Securing Redis with ACLs and Integrating Redis Insight in Docker

Securing your Redis deployment is crucial once you begin relying on it for caching, messaging, or as a primary datastore.

Redis 6 introduced an ACL (Access Control List) system that allows you to lock down commands and keys per user.

However, enabling ACLs often trips up monitoring tools like Redis Insight, which by default attempt to connect without credentials.

In this post, we’ll walk through everything—from writing valid ACL definitions to integrating Redis Insight in Docker—ensuring you end up with a secure, fully observable Redis setup.

Why ACLs “Break” Redis Insight by Default

Redis Insight, when installed on its own or bundled inside a “Redis Stack” container, assumes it can connect anonymously (no username, no password).

As soon as you enable an ACL file, the built-in default user has no permissions (or is turned off), so any unauthenticated client is refused.

Under the hood, Redis Insight is running, but cannot authenticate to your ACL’s Redis server, so it never shows the database tree.

Writing a Valid users.acl

When you enable ACLs (“aclfile /path/to/users.acl” in your redis.conf), Redis reads that file at startup and refuses to launch if there are any parsing errors.

Here are the rules we discovered:

Syntax for each user

user <username> <on|off> >password ~<key-pattern> +<command-or-category>

• <username>: Name of the user (no spaces).

• on|off: Whether the user is enabled or disabled.

• >password: A plaintext password (preceded by >).

• ~<key-pattern>: Glob pattern of keys the user can access (e.g. ~* for all).

• +<command-or-category>: Either individual commands (e.g. +GET +SET) or built-in categories (e.g. +@all, +@read, +@admin, etc.).

Invalid category names

There is no @acl category. If you try +@acl, Redis complains:

Error in applying operation '+@acl': Unknown command or category name in ACL

To grant ACL‐management commands (e.g. ACL SETUSER, ACL LIST, etc.) you must use +@admin.

Examples of valid ACL lines

# Disable the default user so no anonymous connections can work
user default off

# A user “insight” for Redis Insight; full permissions
user insight on >RedisInsightPass123 ~* +@all

# A user “appuser” for your application; full permissions
user appuser on >MyAppSuperSecretPassword ~* +@all

With the above, Redis will refuse all connections except when a client does AUTH insight RedisInsightPass123 or AUTH appuser MyAppSuperSecretPassword.

Sample redis.conf for ACL Loading

Put this in a file (e.g. /home/user/Desktop/redis.conf). At minimum, it should contain:

# Bind to all interfaces (if you want external access):
bind 0.0.0.0

# Default port:
port 6379

# Tell Redis to load ACL definitions from our file
aclfile /usr/local/etc/redis/users.acl

# (Any other Redis settings you need…)

Deploying Redis + ACL in Docker

We want Redis in one container, with ACLs enabled, and Redis Insight in another container on the same Docker network.

1. Create or verify a Docker network

docker network inspect redis-net &>/dev/null || \
  docker network create redis-net

1. Prepare users.acl next to redis.conf

/home/user/Desktop/
├── redis.conf
└── users.acl

Contents of users.acl:

# Disable the default user entirely
user default off

# Grant “insight” full permissions for monitoring
user insight on >RedisInsightPass123 ~* +@all

# Grant “appuser” full permissions for your application
user appuser on >MyAppSuperSecretPassword ~* +@all

1. Run the Redis container

docker rm -f redis-server-acl 2>/dev/null || true

docker run -d \
  --name redis-server-acl \
  --network redis-net \
  -p 6379:6379 \
  -v /home/user/Desktop/redis.conf:/redis.conf \
  -v /home/user/Desktop/users.acl:/usr/local/etc/redis/users.acl \
  redis/redis-stack:latest \
  redis-stack-server /redis.conf

• We mount redis.conf into /redis.conf inside the container.

• We mount users.acl into /usr/local/etc/redis/users.acl (the path referenced by redis.conf).

• The command redis-stack-server /redis.conf ensures Redis starts with ACL support.

1. Verify ACLs are loading properly After a few seconds, check Redis logs for ACL errors:

docker logs redis-server-acl | grep ACL

You should see no errors. Then test from your host using redis-cli:

redis-cli -h 127.0.0.1 -p 6379 AUTH insight RedisInsightPass123
# Should print “OK”
redis-cli> PING
# Should print “PONG”
redis-cli> AUTH appuser MyAppSuperSecretPassword
# Should print “OK”
redis-cli> PING
# Should print “PONG”

Deploying Redis Insight in Docker

With Redis ACLs working and accepting connections, it’s time to run Redis Insight so that it can monitor the server.

1. Remove any old Redis Insight container

docker rm -f redis-insight 2>/dev/null || true

1. Run Redis Insight, exposing port 8001

docker run -d \
  --name redis-insight \
  --network redis-net \
  -p 5540:5540 \
  redis/redisinsight:latest

1. Confirm the container is listening

• Run docker ps | grep redis-insight. You should see “Up … 0.0.0.0:5540->5540/tcp.”

• Exec into the container and verify the HTTP server is up:
  

docker exec -it redis-insight sh
# Inside:
netstat -tlnp | grep 5540    # or: ss -tlnp | grep 5540
wget -qO- http://127.0.0.1:5540/version

You should get a small JSON response confirming Redis Insight’s version.

1. Open the Redis Insight UI

In your browser, navigate to:

http://localhost:5540

or, if Docker runs on a different machine, replace localhost with that host’s IP.

1. Add your ACL-protected Redis instance

• Click “New Connection” (or “Add Redis Database”).

• Host: redis-server-acl

(That’s the Docker container name. Because both containers share redis-net, Insight resolves it via internal DNS.)

• Port: 6379

• Username: insight

• Password: RedisInsightPass123

• Click “Add Redis Database” or “Save & Connect.”

If everything is correct, you’ll immediately see your key‐tree, CLI, metrics charts, slowlog viewer, and more—all while your Redis server is protected by ACLs.

If you get an authentication error, re‐check that your users.acl grants insight full access and that Redis has been restarted after you edited the ACL file.

Enabling ACLs in Redis is a best practice for any production deployment, but it does require a few tweaks if you also want to use tools like Redis Insight.

---

If you found this helpful, feel free to share

Let’s connect!!: 🤝

LinkedIn
GitHub

Comments

[Nevo David]

This clears up so many headaches I’ve run into with Redis and ACLs, seriously helpful.

[Ali nazari]

Glad it helped

[Nathan Tarbert]

lifesaver stuff for getting past the random acl headaches - you think most people ever double check tool security like this or just plug and forget?

[Ali nazari]

Way too many folks skip the security review once things "just work."

[Cyril Sebastian]

Did you check what the query latency was before and after implementing this, and what does the Metrics chart print?