllow then
- if next(ipWhiteList) ~= nil then
- for _,ip in pairs(ipWhiteList) do
- if getClientIp()==ip then
- return true
- end
- end
- end
- end
- return false
+ if IpWhiteAllow then
+ if next(ipWhiteList) ~= nil then
+ for _,ip in pairs(ipWhiteList) do
+ if getClientIp()==ip then
+ return true
+ end
+ end
+ end
+ end
+ return false
end
local function blockip()
- if IpBlockDeny then
- if next(ipBlockList) ~= nil then
- for _,ip in pairs(ipBlockList) do
- if getClientIp()==ip then
- ngx.exit(403)
- return true
- end
- end
- end
- end
- return false
+ if IpBlockDeny then
+ if next(ipBlockList) ~= nil then
+ for _,ip in pairs(ipBlockList) do
+ if getClientIp()==ip then
+ ngx.exit(403)
+ return true
+ end
+ end
+ end
+ end
+ return false
end
@@ -310,74 +334,74 @@ elseif url() then
elseif args() then
elseif cookie() then
elseif PostDeny then
- if method=="POST" then
- local boundary = get_boundary()
- if boundary then
- local len = string.len
+ if method=="POST" then
+ local boundary = get_boundary()
+ if boundary then
+ local len = string.len
local sock, err = ngx.req.socket()
- if not sock then
- return
+ if not sock then
+ return
end
- ngx.req.init_body(128 * 1024)
+ ngx.req.init_body(128 * 1024)
sock:settimeout(0)
- local content_length = nil
- content_length=tonumber(ngx.req.get_headers()['content-length'])
- local chunk_size = 4096
+ local content_length = nil
+ content_length=tonumber(ngx.req.get_headers()['content-length'])
+ local chunk_size = 4096
if content_length < chunk_size then
- chunk_size = content_length
- end
+ chunk_size = content_length
+ end
local size = 0
- while size < content_length do
- local data, err, partial = sock:receive(chunk_size)
- data = data or partial
- if not data then
- return
- end
- ngx.req.append_body(data)
- if body(data) then
- return true
- end
- size = size + len(data)
- local m = ngxmatch(data,[[Content-Disposition: form-data;(.+)filename="(.+)\\.(.*)"]],'ijo')
- if m then
- fileExtCheck(m[3])
- filetranslate = true
- else
- if ngxmatch(data,"Content-Disposition:",'isjo') then
- filetranslate = false
- end
- if filetranslate==false then
- if body(data) then
- return true
- end
- end
- end
- local less = content_length - size
- if less < chunk_size then
- chunk_size = less
- end
- end
- ngx.req.finish_body()
- else
- ngx.req.read_body()
- local args = ngx.req.get_post_args()
- if not args then
- return
- end
- for key, val in pairs(args) do
- if type(val) == "table" then
- if type(val[1]) == "boolean" then
- return
- end
- data=table.concat(val, ", ")
- else
- data=val
- end
- if data and type(data) ~= "boolean" and body(data) then
- body(key)
- end
- end
- end
+ while size < content_length do
+ local data, err, partial = sock:receive(chunk_size)
+ data = data or partial
+ if not data then
+ return
+ end
+ ngx.req.append_body(data)
+ if body(data) then
+ return true
+ end
+ size = size + len(data)
+ local m = ngxmatch(data,[[Content-Disposition: form-data;(.+)filename="(.+)\\.(.*)"]],'ijo')
+ if m then
+ fileExtCheck(m[3])
+ filetranslate = true
+ else
+ if ngxmatch(data,"Content-Disposition:",'isjo') then
+ filetranslate = false
+ end
+ if filetranslate==false then
+ if body(data) then
+ return true
+ end
+ end
+ end
+ local less = content_length - size
+ if less < chunk_size then
+ chunk_size = less
+ end
+ end
+ ngx.req.finish_body()
+ else
+ ngx.req.read_body()
+ local args = ngx.req.get_post_args()
+ if not args then
+ return
+ end
+ for key, val in pairs(args) do
+ if type(val) == "table" then
+ if type(val[1]) == "boolean" then
+ return
+ end
+ data=table.concat(val, ", ")
+ else
+ data=val
+ end
+ if data and type(data) ~= "boolean" and body(data) then
+ body(key)
+ end
+ end
+ end
end
else
return
diff --git a/apps/nginx/versions/1.21.4/www/common/waf/rules/argsCheckList b/apps/nginx/versions/1.21.4/www/common/waf/rules/argsCheckList
deleted file mode 100644
index d5bf8e807..000000000
--- a/apps/nginx/versions/1.21.4/www/common/waf/rules/argsCheckList
+++ /dev/null
@@ -1,22 +0,0 @@
-\.\./
-\:\$
-\$\{
-select.+(from|limit)
-(?:(union(.*?)select))
-having|rongjitest
-sleep\((\s*)(\d*)(\s*)\)
-benchmark\((.*)\,(.*)\)
-base64_decode\(
-(?:from\W+information_schema\W)
-(?:(?:current_)user|database|schema|connection_id)\s*\(
-(?:etc\/\W*passwd)
-into(\s+)+(?:dump|out)file\s*
-group\s+by.+\(
-xwork.MethodAccessor
-(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\(
-xwork\.MethodAccessor
-(gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\/
-java\.lang
-\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\[
-\<(iframe|script|body|img|layer|div|meta|style|base|object|input)
-(onmouseover|onerror|onload)\=
diff --git a/apps/nginx/versions/1.21.4/www/common/waf/rules/args_check.json b/apps/nginx/versions/1.21.4/www/common/waf/rules/args_check.json
new file mode 100644
index 000000000..0b1767cb5
--- /dev/null
+++ b/apps/nginx/versions/1.21.4/www/common/waf/rules/args_check.json
@@ -0,0 +1,26 @@
+[
+ ["\\.\\./\\.\\./", "\u76ee\u5f55\u4fdd\u62a41", 1 ],
+ ["(?:etc\\/\\W*passwd)", "\u76ee\u5f55\u4fdd\u62a43", 1 ],
+ ["(gopher|doc|php|glob|^file|phar|zlib|ftp|ldap|dict|ogg|data)\\:\\/", "PHP\u6d41\u534f\u8bae\u8fc7\u6ee41", 1 ],
+ ["base64_decode\\(", "\u4e00\u53e5\u8bdd\u6728\u9a6c\u8fc7\u6ee43", 1],
+ ["(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|char|chr|preg_\\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\\(", "\u4e00\u53e5\u8bdd\u6728\u9a6c\u8fc7\u6ee44", 1 ],
+ ["\\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\\[", "\u4e00\u53e5\u8bdd\u6728\u9a6c\u8fc7\u6ee45", 1],
+ ["select.+(from|limit)", "SQL\u6ce8\u5165\u8fc7\u6ee42", 1 ],
+ ["(?:(union(.*?)select))", "SQL\u6ce8\u5165\u8fc7\u6ee43", 1 ],
+ ["benchmark\\((.*)\\,(.*)\\)", "SQL\u6ce8\u5165\u8fc7\u6ee46", 1],
+ ["(?:from\\W+information_schema\\W)", "SQL\u6ce8\u5165\u8fc7\u6ee47", 1],
+ ["(?:(?:current_)user|database|concat|extractvalue|polygon|updatexml|geometrycollection|schema|multipoint|multipolygon|connection_id|linestring|multilinestring|exp|right|sleep|group_concat|load_file|benchmark|file_put_contents|urldecode|system|file_get_contents|select|substring|substr|fopen|popen|phpinfo|user|alert|scandir|shell_exec|eval|execute|concat_ws|strcmp|right)\\s*\\(", "SQL\u6ce8\u5165\u8fc7\u6ee48", 1 ],
+ ["\\<(iframe|script|body|img|layer|div|meta|style|base|object)", "XSS\u8fc7\u6ee41", 1],
+ ["(invokefunction|call_user_func_array|\\\\think\\\\)", "ThinkPHP payload\u5c01\u5835", 1 ],
+ ["^url_array\\[.*\\]$", "Metinfo6.x XSS\u6f0f\u6d1e", 1],
+ ["(extractvalue\\(|concat\\(0x|user\\(\\)|substring\\(|count\\(\\*\\)|substring\\(hex\\(|updatexml\\()", "SQL\u62a5\u9519\u6ce8\u5165\u8fc7\u6ee401", 1],
+ ["(@@version|load_file\\(|NAME_CONST\\(|exp\\(\\~|floor\\(rand\\(|geometrycollection\\(|multipoint\\(|polygon\\(|multipolygon\\(|linestring\\(|multilinestring\\()", "SQL\u62a5\u9519\u6ce8\u5165\u8fc7\u6ee402", 1],
+ ["(ORD\\(|MID\\(|IFNULL\\(|CAST\\(|CHAR\\()", "SQL\u6ce8\u5165\u8fc7\u6ee41", 1],
+ ["(EXISTS\\(|SELECT\\#|\\(SELECT)", "SQL\u6ce8\u5165\u8fc7\u6ee41", 1],
+ ["(bin\\(|ascii\\(|benchmark\\(|concat_ws\\(|group_concat\\(|strcmp\\(|left\\(|datadir\\(|greatest\\()", "SQL\u62a5\u9519\u6ce8\u5165\u8fc7\u6ee401", 1],
+ ["(?:from.+?information_schema.+?)", "", 1],
+ ["(array_map\\(\"ass)", "\u83dc\u5200\u6d41\u91cf\u8fc7\u6ee4", 1],
+ ["'$", "test", 1],
+ ["\\${jndi:", "log4j2\u62e6\u622a", 1 ],
+ ["terrewrewrwr", "", 1]
+]
\ No newline at end of file
diff --git a/apps/nginx/versions/1.21.4/www/common/waf/rules/ccRate b/apps/nginx/versions/1.21.4/www/common/waf/rules/cc.json
similarity index 100%
rename from apps/nginx/versions/1.21.4/www/common/waf/rules/ccRate
rename to apps/nginx/versions/1.21.4/www/common/waf/rules/cc.json
diff --git a/apps/nginx/versions/1.21.4/www/common/waf/rules/cookieBlockList b/apps/nginx/versions/1.21.4/www/common/waf/rules/cookieBlockList
deleted file mode 100644
index 30554cacd..000000000
--- a/apps/nginx/versions/1.21.4/www/common/waf/rules/cookieBlockList
+++ /dev/null
@@ -1,20 +0,0 @@
-\.\./
-\:\$
-\$\{
-select.+(from|limit)
-(?:(union(.*?)select))
-having|rongjitest
-sleep\((\s*)(\d*)(\s*)\)
-benchmark\((.*)\,(.*)\)
-base64_decode\(
-(?:from\W+information_schema\W)
-(?:(?:current_)user|database|schema|connection_id)\s*\(
-(?:etc\/\W*passwd)
-into(\s+)+(?:dump|out)file\s*
-group\s+by.+\(
-xwork.MethodAccessor
-(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\(
-xwork\.MethodAccessor
-(gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\/
-java\.lang
-\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\[
