Require authentication with Redis ACL users
/etc/redis/redis.confuser default offuser app on >REPLACE_WITH_LONG_RANDOM_SECRET ~app:* &* +@all -@dangerousGenerate a real secret rather than inventing one:
openssl rand -base64 48Then restart, and update your application’s connection string to authenticate as
app.
Why it matters
Section titled “Why it matters”Redis executes whatever it is told. Without authentication, anyone who reaches
the port can read every key, delete the dataset with a single FLUSHALL, and —
via CONFIG SET — write files as the Redis user, which is
a well-trodden path to code execution.
Authentication is the layer that survives a network mistake. It is not the primary control — binding is — but it is what stands between a misconfigured firewall rule and a total compromise.
Use ACL users, not requirepass
Section titled “Use ACL users, not requirepass”Since Redis 6, ACLs are the recommended authentication method, and
requirepass is a compatibility layer that simply sets the password for the
default user. It is not a separate, simpler system — it is one shared account
with unlimited permissions.
That distinction is the whole argument:
requirepass |
ACL users | |
|---|---|---|
| Identity | One shared secret | Named users |
| Permissions | Everything | Scoped per user |
| Rotation | Restart every client at once | Per user |
| Audit | Cannot tell callers apart | ACL WHOAMI, per-user |
Turning off default and creating a named user for each caller costs one line
each and gives you the thing shared secrets can never give you: the ability to
revoke one client without breaking the rest.
Reading the rule syntax
Section titled “Reading the rule syntax”user app on >secret ~app:* &* +@all -@dangerous| Token | Meaning |
|---|---|
on |
Account enabled |
>secret |
Add this password |
~app:* |
May only touch keys matching app:* |
&* |
May use any pub/sub channel |
+@all -@dangerous |
Allow everything except the dangerous category |
Key patterns are the underused half. A cache user scoped to ~cache:* cannot
read your session keys even if the credential leaks — that’s a blast-radius
reduction no password length gives you.
For an aclfile instead of inline config, see
restricting commands, which covers the category
rules in detail.
Related
Section titled “Related”- Bind Redis to a private interface — do this first.
- Restrict dangerous commands with ACLs — the category rules in full.
- Secure the config and data files — where the secret lives.