Skip to content

Bind Redis to a private interface

Severity: criticalApplies to: Redis 6.x+Applies to: Redis 8.xApplies to: Valkey 8.x / 9.x
The fix/etc/redis/redis.conf
Terminal window
bind 127.0.0.1 -::1

If application servers connect over a private network, bind that address explicitly instead of loopback:

Terminal window
bind 127.0.0.1 10.0.0.5 -::1

Then restart:

Terminal window
sudo systemctl restart redis-server # Redis
sudo systemctl restart valkey # Valkey

This is the single most important line in the file. Redis’s security model assumes the network already excludes untrusted clients — authentication is described in its own docs as “a layer of redundancy” for when the network control fails, not as the primary defence.

That framing is correct, and it inverts the usual instinct. A password on a publicly reachable Redis is a speed bump: Redis serves queries fast enough that an attacker can test an enormous number of passwords per second, and the AUTH command is sent in the clear unless you have TLS. A Redis that cannot be reached needs no password to be safe.

Bind first. Everything else on this list is defence in depth behind it.

bind 127.0.0.1 -::1 — the - prefix marks an address as optional. Without it, Redis refuses to start if that address cannot be bound. With it, Redis starts anyway and logs a warning.

This matters for IPv6: on a host with IPv6 disabled, bind 127.0.0.1 ::1 fails at startup, while bind 127.0.0.1 -::1 starts cleanly. It is a startup-robustness flag, not a security one — but it’s the difference between a config that works everywhere and one that breaks on half your fleet.

A private-network bind still accepts connections from everything on that network, including every other tenant, container, or compromised host that can route to it. On a cloud VPC that can be a large blast radius.

Bind narrows the interface; a firewall narrows the source. They’re different controls and you generally want both.