diff --git a/apps/nginx/versions/1.21.4/www/common/waf/rules/cookie_block.json b/apps/nginx/versions/1.21.4/www/common/waf/rules/cookie_block.json
new file mode 100644
index 000000000..659a58c06
--- /dev/null
+++ b/apps/nginx/versions/1.21.4/www/common/waf/rules/cookie_block.json
@@ -0,0 +1,12 @@
+[
+ ["base64_decode\\(","一句话木马过滤3",1],
+ ["\\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\\[","一句话木马过滤5",1],
+ ["select.+(from|limit)","SQL注入过滤2",1],
+ ["(?:(union(.*?)select))","SQL注入过滤3",1],
+ ["sleep\\((\\s*)(\\d*)(\\s*)\\)","SQL注入过滤5",1],
+ ["benchmark\\((.*)\\,(.*)\\)","SQL注入过滤6",1],
+ ["(?:from\\W+information_schema\\W)","SQL注入过滤7",1],
+ ["(?:(?:current_)user|database|schema|connection_id)\\s*\\(","SQL注入过滤8",1],
+ ["into(\\s+)+(?:dump|out)file\\s*","SQL注入过滤9",1],
+ ["group\\s+by.+\\(","SQL注入过滤10",1]
+]
diff --git a/apps/nginx/versions/1.21.4/www/common/waf/rules/fileExtBlockList b/apps/nginx/versions/1.21.4/www/common/waf/rules/file_ext_block.json
similarity index 100%
rename from apps/nginx/versions/1.21.4/www/common/waf/rules/fileExtBlockList
rename to apps/nginx/versions/1.21.4/www/common/waf/rules/file_ext_block.json
diff --git a/apps/nginx/versions/1.21.4/www/common/waf/rules/ipBlockList b/apps/nginx/versions/1.21.4/www/common/waf/rules/ip_block.json
similarity index 100%
rename from apps/nginx/versions/1.21.4/www/common/waf/rules/ipBlockList
rename to apps/nginx/versions/1.21.4/www/common/waf/rules/ip_block.json
diff --git a/apps/nginx/versions/1.21.4/www/common/waf/rules/ip_white.json b/apps/nginx/versions/1.21.4/www/common/waf/rules/ip_white.json
new file mode 100644
index 000000000..0c01f2ace
--- /dev/null
+++ b/apps/nginx/versions/1.21.4/www/common/waf/rules/ip_white.json
@@ -0,0 +1 @@
+["1.1.1.1"]
\ No newline at end of file
diff --git a/apps/nginx/versions/1.21.4/www/common/waf/rules/postCheckList b/apps/nginx/versions/1.21.4/www/common/waf/rules/postCheckList
deleted file mode 100644
index 87d094656..000000000
--- a/apps/nginx/versions/1.21.4/www/common/waf/rules/postCheckList
+++ /dev/null
@@ -1,19 +0,0 @@
-select.+(from|limit)
-(?:(union(.*?)select))
-having|rongjitest
-sleep\((\s*)(\d*)(\s*)\)
-benchmark\((.*)\,(.*)\)
-base64_decode\(
-(?:from\W+information_schema\W)
-(?:(?:current_)user|database|schema|connection_id)\s*\(
-(?:etc\/\W*passwd)
-into(\s+)+(?:dump|out)file\s*
-group\s+by.+\(
-xwork.MethodAccessor
-(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\(
-xwork\.MethodAccessor
-(gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\/
-java\.lang
-\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\[
-\<(iframe|script|body|img|layer|div|meta|style|base|object|input)
-(onmouseover|onerror|onload)\=
diff --git a/apps/nginx/versions/1.21.4/www/common/waf/rules/post_check.json b/apps/nginx/versions/1.21.4/www/common/waf/rules/post_check.json
new file mode 100644
index 000000000..22d80c6e2
--- /dev/null
+++ b/apps/nginx/versions/1.21.4/www/common/waf/rules/post_check.json
@@ -0,0 +1,22 @@
+[
+ ["\\.\\./\\.\\./", "\u76ee\u5f55\u4fdd\u62a41", 1],
+ ["(?:etc\\/\\W*passwd)", "\u76ee\u5f55\u4fdd\u62a43", 1],
+ ["(gopher|doc|php|glob|^file|phar|zlib|ftp|ldap|dict|ogg|data)\\:\\/", "PHP\u6d41\u534f\u8bae\u8fc7\u6ee41", 1],
+ ["base64_decode\\(", "\u4e00\u53e5\u8bdd*\u5c4f\u853d\u7684\u5173\u952e\u5b57*\u8fc7\u6ee41", 1],
+ ["(?:define|eval|file_get_contents|include|require_once|shell_exec|phpinfo|system|passthru|chr|char|preg_\\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog|file_put_contents|fopen|urldecode|scandir)\\(", "\u4e00\u53e5\u8bdd*\u5c4f\u853d\u7684\u5173\u952e\u5b57*\u8fc7\u6ee42", 1],
+ ["\\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)", "\u4e00\u53e5\u8bdd*\u5c4f\u853d\u7684\u5173\u952e\u5b57*\u8fc7\u6ee43", 1],
+ ["select.+(from|limit)", "SQL\u6ce8\u5165\u8fc7\u6ee42",1],
+ ["(?:(union(.*?)select))", "SQL\u6ce8\u5165\u8fc7\u6ee43",1],
+ ["benchmark\\((.*)\\,(.*)\\)", "SQL\u6ce8\u5165\u8fc7\u6ee46", 1],
+ ["(?:from\\W+information_schema\\W)", "SQL\u6ce8\u5165\u8fc7\u6ee47", 1],
+ ["(?:(?:current_)user|database|concat|extractvalue|polygon|updatexml|geometrycollection|schema|multipoint|multipolygon|connection_id|linestring|multilinestring|exp|right|sleep|group_concat|load_file|benchmark|file_put_contents|urldecode|system|file_get_contents|select|substring|substr|fopen|popen|phpinfo|user|alert|scandir|shell_exec|eval|execute|concat_ws|strcmp|right)\\s*\\(", "SQL\u6ce8\u5165\u8fc7\u6ee48",1],
+ ["(extractvalue\\(|concat\\(|user\\(\\)|substring\\(|count\\(\\*\\)|substring\\(hex\\(|updatexml\\()", "SQL\u62a5\u9519\u6ce8\u5165\u8fc7\u6ee401", 1],
+ ["(@@version|load_file\\(|NAME_CONST\\(|exp\\(\\~|floor\\(rand\\(|geometrycollection\\(|multipoint\\(|polygon\\(|multipolygon\\(|linestring\\(|multilinestring\\(|right\\()", "SQL\u62a5\u9519\u6ce8\u5165\u8fc7\u6ee402", 1],
+ ["(substr\\()", "SQL\u6ce8\u5165\u8fc7\u6ee410", 1],
+ ["(ORD\\(|MID\\(|IFNULL\\(|CAST\\(|CHAR\\()", "SQL\u6ce8\u5165\u8fc7\u6ee41", 1],
+ ["(EXISTS\\(|SELECT\\#|\\(SELECT|select\\()", "SQL\u6ce8\u5165\u8fc7\u6ee41", 1],
+ ["(array_map\\(\"ass)", "\u83dc\u5200\u6d41\u91cf\u8fc7\u6ee4", 1],
+ ["(bin\\(|ascii\\(|benchmark\\(|concat_ws\\(|group_concat\\(|strcmp\\(|left\\(|datadir\\(|greatest\\()", "SQL\u62a5\u9519\u6ce8\u5165\u8fc7\u6ee401", 1],
+ ["(?:from.+?information_schema.+?)", "", 1],
+ ["\\${jndi:", "log4j2\u62e6\u622a", 1]
+]
\ No newline at end of file
diff --git a/apps/nginx/versions/1.21.4/www/common/waf/rules/urlBlockList b/apps/nginx/versions/1.21.4/www/common/waf/rules/urlBlockList
deleted file mode 100644
index 31130d347..000000000
--- a/apps/nginx/versions/1.21.4/www/common/waf/rules/urlBlockList
+++ /dev/null
@@ -1,6 +0,0 @@
-\.(svn|htaccess|bash_history)
-\.(bak|inc|old|mdb|sql|backup|java|class)$
-(vhost|bbs|host|wwwroot|www|site|root|hytop|flashfxp).*\.rar
-(phpmyadmin|jmx-console|jmxinvokerservlet)
-java\.lang
-/(attachments|upimg|images|css|uploadfiles|html|uploads|templets|static|template|data|inc|forumdata|upload|includes|cache|avatar)/(\\w+).(php|jsp)
diff --git a/apps/nginx/versions/1.21.4/www/common/waf/rules/urlWhiteList b/apps/nginx/versions/1.21.4/www/common/waf/rules/urlWhiteList
deleted file mode 100644
index 4e3c6543a..000000000
--- a/apps/nginx/versions/1.21.4/www/common/waf/rules/urlWhiteList
+++ /dev/null
@@ -1 +0,0 @@
-^/123/$
diff --git a/apps/nginx/versions/1.21.4/www/common/waf/rules/ipWhiteList b/apps/nginx/versions/1.21.4/www/common/waf/rules/url_block.json
similarity index 100%
rename from apps/nginx/versions/1.21.4/www/common/waf/rules/ipWhiteList
rename to apps/nginx/versions/1.21.4/www/common/waf/rules/url_block.json
diff --git a/apps/nginx/versions/1.21.4/www/common/waf/rules/url_white.json b/apps/nginx/versions/1.21.4/www/common/waf/rules/url_white.json
new file mode 100644
index 000000000..0637a088a
--- /dev/null
+++ b/apps/nginx/versions/1.21.4/www/common/waf/rules/url_white.json
@@ -0,0 +1 @@
+[]
\ No newline at end of file
diff --git a/apps/nginx/versions/1.21.4/www/common/waf/rules/user-agent b/apps/nginx/versions/1.21.4/www/common/waf/rules/user-agent
deleted file mode 100644
index f929be2a1..000000000
--- a/apps/nginx/versions/1.21.4/www/common/waf/rules/user-agent
+++ /dev/null
@@ -1 +0,0 @@
-(HTTrack|harvest|audit|dirbuster|pangolin|nmap|sqln|-scan|hydra|Parser|libwww|BBBike|sqlmap|w3af|owasp|Nikto|fimap|havij|PycURL|zmeu|BabyKrokodil|netsparker|httperf|bench| SF/)
diff --git a/apps/nginx/versions/1.21.4/www/common/waf/rules/user_agent.json b/apps/nginx/versions/1.21.4/www/common/waf/rules/user_agent.json
new file mode 100644
index 000000000..1f812573a
--- /dev/null
+++ b/apps/nginx/versions/1.21.4/www/common/waf/rules/user_agent.json
@@ -0,0 +1,17 @@
+[
+ ["(WPScan|HTTrack|antSword|harvest|audit|dirbuster|pangolin|nmap|sqln|hydra|Parser|libwww|BBBike|sqlmap|w3af|owasp|Nikto|fimap|havij|zmeu|BabyKrokodil|netsparker|httperf| SF/)", "\u5173\u952e\u8bcd\u8fc7\u6ee41", 1],
+ ["(?:define|eval|file_get_contents|include|require_once|shell_exec|phpinfo|system|passthru|chr|char|preg_\\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog|file_put_contents|fopen|urldecode|scandir)\\(", "\u4e00\u53e5\u8bdd*\u5c4f\u853d\u7684\u5173\u952e\u5b57*\u8fc7\u6ee42", 1],
+ ["\\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)", "\u4e00\u53e5\u8bdd*\u5c4f\u853d\u7684\u5173\u952e\u5b57*\u8fc7\u6ee43", 1],
+ ["select\\s+.+(from|limit)\\s+", "SQL\u6ce8\u5165\u8fc7\u6ee42", 1],
+ ["(?:(union(.*?)select))", "SQL\u6ce8\u5165\u8fc7\u6ee43", 1],
+ ["benchmark\\((.*)\\,(.*)\\)", "SQL\u6ce8\u5165\u8fc7\u6ee46", 1],
