Redis Security
By default, Redis is designed for use in trusted environments. Securing Redis requires implementing authentication, access controls, encryption, and network isolation to protect your data from unauthorized access.
Authentication with requirepass
The simplest security measure is password authentication using the requirepass directive:
# Set a strong password
requirepass "MyStr0ng!P@ssw0rd#2024"
# Restart Redis for changes to take effect
sudo systemctl restart redis
# Using redis-cli
redis-cli
AUTH "MyStr0ng!P@ssw0rd#2024"
# Or pass the password on the command line (it then appears in process listings and shell history; the REDISCLI_AUTH environment variable avoids this)
redis-cli -a "MyStr0ng!P@ssw0rd#2024"
# Using URL format (percent-encode "@" and "#" inside the password as %40 and %23, otherwise the URL is parsed incorrectly)
redis://default:MyStr0ng!P%40ssw0rd%232024@localhost:6379
Access Control Lists (ACL)
Redis 6.0+ introduced ACLs for fine-grained access control, allowing you to create multiple users with specific permissions:
# Default user (disable for security)
ACL SETUSER default off
# Create admin user with full access
ACL SETUSER admin on >adminpass123 ~* &* +@all
# Create read-only user
ACL SETUSER readonly on >readpass456 ~* &* +@read -@write -@dangerous
# Create user for specific keys
ACL SETUSER app on >apppass789 ~app:* &* +@all -@dangerous
# Save ACL configuration (requires aclfile to be set in redis.conf)
ACL SAVE
- on/off: Enable or disable user
- >password: Set password (can have multiple)
- ~pattern: Key patterns user can access (~* = all keys, ~app:* = keys starting with "app:")
- &pattern: Pub/Sub channel patterns
- +command: Allow specific command
- -command: Deny specific command
- +@category: Allow command category (@read, @write, @admin, etc.)
- -@category: Deny command category
# View all ACL categories
ACL CAT
# View commands in a category
ACL CAT read
ACL CAT dangerous
# List all users
ACL LIST
# Get current user
ACL WHOAMI
# View specific user permissions
ACL GETUSER readonly
Persistent ACL Configuration
Store ACL rules in an external file for easier management:
# Enable ACL file
aclfile /etc/redis/users.acl
/etc/redis/users.acl:
user default off
user admin on >adminpass123 ~* &* +@all
user readonly on >readpass456 ~* &* +@read -@write -@dangerous
user cache_app on >cachepass789 ~cache:* &* +get +set +del +expire
# redis-cli
redis-cli --user readonly --pass readpass456
# PHP
$redis = new Redis();
$redis->connect('127.0.0.1', 6379);
$redis->auth(['readonly', 'readpass456']);
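As an added example (not code from the original page), a small Python audit of a users.acl file in the format shown above. It flags the points this section raises: the default user left enabled, nopass, clear-text passwords shorter than the checklist's 32 characters, and @dangerous still reachable after the rules are applied left to right. SAMPLE_ACL is constructed for the demonstration.

```python
MIN_PASSWORD_LEN = 32  # the checklist's "32+ characters" recommendation

# Constructed sample users.acl content (not taken from any real deployment).
SAMPLE_ACL = """\
user default on nopass ~* &* +@all
user admin on >adminpass123 ~* &* +@all
user readonly on >readpass456 ~* &* +@read -@write -@dangerous
user cache_app on >cachepass789 ~cache:* &* +get +set +del +expire
"""


def audit_user(name, rules):
    """Return findings for one user; rules are evaluated left to right, as Redis does."""
    findings = []
    if "nopass" in rules:
        findings.append("nopass: anyone can authenticate as this user")
    state = "off"  # users start disabled; each on/off rule flips it, last one wins
    for rule in rules:
        if rule in ("on", "off"):
            state = rule
    if name == "default" and state == "on":
        findings.append("default user is still enabled")
    for rule in rules:
        if rule.startswith(">") and len(rule) - 1 < MIN_PASSWORD_LEN:
            findings.append("clear-text password shorter than %d characters" % MIN_PASSWORD_LEN)
    # Only category-level rules are tracked: a later -@dangerous revokes an earlier +@all.
    dangerous = False
    for rule in rules:
        if rule in ("+@all", "allcommands", "+@dangerous"):
            dangerous = True
        elif rule in ("-@all", "nocommands", "-@dangerous"):
            dangerous = False
    if dangerous:
        findings.append("@dangerous commands reachable (CONFIG, FLUSHALL, DEBUG, ...)")
    return findings


def audit_acl(text):
    """Parse 'user <name> <rule>...' lines and return {name: [findings]}."""
    report = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) >= 2 and tokens[0] == "user":
            report[tokens[1]] = audit_user(tokens[1], tokens[2:])
    return report


if __name__ == "__main__":
    for user, findings in audit_acl(SAMPLE_ACL).items():
        print(user, "->", "; ".join(findings) or "ok")
```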
TLS/SSL Encryption
Encrypt Redis communication using TLS to prevent man-in-the-middle attacks and eavesdropping:
# Generate a CA key and self-signed CA certificate (valid 365 days); clients verify the server against ca.crt
openssl genrsa -out ca.key 2048
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
# Generate the server private key and certificate signing request
openssl genrsa -out redis.key 2048
openssl req -new -key redis.key -out redis.csr
# Sign the server certificate with the CA (valid 365 days)
openssl x509 -req -days 365 -in redis.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out redis.crt
# Enable TLS
port 0
tls-port 6379
# Certificate files
tls-cert-file /etc/redis/ssl/redis.crt
tls-key-file /etc/redis/ssl/redis.key
tls-ca-cert-file /etc/redis/ssl/ca.crt
# TLS protocols
tls-protocols "TLSv1.2 TLSv1.3"
# Client certificate authentication (optional)
tls-auth-clients yes
# redis-cli with TLS
redis-cli --tls --cert /path/to/client.crt --key /path/to/client.key --cacert /path/to/ca.crt
# PHP with TLS
$redis = new Redis();
$redis->connect('tls://127.0.0.1', 6379, 0, NULL, 0, 0, [
    'stream' => [
        'verify_peer'      => true,
        'verify_peer_name' => true,
        'cafile'           => '/path/to/ca.crt'
    ]
]);
Protected Mode
Redis protected mode prevents external connections when no password is set:
# Enable protected mode (default: yes)
protected-mode yes
# With protected mode, Redis only accepts connections from:
# - 127.0.0.1 (localhost)
# - ::1 (IPv6 localhost)
# - Unix sockets
# To accept external connections, you must:
# 1. Set requirepass or configure ACL, AND
# 2. Set bind to specific interfaces or disable protected mode
Network Security
Limit network exposure using bind and firewall rules:
# redis.conf
# Bind to localhost only (most secure)
bind 127.0.0.1 ::1
# Bind to specific private IP
bind 127.0.0.1 192.168.1.100
# Bind to all interfaces (not recommended; requires authentication and firewall rules)
bind 0.0.0.0
# Allow Redis only from application server
sudo iptables -A INPUT -p tcp -s 192.168.1.50 --dport 6379 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 6379 -j DROP
# Save rules
sudo iptables-save > /etc/iptables/rules.v4
Renaming Dangerous Commands
Rename or disable dangerous commands to prevent accidental or malicious misuse:
# Disable dangerous commands
rename-command FLUSHDB ""
rename-command FLUSHALL ""
rename-command KEYS ""
rename-command CONFIG ""
rename-command SHUTDOWN ""
rename-command DEBUG ""
# Or rename to obscure names
rename-command FLUSHDB "FLUSHDB_MySecret_2024"
rename-command CONFIG "CONFIG_Admin_Only_9876"
- FLUSHDB/FLUSHALL: Delete all data
- KEYS: Block server on large datasets
- CONFIG: Change server configuration
- SHUTDOWN: Stop Redis server
- DEBUG: Debug commands that can crash server
- SAVE/BGSAVE: Force disk writes that may impact performance
Disable or Limit Client Output Buffer
Prevent clients from consuming excessive memory:
# Limit client output buffer (class / hard limit / soft limit / soft seconds)
# "0 0 0" means no limit, which is the Redis default for normal clients
client-output-buffer-limit normal 0 0 0
client-output-buffer-limit replica 256mb 64mb 60
client-output-buffer-limit pubsub 32mb 8mb 60
# Maximum number of clients
maxclients 10000
Disable Dangerous Modules
If using Redis modules, load only trusted modules and verify signatures:
# Load only necessary modules
loadmodule /usr/lib/redis/modules/redisearch.so
# Disable module loading at runtime
enable-module-command no
Monitoring and Auditing
Enable logging and monitor for suspicious activity:
# Log level (debug, verbose, notice, warning)
loglevel notice
# Log file location
logfile /var/log/redis/redis-server.log
# Log queries slower than X microseconds
slowlog-log-slower-than 10000
slowlog-max-len 128
# View slowlog
SLOWLOG GET 10
# Monitor commands in real-time (costly on busy servers; use only briefly)
MONITOR
# Check client connections
CLIENT LIST
Security Checklist
- ✅ Enable authentication (requirepass or ACL)
- ✅ Use strong passwords (32+ characters)
- ✅ Bind to specific interfaces (not 0.0.0.0)
- ✅ Enable protected mode
- ✅ Use firewall rules to restrict access
- ✅ Enable TLS/SSL for encryption
- ✅ Rename or disable dangerous commands
- ✅ Use ACLs for fine-grained access control
- ✅ Never expose Redis to the internet
- ✅ Keep Redis updated to latest version
- ✅ Monitor logs for suspicious activity
- ✅ Use dedicated Redis user (not root)
- ✅ Disable unnecessary modules
- ✅ Set appropriate file permissions on redis.conf (600)
- ✅ Regular security audits and penetration testing
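Added example, not part of the original page: a Python check of a redis.conf against the protected-mode, bind, TLS, authentication and renamed-command points above, using the hardened file as the pass case. Both sample configs are constructed; parsing follows redis.conf's one-directive-per-line format with quoted values.

```python
import shlex

DANGEROUS = ("FLUSHDB", "FLUSHALL", "KEYS", "CONFIG", "SHUTDOWN", "DEBUG")

# Constructed sample configs (not real deployments): one weak, one hardened.
WEAK_CONF = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"
HARDENED_CONF = """\
bind 127.0.0.1 ::1
protected-mode yes
port 0
tls-port 6379
aclfile /etc/redis/users.acl
rename-command FLUSHDB ""
rename-command FLUSHALL ""
rename-command KEYS ""
rename-command CONFIG "CONFIG_Admin_Only_9876"
rename-command SHUTDOWN ""
rename-command DEBUG ""
"""


def parse_conf(text):
    # Returns {directive: [args]}; rename-command lines are collected in a dict.
    conf, renamed = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # keeps quoted values such as "" intact
        if tokens[0] == "rename-command" and len(tokens) == 3:
            renamed[tokens[1].upper()] = tokens[2]
        else:
            conf[tokens[0]] = tokens[1:]  # repeated directive: last one wins
    conf["rename-command"] = renamed
    return conf


def audit_conf(text):
    # Checks a redis.conf against the hardening points on this page.
    c = parse_conf(text)
    findings = []
    binds = c.get("bind", [])
    if not binds or any(b in ("0.0.0.0", "::", "*") for b in binds):
        findings.append("listens on all interfaces (no bind or bind 0.0.0.0)")
    if c.get("protected-mode", ["yes"])[0] == "no":
        findings.append("protected-mode disabled")
    if "requirepass" not in c and "aclfile" not in c:
        findings.append("no authentication (neither requirepass nor aclfile)")
    if c.get("tls-port", ["0"])[0] == "0":
        findings.append("TLS not enabled (no tls-port)")
    exposed = [cmd for cmd in DANGEROUS if cmd not in c["rename-command"]]
    if exposed:
        findings.append("dangerous commands not renamed: " + ", ".join(exposed))
    return findings
```

Running audit_conf on a real file is `audit_conf(open("/etc/redis/redis.conf").read())`; an empty list means every check passed.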