Joomla Redis

2/13/2022 by admin
  • The Joomla installation with Redis cache is now complete. Of course, you don’t have to do any of this if you use one of our Linux Cloud VPS Hosting services, in which case you can simply ask our expert Linux admins to install Joomla and enable Redis for you. They are available 24×7 and will take care of your request immediately.
  • Since Joomla version 3.4, Redis is supported. I can just choose it within the Joomla configuration. Redis 3.0.3 is installed on my VPS. My problem is the page load. I used a website speed checker to try to measure the improvement. Basically I wanted to know the benefit of having Redis. I spent quite a lot of time on this and I ran several tests.
  • Redis is an open source, in-memory and typed data structure store, used as a database, cache and message broker. You can easily add it to your Lando app by adding an entry to the services top-level config in your Landofile.

From Joomla! Documentation


Low Priority - Core - System Information screen could expose Redis or proxy credentials (affecting Joomla! 3.0.0 through 3.9.19). Bug fixes and improvements: Upload & Update tab of Joomla Update Component: fix to allow upload of ZIP file type only (#29877); local database server: allow optional port numbers (#29567).

Joomla has different ways of caching 'things'. Here is an overview for administrators and developers, what, where and when.

As an administrator, Joomla provides you with the ability to cache parts of your site. You can choose to cache whole web pages or just parts of those pages. This guide explains how.

On a Joomla site web page there are 3 things which may be cached:

  1. The whole page itself – the Page cache
  2. The output from the Joomla component for that web page – known as the View cache
  3. The output from the modules shown on that page – known as the Module cache

You have a number of cache settings which allow you to control what gets cached:

  1. The system plugin 'System – Page Cache'
  2. The Global Configuration, System tab, Cache Settings. Here the System Cache option may be set to
    • OFF – Caching disabled
    • ON – Conservative caching
    • ON – Progressive caching
  3. Many modules within their options have an Advanced tab in which the Caching can be set to Use global or No caching

As described below, there are also rules for caching which are implemented within the Joomla code, and over which you have no control.

You can clear the cache through the administrator menu option System / Clear Cache. In general, you can think of Joomla as having 3 levels of cache, increasing in aggressiveness:

  1. Conservative caching
  2. Progressive caching
  3. Page caching

We'll look at these three in detail below.

In addition, Joomla developers can use caching facilities to store the result of database queries for example, to increase the responsiveness of the site, but this is outside the scope of administrator capabilities.

Page Caching

To switch this on, go to administrator Extensions / Plugins, find the System – Page Cache plugin, and enable it. This means that site pages will now be cached, and whenever they're requested again the cached page will be served, rather than it being generated by Joomla from the information in the database. The cached page will continue to be served until it's expired – as defined by the Cache Time parameter in the Global Configuration / System / Cache Settings.

If you're reading this page as a tutorial and want to test the page caching, then it's best to set the Global Configuration cache settings to

  • Cache Handler – File
  • Path to Cache Folder – leave blank
  • Cache Time – 15 (the default of 15 minutes)
  • System Cache – OFF – Caching disabled

To check page caching is working, go to a site webpage which displays an article. After you display that page you should find in the file system a cache/page directory with a file in it which has a filename like <string of hex digits>-cache-page-<string of hex digits>.php. (Joomla has to store separate cache pages for separate URLs so the second string of hex digits is a hash of the URL of the site webpage, to make the filename unique to that page).

Then use the administrator functionality to change the text of that article, and redisplay the site webpage. You should find the cached version, not your modified text.

Changing an article (or other Joomla item) does not clear the page cache for the webpage(s) where that article is displayed. To clear the page cache go to administrator System / Clear Cache. Click on the checkbox next to the Cache Group called 'page', and press the Delete button. When you redisplay your web page it should now show your amended text.

If your site has a function like a shopping basket then applying page caching will cause problems, as pages have to show what the customer has already selected, rather than displaying a cached page which is common to everyone. However, you can configure the System Page Cache plugin to exclude caching specified Menu Items or specified URLs and URL ranges (in the Advanced tab), so that only truly static pages are cached.

Conservative Caching

With Conservative Caching you can cache the View output from components and the output from those Modules which allow caching. But note that this will work only on pages which are not cached using the Page Cache, as for those pages the whole webpage is cached, and Conservative Caching isn't even considered.

To switch on Conservative Caching:

  1. Go to administrator Global Configuration / System and within Cache Settings set System Cache to ON – Conservative caching
  2. Go to Extensions / Modules and select the modules which you'd like to be cached. If that module permits caching then under the Advanced tab you should be able to set Caching to
    • Use Global – this module will be cached (with the Global option now having been set to Conservative caching)
    • No caching – this module will not be cached.

(Note that the Cache Time in the Global Configuration is in minutes but the Cache Time in the Module settings is in seconds.)

To check it's working, go to your site, ensure that you are logged out, and navigate to a web page which displays an article. Check your file system and you should find a folder cache/com_content containing a cache file.

You'll also find other directories such as cache/com_languages (as displaying the page involves loading the current language, and this will be cached as well) and also directories relating to module cache, e.g. cache/com_modules. These result from the use of cache which developers have coded within the Joomla application.

If you edit and save that article, and then refresh the site page you will find that the site displays the updated text this time. This is because whenever the edit is saved, Joomla clears the cache for that article.

However, you can demonstrate that the cache is working if you edit the cache file in the cache/com_content directory using a basic text editor. Using the editor change one letter within the article text in the cache file and save the file. Then when you refresh the webpage you should see the update which you made to the cache file.

How can you select which component views get cached, and under what circumstances? Alas, you can't do this. This is determined by the Joomla core component developers and coded in the component PHP code, and the criteria are different for each component. However, you can easily discover what criteria are used because for each of the site components they are coded in the site controller.php file. For example, at time of writing (Joomla version 3.9.2) for the contacts component we find in components/com_contact/controller.php

This means that the views associated with contacts will be cacheable unless there is session data keyed by com_contact.contact.data – which will be the case if in the user session the user has displayed a contact form (e.g. on a page pointed to by a menu item of type Contacts / Single Contact).

The equivalent file for articles components/com_content/controller.php contains:

The expression $user->get('id') is true if this is a logged in user, so this means that articles are never cached for logged in users. The subsequent expressions relate to other conditions when the caching is not performed, even if the user is not logged in.

So in this way you can discover the circumstances under which caching is performed, but changing these is not advisable. You can also demonstrate that modules are being cached by using the Joomla Breadcrumbs module, ensuring it's displayed in some module position on the webpage, setting its Caching option and manually editing the cached file in cache/mod_breadcrumbs.

Progressive Caching

Like Conservative Caching, Progressive Caching also caches the output from component views and from modules. The functional difference between the two is that with Progressive Caching all modules are always cached for logged-off users. In this case setting the No caching option for a module has no effect. If the caching storage option is set to File then you can find the modules cache file (the output from all modules is stored within the same file) within the cache/com_modules directory.

To switch on progressive caching go to administrator Global Configuration / System and within Cache Settings set System Cache to ON – Progressive caching.

As regards the conditions for caching of Joomla core component views, there is no difference between conservative and progressive caching. Despite what you may read on some websites and in responses to Stack Overflow questions, it is not the case that conservative caching relates to when the user is not logged on and progressive caching to when the user is logged on.

Summary

A summary of the caching types is below.

Page Caching

  • Configuration: Built-in Plugin (Extensions -> Plugin Manager -> System - Page Cache)
  • Caches: each whole page of your site
  • Based on: URL
  • More info:
    • Optional browser caching: Also caches on your visitors' browser/computer
    • Only caches pages for guest visitors (not for logged in visitors). Be careful using this plugin if you have an interactive site where you want to serve content based on session/cookie information rather than on the plain URL only. Features like a shopping cart will not work.

View Caching

  • Configuration: Global Config->Cache
  • Caches: each view of a component
  • Based on: URL, view, parameters, ...
  • More info: Component developers have to include this in their code for it to work, and mostly this is not done. The Joomla main content component uses this, but only for guest visitors of your site, though this is not obligatory for every component.

Module Caching

  • Configuration: Global Config->Cache
  • Caches: each module (individually customized via each module's Advanced Parameters)
  • Based on: the module id, the user's view levels and the Itemid parameter in the HTTP request
  • More info: You must disable it on some modules to avoid problems

Further Caching

If you want to check out other cache systems and possibilities, you might want to check out the third-party extensions around caching.

Caching engines or storages

  • Configuration: Global Config->Cache

Here you can choose which system you want your site to use for all caching. Current options are: APC, eAccelerator, File, Memcache, Redis, XCache.

APC, for example, also caches your PHP opcode.

The class JCache allows a lot of different sorts and levels of caching. The following sub-classes are made specifically, but you can add your own, or use the main one in many different ways.

Don't forget that the first level of cache encountered will override any deeper caching. I suppose that too many levels is also counterproductive (to be verified though).

  • JCacheView caches and returns the output of a given view (in MVC). A cache id is automatically generated from the URI, specific view and its specific method, or you can give your own.

This can automatically be done via the base controller's display function. For example in the controller of your component:

There are also some urlparams to consider. Check this 'joomla stack'

Also, be aware that any updates (such as hits or visit counts) will NOT be updated (unless you add this outside this method and thus any deeper MVC-part.)

  • JCachePage caches and returns the body of the page.
  • JCacheCallback caches and returns the output and results of functions or methods.

If you want to cache queries, this is a good class for it, as illustrated here: Using caching to speed up your code

  • JCacheOutput caches and returns output.

This is rather meant for caching a specific part of PHP code. It acts like an output buffer, but cached.

Retrieved from 'https://docs.joomla.org/index.php?title=Cache&oldid=648538'

This document provides an introduction to the topic of security from the point of view of Redis: the access control provided by Redis, code security concerns, attacks that can be triggered from the outside by selecting malicious inputs and other similar topics are covered.

For security related contacts please open an issue on GitHub, or when you feel it is really important that the security of the communication is preserved, use the GPG key at the end of this document.

Redis general security model

Redis is designed to be accessed by trusted clients inside trusted environments. This means that usually it is not a good idea to expose the Redis instance directly to the internet or, in general, to an environment where untrusted clients can directly access the Redis TCP port or UNIX socket.

For instance, in the common context of a web application implemented using Redis as a database, cache, or messaging system, the clients inside the front-end (web side) of the application will query Redis to generate pages or to perform operations requested or triggered by the web application user.

In this case, the web application mediates access between Redis and untrusted clients (the user browsers accessing the web application).

This is a specific example, but, in general, untrusted access to Redis should always be mediated by a layer implementing ACLs, validating user input, and deciding what operations to perform against the Redis instance.

Network security

Access to the Redis port should be denied to everybody but trusted clients in the network, so the servers running Redis should be directly accessible only by the computers implementing the application using Redis.

In the common case of a single computer directly exposed to the internet, such as a virtualized Linux instance (Linode, EC2, ...), the Redis port should be firewalled to prevent access from the outside. Clients will still be able to access Redis using the loopback interface.

Note that it is possible to bind Redis to a single interface by adding a line like the following to the redis.conf file:

Failing to protect the Redis port from the outside can have a big security impact because of the nature of Redis. For instance, a single FLUSHALL command can be used by an external attacker to delete the whole data set.

Protected mode

Unfortunately, many users fail to protect Redis instances from being accessed from external networks. Many instances are simply left exposed on the internet with public IPs. For this reason, since version 3.2.0, when Redis is executed with the default configuration (binding all the interfaces) and without any password required to access it, it enters a special mode called protected mode. In this mode Redis only replies to queries from the loopback interfaces, and replies to clients connecting from other addresses with an error explaining what is happening and how to configure Redis properly.

We expect protected mode to seriously decrease the security issues caused by unprotected Redis instances executed without proper administration. However, the system administrator can still ignore the error given by Redis and just disable protected mode or manually bind all the interfaces.

Authentication feature

While Redis does not try to implement Access Control, it provides a tiny layer of authentication that is optionally turned on by editing the redis.conf file.

When the authorization layer is enabled, Redis will refuse any query by unauthenticated clients. A client can authenticate itself by sending the AUTH command followed by the password.

The password is set by the system administrator in clear text inside the redis.conf file. It should be long enough to prevent brute force attacks for two reasons:

  • Redis is very fast at serving queries. Many passwords per second can be tested by an external client.
  • The Redis password is stored inside the redis.conf file and inside the client configuration, so it does not need to be remembered by the system administrator, and thus it can be very long.

The goal of the authentication layer is to optionally provide a layer of redundancy. If firewalling or any other system implemented to protect Redis from external attackers fails, an external client will still not be able to access the Redis instance without knowledge of the authentication password.

The AUTH command, like every other Redis command, is sent unencrypted, so it does not protect against an attacker that has enough access to the network to perform eavesdropping.

TLS support

Redis has optional support for TLS on all communication channels, including client connections, replication links and the Redis Cluster bus protocol.

Disabling of specific commands

It is possible to disable commands in Redis or to rename them into an unguessable name, so that normal clients are limited to a specified set of commands.

For instance, a virtualized server provider may offer a managed Redis instance service. In this context, normal users should probably not be able to call the Redis CONFIG command to alter the configuration of the instance, but the systems that provide and remove instances should be able to do so.

In this case, it is possible to either rename or completely shadow commands from the command table. This feature is available as a statement that can be used inside the redis.conf configuration file. For example:

In the above example, the CONFIG command was renamed into an unguessable name. It is also possible to completely disable it (or any other command) by renaming it to the empty string, like in the following example:

Attacks triggered by carefully selected inputs from external clients

There is a class of attacks that an attacker can trigger from the outside even without external access to the instance. An example of such an attack is the ability to insert data into Redis that triggers pathological (worst case) algorithm complexity on data structures implemented inside Redis internals.

For instance, an attacker could supply, via a web form, a set of strings that are known to hash to the same bucket in a hash table in order to turn the O(1) expected time (the average time) into the O(N) worst case, consuming more CPU than expected, and ultimately causing a Denial of Service.

To prevent this specific attack, Redis uses a per-execution pseudo-random seed to the hash function.

Redis implements the SORT command using the qsort algorithm. Currently, the algorithm is not randomized, so it is possible to trigger a quadratic worst-case behavior by carefully selecting the right set of inputs.

String escaping and NoSQL injection

The Redis protocol has no concept of string escaping, so injection is impossible under normal circumstances using a normal client library. The protocol uses prefixed-length strings and is completely binary safe.

Lua scripts executed by the EVAL and EVALSHA commands follow the same rules, and thus those commands are also safe.

While it would be a very strange use case, the application should avoid composing the body of the Lua script using strings obtained from untrusted sources.
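The length-prefixed framing described above, as an added example that is not code from the Redis documentation: a small encoder and decoder for the array-of-bulk-strings form a client library sends, run over a constructed untrusted value that contains CRLF and a command name. The function names and the sample key and value are this example's own; the line-based count at the end is a hypothetical framing shown only for contrast.

```python
CRLF = b"\r\n"

# Constructed untrusted input: a form value carrying CRLF and a command name.
UNTRUSTED = b"guest\r\nFLUSHALL\r\n"


def encode_command(*args):
    """Serialize a command as an array of length-prefixed bulk strings."""
    out = [b"*%d" % len(args) + CRLF]
    for arg in args:
        data = arg if isinstance(arg, bytes) else str(arg).encode()
        out.append(b"$%d" % len(data) + CRLF + data + CRLF)
    return b"".join(out)


def decode_command(buf):
    """Parse one command by declared lengths; return (args, unread bytes)."""
    def read_line(pos):
        end = buf.index(CRLF, pos)
        return buf[pos:end], end + len(CRLF)

    header, pos = read_line(0)
    if header[:1] != b"*":
        raise ValueError("expected array header")
    args = []
    for _ in range(int(header[1:])):
        size_line, pos = read_line(pos)
        if size_line[:1] != b"$":
            raise ValueError("expected bulk string header")
        size = int(size_line[1:])
        data = buf[pos:pos + size]
        # The payload is taken by length, so CRLF inside it is just data.
        if len(data) != size or buf[pos + size:pos + size + 2] != CRLF:
            raise ValueError("truncated or malformed bulk string")
        args.append(data)
        pos += size + len(CRLF)
    return args, buf[pos:]


def line_framed_count(*args):
    """Contrast: commands a hypothetical line-delimited framing would see."""
    payload = b" ".join(args) + CRLF
    return len([line for line in payload.split(CRLF) if line])


if __name__ == "__main__":
    wire = encode_command("SET", "session:name", UNTRUSTED)
    print(decode_command(wire))
    print(line_framed_count(b"SET", b"session:name", UNTRUSTED))
```

With length prefixes the untrusted value arrives as the third argument of a single SET, byte for byte; the line-delimited framing would have read the same bytes as two separate commands.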

Code security

In a classical Redis setup, clients are allowed full access to the command set, but accessing the instance should never result in the ability to control the system where Redis is running.

Internally, Redis uses all the well known practices for writing secure code, to prevent buffer overflows, format bugs and other memory corruption issues. However, the ability to control the server configuration using the CONFIG command makes the client able to change the working dir of the program and the name of the dump file. This allows clients to write RDB Redis files at random paths, which is a security issue that may easily lead to the ability to compromise the system and/or run untrusted code as the same user as Redis is running.

Redis does not require root privileges to run. It is recommended to run it as an unprivileged redis user that is only used for this purpose. The Redis authors are currently investigating the possibility of adding a new configuration parameter to prevent CONFIG SET/GET dir and other similar run-time configuration directives. This would prevent clients from forcing the server to write Redis dump files at arbitrary locations.
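The settings covered in the network security, protected mode, authentication, command disabling and code security sections can be checked together. The following is an added example, not code from the Redis documentation: it parses redis.conf text and reports which of those protections are missing, run over two constructed configurations. The finding codes and the 32-character password threshold are assumptions of this example.

```python
import shlex

# Constructed sample configurations for this example (not from a real host).
WEAK_CONF = """
# reachable from any network, no password, protected mode switched off
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
requirepass "constructed-placeholder-secret-0123456789-abcdefghij"
rename-command CONFIG ""
"""

LOOPBACK = {"127.0.0.1", "::1"}
MIN_PASSWORD_LEN = 32  # threshold chosen for this example, not a Redis rule


def parse_conf(text):
    """Map each directive name to the argument lists of its occurrences."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = shlex.split(line)  # shlex keeps "" as an empty argument
        conf.setdefault(name.lower(), []).append(args)
    return conf


def audit(text):
    """Return finding codes for the settings the sections above discuss."""
    conf = parse_conf(text)

    def last(name):
        return conf[name][-1] if name in conf else None

    findings = []
    # Network security: no bind line means Redis listens on every interface.
    addrs = [a.lstrip("-") for a in (last("bind") or [])]
    if not addrs or any(a not in LOOPBACK for a in addrs):
        findings.append("bind-not-loopback")
    # Protected mode is on by default since 3.2.0; flag an explicit opt-out.
    if last("protected-mode") == ["no"]:
        findings.append("protected-mode-off")
    # Authentication: the password should exist and be long.
    password = (last("requirepass") or [""])[0]
    if not password:
        findings.append("no-password")
    elif len(password) < MIN_PASSWORD_LEN:
        findings.append("short-password")
    # Command table: CONFIG should be renamed or disabled (renamed to "").
    renamed = {a[0].upper() for a in conf.get("rename-command", []) if len(a) == 2}
    if "CONFIG" not in renamed:
        findings.append("config-not-renamed")
    return findings


if __name__ == "__main__":
    print("weak:", audit(WEAK_CONF))
    print("hardened:", audit(HARDENED_CONF))
```

A non-loopback bind address is not wrong in itself when the application runs on another host; the finding marks an instance whose port must then be firewalled to trusted clients only.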

GPG key

Key fingerprint