+ ["(?:from\\W+information_schema\\W)", "SQL\u6ce8\u5165\u8fc7\u6ee47", 1],
+ ["(?:(?:current_)user|database|schema|connection_id)\\s*\\(", "SQL\u6ce8\u5165\u8fc7\u6ee48", 1],
+ ["(extractvalue\\(|concat\\(0x|user\\(\\)|substring\\(|count\\(\\*\\)|substring\\(hex\\(|updatexml\\()", "SQL\u62a5\u9519\u6ce8\u5165\u8fc7\u6ee401", 1],
+ ["(@@version|load_file\\(|NAME_CONST\\(|exp\\(\\~|floor\\(rand\\(|geometrycollection\\(|multipoint\\(|polygon\\(|multipolygon\\(|linestring\\(|multilinestring\\()", "SQL\u62a5\u9519\u6ce8\u5165\u8fc7\u6ee402", 1],
+ ["(substr\\()", "SQL\u6ce8\u5165\u8fc7\u6ee410", 1],
+ ["(ORD\\(|MID\\(|IFNULL\\(|CAST\\(|CHAR\\))", "SQL\u6ce8\u5165\u8fc7\u6ee41", 1],
+ ["(EXISTS\\(|SELECT\\#|\\(SELECT)", "SQL\u6ce8\u5165\u8fc7\u6ee41", 1],
+ ["(array_map\\(\"ass)", "\u83dc\u5200\u6d41\u91cf\u8fc7\u6ee4", 1],
+ ["(bin\\(|ascii\\(|benchmark\\(|concat_ws\\(|group_concat\\(|strcmp\\(|left\\(|datadir\\(|greatest\\()", "SQL\u62a5\u9519\u6ce8\u5165\u8fc7\u6ee401", 1]
+]
\ No newline at end of file
diff --git a/apps/nginx/versions/1.21.4/www/common/waf/test.lua b/apps/nginx/versions/1.21.4/www/common/waf/test.lua
new file mode 100644
index 000000000..8236677f8
--- /dev/null
+++ b/apps/nginx/versions/1.21.4/www/common/waf/test.lua
@@ -0,0 +1,35 @@
+local cjson = require "cjson"
+local rulepath = "rules"
+
+local function read_json(var)
+ file = io.open(rulepath..'/'..var .. '.json',"r")
+ if file==nil then
+ return
+ end
+ str = file:read("*a")
+ file:close()
+ list = cjson.decode(str)
+ return list
+end
+
+
+local function select_rules(rules)
+ if not rules then return {} end
+ new_rules = {}
+ for i,v in ipairs(rules) do
+ if v[1] == 1 then
+ print("111")
+ table.insert(new_rules,v[2])
+ end
+ end
+ return new_rules
+end
+
+
+
+local rules = select_rules(read_json('user_agent'))
+
+for _,v in ipairs(rules) do
+ print(v)
+end
+
diff --git a/apps/redis/versions/6.0.16/conf/redis.conf b/apps/redis/versions/6.0.16/conf/redis.conf
index bea418487..218c4b0a8 100644
--- a/apps/redis/versions/6.0.16/conf/redis.conf
+++ b/apps/redis/versions/6.0.16/conf/redis.conf
@@ -1,12 +1,3 @@
-# Redis configuration rewrite by 1Panel
-timeout 0
-# maxclients 10000
-# maxmemory
-save 3600 1 300 100 60 10000
-appendonly no
-appendfsync everysec
-# End Redis configuration rewrite by 1Panel
-
# Redis configuration file example.
#
# Note that in order to read the configuration file, Redis must be
@@ -41,17 +32,8 @@ appendfsync everysec
# If instead you are interested in using includes to override configuration
# options, it is better to use include as the last line.
#
-# Included paths may contain wildcards. All files matching the wildcards will
-# be included in alphabetical order.
-# Note that if an include path contains a wildcards but no files match it when
-# the server is started, the include statement will be ignored and no error will
-# be emitted. It is safe, therefore, to include wildcard files from empty
-# directories.
-#
# include /path/to/local.conf
# include /path/to/other.conf
-# include /path/to/fragments/*.conf
-#
################################## MODULES #####################################
@@ -67,80 +49,42 @@ appendfsync everysec
# for connections from all available network interfaces on the host machine.
# It is possible to listen to just one or multiple selected interfaces using
# the "bind" configuration directive, followed by one or more IP addresses.
-# Each address can be prefixed by "-", which means that redis will not fail to
-# start if the address is not available. Being not available only refers to
-# addresses that does not correspond to any network interface. Addresses that
-# are already in use will always fail, and unsupported protocols will always BE
-# silently skipped.
#
# Examples:
#
-# bind 192.168.1.100 10.0.0.1 # listens on two specific IPv4 addresses
-# bind 127.0.0.1 ::1 # listens on loopback IPv4 and IPv6
-# bind * -::* # like the default, all available interfaces
+# bind 192.168.1.100 10.0.0.1
+# bind 127.0.0.1 ::1
#
# ~~~ WARNING ~~~ If the computer running Redis is directly exposed to the
# internet, binding to all the interfaces is dangerous and will expose the
# instance to everybody on the internet. So by default we uncomment the
# following bind directive, that will force Redis to listen only on the
-# IPv4 and IPv6 (if available) loopback interface addresses (this means Redis
-# will only be able to accept client connections from the same host that it is
-# running on).
+# IPv4 loopback interface address (this means Redis will only be able to
+# accept client connections from the same host that it is running on).
#
# IF YOU ARE SURE YOU WANT YOUR INSTANCE TO LISTEN TO ALL THE INTERFACES
-# COMMENT OUT THE FOLLOWING LINE.
-#
-# You will also need to set a password unless you explicitly disable protected
-# mode.
+# JUST COMMENT OUT THE FOLLOWING LINE.
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-# bind 127.0.0.1 -::1
-
-# By default, outgoing connections (from replica to master, from Sentinel to
-# instances, cluster bus, etc.) are not bound to a specific local address. In
-# most cases, this means the operating system will handle that based on routing
-# and the interface through which the connection goes out.
-#
-# Using bind-source-addr it is possible to configure a specific address to bind
-# to, which may also affect how the connection gets routed.
-#
-# Example:
-#
-# bind-source-addr 10.0.0.1
+bind 0.0.0.0
# Protected mode is a layer of security protection, in order to avoid that
# Redis instances left open on the internet are accessed and exploited.
#
-# When protected mode is on and the default user has no password, the server
-# only accepts local connections from the IPv4 address (127.0.0.1), IPv6 address
-# (::1) or Unix domain sockets.
+# When protected mode is on and if:
+#
+# 1) The server is not binding explicitly to a set of addresses using the
+# "bind" directive.
+# 2) No password is configured.
+#
+# The server only accepts connections from clients connecting from the
+# IPv4 and IPv6 loopback addresses 127.0.0.1 and ::1, and from Unix domain
+# sockets.
#
# By default protected mode is enabled. You should disable it only if
# you are sure you want clients from other hosts to connect to Redis
-# even if no authentication is configured.
-protected-mode no
-
-# Redis uses default hardened security configuration directives to reduce the
-# attack surface on innocent users. Therefore, several sensitive configuration
-# directives are immutable, and some potentially-dangerous commands are blocked.
-#
-# Configuration directives that control files that Redis writes to (e.g., 'dir'
-# and 'dbfilename') and that aren't usually modified during runtime
-# are protected by making them immutable.
-#
-# Commands that can increase the attack surface of Redis and that aren't usually
-# called by users are blocked by default.
-#
-# These can be exposed to either all connections or just local ones by setting
-# each of the configs listed below to either of these values:
-#
-# no - Block for any connection (remain immutable)
-# yes - Allow for any connection (no protection)
-# local - Allow only for local connections. Ones originating from the
-# IPv4 address (127.0.0.1), IPv6 address (::1) or Unix domain sockets.
-#
-# enable-protected-configs no
-# enable-debug-command no
-# enable-module-command no
+# even if no authentication is configured, nor a specific set of interfaces
+# are explicitly listed using the "bind" directive.
+protected-mode yes
# Accept connections on the specified port, default is 6379 (IANA #815344).
# If port 0 is specified Redis will not listen on a TCP socket.
@@ -161,11 +105,11 @@ tcp-backlog 511
# incoming connections. There is no default, so Redis will not listen
# on a unix socket when not specified.
#
-# unixsocket /run/redis.sock
+# unixsocket /tmp/redis.sock
# unixsocketperm 700
# Close the connection after a client is idle for N seconds (0 to disable)
-# timeout 0
+timeout 0
# TCP keepalive.
#
@@ -184,16 +128,6 @@ tcp-backlog 511
# Redis default starting with Redis 3.2.1.
tcp-keepalive 300
-# Apply OS-specific mechanism to mark the listening socket with the specified
-# ID, to support advanced routing and filtering capabilities.
-#
-# On Linux, the ID represents a connection mark.
-# On FreeBSD, the ID represents a socket cookie ID.
-# On OpenBSD, the ID represents a route table ID.
-#
-# The default value is 0, which implies no marking is required.
