$OpenBSD: patch-redis_conf,v 1.23 2020/09/03 04:29:27 tb Exp $

Redis TLSv1.3 support is conditional on TLS1_3_VERSION being public.
This is not currently the case and the ciphersuites config is a no-op.

Main changes in this file:

* Redis socket and pid files were moved to /var/run/redis
* Suggest using the system-wide root certificates /etc/ssl/certs.pem
* Using TLSv1.3 will currently trigger a log warning
* redis will daemonize and use syslog

Index: redis.conf
--- redis.conf.orig
+++ redis.conf
@@ -106,8 +106,8 @@ tcp-backlog 511
 # incoming connections. There is no default, so Redis will not listen
 # on a unix socket when not specified.
 #
-# unixsocket /tmp/redis.sock
-# unixsocketperm 700
+# unixsocket /var/run/redis/redis.sock
+# unixsocketperm 770
 
 # Close the connection after a client is idle for N seconds (0 to disable)
 timeout 0
@@ -154,6 +154,7 @@ tcp-keepalive 300
 # of these, and will not implicitly use the system wide configuration.
 #
 # tls-ca-cert-file ca.crt
+# tls-ca-cert-file /etc/ssl/cert.pem
 # tls-ca-cert-dir /etc/ssl/certs
 
 # By default, clients (including replica servers) on a TLS port are required
@@ -184,14 +185,14 @@ tcp-keepalive 300
 #
 # tls-protocols "TLSv1.2 TLSv1.3"
 
-# Configure allowed ciphers.  See the ciphers(1ssl) manpage for more information
+# Configure allowed ciphers.  See SSL_set_cipher_list(3) for more information
 # about the syntax of this string.
 #
 # Note: this configuration applies only to <= TLSv1.2.
 #
 # tls-ciphers DEFAULT:!MEDIUM
 
-# Configure allowed TLSv1.3 ciphersuites.  See the ciphers(1ssl) manpage for more
+# Configure allowed TLSv1.3 ciphersuites.  See SSL_set_cipher_list(3) for more
 # information about the syntax of this string, and specifically for TLSv1.3
 # ciphersuites.
 #
@@ -221,8 +222,9 @@ tcp-keepalive 300
 ################################# GENERAL #####################################
 
 # By default Redis does not run as a daemon. Use 'yes' if you need it.
-# Note that Redis will write a pid file in /var/run/redis.pid when daemonized.
-daemonize no
+# Note that Redis will write a pid file in /var/run/redis/redis.pid
+# when daemonized.
+daemonize yes
 
 # If you run Redis from upstart or systemd, Redis can interact with your
 # supervision tree. Options:
@@ -240,11 +242,11 @@ supervised no
 #
 # When the server runs non daemonized, no pid file is created if none is
 # specified in the configuration. When the server is daemonized, the pid file
-# is used even if not specified, defaulting to "/var/run/redis.pid".
+# is used even if not specified, defaulting to "/var/run/redis/redis.pid".
 #
 # Creating a pid file is best effort: if Redis is not able to create it
 # nothing bad happens, the server will start and run normally.
-pidfile /var/run/redis_6379.pid
+pidfile /var/run/redis/redis_6379.pid
 
 # Specify the server verbosity level.
 # This can be one of:
@@ -257,17 +259,18 @@ loglevel notice
 # Specify the log file name. Also the empty string can be used to force
 # Redis to log on the standard output. Note that if you use standard
 # output for logging but daemonize, logs will be sent to /dev/null
-logfile ""
+# logfile ""
 
 # To enable logging to the system logger, just set 'syslog-enabled' to yes,
 # and optionally update the other syslog parameters to suit your needs.
-# syslog-enabled no
+syslog-enabled yes
 
 # Specify the syslog identity.
-# syslog-ident redis
+syslog-ident redis
 
-# Specify the syslog facility. Must be USER or between LOCAL0-LOCAL7.
-# syslog-facility local0
+# Specify the syslog facility. Must be one of DAEMON, USER or between
+# LOCAL0-LOCAL7.
+syslog-facility daemon
 
 # Set the number of databases. The default database is DB 0, you can select
 # a different one on a per-connection basis using SELECT <dbid> where
@@ -362,7 +365,7 @@ rdb-del-sync-files no
 # The Append Only File will also be created inside this directory.
 #
 # Note that you must specify a directory here, not a file name.
-dir ./
+dir ${DBDIR}
 
 ################################# REPLICATION #################################
 
@@ -786,7 +789,7 @@ acllog-max-len 128
 # AUTH <password> as usually, or more explicitly with AUTH default <password>
 # if they follow the new protocol: both will work.
 #
-# requirepass foobared
+# requirepass very-strong-password
 
 # Command renaming (DEPRECATED).
 #
@@ -830,6 +833,7 @@ acllog-max-len 128
 # limit accordingly in case of very large clusters.
 #
 # maxclients 10000
+maxclients 96
 
 ############################## MEMORY MANAGEMENT ################################
 
