In a production environment, Redis should never run without proper access control. If you’ve followed the basic Redis master-slave installation guide on Debian 12, it’s time to take the next step: securing your Redis nodes with passwords and user-based authentication (ACL), while ensuring replication remains functional.

This article focuses on three key areas:

1. Enabling password authentication
2. Setting up ACL users
3. Secure master-slave replication using masterauth

1. Enable Basic Password Authentication

The simplest way to secure Redis is via the requirepass directive.

On both master and slave:

Edit /etc/redis/redis.conf:

Restart Redis:

This protects Redis with a global password. Clients must now authenticate before issuing commands.

2. Advanced: Redis ACL with Users and Permissions (Redis 6+)

Redis ACL allows you to define multiple users with specific command/key access.

Step 1: Enable ACL file

In /etc/redis/redis.conf:

Step 2: Define a user

Create /etc/redis/users.acl:

• appuser is the username
• on enables the user
• > sets the password
• ~* gives access to all keys
• +@all enables all command categories

!! You still need to define requirepass if you want to secure replication. Redis master-slave uses the classic password, not ACL user.

Restart Redis:

Test with redis-cli:

Limiting Access to Specific Databases

Redis ACL does not support per-user access control to specific logical databases (e.g., SELECT 0, SELECT 1). All users can select any database unless you restrict the select command itself. You can limit users to a specific database by removing their ability to use the select command:

This user can only operate on the default database (usually DB 0) and cannot switch databases.

Read-Only vs Read-Write Access

You can create users with precise command permissions:

Read-only user:

This user can:

• read keys (get, exists, ttl)
• check info
• cannot write or switch DBs

Write-only user:

This user can:

• write keys (set, del, incr, etc.)
• cannot read values (get) or switch DBs

Fine-grained access is ideal for separating roles in applications or restricting automated tools.

3. Secure Master-Slave Replication with Password

Redis replicas authenticate to their master using masterauth. This does not support ACL users — it expects the password from requirepass on the master.

On Master (/etc/redis/redis.conf):

On Slave:

This setup:

• Allows clients to connect to the slave with SlaveSecret456
• Allows the slave to connect to the master using MasterSecret123

After restarting both Redis instances, verify on the slave:

Look for:

4. Node.js Example (ACL User)

Install ioredis:

If you’re only using requirepass, omit the username field.

Conclusion

By combining requirepass and Redis ACL, you get both backward compatibility and fine-grained control. For master-slave setups, requirepass is still mandatory for replication, while ACL enhances security for application access.

While Redis supports multiple logical databases (e.g., SELECT 1), it does not isolate them by user. The best practice is to run separate Redis instances or restrict the select command if database isolation is a concern.

With ACLs, you can define highly specific access profiles , read-only, write-only, or command-limited roles giving Redis enterprise-grade access control.