-# socket-mark-id 0
-
################################# TLS/SSL #####################################
# By default, TLS/SSL is disabled. To enable it, the "tls-port" configuration
@@ -209,32 +143,8 @@ tcp-keepalive 300
#
# tls-cert-file redis.crt
# tls-key-file redis.key
-#
-# If the key file is encrypted using a passphrase, it can be included here
-# as well.
-#
-# tls-key-file-pass secret
-# Normally Redis uses the same certificate for both server functions (accepting
-# connections) and client functions (replicating from a master, establishing
-# cluster bus connections, etc.).
-#
-# Sometimes certificates are issued with attributes that designate them as
-# client-only or server-only certificates. In that case it may be desired to use
-# different certificates for incoming (server) and outgoing (client)
-# connections. To do that, use the following directives:
-#
-# tls-client-cert-file client.crt
-# tls-client-key-file client.key
-#
-# If the key file is encrypted using a passphrase, it can be included here
-# as well.
-#
-# tls-client-key-file-pass secret
-
-# Configure a DH parameters file to enable Diffie-Hellman (DH) key exchange,
-# required by older versions of OpenSSL (<3.0). Newer versions do not require
-# this configuration and recommend against it.
+# Configure a DH parameters file to enable Diffie-Hellman (DH) key exchange:
#
# tls-dh-params-file redis.dh
@@ -267,12 +177,9 @@ tcp-keepalive 300
#
# tls-cluster yes
-# By default, only TLSv1.2 and TLSv1.3 are enabled and it is highly recommended
-# that older formally deprecated versions are kept disabled to reduce the attack surface.
-# You can explicitly specify TLS versions to support.
-# Allowed values are case insensitive and include "TLSv1", "TLSv1.1", "TLSv1.2",
-# "TLSv1.3" (OpenSSL >= 1.1.1) or any combination.
-# To enable only TLSv1.2 and TLSv1.3, use:
+# Explicitly specify TLS versions to support. Allowed values are case insensitive
+# and include "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3" (OpenSSL >= 1.1.1) or
+# any combination. To enable only TLSv1.2 and TLSv1.3, use:
#
# tls-protocols "TLSv1.2 TLSv1.3"
@@ -314,7 +221,6 @@ tcp-keepalive 300
# By default Redis does not run as a daemon. Use 'yes' if you need it.
# Note that Redis will write a pid file in /var/run/redis.pid when daemonized.
-# When Redis is supervised by upstart or systemd, this parameter has no impact.
daemonize no
# If you run Redis from upstart or systemd, Redis can interact with your
@@ -323,17 +229,11 @@ daemonize no
# supervised upstart - signal upstart by putting Redis into SIGSTOP mode
# requires "expect stop" in your upstart job config
# supervised systemd - signal systemd by writing READY=1 to $NOTIFY_SOCKET
-# on startup, and updating Redis status on a regular
-# basis.
# supervised auto - detect upstart or systemd method based on
# UPSTART_JOB or NOTIFY_SOCKET environment variables
# Note: these supervision methods only signal "process is ready."
# They do not enable continuous pings back to your supervisor.
-#
-# The default is "no". To run under upstart/systemd, you can simply uncomment
-# the line below:
-#
-# supervised auto
+supervised no
# If a pid file is specified, Redis writes it where specified at startup
# and removes it at exit.
@@ -344,10 +244,7 @@ daemonize no
#
# Creating a pid file is best effort: if Redis is not able to create it
# nothing bad happens, the server will start and run normally.
-#
-# Note that on modern Linux systems "/run/redis.pid" is more conforming
-# and should be used instead.
-pidfile "/var/run/redis_6379.pid"
+pidfile /var/run/redis_6379.pid
# Specify the server verbosity level.
# This can be one of:
@@ -372,74 +269,44 @@ logfile ""
# Specify the syslog facility. Must be USER or between LOCAL0-LOCAL7.
# syslog-facility local0
-# To disable the built in crash log, which will possibly produce cleaner core
-# dumps when they are needed, uncomment the following:
-#
-# crash-log-enabled no
-
-# To disable the fast memory check that's run as part of the crash log, which
-# will possibly let redis terminate sooner, uncomment the following:
-#
-# crash-memcheck-enabled no
-
# Set the number of databases. The default database is DB 0, you can select
# a different one on a per-connection basis using SELECT where
# dbid is a number between 0 and 'databases'-1
databases 16
# By default Redis shows an ASCII art logo only when started to log to the
-# standard output and if the standard output is a TTY and syslog logging is
-# disabled. Basically this means that normally a logo is displayed only in
-# interactive sessions.
+# standard output and if the standard output is a TTY. Basically this means
+# that normally a logo is displayed only in interactive sessions.
#
# However it is possible to force the pre-4.0 behavior and always show a
# ASCII art logo in startup logs by setting the following option to yes.
-always-show-logo no
-
-# By default, Redis modifies the process title (as seen in 'top' and 'ps') to
-# provide some runtime information. It is possible to disable this and leave
-# the process name as executed by setting the following to no.
-set-proc-title yes
-
-# When changing the process title, Redis uses the following template to construct
-# the modified title.
-#
-# Template variables are specified in curly brackets. The following variables are
-# supported:
-#
-# {title} Name of process as executed if parent, or type of child process.
-# {listen-addr} Bind address or '*' followed by TCP or TLS port listening on, or
-# Unix socket if only that's available.
-# {server-mode} Special mode, i.e. "[sentinel]" or "[cluster]".
-# {port} TCP port listening on, or 0.
-# {tls-port} TLS port listening on, or 0.
-# {unixsocket} Unix domain socket listening on, or "".
-# {config-file} Name of configuration file used.
-#
-proc-title-template "{title} {listen-addr} {server-mode}"
+always-show-logo yes
################################ SNAPSHOTTING ################################
+#
+# Save the DB on disk:
+#
+# save
+#
+# Will save the DB if both the given number of seconds and the given
+# number of write operations against the DB occurred.
+#
+# In the example below the behavior will be to save:
+# after 900 sec (15 min) if at least 1 key changed
+# after 300 sec (5 min) if at least 10 keys changed
+# after 60 sec if at least 10000 keys changed
+#
+# Note: you can disable saving completely by commenting out all "save" lines.
+#
+# It is also possible to remove all the previously configured save
+# points by adding a save directive with a single empty string argument
+# like in the following example:
+#
+# save ""
-# Save the DB to disk.
-#
-# save [ ...]
-#
-# Redis will save the DB if the given number of seconds elapsed and it
-# surpassed the given number of write operations against the DB.
-#
-# Snapshotting can be completely disabled with a single empty string argument
-# as in following example:
-#
-# save ""
-#
-# Unless specified otherwise, by default Redis will save the DB:
-# * After 3600 seconds (an hour) if at least 1 change was performed
-# * After 300 seconds (5 minutes) if at least 100 changes were performed
-# * After 60 seconds if at least 10000 changes were performed
-#
-# You can set these explicitly by uncommenting the following line.
-#
-# save 3600 1 300 100 60 10000
+save 900 1
+save 300 10
+save 60 10000
# By default Redis will stop accepting writes if RDB snapshots are enabled
# (at least one save point) and the latest background save failed.
@@ -471,23 +338,8 @@ rdbcompression yes
# tell the loading code to skip the check.
rdbchecksum yes
-# Enables or disables full sanitization checks for ziplist and listpack etc when
-# loading an RDB or RESTORE payload. This reduces the chances of a assertion or
-# crash later on while processing commands.
-# Options:
-# no - Never perform full sanitization
-# yes - Always perform full sanitization
-# clients - Perform full sanitization only for user connections.
-# Excludes: RDB files, RESTORE commands received from the master
-# connection, and client connections which have the
-# skip-sanitize-payload ACL flag.
-# The default should be 'clients' but since it currently affects cluster
-# resharding via MIGRATE, it is temporarily set to 'no' by default.
-#
-# sanitize-dump-payload no
-
# The filename where to dump the DB
-dbfilename "dump.rdb"
+dbfilename dump.rdb
# Remove RDB files used by replication in instances without persistence
# enabled. By default this option is disabled, however there are environments
@@ -510,7 +362,7 @@ rdb-del-sync-files no
# The Append Only File will also be created inside this directory.
#
# Note that you must specify a directory here, not a file name.
-dir "/data"
+dir ./
################################# REPLICATION #################################
@@ -560,10 +412,9 @@ dir "/data"
# still reply to client requests, possibly with out of date data, or the
# data set may just be empty if this is the first synchronization.
#
-# 2) If replica-serve-stale-data is set to 'no' the replica will reply with error
-# "MASTERDOWN Link with MASTER is down and replica-serve-stale-data is set to 'no'"
-# to all data access commands, excluding commands such as:
-# INFO, REPLICAOF, AUTH, SHUTDOWN, REPLCONF, ROLE, CONFIG, SUBSCRIBE,
+# 2) If replica-serve-stale-data is set to 'no' the replica will reply with
+# an error "SYNC with master in progress" to all commands except:
+# INFO, REPLICAOF, AUTH, PING, SHUTDOWN, REPLCONF, ROLE, CONFIG, SUBSCRIBE,
# UNSUBSCRIBE, PSUBSCRIBE, PUNSUBSCRIBE, PUBLISH, PUBSUB, COMMAND, POST,
# HOST and LATENCY.
#
@@ -612,7 +463,7 @@ replica-read-only yes
#
# With slow disks and fast (large bandwidth) networks, diskless replication
# works better.
-repl-diskless-sync yes
+repl-diskless-sync no
# When diskless replication is enabled, it is possible to configure the delay
# the server waits in order to spawn the child that transfers the RDB via socket
@@ -626,18 +477,12 @@ repl-diskless-sync yes
# it entirely just set it to 0 seconds and the transfer will start ASAP.
repl-diskless-sync-delay 5
-# When diskless replication is enabled with a delay, it is possible to let
-# the replication start before the maximum delay is reached if the maximum
-# number of replicas expected have connected. Default of 0 means that the
-# maximum is not defined and Redis will wait the full delay.
-repl-diskless-sync-max-replicas 0
-
# -----------------------------------------------------------------------------
# WARNING: RDB diskless load is experimental. Since in this setup the replica
# does not immediately store an RDB on disk, it may cause data loss during
# failovers. RDB diskless load + Redis modules not handling I/O reads may also
# cause Redis to abort in case of I/O errors during the initial synchronization
-# stage with the master. Use only if you know what you are doing.
+# stage with the master. Use only if your do what you are doing.
# -----------------------------------------------------------------------------
#
# Replica can load the RDB it reads from the replication link directly from the
@@ -646,23 +491,19 @@ repl-diskless-sync-max-replicas 0
#
# In many cases the disk is slower than the network, and storing and loading
# the RDB file may increase replication time (and even increase the master's
-# Copy on Write memory and replica buffers).
