Ali nazari

Securing Redis with ACLs and Integrating Redis Insight in Docker

Securing your Redis deployment is crucial once you begin relying on it for caching, messaging, or as a primary datastore.

Redis 6 introduced an ACL (Access Control List) system that allows you to lock down commands and keys per user.

However, enabling ACLs often trips up monitoring tools like Redis Insight, which by default attempt to connect without credentials.

In this post, we'll walk through everything, from writing valid ACL definitions to integrating Redis Insight in Docker, so that you end up with a secure, fully observable Redis setup.

Why ACLs "Break" Redis Insight by Default

Redis Insight, when installed on its own or bundled inside a "Redis Stack" container, assumes it can connect anonymously (no username, no password).

As soon as you enable an ACL file, the built-in default user has no permissions (or is turned off), so any unauthenticated client is refused.

Under the hood, Redis Insight is running but cannot authenticate to your ACL-protected Redis server, so it never shows the database tree.

Writing a Valid users.acl

When you enable ACLs ("aclfile /path/to/users.acl" in your redis.conf), Redis reads that file at startup and refuses to launch if there are any parsing errors.

Here are the rules we discovered:

Syntax for each user

user <username> <on|off> >password ~<key-pattern> +<command-or-category>
  • <username>: Name of the user (no spaces).

  • on|off: Whether the user is enabled or disabled.

  • >password: A plaintext password (preceded by >).

  • ~<key-pattern>: Glob pattern of keys the user can access (e.g. ~* for all).

  • +<command-or-category>: Either individual commands (e.g. +GET +SET) or built-in categories (e.g. +@all, +@read, +@admin, etc.).

Invalid category names

There is no @acl category. If you try +@acl, Redis complains:

Error in applying operation '+@acl': Unknown command or category name in ACL

To grant ACL-management commands (e.g. ACL SETUSER, ACL LIST, etc.) you must use +@admin.

Examples of valid ACL lines

# Disable the default user so no anonymous connections can work
user default off

# A user "insight" for Redis Insight; full permissions
user insight on >RedisInsightPass123 ~* +@all

# A user "appuser" for your application; full permissions
user appuser on >MyAppSuperSecretPassword ~* +@all

With the above, Redis will refuse all connections except when a client does AUTH insight RedisInsightPass123 or AUTH appuser MyAppSuperSecretPassword.
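
A pre-flight check for the rules above, as an added example that is not part of the original post: it lints users.acl content for the unknown-category error that stops Redis from starting, a default user left enabled, nopass users, and all-commands-on-all-keys grants. The category set, the "ops" user and its password are assumptions constructed for illustration.

```python
# Core categories listed by ACL CAT on Redis 6/7; modules can register more,
# so treat this set as an assumption and compare with your server's ACL CAT.
CATEGORIES = {
    "keyspace", "read", "write", "set", "sortedset", "list", "hash", "string",
    "bitmap", "hyperloglog", "geo", "stream", "pubsub", "admin", "fast",
    "slow", "blocking", "dangerous", "connection", "transaction",
    "scripting", "all",
}

def lint_acl(text):
    """Return (line_no, severity, message) findings for users.acl content."""
    findings, default_off = [], False
    for no, raw in enumerate(text.splitlines(), 1):
        tok = raw.split()
        if not tok or tok[0].startswith("#"):
            continue  # blank line or comment
        if tok[0] != "user" or len(tok) < 2:
            findings.append((no, "error", "expected 'user <username> ...'"))
            continue
        name, rules = tok[1], tok[2:]
        enabled = False  # a user stays disabled unless a rule turns it on
        for r in rules:
            if r in ("on", "off"):
                enabled = (r == "on")  # rules apply left to right
            elif r[:2] in ("+@", "-@") and r[2:].lower() not in CATEGORIES:
                findings.append((no, "error", f"unknown category '{r[1:]}'"))
        if name == "default":
            default_off = not enabled
        if enabled and "nopass" in rules:
            findings.append((no, "warn", f"'{name}' accepts any password (nopass)"))
        if enabled and "+@all" in rules and ("~*" in rules or "allkeys" in rules):
            findings.append((no, "info", f"'{name}' has every command on every key"))
    if not default_off:
        findings.append((0, "warn", "default user is not disabled in this file"))
    return findings

# Constructed sample: lines from the post plus the '+@acl' mistake it describes
# on a hypothetical "ops" user.
SAMPLE = """\
# Disable the default user entirely
user default off
user insight on >RedisInsightPass123 ~* +@all
user ops on >ExamplePassword ~* +@acl
"""

if __name__ == "__main__":
    for line_no, severity, message in lint_acl(SAMPLE):
        print(f"line {line_no}: {severity}: {message}")
```

Findings with line number 0 apply to the file as a whole rather than to one line.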

Sample redis.conf for ACL Loading

Put this in a file (e.g. /home/user/Desktop/redis.conf). At minimum, it should contain:

# Bind to all interfaces (if you want external access):
bind 0.0.0.0

# Default port:
port 6379

# Tell Redis to load ACL definitions from our file
aclfile /usr/local/etc/redis/users.acl

# (Any other Redis settings you need…)

Deploying Redis + ACL in Docker

We want Redis in one container, with ACLs enabled, and Redis Insight in another container on the same Docker network.

  1. Create or verify a Docker network

docker network inspect redis-net &>/dev/null || \
  docker network create redis-net

  2. Prepare users.acl next to redis.conf

/home/user/Desktop/
├── redis.conf
└── users.acl

Contents of users.acl:

# Disable the default user entirely
user default off

# Grant "insight" full permissions for monitoring
user insight on >RedisInsightPass123 ~* +@all

# Grant "appuser" full permissions for your application
user appuser on >MyAppSuperSecretPassword ~* +@all

  3. Run the Redis container

docker rm -f redis-server-acl 2>/dev/null || true

docker run -d \
  --name redis-server-acl \
  --network redis-net \
  -p 6379:6379 \
  -v /home/user/Desktop/redis.conf:/redis.conf \
  -v /home/user/Desktop/users.acl:/usr/local/etc/redis/users.acl \
  redis/redis-stack:latest \
  redis-stack-server /redis.conf
  • We mount redis.conf into /redis.conf inside the container.

  • We mount users.acl into /usr/local/etc/redis/users.acl (the path referenced by redis.conf).

  • The command redis-stack-server /redis.conf ensures Redis starts with ACL support.

  4. Verify ACLs are loading properly

After a few seconds, check Redis logs for ACL errors:

docker logs redis-server-acl | grep ACL

You should see no errors. Then test from your host using redis-cli:

redis-cli -h 127.0.0.1 -p 6379
# At the 127.0.0.1:6379> prompt:
AUTH insight RedisInsightPass123
# Should print "OK"
PING
# Should print "PONG"
AUTH appuser MyAppSuperSecretPassword
# Should print "OK"
PING
# Should print "PONG"

Deploying Redis Insight in Docker

With Redis ACLs working and accepting connections, it's time to run Redis Insight so that it can monitor the server.

  1. Remove any old Redis Insight container

docker rm -f redis-insight 2>/dev/null || true

  2. Run Redis Insight, exposing port 5540

docker run -d \
  --name redis-insight \
  --network redis-net \
  -p 5540:5540 \
  redis/redisinsight:latest

  3. Confirm the container is listening

  • Run docker ps | grep redis-insight. You should see "Up … 0.0.0.0:5540->5540/tcp."

  • Exec into the container and verify the HTTP server is up:

docker exec -it redis-insight sh
# Inside:
netstat -tlnp | grep 5540    # or: ss -tlnp | grep 5540
wget -qO- http://127.0.0.1:5540/version

You should get a small JSON response confirming Redis Insight's version.

  4. Open the Redis Insight UI

In your browser, navigate to:

http://localhost:5540

or, if Docker runs on a different machine, replace localhost with that host's IP.

  5. Add your ACL-protected Redis instance

  • Click "New Connection" (or "Add Redis Database").

  • Host: redis-server-acl

(That's the Docker container name. Because both containers share redis-net, Insight resolves it via internal DNS.)

  • Port: 6379

  • Username: insight

  • Password: RedisInsightPass123

  • Click "Add Redis Database" or "Save & Connect."

If everything is correct, you'll immediately see your key tree, CLI, metrics charts, slowlog viewer, and more, all while your Redis server is protected by ACLs.

If you get an authentication error, re-check that your users.acl grants insight full access and that Redis has been restarted after you edited the ACL file.

Enabling ACLs in Redis is a best practice for any production deployment, but it does require a few tweaks if you also want to use tools like Redis Insight.



Top comments (5)

Nevo David

This clears up so many headaches I've run into with Redis and ACLs, seriously helpful.

Ali nazari

Glad it helped

Nathan Tarbert

lifesaver stuff for getting past the random acl headaches - you think most people ever double check tool security like this or just plug and forget?

Ali nazari

Way too many folks skip the security review once things "just work."

Cyril Sebastian

Did you check what the query latency was before and after implementing this, and what does the Metrics chart print?