Script Valley
Redis: Complete Course
Redis in Production, Lesson 6.4

Redis security: authentication, TLS, and ACL user permissions

requirepass, AUTH command, ACL LIST, ACL SETUSER, channel permissions, key pattern permissions, TLS configuration, binding to localhost, RENAME-COMMAND

Securing Redis in production

Redis has no security by default: no password is set and traffic is not encrypted. On a public network, an unsecured Redis server is a breach waiting to happen.

Password authentication

# redis.conf
requirepass your_strong_password_here

# Client auth
AUTH your_strong_password_here

Access Control Lists (ACL)

# Create a read-only user with key pattern access
ACL SETUSER readonlyuser on >readpass ~cache:* +GET +HGET +LRANGE

# List all users
ACL LIST

# Disable the dangerous default user
# (create and test another user with admin rights first, or new connections will be locked out)
ACL SETUSER default off

TLS encryption

# redis.conf
tls-port 6380
tls-cert-file /etc/redis/tls/redis.crt
tls-key-file /etc/redis/tls/redis.key
tls-ca-cert-file /etc/redis/tls/ca.crt

Network binding

# Only listen on localhost and internal interface
bind 127.0.0.1 10.0.0.1
# Never bind to 0.0.0.0 in production

Restrict dangerous commands with RENAME-COMMAND. For example, rename FLUSHALL to a random string so that application code cannot wipe the data by accident.
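
The audit sketch below is an added example, not part of the original lesson. It parses redis.conf text and flags the password, bind and TLS settings covered above, including one gap the TLS snippet leaves open: the plaintext port keeps listening until `port 0` is set. The sample configs, finding names and function names are constructed for illustration.

```python
import shlex

# Constructed samples: WEAK is an exposed instance, LESSON combines this lesson's snippets.
WEAK = "port 6379\nbind 0.0.0.0\n"
LESSON = """
requirepass constructed-sample-password-not-a-real-secret
bind 127.0.0.1 10.0.0.1
tls-port 6380
tls-cert-file /etc/redis/tls/redis.crt
tls-key-file /etc/redis/tls/redis.key
tls-ca-cert-file /etc/redis/tls/ca.crt
"""
WILDCARDS = {"0.0.0.0", "*", "::", "::*"}

def parse_conf(text):
    """Map each directive (lower-cased) to the argument list of its last occurrence."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, *args = shlex.split(line)
            conf[name.lower()] = args
    return conf

def audit(text):
    """Return finding ids (hypothetical names) for the settings covered in this lesson."""
    conf, findings = parse_conf(text), []
    if not any(conf.get("requirepass", [])):
        findings.append("no-password")  # default user accepts any client
    binds = [a.lstrip("-") for a in conf.get("bind", ["*"])]  # no bind = all interfaces
    if WILDCARDS & set(binds):
        findings.append("bind-all-interfaces")
    tls_on = conf.get("tls-port", ["0"])[0] != "0"
    if not tls_on:
        findings.append("no-tls")
    elif not all(conf.get(k) for k in ("tls-cert-file", "tls-key-file")):
        findings.append("tls-missing-cert-or-key")
    # tls-port adds a listener; the plaintext port (default 6379) stays up until "port 0"
    if conf.get("port", ["6379"])[0] != "0":
        findings.append("plaintext-port-open")
    return findings

if __name__ == "__main__":
    samples = (("weak", WEAK), ("lesson", LESSON), ("lesson + port 0", LESSON + "port 0\n"))
    for label, sample in samples:
        print(f"{label}: {audit(sample) or 'no findings'}")
```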