+# Copy on Write memory and salve buffers).
# However, parsing the RDB file directly from the socket may mean that we have
# to flush the contents of the current database before the full rdb was
# received. For this reason we have the following options:
#
# "disabled" - Don't use diskless load (store the rdb file to the disk first)
# "on-empty-db" - Use diskless load only when it is completely safe.
-# "swapdb" - Keep current db contents in RAM while parsing the data directly
-# from the socket. Replicas in this mode can keep serving current
-# data set while replication is in progress, except for cases where
-# they can't recognize master as having a data set from same
-# replication history.
-# Note that this requires sufficient memory, if you don't have it,
-# you risk an OOM kill.
+# "swapdb" - Keep a copy of the current db contents in RAM while parsing
+# the data directly from the socket. note that this requires
+# sufficient memory, if you don't have it, you risk an OOM kill.
repl-diskless-load disabled
-# Master send PINGs to its replicas in a predefined interval. It's possible to
+# Replicas send PINGs to server in a predefined interval. It's possible to
# change this interval with the repl_ping_replica_period option. The default
# value is 10 seconds.
#
@@ -737,43 +578,6 @@ repl-disable-tcp-nodelay no
# By default the priority is 100.
replica-priority 100
-# The propagation error behavior controls how Redis will behave when it is
-# unable to handle a command being processed in the replication stream from a master
-# or processed while reading from an AOF file. Errors that occur during propagation
-# are unexpected, and can cause data inconsistency. However, there are edge cases
-# in earlier versions of Redis where it was possible for the server to replicate or persist
-# commands that would fail on future versions. For this reason the default behavior
-# is to ignore such errors and continue processing commands.
-#
-# If an application wants to ensure there is no data divergence, this configuration
-# should be set to 'panic' instead. The value can also be set to 'panic-on-replicas'
-# to only panic when a replica encounters an error on the replication stream. One of
-# these two panic values will become the default value in the future once there are
-# sufficient safety mechanisms in place to prevent false positive crashes.
-#
-# propagation-error-behavior ignore
-
-# Replica ignore disk write errors controls the behavior of a replica when it is
-# unable to persist a write command received from its master to disk. By default,
-# this configuration is set to 'no' and will crash the replica in this condition.
-# It is not recommended to change this default, however in order to be compatible
-# with older versions of Redis this config can be toggled to 'yes' which will just
-# log a warning and execute the write command it got from the master.
-#
-# replica-ignore-disk-write-errors no
-
-# -----------------------------------------------------------------------------
-# By default, Redis Sentinel includes all replicas in its reports. A replica
-# can be excluded from Redis Sentinel's announcements. An unannounced replica
-# will be ignored by the 'sentinel replicas ' command and won't be
-# exposed to Redis Sentinel's clients.
-#
-# This option does not change the behavior of replica-priority. Even with
-# replica-announced set to 'no', the replica can be promoted to master. To
-# prevent this behavior, set replica-priority to 0.
-#
-# replica-announced yes
-
# It is possible for a master to stop accepting writes if there are less than
# N replicas connected, having a lag less or equal than M seconds.
#
@@ -829,7 +633,7 @@ replica-priority 100
# Redis implements server assisted support for client side caching of values.
# This is implemented using an invalidation table that remembers, using
-# a radix key indexed by key name, what clients have which keys. In turn
+# 16 millions of slots, what clients may have certain subsets of keys. In turn
# this is used in order to send invalidation messages to clients. Please
# check this page to understand more about the feature:
#
@@ -893,12 +697,8 @@ replica-priority 100
# off Disable the user: it's no longer possible to authenticate
# with this user, however the already authenticated connections
# will still work.
-# skip-sanitize-payload RESTORE dump-payload sanitization is skipped.
-# sanitize-payload RESTORE dump-payload is sanitized (default).
-# + Allow the execution of that command.
-# May be used with `|` for allowing subcommands (e.g "+config|get")
-# - Disallow the execution of that command.
-# May be used with `|` for blocking subcommands (e.g "-config|set")
+# + Allow the execution of that command
+# - Disallow the execution of that command
# +@ Allow the execution of all the commands in such category
# with valid categories are like @admin, @set, @sortedset, ...
# and so forth, see the full list in the server.c file where
@@ -906,11 +706,10 @@ replica-priority 100
# The special category @all means all the commands, but currently
# present in the server, and that will be loaded in the future
# via modules.
-# +|first-arg Allow a specific first argument of an otherwise
-# disabled command. It is only supported on commands with
-# no sub-commands, and is not allowed as negative form
-# like -SELECT|1, only additive starting with "+". This
-# feature is deprecated and may be removed in the future.
+# +|subcommand Allow a specific subcommand of an otherwise
+# disabled command. Note that this form is not
+# allowed as negative like -DEBUG|SEGFAULT, but
+# only additive starting with "+".
# allcommands Alias for +@all. Note that it implies the ability to execute
# all the future commands loaded via the modules system.
# nocommands Alias for -@all.
@@ -918,17 +717,8 @@ replica-priority 100
# commands. For instance ~* allows all the keys. The pattern
# is a glob-style pattern like the one of KEYS.
# It is possible to specify multiple patterns.
-# %R~ Add key read pattern that specifies which keys can be read
-# from.
-# %W~ Add key write pattern that specifies which keys can be
-# written to.
# allkeys Alias for ~*
# resetkeys Flush the list of allowed keys patterns.
-# & Add a glob-style pattern of Pub/Sub channels that can be
-# accessed by the user. It is possible to specify multiple channel
-# patterns.
-# allchannels Alias for &*
-# resetchannels Flush the list of allowed channel patterns.
# > Add this password to the list of valid password for the user.
# For example >mypass will add "mypass" to the list.
# This directive clears the "nopass" flag (see later).
@@ -947,14 +737,6 @@ replica-priority 100
# reset Performs the following actions: resetpass, resetkeys, off,
# -@all. The user returns to the same state it has immediately
# after its creation.
-# () Create a new selector with the options specified within the
-# parentheses and attach it to the user. Each option should be
-# space separated. The first character must be ( and the last
-# character must be ).
-# clearselectors Remove all of the currently attached selectors.
-# Note this does not change the "root" user permissions,
-# which are the permissions directly applied onto the
-# user (outside the parentheses).
#
# ACL rules can be specified in any order: for instance you can start with
# passwords, then flags, or key patterns. However note that the additive
@@ -976,40 +758,6 @@ replica-priority 100
#
# Basically ACL rules are processed left-to-right.
#
-# The following is a list of command categories and their meanings:
-# * keyspace - Writing or reading from keys, databases, or their metadata
-# in a type agnostic way. Includes DEL, RESTORE, DUMP, RENAME, EXISTS, DBSIZE,
-# KEYS, EXPIRE, TTL, FLUSHALL, etc. Commands that may modify the keyspace,
-# key or metadata will also have `write` category. Commands that only read
-# the keyspace, key or metadata will have the `read` category.
-# * read - Reading from keys (values or metadata). Note that commands that don't
-# interact with keys, will not have either `read` or `write`.
-# * write - Writing to keys (values or metadata)
-# * admin - Administrative commands. Normal applications will never need to use
-# these. Includes REPLICAOF, CONFIG, DEBUG, SAVE, MONITOR, ACL, SHUTDOWN, etc.
-# * dangerous - Potentially dangerous (each should be considered with care for
-# various reasons). This includes FLUSHALL, MIGRATE, RESTORE, SORT, KEYS,
-# CLIENT, DEBUG, INFO, CONFIG, SAVE, REPLICAOF, etc.
-# * connection - Commands affecting the connection or other connections.
-# This includes AUTH, SELECT, COMMAND, CLIENT, ECHO, PING, etc.
-# * blocking - Potentially blocking the connection until released by another
-# command.
-# * fast - Fast O(1) commands. May loop on the number of arguments, but not the
-# number of elements in the key.
-# * slow - All commands that are not Fast.
-# * pubsub - PUBLISH / SUBSCRIBE related
-# * transaction - WATCH / MULTI / EXEC related commands.
-# * scripting - Scripting related.
-# * set - Data type: sets related.
-# * sortedset - Data type: zsets related.
-# * list - Data type: lists related.
-# * hash - Data type: hashes related.
-# * string - Data type: strings related.
-# * bitmap - Data type: bitmaps related.
-# * hyperloglog - Data type: hyperloglog related.
-# * geo - Data type: geo related.
-# * stream - Data type: streams related.
-#
# For more information about ACL configuration please refer to
# the Redis web site at https://redis.io/topics/acl
@@ -1039,24 +787,8 @@ acllog-max-len 128
# AUTH as usually, or more explicitly with AUTH default
# if they follow the new protocol: both will work.
#
-# The requirepass is not compatible with aclfile option and the ACL LOAD
-# command, these will cause requirepass to be ignored.
-#
# requirepass foobared
-# New users are initialized with restrictive permissions by default, via the
-# equivalent of this ACL rule 'off resetkeys -@all'. Starting with Redis 6.2, it
-# is possible to manage access to Pub/Sub channels with ACL rules as well. The
-# default Pub/Sub channels permission if new users is controlled by the
-# acl-pubsub-default configuration directive, which accepts one of these values:
-#
-# allchannels: grants access to all Pub/Sub channels
-# resetchannels: revokes access to all Pub/Sub channels
-#
-# From Redis 7.0, acl-pubsub-default defaults to 'resetchannels' permission.
-#
-# acl-pubsub-default resetchannels
-
# Command renaming (DEPRECATED).
#
# ------------------------------------------------------------------------
@@ -1145,12 +877,14 @@ acllog-max-len 128
# Both LRU, LFU and volatile-ttl are implemented using approximated
# randomized algorithms.
#
-# Note: with any of the above policies, when there are no suitable keys for
-# eviction, Redis will return an error on write operations that require
-# more memory. These are usually commands that create new keys, add data or
-# modify existing keys. A few examples are: SET, INCR, HSET, LPUSH, SUNIONSTORE,
-# SORT (due to the STORE argument), and EXEC (if the transaction includes any
-# command that requires memory).
+# Note: with any of the above policies, Redis will return an error on write
+# operations, when there are no suitable keys for eviction.
+#
+# At the date of writing these commands are: set setnx setex append
+# incr decr rpush lpush rpushx lpushx linsert lset rpoplpush sadd
+# sinter sinterstore sunion sunionstore sdiff sdiffstore zadd zincrby
+# zunionstore zinterstore hset hsetnx hmset hincrby incrby decrby
+# getset mset msetnx exec sort
#
# The default is:
#
@@ -1167,14 +901,6 @@ acllog-max-len 128
#
# maxmemory-samples 5
-# Eviction processing is designed to function well with the default setting.
