Connecting Rspamd to Redis and Nginx via Unix sockets #1905

Closed
quicktrick opened this issue Nov 3, 2017 · 7 comments

quicktrick commented Nov 3, 2017

This is not an issue, this is a config example (everything is working on openSUSE Tumbleweed, Rspamd 1.6.5).

Redis

/etc/redis/rspamd.conf (changes only)

bind 127.0.0.1
port 0
unixsocket /var/run/redis/rspamd.sock
unixsocketperm 770
pidfile /var/run/redis/rspamd.pid
logfile /var/log/redis/rspamd.log
dir /var/lib/redis/rspamd/

You should create the directory /var/lib/redis/rspamd and make it writable for user redis.

If you need to launch a separate Redis instance for Rspamd, follow these instructions.

/etc/rspamd/local.d/redis.conf

servers = "/var/run/redis/rspamd.sock";

/etc/rspamd/local.d/classifier-bayes.conf

backend = "redis";
autolearn = true;

Don't forget to add the user _rspamd to the group redis (run usermod -a -G redis _rspamd).

You can check the connection with this:

myserver:~ # redis-cli -s /run/redis/rspamd.sock
redis /run/redis/rspamd.sock> ping
PONG
redis /run/redis/rspamd.sock> monitor
OK
1509722016.014458 [0 unix:/var/run/redis/rspamd.sock] "SMEMBERS" "BAYES_HAM_keys"
1509722018.522879 [0 unix:/var/run/redis/rspamd.sock] "SMEMBERS" "BAYES_SPAM_keys"
1509722018.523305 [0 unix:/var/run/redis/rspamd.sock] "HLEN" "BAYES_SPAM"
1509722018.523334 [0 unix:/var/run/redis/rspamd.sock] "HGET" "BAYES_SPAM" "learns"
1509722024.892442 [0 unix:/var/run/redis/rspamd.sock] "SMEMBERS" "BAYES_SPAM_keys"
1509722024.892870 [0 unix:/var/run/redis/rspamd.sock] "HLEN" "BAYES_SPAM"
1509722024.892899 [0 unix:/var/run/redis/rspamd.sock] "HGET" "BAYES_SPAM" "learns"
...

Nginx

/etc/tmpfiles.d/rspamd.conf (create this file if needed and run systemd-tmpfiles --create)

d  /var/run/rspamd  0755  _rspamd  _rspamd  -

/etc/rspamd/local.d/worker-controller.inc

bind_socket = "/run/rspamd/worker-controller.socket mode=0666 owner=_rspamd";
password = "$2$paparrytknfm8...";
enable_password = "$2$paparrytknfm8...";

nginx.conf

# map is only valid in the http context, so it sits outside the location block
map $status $loggable {
    ~^[23]  0;
    default 1;
}

location /rspamd/ {
    auth_basic "Restricted Area";
    auth_basic_user_file /srv/www/.mydomain.tld.htpasswd;

    access_log /var/log/nginx/rspamd.access.log combined if=$loggable;
    error_log /var/log/nginx/rspamd.error.log warn;

    proxy_pass http://unix:/run/rspamd/worker-controller.socket:/;

    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

I wrote this mainly for myself to store as an example for future use.

Member

vstakhov commented Nov 4, 2017

Why is this issue closed? We should add this information to the documentation, I suppose (e.g. to a FAQ section).

vstakhov reopened this Nov 4, 2017

Contributor

fatalbanana commented Nov 4, 2017

Because it self-identifies as not an issue I suppose. :) This could go somewhere indeed but I'm not sure where, perhaps FAQ is best.

Member

vstakhov commented Nov 5, 2017

I have slightly changed the Rspamd config sample to:

bind_socket = "/run/rspamd/worker-controller.socket mode=0660 owner=_rspamd group=www";

To avoid world-readable/writable sockets. That should be a better approach if nginx uses the www group.

Author

quicktrick commented Nov 6, 2017

@vstakhov

Всеволод, it doesn't work that way. Even after you add your Nginx user to the group _rspamd. I don't know why. I tried it before I wrote my instruction.

Oh, sorry, I didn't try the Nginx group as the socket owner. I'll try it later. But... at first glance it looks somewhat illogical to me to use a different group owner for Rspamd's socket than the _rspamd group itself. I think it's better to find out why the Nginx user doesn't work even after it is added to the group _rspamd.

There is one more issue with the sockets. Every time I stop Rspamd manually, the temporary directory /var/run/rspamd disappears. It seems like Rspamd removes it. And I have to run systemd-tmpfiles --create every time I start the service manually after stopping it.

Edit:
Vsevolod, I tried your change. It doesn't work on my server. Does it work on your server?
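
The socket-permission question discussed in the comments above (mode=0666 versus mode=0660 with a group, and a web-server user that cannot connect) can be checked mechanically. The following is an added example, not part of the thread or of Rspamd; it assumes classic Unix mode bits only (no ACLs, non-root client), and the function names are hypothetical:

```python
import os
import stat

def _class_bits(st, uid, gids):
    """Return the rwx triplet (owner, group or other) that applies to uid/gids."""
    mode = stat.S_IMODE(st.st_mode)
    if uid == st.st_uid:
        return (mode >> 6) & 7
    if st.st_gid in gids:
        return (mode >> 3) & 7
    return mode & 7

def world_connectable(sock_path):
    """True if the socket's 'other' class has write permission (e.g. mode=0666)."""
    return bool(stat.S_IMODE(os.stat(sock_path).st_mode) & stat.S_IWOTH)

def may_connect(sock_path, uid, gids, stop="/"):
    """True if a non-root process with uid/gids can connect() to sock_path.

    Linux requires write permission on the socket itself and search (x)
    permission on every directory leading to it; directories are checked
    from the socket's parent up to `stop`.
    """
    sock_path, stop = os.path.abspath(sock_path), os.path.abspath(stop)
    st = os.stat(sock_path)
    if not stat.S_ISSOCK(st.st_mode) or not _class_bits(st, uid, gids) & 2:
        return False
    directory = os.path.dirname(sock_path)
    while True:
        if not _class_bits(os.stat(directory), uid, gids) & 1:
            return False
        if directory in (stop, "/"):
            return True
        directory = os.path.dirname(directory)

if __name__ == "__main__":
    import pwd
    import sys
    # Usage: script.py SOCKET USER, e.g. the controller socket and the nginx user.
    path, user = sys.argv[1], sys.argv[2]
    pw = pwd.getpwnam(user)
    gids = set(os.getgrouplist(user, pw.pw_gid))  # groups per the group database
    print("world-connectable:", world_connectable(path))
    print(user, "may connect:", may_connect(path, pw.pw_uid, gids))
```

Group changes made with usermod only reach processes started afterwards, so for an already running nginx compare against the Groups line in /proc/<pid>/status rather than the group database.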


fenice2 commented Nov 26, 2017

@fatalbanana

My 2c on this would be to add it to a new section of documentation that lists "How To" examples for rspamd configurations (and possibly 'tweaking'). While the FAQ, as such, is great for some information it's not the best place for anyone that wants to see or try a specific configuration in rspamd - not everyone that uses rspamd is an expert in this technology and yes, I'm in that bracket. :)


Jean-Daniel commented Jan 16, 2018

I think that a quick change can be to simply add a line in the Upstream configuration doc to say that servers also accepts a Unix socket (in addition to IPv4 and IPv6). It would be very helpful and would have saved me a lot of time (I had to browse the sources to find how to specify a Unix socket in the configuration…).

That does not prevent also including the full sample elsewhere in the doc.

Contributor

fatalbanana commented Feb 24, 2018

FAQ was updated. Please send PRs for the website: it lives here - tips for working on it are here
