We are running Moodle 3.9 in a load-balanced setup with 6 web servers. Session caching is done via Redis, application caching via memcached.
Concerning our setup I have two questions.
1) Right now we have configured our Redis cache via config.php ($CFG->session_handler_class = '\core\session\redis'). We have not done any configuration in the Moodle administration interface, as described here: https://docs.moodle.org/39/en/Redis_cache_store.
However, "redis-cli monitor" shows that Moodle uses our Redis cache. Is there any benefit to adding a Redis store via the Moodle administration backend? What is the difference between setting up Redis in config.php and in the backend?
2) Moodle 3.9 introduced read-only sessions: https://tracker.moodle.org/browse/MDL-58018
We would like to use this feature to prevent request serialisation (see Problem Statement in the above link), because right now, a single not-logged-in user can 'denial of service' our installation by issuing requests to the start page at a high frequency.
Can read-only sessions be used to prevent these denial of service attempts? Are there any other mechanisms to prevent them? Is it perhaps a misconfiguration on our site that enables these problems?
Thank you for your input!