In a production environment, Redis should never run without proper access control. If you’ve followed the basic Redis master-slave installation guide on Debian 12, it’s time to take the next step: securing your Redis nodes with passwords and user-based authentication (ACL), while ensuring replication remains functional.
This article focuses on three key areas:
- Enabling password authentication
- Setting up ACL users
- Secure master-slave replication using masterauth
1. Enable Basic Password Authentication
The simplest way to secure Redis is via the requirepass directive.
On both master and slave:
Edit /etc/redis/redis.conf:
```conf
requirepass YourStrongPassword
```
Restart Redis:
```shell
sudo systemctl restart redis
```
This protects Redis with a global password. Clients must now authenticate before issuing commands.
2. Advanced: Redis ACL with Users and Permissions (Redis 6+)
Redis ACL allows you to define multiple users with specific command/key access.
Step 1: Enable ACL file
In /etc/redis/redis.conf:
```conf
aclfile /etc/redis/users.acl
```
Step 2: Define a user
Create /etc/redis/users.acl:
```conf
user appuser on >SuperSecretPass ~* +@all
```
- `appuser` is the username
- `on` enables the user
- `>` sets the password
- `~*` gives access to all keys
- `+@all` enables all command categories
Note: you still need to define requirepass if you want to secure replication. Redis master-slave uses the classic password, not an ACL user.
Restart Redis:
```shell
sudo systemctl restart redis
```
Test with redis-cli:
```
redis-cli
> auth appuser SuperSecretPass
> ping
PONG
```
Limiting Access to Specific Databases
Redis ACL does not support per-user access control to specific logical databases (e.g., SELECT 0, SELECT 1). All users can select any database unless you restrict the select command itself. You can limit users to a specific database by removing their ability to use the select command:
```conf
user readonlyuser on >ReadOnlyPass ~* +get +info -select
```
This user can only operate on the default database (usually DB 0) and cannot switch databases.
Read-Only vs Read-Write Access
You can create users with precise command permissions:
Read-only user:
```conf
user readonlyuser on >ReadOnlyPass ~* +get +exists +ttl +info -@write -select
```
This user:
- can read keys (`get`, `exists`, `ttl`)
- can check info
- cannot write or switch DBs
Write-only user:
```conf
user writeuser on >WritePass ~* +set +del +incr +@write -@read -select
```
This user:
- can write keys (`set`, `del`, `incr`, etc.)
- cannot read values (`get`) or switch DBs
Fine-grained access is ideal for separating roles in applications or restricting automated tools.
3. Secure Master-Slave Replication with Password
Redis replicas authenticate to their master using masterauth. This does not support ACL users — it expects the password from requirepass on the master.
On Master (/etc/redis/redis.conf):
```conf
requirepass MasterSecret123
```
On Slave:
```conf
replicaof 10.10.10.1 6379
masterauth MasterSecret123
requirepass SlaveSecret456
```
This setup:
- allows clients to connect to the slave with `SlaveSecret456`
- allows the slave to connect to the master using `MasterSecret123`
After restarting both Redis instances, verify on the slave:
```
redis-cli -a SlaveSecret456
> info replication
```
Look for:
```
role:slave
master_link_status:up
```
4. Node.js Example (ACL User)
Install ioredis:
```shell
npm install ioredis
```
```javascript
const Redis = require('ioredis');

const redis = new Redis({
  host: '127.0.0.1',
  port: 6379,
  username: 'appuser',
  password: 'SuperSecretPass',
});

redis.get('mykey')
  .then(console.log)
  .catch(console.error);
```
If you’re only using requirepass, omit the username field.
Conclusion
By combining requirepass and Redis ACL, you get both backward compatibility and fine-grained control. For master-slave setups, requirepass is still mandatory for replication, while ACL enhances security for application access.
While Redis supports multiple logical databases (e.g., SELECT 1), it does not isolate them by user. The best practice is to run separate Redis instances or restrict the select command if database isolation is a concern.
With ACLs, you can define highly specific access profiles: read-only, write-only, or command-limited roles, giving Redis enterprise-grade access control.