Securing your Redis deployment is crucial once you begin relying on it for caching, messaging, or as a primary datastore.
Redis 6 introduced an ACL (Access Control List) system that allows you to lock down commands and keys per user.
However, enabling ACLs often trips up monitoring tools like Redis Insight, which by default attempt to connect without credentials.
In this post, we'll walk through everything, from writing valid ACL definitions to integrating Redis Insight in Docker, ensuring you end up with a secure, fully observable Redis setup.
Why ACLs "Break" Redis Insight by Default
Redis Insight, when installed on its own or bundled inside a "Redis Stack" container, assumes it can connect anonymously (no username, no password).
As soon as you enable an ACL file, the built-in default user has no permissions (or is turned off), so any unauthenticated client is refused.
Under the hood, Redis Insight is running but cannot authenticate to your ACL-protected Redis server, so it never shows the database tree.
Writing a Valid users.acl
When you enable ACLs ("aclfile /path/to/users.acl" in your redis.conf), Redis reads that file at startup and refuses to launch if there are any parsing errors.
Here are the rules we discovered:
Syntax for each user
user <username> <on|off> >password ~<key-pattern> +<command-or-category>
<username>: Name of the user (no spaces).
on|off: Whether the user is enabled or disabled.
>password: A plaintext password (preceded by >).
~<key-pattern>: Glob pattern of keys the user can access (e.g. ~* for all).
+<command-or-category>: Either individual commands (e.g. +GET +SET) or built-in categories (e.g. +@all, +@read, +@admin, etc.).
Invalid category names
There is no @acl category. If you try +@acl, Redis complains:
Error in applying operation '+@acl': Unknown command or category name in ACL
To grant ACL-management commands (e.g. ACL SETUSER, ACL LIST, etc.) you must use +@admin.
Examples of valid ACL lines
# Disable the default user so no anonymous connections can work
user default off
# A user "insight" for Redis Insight; full permissions
user insight on >RedisInsightPass123 ~* +@all
# A user "appuser" for your application; full permissions
user appuser on >MyAppSuperSecretPassword ~* +@all
With the above, Redis will refuse all connections except when a client does AUTH insight RedisInsightPass123 or AUTH appuser MyAppSuperSecretPassword.
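The rules above can be checked before Redis ever reads the file. The following linter is an added example, not code from the original post: it flags the unknown `+@acl` category, plaintext `>password` rules, and users that combine `~*` with `+@all`, and it rewrites passwords into the `#<sha256>` form that Redis ACLs also accept. The function names and the `ops` user are assumptions made for the illustration.

```python
import hashlib

# Core categories listed by `ACL CAT` on Redis 6/7; modules may register more.
KNOWN_CATEGORIES = {
    "all", "admin", "read", "write", "keyspace", "dangerous", "connection",
    "pubsub", "fast", "slow", "blocking", "scripting", "transaction", "string",
    "hash", "list", "set", "sortedset", "stream", "bitmap", "hyperloglog", "geo",
}

def lint_acl(text):
    """Return (line_number, username, finding) tuples for a users.acl body."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue  # blank line, or a comment line as written on this page
        if tokens[0] != "user" or len(tokens) < 2:
            findings.append((no, None, "line must start with: user <username>"))
            continue
        name, rules = tokens[1], tokens[2:]
        for rule in rules:
            if rule[:2] in ("+@", "-@") and rule[2:].lower() not in KNOWN_CATEGORIES:
                findings.append((no, name, f"unknown category {rule}"))
            elif rule.startswith(">"):
                findings.append((no, name, "plaintext password; store #<sha256> instead"))
        if "on" in rules and "nopass" in rules:
            findings.append((no, name, "enabled user accepts any password"))
        if "on" in rules and "~*" in rules and "+@all" in rules:
            findings.append((no, name, "all keys and all commands; scope ~ and + rules"))
    return findings

def hash_passwords(line):
    """Rewrite each >plaintext rule as the equivalent #<sha256-hex> rule."""
    return " ".join(
        "#" + hashlib.sha256(t[1:].encode()).hexdigest() if t.startswith(">") else t
        for t in line.split()
    )

# Constructed sample: the page's users.acl plus one line using the invalid +@acl.
SAMPLE_ACL = """\
user default off
user insight on >RedisInsightPass123 ~* +@all
user appuser on >MyAppSuperSecretPassword ~* +@all
user ops on >OpsPass ~* +@acl
"""

if __name__ == "__main__":
    print(*lint_acl(SAMPLE_ACL), sep="\n")
    print(hash_passwords("user insight on >RedisInsightPass123 ~* +@all"))
```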
Sample redis.conf for ACL Loading
Put this in a file (e.g. /home/user/Desktop/redis.conf). At minimum, it should contain:
# Bind to all interfaces (if you want external access):
bind 0.0.0.0
# Default port:
port 6379
# Tell Redis to load ACL definitions from our file
aclfile /usr/local/etc/redis/users.acl
# (Any other Redis settings you need...)
Deploying Redis + ACL in Docker
We want Redis in one container, with ACLs enabled, and Redis Insight in another container on the same Docker network.
- Create or verify a Docker network
docker network inspect redis-net &>/dev/null || \
docker network create redis-net
- Prepare users.acl next to redis.conf
/home/user/Desktop/
├── redis.conf
└── users.acl
Contents of users.acl:
# Disable the default user entirely
user default off
# Grant "insight" full permissions for monitoring
user insight on >RedisInsightPass123 ~* +@all
# Grant "appuser" full permissions for your application
user appuser on >MyAppSuperSecretPassword ~* +@all
- Run the Redis container
docker rm -f redis-server-acl 2>/dev/null || true
docker run -d \
--name redis-server-acl \
--network redis-net \
-p 6379:6379 \
-v /home/user/Desktop/redis.conf:/redis.conf \
-v /home/user/Desktop/users.acl:/usr/local/etc/redis/users.acl \
redis/redis-stack:latest \
redis-stack-server /redis.conf
We mount redis.conf into /redis.conf inside the container.
We mount users.acl into /usr/local/etc/redis/users.acl (the path referenced by redis.conf).
The command redis-stack-server /redis.conf ensures Redis starts with ACL support.
- Verify ACLs are loading properly
After a few seconds, check Redis logs for ACL errors:
docker logs redis-server-acl | grep ACL
You should see no errors. Then test from your host using redis-cli:
redis-cli -h 127.0.0.1 -p 6379
127.0.0.1:6379> AUTH insight RedisInsightPass123
# Should print "OK"
127.0.0.1:6379> PING
# Should print "PONG"
127.0.0.1:6379> AUTH appuser MyAppSuperSecretPassword
# Should print "OK"
127.0.0.1:6379> PING
# Should print "PONG"
Deploying Redis Insight in Docker
With Redis ACLs working and accepting connections, it's time to run Redis Insight so that it can monitor the server.
- Remove any old Redis Insight container
docker rm -f redis-insight 2>/dev/null || true
- Run Redis Insight, exposing port 5540
docker run -d \
--name redis-insight \
--network redis-net \
-p 5540:5540 \
redis/redisinsight:latest
- Confirm the container is listening
Run docker ps | grep redis-insight. You should see "Up ... 0.0.0.0:5540->5540/tcp."
Exec into the container and verify the HTTP server is up:
docker exec -it redis-insight sh
# Inside:
netstat -tlnp | grep 5540 # or: ss -tlnp | grep 5540
wget -qO- http://127.0.0.1:5540/version
You should get a small JSON response confirming Redis Insight's version.
- Open the Redis Insight UI
In your browser, navigate to:
http://localhost:5540
or, if Docker runs on a different machine, replace localhost with that host's IP.
- Add your ACL-protected Redis instance
Click "New Connection" (or "Add Redis Database").
Host: redis-server-acl
(That's the Docker container name. Because both containers share redis-net, Insight resolves it via internal DNS.)
Port: 6379
Username: insight
Password: RedisInsightPass123
Click "Add Redis Database" or "Save & Connect."
If everything is correct, you'll immediately see your key tree, CLI, metrics charts, slowlog viewer, and more, all while your Redis server is protected by ACLs.
If you get an authentication error, re-check that your users.acl grants insight full access and that Redis has been restarted after you edited the ACL file.
Enabling ACLs in Redis is a best practice for any production deployment, but it does require a few tweaks if you also want to use tools like Redis Insight.
Top comments (5)
This clears up so many headaches I've run into with Redis and ACLs, seriously helpful.
Glad it helped
lifesaver stuff for getting past the random acl headaches - you think most people ever double check tool security like this or just plug and forget?
Way too many folks skip the security review once things "just work."
Did you check what the query latency was before and after implementing this, and what does the Metrics chart print?