-# If there is an unusually large amount of write traffic, this value may need to
-# be increased. Decreasing this value may reduce latency at the risk of
-# eviction processing effectiveness
-# 0 = minimum latency, 10 = default, 100 = process without regard to latency
-#
-# maxmemory-eviction-tenacity 10
-
# Starting from Redis 5, by default a replica will ignore its maxmemory setting
# (unless it is promoted to master after a failover or manually). It means
# that the eviction of keys will be just handled by the master, sending the
@@ -1268,13 +994,6 @@ replica-lazy-flush no
lazyfree-lazy-user-del no
-# FLUSHDB, FLUSHALL, SCRIPT FLUSH and FUNCTION FLUSH support both asynchronous and synchronous
-# deletion, which can be controlled by passing the [SYNC|ASYNC] flags into the
-# commands. When neither flag is passed, this directive will be used to determine
-# if the data should be deleted asynchronously.
-
-lazyfree-lazy-user-flush no
-
################################ THREADED I/O #################################
# Redis is mostly single threaded, however there are certain threaded
@@ -1313,7 +1032,7 @@ lazyfree-lazy-user-flush no
# Usually threading reads doesn't help much.
#
# NOTE 1: This configuration directive cannot be changed at runtime via
-# CONFIG SET. Also, this feature currently does not work when SSL is
+# CONFIG SET. Aso this feature currently does not work when SSL is
# enabled.
#
# NOTE 2: If you want to test the Redis speedup using redis-benchmark, make
@@ -1331,7 +1050,7 @@ lazyfree-lazy-user-flush no
# attempt to have background child processes killed before all others, and
# replicas killed before masters.
#
-# Redis supports these options:
+# Redis supports three options:
#
# no: Don't make changes to oom-score-adj (default).
# yes: Alias to "relative" see below.
@@ -1352,18 +1071,6 @@ oom-score-adj no
# oom-score-adj-values to positive values will always succeed.
oom-score-adj-values 0 200 800
-#################### KERNEL transparent hugepage CONTROL ######################
-
-# Usually the kernel Transparent Huge Pages control is set to "madvise" or
-# or "never" by default (/sys/kernel/mm/transparent_hugepage/enabled), in which
-# case this config has no effect. On systems in which it is set to "always",
-# redis will attempt to disable it specifically for the redis process in order
-# to avoid latency problems specifically with fork(2) and CoW.
-# If for some reason you prefer to keep it enabled, you can set this config to
-# "no" and the kernel global to "always".
-
-disable-thp yes
-
############################## APPEND ONLY MODE ###############################
# By default Redis asynchronously dumps the dataset on disk. This mode is
@@ -1382,43 +1089,14 @@ disable-thp yes
# If the AOF is enabled on startup Redis will load the AOF, that is the file
# with the better durability guarantees.
#
-# Please check https://redis.io/topics/persistence for more information.
+# Please check http://redis.io/topics/persistence for more information.
-# appendonly no
+appendonly no
-# The base name of the append only file.
-#
-# Redis 7 and newer use a set of append-only files to persist the dataset
-# and changes applied to it. There are two basic types of files in use:
-#
-# - Base files, which are a snapshot representing the complete state of the
-# dataset at the time the file was created. Base files can be either in
-# the form of RDB (binary serialized) or AOF (textual commands).
-# - Incremental files, which contain additional commands that were applied
-# to the dataset following the previous file.
-#
-# In addition, manifest files are used to track the files and the order in
-# which they were created and should be applied.
-#
-# Append-only file names are created by Redis following a specific pattern.
-# The file name's prefix is based on the 'appendfilename' configuration
-# parameter, followed by additional information about the sequence and type.
-#
-# For example, if appendfilename is set to appendonly.aof, the following file
-# names could be derived:
-#
-# - appendonly.aof.1.base.rdb as a base file.
-# - appendonly.aof.1.incr.aof, appendonly.aof.2.incr.aof as incremental files.
-# - appendonly.aof.manifest as a manifest file.
+# The name of the append only file (default: "appendonly.aof")
appendfilename "appendonly.aof"
-# For convenience, Redis stores all persistent append-only files in a dedicated
-# directory. The name of the directory is determined by the appenddirname
-# configuration parameter.
-
-appenddirname "appendonlydir"
-
# The fsync() call tells the Operating System to actually write data on disk
# instead of waiting for more data in the output buffer. Some OS will really flush
# data on disk, some other OS will just try to do it ASAP.
@@ -1443,7 +1121,7 @@ appenddirname "appendonlydir"
# If unsure, use "everysec".
# appendfsync always
-# appendfsync everysec
+appendfsync everysec
# appendfsync no
# When the AOF fsync policy is set to always or everysec, and a background
@@ -1458,7 +1136,7 @@ appenddirname "appendonlydir"
# BGSAVE or BGREWRITEAOF is in progress.
#
# This means that while another child is saving, the durability of Redis is
-# the same as "appendfsync no". In practical terms, this means that it is
+# the same as "appendfsync none". In practical terms, this means that it is
# possible to lose up to 30 seconds of log in the worst scenario (with the
# default Linux settings).
#
@@ -1511,69 +1189,34 @@ auto-aof-rewrite-min-size 64mb
# will be found.
aof-load-truncated yes
-# Redis can create append-only base files in either RDB or AOF formats. Using
-# the RDB format is always faster and more efficient, and disabling it is only
-# supported for backward compatibility purposes.
+# When rewriting the AOF file, Redis is able to use an RDB preamble in the
+# AOF file for faster rewrites and recoveries. When this option is turned
+# on the rewritten AOF file is composed of two different stanzas:
+#
+# [RDB file][AOF tail]
+#
+# When loading, Redis recognizes that the AOF file starts with the "REDIS"
+# string and loads the prefixed RDB file, then continues loading the AOF
+# tail.
aof-use-rdb-preamble yes
-# Redis supports recording timestamp annotations in the AOF to support restoring
-# the data from a specific point-in-time. However, using this capability changes
-# the AOF format in a way that may not be compatible with existing AOF parsers.
-aof-timestamp-enabled no
+################################ LUA SCRIPTING ###############################
-################################ SHUTDOWN #####################################
-
-# Maximum time to wait for replicas when shutting down, in seconds.
+# Max execution time of a Lua script in milliseconds.
#
-# During shut down, a grace period allows any lagging replicas to catch up with
-# the latest replication offset before the master exists. This period can
-# prevent data loss, especially for deployments without configured disk backups.
+# If the maximum execution time is reached Redis will log that a script is
+# still in execution after the maximum allowed time and will start to
+# reply to queries with an error.
#
-# The 'shutdown-timeout' value is the grace period's duration in seconds. It is
-# only applicable when the instance has replicas. To disable the feature, set
-# the value to 0.
+# When a long running script exceeds the maximum execution time only the
+# SCRIPT KILL and SHUTDOWN NOSAVE commands are available. The first can be
+# used to stop a script that did not yet call any write commands. The second
+# is the only way to shut down the server in the case a write command was
+# already issued by the script but the user doesn't want to wait for the natural
+# termination of the script.
#
-# shutdown-timeout 10
-
-# When Redis receives a SIGINT or SIGTERM, shutdown is initiated and by default
-# an RDB snapshot is written to disk in a blocking operation if save points are configured.
-# The options used on signaled shutdown can include the following values:
-# default: Saves RDB snapshot only if save points are configured.
-# Waits for lagging replicas to catch up.
-# save: Forces a DB saving operation even if no save points are configured.
-# nosave: Prevents DB saving operation even if one or more save points are configured.
-# now: Skips waiting for lagging replicas.
-# force: Ignores any errors that would normally prevent the server from exiting.
-#
-# Any combination of values is allowed as long as "save" and "nosave" are not set simultaneously.
-# Example: "nosave force now"
-#
-# shutdown-on-sigint default
-# shutdown-on-sigterm default
-
-################ NON-DETERMINISTIC LONG BLOCKING COMMANDS #####################
-
-# Maximum time in milliseconds for EVAL scripts, functions and in some cases
-# modules' commands before Redis can start processing or rejecting other clients.
-#
-# If the maximum execution time is reached Redis will start to reply to most
-# commands with a BUSY error.
-#
-# In this state Redis will only allow a handful of commands to be executed.
-# For instance, SCRIPT KILL, FUNCTION KILL, SHUTDOWN NOSAVE and possibly some
-# module specific 'allow-busy' commands.
-#
-# SCRIPT KILL and FUNCTION KILL will only be able to stop a script that did not
-# yet call any write commands, so SHUTDOWN NOSAVE may be the only way to stop
-# the server in the case a write command was already issued by the script when
-# the user doesn't want to wait for the natural termination of the script.
-#
-# The default is 5 seconds. It is possible to set it to 0 or a negative value
-# to disable this mechanism (uninterrupted execution). Note that in the past
-# this config had a different name, which is now an alias, so both of these do
-# the same:
-# lua-time-limit 5000
-# busy-reply-threshold 5000
+# Set it to 0 or a negative value for unlimited execution without warnings.
+lua-time-limit 5000
################################ REDIS CLUSTER ###############################
@@ -1597,11 +1240,6 @@ aof-timestamp-enabled no
#
# cluster-node-timeout 15000
-# The cluster port is the port that the cluster bus will listen for inbound connections on. When set
-# to the default value, 0, it will be bound to the command port + 10000. Setting this value requires
-# you to specify the cluster bus port when executing cluster meet.
-# cluster-port 0
-
# A replica of a failing master will avoid to start a failover if its data
# looks too old.
#
@@ -1660,21 +1298,12 @@ aof-timestamp-enabled no
# master in your cluster.
#
# Default is 1 (replicas migrate only if their masters remain with at least
-# one replica). To disable migration just set it to a very large value or
-# set cluster-allow-replica-migration to 'no'.
+# one replica). To disable migration just set it to a very large value.
# A value of 0 can be set but is useful only for debugging and dangerous
# in production.
#
# cluster-migration-barrier 1
-# Turning off this option allows to use less automatic cluster configuration.
-# It both disables migration to orphaned masters and migration from masters
-# that became empty.
-#
-# Default is 'yes' (allow automatic migrations).
-#
-# cluster-allow-replica-migration yes
-
# By default Redis Cluster nodes stop accepting queries if they detect there
# is at least a hash slot uncovered (no available node is serving it).
# This way if the cluster is partially down (for example a range of hash slots
@@ -1689,7 +1318,7 @@ aof-timestamp-enabled no
# cluster-require-full-coverage yes
# This option, when set to yes, prevents replicas from trying to failover its
-# master during master failures. However the replica can still perform a
+# master during master failures. However the master can still perform a
# manual failover, if forced to do so.
#
# This is useful in different scenarios, especially in the case of multiple
@@ -1699,7 +1328,7 @@ aof-timestamp-enabled no
# cluster-replica-no-failover no
# This option, when set to yes, allows nodes to serve read traffic while the
-# cluster is in a down state, as long as it believes it owns the slots.
