Overview

Redis provides multiple security layers including network isolation, authentication, Access Control Lists (ACL), and protected mode. This guide covers security configuration and best practices.
Redis is designed to be accessed by trusted clients inside trusted environments. Never expose Redis directly to the internet without proper security measures.

Protected Mode

Protected mode is a security layer that prevents Redis instances from being accessed when left open on the internet.

How Protected Mode Works

When protected mode is enabled and the default user has no password:
  • Redis only accepts connections from:
    • IPv4 loopback (127.0.0.1)
    • IPv6 loopback (::1)
    • Unix domain sockets

Configuration

# Enable protected mode (default)
protected-mode yes

# Disable only if you have proper authentication and firewall
protected-mode no
Disable protected mode only if:
  1. You have configured authentication (requirepass or ACL)
  2. Your firewall properly restricts access
  3. You use the bind directive to limit network interfaces

Network Security

Bind Directive

Limit which network interfaces Redis listens on:
# Secure default - localhost only
bind 127.0.0.1 -::1

# Specific private network interfaces
bind 192.168.1.100 10.0.0.1

# All interfaces (use with caution!)
# bind * -::*

Unix Domain Sockets

For local connections, Unix sockets provide better security than TCP:
unixsocket /run/redis.sock
unixsocketperm 700
Connect using:
redis-cli -s /run/redis.sock

Authentication

Legacy Password Authentication (requirepass)

Starting with Redis 6, requirepass is a compatibility layer on top of ACL. Consider using ACL for new deployments.
# Set a strong password
requirepass your_strong_password_here
Authenticate with:
redis-cli
AUTH your_strong_password_here
Redis is very fast and can test up to 1 million passwords per second. Use very strong, long passwords from /dev/urandom or similar.

Password Best Practices

  • Use passwords at least 32 characters long
  • Generate from cryptographically secure random sources
  • Rotate passwords regularly
  • Never commit passwords to version control
  • Use environment variables or secrets management systems

Access Control Lists (ACL)

ACL, introduced in Redis 6.0, provides fine-grained, per-user access control.

ACL Concepts

ACL allows you to:
  • Create multiple users
  • Define command permissions per user
  • Restrict key access patterns
  • Control pub/sub channel access
  • Enable/disable users

ACL Commands

ACL SETUSER

Create or modify a user:
# Create a basic user
ACL SETUSER alice on >password123 ~* +@all

# Read-only user for specific keys
ACL SETUSER readonly on >readpass ~sensor:* +@read

# User for write operations on specific keys
ACL SETUSER writer on >writepass ~logs:* +@write

# User with command restrictions
ACL SETUSER limited on >limitpass ~* +get +set +incr

ACL Syntax

ACL rules format:
ACL SETUSER <username> <rules>
User State:
  • on - Enable user (can authenticate)
  • off - Disable user (cannot authenticate)
  • nopass - No password required (use with caution!)
Password Management:
  • >password - Add password to user
  • #<hash> - Add hashed password
  • <password - Remove password
  • !<hash> - Remove hashed password
  • resetpass - Remove all passwords
Key Patterns:
  • ~* or allkeys - Access all keys
  • ~pattern - Access keys matching glob pattern
  • %R~pattern - Read access to pattern
  • %W~pattern - Write access to pattern
  • resetkeys - Remove all key patterns
Command Permissions:
  • +@<category> - Allow command category
  • -@<category> - Deny command category
  • +<command> - Allow specific command
  • -<command> - Deny specific command
  • +@all or allcommands - Allow all commands
  • -@all or nocommands - Deny all commands
Channel Patterns:
  • &* or allchannels - Access all pub/sub channels
  • &pattern - Access channels matching pattern
  • resetchannels - Remove all channel patterns
Command Categories:
  • @admin - Administrative commands
  • @dangerous - Potentially dangerous commands
  • @keyspace - Key operations
  • @read - Read operations
  • @write - Write operations
  • @set - Set commands
  • @sortedset - Sorted set commands
  • @list - List commands
  • @hash - Hash commands
  • @string - String commands
  • @pubsub - Pub/sub commands
  • @transaction - Transaction commands
  • @scripting - Script commands
  • @stream - Stream commands

ACL GETUSER

View user permissions:
ACL GETUSER alice
Returns user flags, passwords (hashed), commands, keys, and channels.

ACL LIST

List all users in ACL format:
ACL LIST

ACL USERS

Get list of usernames:
ACL USERS

ACL WHOAMI

Get the current authenticated username:
ACL WHOAMI

ACL DELUSER

Delete a user:
ACL DELUSER alice
Deleting a user will terminate all active connections authenticated with that user.

ACL LOG

View security events (failed authentications, rejected commands):
# View recent ACL failures
ACL LOG

# View last 10 entries
ACL LOG 10

# Reset the log
ACL LOG RESET
Configure log length:
acllog-max-len 128
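As an added example (not part of the page or of Redis), here is detection logic that aggregates ACL LOG entries to flag password guessing and users probing commands their ACL denies; the entries are constructed in the flat field/value form the server returns, with made-up addresses, users and counts.

```python
# Constructed ACL LOG entries in the flat field/value form a RESP2 client receives (redis-cli shows the
# same fields as a numbered list). Addresses, users and counts are made up for the example.
SAMPLE_LOG = [
    ["count", 25, "reason", "auth", "context", "toplevel", "object", "AUTH", "username", "default",
     "age-seconds", "3.2", "client-info", "id=9 addr=10.0.0.5:51402 laddr=10.0.0.2:6379 user=default"],
    ["count", 1, "reason", "auth", "context", "toplevel", "object", "AUTH", "username", "app",
     "age-seconds", "80.0", "client-info", "id=12 addr=10.0.0.7:40021 laddr=10.0.0.2:6379 user=app"],
    ["count", 4, "reason", "command", "context", "toplevel", "object", "flushall", "username", "app",
     "age-seconds", "10.5", "client-info", "id=14 addr=10.0.0.8:33410 laddr=10.0.0.2:6379 user=app"],
    ["count", 2, "reason", "key", "context", "lua", "object", "admin:secrets", "username", "app",
     "age-seconds", "45.0", "client-info", "id=14 addr=10.0.0.8:33410 laddr=10.0.0.2:6379 user=app"],
]

def entry_to_dict(entry):
    """Turn one flat field/value entry into a dict and pull the client address out of client-info."""
    fields = dict(zip(entry[::2], entry[1::2]))
    info = dict(kv.split("=", 1) for kv in fields["client-info"].split() if "=" in kv)
    fields["addr"] = info.get("addr", "?")
    return fields

def summarize(log, auth_threshold=10, noperm_threshold=3):
    """Aggregate failures and return (findings, auth_by_addr, noperm_by_user).

    Redis merges repeated failures with the same reason, context, object and user that occur within
    a short window into one entry and bumps its count, so one entry can already represent a burst."""
    auth_by_addr, noperm_by_user, findings = {}, {}, []
    for e in map(entry_to_dict, log):
        if e["reason"] == "auth":
            auth_by_addr[e["addr"]] = auth_by_addr.get(e["addr"], 0) + e["count"]
        else:  # "command", "key" or "channel": an authenticated user tried something its ACL denies
            noperm_by_user[e["username"]] = noperm_by_user.get(e["username"], 0) + e["count"]
            if e["reason"] == "command" and e["object"] in ("flushall", "flushdb", "config", "debug"):
                findings.append(f"user {e['username']} from {e['addr']} attempted {e['object'].upper()}")
    for addr, n in auth_by_addr.items():
        if n >= auth_threshold:
            findings.append(f"{n} failed AUTH attempts from {addr} (possible password guessing)")
    for user, n in noperm_by_user.items():
        if n >= noperm_threshold:
            findings.append(f"user {user} denied {n} times; review its ACL rules or the client")
    return findings, auth_by_addr, noperm_by_user
```

Because ACL LOG is a fixed-size ring buffer (acllog-max-len), poll it on a schedule and reset it after each read so bursts are not lost.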

ACL Configuration File

Define users in a separate ACL file:
# redis.conf
aclfile /etc/redis/users.acl
users.acl:
# Default user (required)
user default on nopass ~* +@all

# Admin user
user admin on >strong_admin_password ~* +@all

# Application user - limited permissions
user app on >app_password ~app:* +@read +@write -@dangerous

# Read-only monitoring user
user monitor on >monitor_password ~* +@read +ping +info

# Worker for background jobs
user worker on >worker_password ~jobs:* ~results:* +@list +@string +get +set +del
The ACL file cannot be used together with requirepass. Choose one authentication method.

ACL Examples

Example 1: Read-Only User

ACL SETUSER readonly on >readonlypass ~* +@read -@write -@admin
This user can:
  • Execute all read commands
  • Access all keys
Cannot:
  • Execute write commands
  • Execute admin commands

Example 2: Cache-Only User

ACL SETUSER cache on >cachepass ~cache:* +get +set +del +ttl +expire
This user can:
  • GET, SET, DEL keys matching cache:*
  • Check TTL and set expiration
Cannot:
  • Access other keys
  • Execute other commands

Example 3: Pub/Sub User

ACL SETUSER pubsub on >pubsubpass resetchannels &notifications:* +publish +subscribe +psubscribe
This user can:
  • Publish to channels matching notifications:*
  • Subscribe to matching channels
Cannot:
  • Access keys
  • Use other channels

Example 4: Multi-Pattern Read/Write Separation

ACL SETUSER split on >splitpass %R~read:* %W~write:* +@all
This user:
  • Can read keys matching read:*
  • Can write keys matching write:*
  • Has all command permissions
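To show how these rules combine, the following evaluator (an added example, not Redis's own ACL code) applies ACL SETUSER rules left to right and answers whether a user may run a command against a key. Its command category table is a constructed subset covering only the commands used on this page, channel rules are accepted but ignored, and the matching uses Python's fnmatch in place of Redis's glob matcher.

```python
import fnmatch

# Constructed subset of Redis command categories, limited to the commands used on this page.
CATEGORIES = {
    "get": {"read", "string", "fast"}, "set": {"write", "string", "slow"},
    "del": {"keyspace", "write", "slow"}, "incr": {"write", "string", "fast"},
    "ttl": {"keyspace", "read", "fast"}, "expire": {"keyspace", "write", "fast"},
    "flushall": {"keyspace", "write", "slow", "dangerous"}, "ping": {"fast", "connection"},
    "config": {"admin", "slow", "dangerous"}, "info": {"slow", "dangerous"},
}
# Whether a command reads (R) and/or writes (W) its key; this is what %R~ / %W~ selectors check.
KEY_ACCESS = {"get": "R", "ttl": "R", "set": "W", "del": "W", "expire": "W", "incr": "RW"}
ALIASES = {"allcommands": "+@all", "nocommands": "-@all", "allkeys": "~*"}

def in_category(cat):
    return {cmd for cmd, cats in CATEGORIES.items() if cat == "all" or cat in cats}

def parse_rules(rules):
    """Apply ACL SETUSER rules left to right, as Redis does, and return the resulting user."""
    user = {"on": False, "nopass": False, "passwords": set(), "commands": set(), "keys": []}
    for rule in rules.split():
        rule = ALIASES.get(rule, rule)
        if rule in ("on", "off"):
            user["on"] = rule == "on"
        elif rule in ("nopass", "resetpass"):
            user["nopass"], user["passwords"] = rule == "nopass", set()
        elif rule[0] == ">":                  # adding a password also clears nopass
            user["nopass"], user["passwords"] = False, user["passwords"] | {rule[1:]}
        elif rule[0] == "<":
            user["passwords"].discard(rule[1:])
        elif rule[0] in "+-":                 # +@category, -@category, +command, -command
            names = in_category(rule[2:]) if rule[1] == "@" else {rule[1:].lower()}
            user["commands"] = user["commands"] | names if rule[0] == "+" else user["commands"] - names
        elif rule == "resetkeys":
            user["keys"] = []
        elif rule[0] in "~%":                 # ~pattern, %R~pattern, %W~pattern, %RW~pattern
            perm = "RW" if rule[0] == "~" else rule[1:rule.index("~")]
            user["keys"].append((perm, rule[rule.index("~") + 1:]))
        elif rule[0] == "&" or rule in ("allchannels", "resetchannels"):
            pass                              # pub/sub channel rules are accepted but not modelled
        else:
            raise ValueError(f"unsupported rule: {rule}")
    return user

def can_run(user, command, key=None):
    command = command.lower()
    if not user["on"] or command not in user["commands"]:
        return False
    need = KEY_ACCESS.get(command, "RW")      # one pattern must grant every flag the command needs
    return key is None or any(need in perm and fnmatch.fnmatchcase(key, pat) for perm, pat in user["keys"])
```

Feeding it the four example users above shows, for instance, that the split user can GET read:* keys but not write:* keys, because no single pattern grants both flags.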

Command Renaming

Command renaming is deprecated. Use ACL to remove commands from users instead.
For backward compatibility:
# Rename dangerous command
rename-command CONFIG b840fc02d524045429941cc15f59e41cb7be6c52

# Disable command completely
rename-command FLUSHALL ""

Protected Configuration Directives

Redis has security directives to control dangerous operations:
# Block protected configs from non-local connections
enable-protected-configs no

# Block debug commands
enable-debug-command no

# Block module loading commands
enable-module-command no
Values:
  • no - Block for all connections
  • yes - Allow for all connections
  • local - Allow only for local connections (127.0.0.1, ::1, Unix socket)

Security Hardening Steps

  1. Limit Network Exposure

# Bind to specific interface
bind 192.168.1.100

# Enable protected mode
protected-mode yes

  2. Configure Authentication

# Use ACL for fine-grained control
ACL SETUSER default on >strong_default_password ~* +@all

# Or use requirepass for simple authentication
CONFIG SET requirepass strong_password_here

  3. Restrict Command Access

# Create application user with limited permissions
ACL SETUSER myapp on >app_password ~myapp:* +@read +@write -@dangerous -@admin

  4. Enable TLS/SSL

See TLS Configuration for encrypting client-server communication.

  5. Monitor Security Events

# Regularly check ACL log
ACL LOG

# Monitor authentication failures in logs
CONFIG SET loglevel notice

  6. Use Firewall Rules

Restrict Redis port access using iptables or cloud security groups:

# Example iptables rule
sudo iptables -A INPUT -p tcp --dport 6379 -s 192.168.1.0/24 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 6379 -j DROP

  7. Disable Dangerous Commands

# Remove dangerous commands from default user
ACL SETUSER default -flushall -flushdb -config -shutdown

Security Checklist

  • Configure bind directive to limit network interfaces
  • Enable protected-mode unless using ACL or requirepass
  • Set strong passwords (32+ characters)
  • Use ACL to create application-specific users
  • Restrict command access using ACL categories
  • Enable TLS for client-server communication
  • Configure firewall rules
  • Regularly audit ACL LOG
  • Keep Redis updated with security patches
  • Use Unix sockets for local connections
  • Disable or restrict dangerous commands
  • Monitor authentication attempts in logs
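As an added example (not code from the page or from Redis), this script parses a redis.conf and reports which of the checklist items above it violates; both configuration fragments are constructed, one weak and one hardened the way this page recommends.

```python
import shlex

# Constructed redis.conf fragment with several weak settings (not one of the page's config samples).
WEAK_CONF = """
bind * -::*
protected-mode no
enable-debug-command yes
enable-module-command local
rename-command FLUSHALL ""
"""

# The same deployment with the settings this page recommends.
HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
aclfile /etc/redis/users.acl
enable-debug-command no
enable-module-command no
enable-protected-configs no
"""

def parse_conf(text):
    """Map each directive to its argument list; a repeated directive keeps its last value."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            name, *args = shlex.split(line)
            conf[name.lower()] = args
    return conf

def audit(conf):
    """Return checklist findings for a parsed config; an empty list means nothing was flagged."""
    findings = []
    bind = conf.get("bind", [])
    if not bind or any(a in ("*", "0.0.0.0", "::", "-::*") for a in bind):
        findings.append("bind: Redis listens on all interfaces; bind to specific private addresses")
    has_auth = "requirepass" in conf or "aclfile" in conf
    if not has_auth:
        findings.append("no authentication: set requirepass or an aclfile")
    elif "requirepass" in conf and len(conf["requirepass"][0]) < 32:
        findings.append("requirepass is shorter than 32 characters")
    if conf.get("protected-mode", ["yes"])[0] == "no" and not has_auth:
        findings.append("protected-mode no with no authentication configured")
    for d in ("enable-debug-command", "enable-module-command", "enable-protected-configs"):
        if conf.get(d, ["no"])[0] != "no":    # "no" is the secure default for all three
            findings.append(f"{d} {conf[d][0]}: set to no unless a local workflow needs it")
    if "rename-command" in conf:
        findings.append("rename-command is deprecated; remove commands from users with ACL rules instead")
    return findings
```

Running audit on a live server's CONFIG GET output works the same way once the field/value pairs are mapped into the same dict shape.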