+# the cluster is in a down state, as long as it believes it owns the slots.
#
# This is useful for two cases. The first case is for when an application
# doesn't require consistency of data during node failures or network partitions.
@@ -1714,54 +1343,8 @@ aof-timestamp-enabled no
#
# cluster-allow-reads-when-down no
-# This option, when set to yes, allows nodes to serve pubsub shard traffic while
-# the cluster is in a down state, as long as it believes it owns the slots.
-#
-# This is useful if the application would like to use the pubsub feature even when
-# the cluster global stable state is not OK. If the application wants to make sure only
-# one shard is serving a given channel, this feature should be kept as yes.
-#
-# cluster-allow-pubsubshard-when-down yes
-
-# Cluster link send buffer limit is the limit on the memory usage of an individual
-# cluster bus link's send buffer in bytes. Cluster links would be freed if they exceed
-# this limit. This is to primarily prevent send buffers from growing unbounded on links
-# toward slow peers (E.g. PubSub messages being piled up).
-# This limit is disabled by default. Enable this limit when 'mem_cluster_links' INFO field
-# and/or 'send-buffer-allocated' entries in the 'CLUSTER LINKS` command output continuously increase.
-# Minimum limit of 1gb is recommended so that cluster link buffer can fit in at least a single
-# PubSub message by default. (client-query-buffer-limit default value is 1gb)
-#
-# cluster-link-sendbuf-limit 0
-
-# Clusters can configure their announced hostname using this config. This is a common use case for
-# applications that need to use TLS Server Name Indication (SNI) or dealing with DNS based
-# routing. By default this value is only shown as additional metadata in the CLUSTER SLOTS
-# command, but can be changed using 'cluster-preferred-endpoint-type' config. This value is
-# communicated along the clusterbus to all nodes, setting it to an empty string will remove
-# the hostname and also propagate the removal.
-#
-# cluster-announce-hostname ""
-
-# Clusters can advertise how clients should connect to them using either their IP address,
-# a user defined hostname, or by declaring they have no endpoint. Which endpoint is
-# shown as the preferred endpoint is set by using the cluster-preferred-endpoint-type
-# config with values 'ip', 'hostname', or 'unknown-endpoint'. This value controls how
-# the endpoint returned for MOVED/ASKING requests as well as the first field of CLUSTER SLOTS.
-# If the preferred endpoint type is set to hostname, but no announced hostname is set, a '?'
-# will be returned instead.
-#
-# When a cluster advertises itself as having an unknown endpoint, it's indicating that
-# the server doesn't know how clients can reach the cluster. This can happen in certain
-# networking situations where there are multiple possible routes to the node, and the
-# server doesn't know which one the client took. In this case, the server is expecting
-# the client to reach out on the same endpoint it used for making the last request, but use
-# the port provided in the response.
-#
-# cluster-preferred-endpoint-type ip
-
# In order to setup your cluster make sure to read the documentation
-# available at https://redis.io web site.
+# available at http://redis.io web site.
########################## CLUSTER DOCKER/NAT support ########################
@@ -1771,21 +1354,16 @@ aof-timestamp-enabled no
#
# In order to make Redis Cluster working in such environments, a static
# configuration where each node knows its public address is needed. The
-# following four options are used for this scope, and are:
+# following two options are used for this scope, and are:
#
# * cluster-announce-ip
# * cluster-announce-port
-# * cluster-announce-tls-port
# * cluster-announce-bus-port
#
-# Each instructs the node about its address, client ports (for connections
-# without and with TLS) and cluster message bus port. The information is then
-# published in the header of the bus packets so that other nodes will be able to
-# correctly map the address of the node publishing the information.
-#
-# If cluster-tls is set to yes and cluster-announce-tls-port is omitted or set
-# to zero, then cluster-announce-port refers to the TLS port. Note also that
-# cluster-announce-tls-port has no effect if cluster-tls is set to no.
+# Each instructs the node about its address, client port, and cluster message
+# bus port. The information is then published in the header of the bus packets
+# so that other nodes will be able to correctly map the address of the node
+# publishing the information.
#
# If the above options are not used, the normal Redis Cluster auto-detection
# will be used instead.
@@ -1798,8 +1376,7 @@ aof-timestamp-enabled no
# Example:
#
# cluster-announce-ip 10.1.1.5
-# cluster-announce-tls-port 6379
-# cluster-announce-port 0
+# cluster-announce-port 6379
# cluster-announce-bus-port 6380
################################## SLOW LOG ###################################
@@ -1824,7 +1401,7 @@ slowlog-log-slower-than 10000
# There is no limit to this length. Just be aware that it will consume memory.
# You can reclaim memory used by the slow log with SLOWLOG RESET.
-slowlog-max-len 10086
+slowlog-max-len 128
################################ LATENCY MONITOR ##############################
@@ -1847,24 +1424,10 @@ slowlog-max-len 10086
# "CONFIG SET latency-monitor-threshold " if needed.
latency-monitor-threshold 0
-################################ LATENCY TRACKING ##############################
-
-# The Redis extended latency monitoring tracks the per command latencies and enables
-# exporting the percentile distribution via the INFO latencystats command,
-# and cumulative latency distributions (histograms) via the LATENCY command.
-#
-# By default, the extended latency monitoring is enabled since the overhead
-# of keeping track of the command latency is very small.
-# latency-tracking yes
-
-# By default the exported latency percentiles via the INFO latencystats command
-# are the p50, p99, and p999.
-# latency-tracking-info-percentiles 50 99 99.9
-
############################# EVENT NOTIFICATION ##############################
# Redis can notify Pub/Sub clients about events happening in the key space.
-# This feature is documented at https://redis.io/topics/notifications
+# This feature is documented at http://redis.io/topics/notifications
#
# For instance if keyspace events notification is enabled, and a client
# performs a DEL operation on key "foo" stored in the Database 0, two
@@ -1886,11 +1449,9 @@ latency-monitor-threshold 0
# z Sorted set commands
# x Expired events (events generated every time a key expires)
# e Evicted events (events generated when a key is evicted for maxmemory)
-# n New key events (Note: not included in the 'A' class)
# t Stream commands
-# d Module key type events
# m Key-miss events (Note: It is not included in the 'A' class)
-# A Alias for g$lshzxetd, so that the "AKE" string means all the events
+# A Alias for g$lshzxet, so that the "AKE" string means all the events
# (Except key-miss events which are excluded from 'A' due to their
# unique nature).
#
@@ -1913,13 +1474,71 @@ latency-monitor-threshold 0
# specify at least one of K or E, no events will be delivered.
notify-keyspace-events ""
+############################### GOPHER SERVER #################################
+
+# Redis contains an implementation of the Gopher protocol, as specified in
+# the RFC 1436 (https://www.ietf.org/rfc/rfc1436.txt).
+#
+# The Gopher protocol was very popular in the late '90s. It is an alternative
+# to the web, and the implementation both server and client side is so simple
+# that the Redis server has just 100 lines of code in order to implement this
+# support.
+#
+# What do you do with Gopher nowadays? Well Gopher never *really* died, and
+# lately there is a movement in order for the Gopher more hierarchical content
+# composed of just plain text documents to be resurrected. Some want a simpler
+# internet, others believe that the mainstream internet became too much
+# controlled, and it's cool to create an alternative space for people that
+# want a bit of fresh air.
+#
+# Anyway for the 10nth birthday of the Redis, we gave it the Gopher protocol
+# as a gift.
+#
+# --- HOW IT WORKS? ---
+#
+# The Redis Gopher support uses the inline protocol of Redis, and specifically
+# two kind of inline requests that were anyway illegal: an empty request
+# or any request that starts with "/" (there are no Redis commands starting
+# with such a slash). Normal RESP2/RESP3 requests are completely out of the
+# path of the Gopher protocol implementation and are served as usual as well.
+#
+# If you open a connection to Redis when Gopher is enabled and send it
+# a string like "/foo", if there is a key named "/foo" it is served via the
+# Gopher protocol.
+#
+# In order to create a real Gopher "hole" (the name of a Gopher site in Gopher
+# talking), you likely need a script like the following:
+#
+# https://github.com/antirez/gopher2redis
+#
+# --- SECURITY WARNING ---
+#
+# If you plan to put Redis on the internet in a publicly accessible address
+# to server Gopher pages MAKE SURE TO SET A PASSWORD to the instance.
+# Once a password is set:
+#
+# 1. The Gopher server (when enabled, not by default) will still serve
+# content via Gopher.
+# 2. However other commands cannot be called before the client will
+# authenticate.
+#
+# So use the 'requirepass' option to protect your instance.
+#
+# Note that Gopher is not currently supported when 'io-threads-do-reads'
+# is enabled.
+#
+# To enable Gopher support, uncomment the following line and set the option
+# from no (the default) to yes.
+#
+# gopher-enabled no
+
############################### ADVANCED CONFIG ###############################
# Hashes are encoded using a memory efficient data structure when they have a
# small number of entries, and the biggest entry does not exceed a given
# threshold. These thresholds can be configured using the following directives.
-hash-max-listpack-entries 512
-hash-max-listpack-value 64
+hash-max-ziplist-entries 512
+hash-max-ziplist-value 64
# Lists are also encoded in a special way to save a lot of space.
# The number of entries allowed per internal list node can be specified
@@ -1934,7 +1553,7 @@ hash-max-listpack-value 64
# per list node.
# The highest performing option is usually -2 (8 Kb size) or -1 (4 Kb size),
# but if your use case is unique, adjust the settings as necessary.
-list-max-listpack-size -2
+list-max-ziplist-size -2
# Lists may also be compressed.
# Compress depth is the number of quicklist ziplist nodes from *each* side of
@@ -1962,8 +1581,8 @@ set-max-intset-entries 512
# Similarly to hashes and lists, sorted sets are also specially encoded in
# order to save a lot of space. This encoding is only used when the length and
# elements of a sorted set are below the following limits:
-zset-max-listpack-entries 128
-zset-max-listpack-value 64
+zset-max-ziplist-entries 128
+zset-max-ziplist-value 64
# HyperLogLog sparse representation bytes limit. The limit includes the
# 16 bytes header. When an HyperLogLog using the sparse representation crosses
@@ -1985,9 +1604,9 @@ hll-sparse-max-bytes 3000
# maximum number of items it may contain before switching to a new node when
# appending new stream entries. If any of the following settings are set to
# zero, the limit is ignored, so for instance it is possible to set just a
-# max entries limit by setting max-bytes to 0 and max-entries to the desired
+# max entires limit by setting max-bytes to 0 and max-entries to the desired
# value.
-stream-node-max-bytes 4kb
+stream-node-max-bytes 4096
stream-node-max-entries 100
# Active rehashing uses 1 millisecond every 100 milliseconds of CPU time in
@@ -2018,7 +1637,7 @@ activerehashing yes
# The limit can be set differently for the three different classes of clients:
#
# normal -> normal clients including MONITOR clients
-# replica -> replica clients
+# replica -> replica clients
# pubsub -> clients subscribed to at least one pubsub channel or pattern
#
# The syntax of every client-output-buffer-limit directive is the following:
@@ -2042,13 +1661,6 @@ activerehashing yes
# Instead there is a default limit for pubsub and replica clients, since
# subscribers and replicas receive data in a push fashion.
#
-# Note that it doesn't make sense to set the replica clients output buffer
-# limit lower than the repl-backlog-size config (partial sync will succeed
-# and then replica will get disconnected).
-# Such a configuration is ignored (the size of repl-backlog-size will be used).
-# This doesn't have memory consumption implications since the replica client
-# will share the backlog buffers memory.
-#
# Both the hard or the soft limit can be disabled by setting them to zero.
client-output-buffer-limit normal 0 0 0
client-output-buffer-limit replica 256mb 64mb 60
@@ -2062,25 +1674,6 @@ client-output-buffer-limit pubsub 32mb 8mb 60
#
# client-query-buffer-limit 1gb
-# In some scenarios client connections can hog up memory leading to OOM
-# errors or data eviction. To avoid this we can cap the accumulated memory
-# used by all client connections (all pubsub and normal clients). Once we
-# reach that limit connections will be dropped by the server freeing up
-# memory. The server will attempt to drop the connections using the most
-# memory first. We call this mechanism "client eviction".
-#
-# Client eviction is configured using the maxmemory-clients setting as follows:
-# 0 - client eviction is disabled (default)
-#
-# A memory value can be used for the client eviction threshold,
-# for example:
-# maxmemory-clients 1g
-#
-# A percentage value (between 1% and 100%) means the client eviction threshold
-# is based on a percentage of the maxmemory setting. For example to set client
-# eviction at 5% of maxmemory:
-# maxmemory-clients 5%
-
# In the Redis protocol, bulk requests, that are, elements representing single
# strings, are normally limited to 512 mb. However you can change this limit
# here, but must be 1mb or greater
@@ -2121,13 +1714,13 @@ hz 10
dynamic-hz yes
# When a child rewrites the AOF file, if the following option is enabled
-# the file will be fsync-ed every 4 MB of data generated. This is useful
+# the file will be fsync-ed every 32 MB of data generated. This is useful
# in order to commit the file to the disk more incrementally and avoid
# big latency spikes.
aof-rewrite-incremental-fsync yes
# When redis saves RDB file, if the following option is enabled
-# the file will be fsync-ed every 4 MB of data generated. This is useful
+# the file will be fsync-ed every 32 MB of data generated. This is useful
# in order to commit the file to the disk more incrementally and avoid
# big latency spikes.
rdb-save-incremental-fsync yes
@@ -2224,7 +1817,7 @@ rdb-save-incremental-fsync yes
# defragmentation process. If you are not sure about what they mean it is
# a good idea to leave the defaults untouched.
-# Active defragmentation is disabled by default
+# Enabled active defragmentation
# activedefrag no
# Minimum amount of fragmentation waste to start active defrag
@@ -2281,11 +1874,4 @@ jemalloc-bg-thread yes
# by setting the following config which takes a space delimited list of warnings
# to suppress
#
-# ignore-warnings ARM64-COW-BUG
-
-# Generated by CONFIG REWRITE
-save 3600 1
-save 300 100
-save 60 10000
-latency-tracking-info-percentiles 50 99 99.9
-user default on nopass ~* &* +@all
\ No newline at end of file
+# ignore-warnings ARM64-COW-BUG
\ No newline at end of file
diff --git a/apps/redis/versions/7.0.5/conf/redis.conf b/apps/redis/versions/7.0.5/conf/redis.conf
index f7340d000..f5c611031 100644
--- a/apps/redis/versions/7.0.5/conf/redis.conf
+++ b/apps/redis/versions/7.0.5/conf/redis.conf
@@ -1,12 +1,3 @@
-# Redis configuration rewrite by 1Panel
-timeout 0
-# maxclients 10000
-# maxmemory
-save 3600 1 300 100 60 10000
-appendonly no
-appendfsync everysec
-# End Redis configuration rewrite by 1Panel
-
# Redis configuration file example.
#
# Note that in order to read the configuration file, Redis must be
@@ -93,7 +84,7 @@ appendfsync everysec
# You will also need to set a password unless you explicitly disable protected
# mode.
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-# bind 127.0.0.1 -::1
+bind 0.0.0.0
# By default, outgoing connections (from replica to master, from Sentinel to
# instances, cluster bus, etc.) are not bound to a specific local address. In
@@ -165,7 +156,7 @@ tcp-backlog 511
# unixsocketperm 700
# Close the connection after a client is idle for N seconds (0 to disable)
-# timeout 0
+timeout 0
# TCP keepalive.
#
@@ -918,10 +909,10 @@ replica-priority 100
# commands. For instance ~* allows all the keys. The pattern
# is a glob-style pattern like the one of KEYS.
# It is possible to specify multiple patterns.
-# %R~ Add key read pattern that specifies which keys can be read
+# %R~ Add key read pattern that specifies which keys can be read
# from.
# %W~ Add key write pattern that specifies which keys can be
-# written to.
+# written to.
# allkeys Alias for ~*
# resetkeys Flush the list of allowed keys patterns.
# & Add a glob-style pattern of Pub/Sub channels that can be
@@ -948,10 +939,10 @@ replica-priority 100
# -@all. The user returns to the same state it has immediately
# after its creation.
# () Create a new selector with the options specified within the
-# parentheses and attach it to the user. Each option should be
-# space separated. The first character must be ( and the last
+# parentheses and attach it to the user. Each option should be
+# space separated. The first character must be ( and the last
# character must be ).
-# clearselectors Remove all of the currently attached selectors.
+# clearselectors Remove all of the currently attached selectors.
# Note this does not change the "root" user permissions,
# which are the permissions directly applied onto the
# user (outside the parentheses).
@@ -977,7 +968,7 @@ replica-priority 100
# Basically ACL rules are processed left-to-right.
#
# The following is a list of command categories and their meanings:
-# * keyspace - Writing or reading from keys, databases, or their metadata
+# * keyspace - Writing or reading from keys, databases, or their metadata
# in a type agnostic way. Includes DEL, RESTORE, DUMP, RENAME, EXISTS, DBSIZE,
# KEYS, EXPIRE, TTL, FLUSHALL, etc. Commands that may modify the keyspace,
# key or metadata will also have `write` category. Commands that only read
@@ -1385,7 +1376,7 @@ disable-thp yes
#
# Please check https://redis.io/topics/persistence for more information.
-# appendonly no
+appendonly no
# The base name of the append only file.
#
@@ -1444,7 +1435,7 @@ appenddirname "appendonlydir"
# If unsure, use "everysec".
# appendfsync always
-# appendfsync everysec
+appendfsync everysec
# appendfsync no
# When the AOF fsync policy is set to always or everysec, and a background
@@ -1598,8 +1589,8 @@ aof-timestamp-enabled no
#
# cluster-node-timeout 15000
-# The cluster port is the port that the cluster bus will listen for inbound connections on. When set
-# to the default value, 0, it will be bound to the command port + 10000. Setting this value requires
+# The cluster port is the port that the cluster bus will listen for inbound connections on. When set
+# to the default value, 0, it will be bound to the command port + 10000. Setting this value requires
# you to specify the cluster bus port when executing cluster meet.
# cluster-port 0
@@ -1734,12 +1725,12 @@ aof-timestamp-enabled no
# PubSub message by default. (client-query-buffer-limit default value is 1gb)
#
# cluster-link-sendbuf-limit 0
-
-# Clusters can configure their announced hostname using this config. This is a common use case for
+
+# Clusters can configure their announced hostname using this config. This is a common use case for
# applications that need to use TLS Server Name Indication (SNI) or dealing with DNS based
# routing. By default this value is only shown as additional metadata in the CLUSTER SLOTS
-# command, but can be changed using 'cluster-preferred-endpoint-type' config. This value is
-# communicated along the clusterbus to all nodes, setting it to an empty string will remove
+# command, but can be changed using 'cluster-preferred-endpoint-type' config. This value is
+# communicated along the clusterbus to all nodes, setting it to an empty string will remove
# the hostname and also propagate the removal.
#
# cluster-announce-hostname ""
@@ -1748,13 +1739,13 @@ aof-timestamp-enabled no
# a user defined hostname, or by declaring they have no endpoint. Which endpoint is
# shown as the preferred endpoint is set by using the cluster-preferred-endpoint-type
# config with values 'ip', 'hostname', or 'unknown-endpoint'. This value controls how
-# the endpoint returned for MOVED/ASKING requests as well as the first field of CLUSTER SLOTS.
-# If the preferred endpoint type is set to hostname, but no announced hostname is set, a '?'
+# the endpoint returned for MOVED/ASKING requests as well as the first field of CLUSTER SLOTS.
+# If the preferred endpoint type is set to hostname, but no announced hostname is set, a '?'
# will be returned instead.
#
# When a cluster advertises itself as having an unknown endpoint, it's indicating that
-# the server doesn't know how clients can reach the cluster. This can happen in certain
-# networking situations where there are multiple possible routes to the node, and the
+# the server doesn't know how clients can reach the cluster. This can happen in certain
+# networking situations where there are multiple possible routes to the node, and the
# server doesn't know which one the client took. In this case, the server is expecting
# the client to reach out on the same endpoint it used for making the last request, but use
# the port provided in the response.
@@ -2067,7 +2058,7 @@ client-output-buffer-limit pubsub 32mb 8mb 60
# errors or data eviction. To avoid this we can cap the accumulated memory
# used by all client connections (all pubsub and normal clients). Once we
# reach that limit connections will be dropped by the server freeing up
-# memory. The server will attempt to drop the connections using the most
+# memory. The server will attempt to drop the connections using the most
# memory first. We call this mechanism "client eviction".
#
# Client eviction is configured using the maxmemory-clients setting as follows:
@@ -2282,4 +2273,4 @@ jemalloc-bg-thread yes
# by setting the following config which takes a space delimited list of warnings
# to suppress
#
-# ignore-warnings ARM64-COW-BUG
+# ignore-warnings ARM64-COW-BUG
\ No newline at end of file