Set up Redis on Rocky Linux 9: Best And Fast Cache
This tutorial is designed to guide you through the process of how to Set up Redis on Rocky Linux 9. Furthermore, you will learn how to Secure your Redis Server. Redis is a popular open-source, in-memory, key-value data store widely used as a primary database, cache, message broker, and queue. Its sub-millisecond response times make it ideal for fast and powerful real-time applications across industries like gaming, fintech, ad tech, social media, healthcare, and IoT.
Developers appreciate Redis for its ease of use, high performance, and scalability. Follow the steps below to install Redis Cache on Rocky Linux 9.
Before you begin, ensure you are logged in to your server as a non-root user with sudo privileges and have a basic firewall set up. You can refer to a guide like Initial Server Setup with Rocky Linux 9 for assistance.
1. Install Redis on Rocky Linux 9
Redis packages are readily available in the default Rocky Linux repository. Start by updating your local package index:
sudo dnf update -y
Next, install Redis Cache on Rocky Linux 9 using the following command:
sudo dnf install redis -y
Once the installation completes, you’ll need to modify the Redis configuration file.
2. Configure Redis Cache To Run as a Service
Open the Redis configuration file using your preferred text editor (e.g., vi):
sudo vi /etc/redis/redis.conf
Inside the configuration file, locate the supervised directive. This directive enables an init system to manage Redis as a service, providing greater control.
By default, it is set to no. Change it to systemd:
. . .
# If you run Redis from upstart or systemd, Redis can interact with your
# supervision tree. Options:
# supervised no - no supervision interaction
# supervised upstart - signal upstart by putting Redis into SIGSTOP mode
# supervised systemd - signal systemd by writing READY=1 to $NOTIFY_SOCKET
# supervised auto - detect upstart or systemd method based on
# UPSTART_JOB or NOTIFY_SOCKET environment variables
# Note: these supervision methods only signal "process is ready."
# They do not enable continuous liveness pings back to your supervisor.
supervised systemd
. . .
Save the changes and close the file.
Manage Redis Cache Service
Start the Redis service on Rocky Linux 9:
sudo systemctl start redis.service
To ensure Redis starts automatically at boot, enable it:
sudo systemctl enable redis
Verify that Redis is active and running:
sudo systemctl status redis
The output should resemble:

Test Redis’s functionality:
redis-cli ping
The output should be:
Output
PONG
This confirms that Redis Cache is running successfully on your Rocky Linux 9 server. Now you can enhance its security.
3. Secure Redis on Rocky Linux 9
A crucial aspect of protecting Redis is securing the server it runs on. This involves limiting Redis to only localhost or a private IP address and ensuring the server has an active firewall.
Reopen the Redis configuration file:
sudo vi /etc/redis/redis.conf
Locate the "bind" line and uncomment it by removing the # symbol:
. . .
bind 127.0.0.1
Note: If you need to bind Redis to another IP address, it is strongly recommended to bind it to a private IP address.
. . .
bind your_private_ip
Save and close the file after making the change.
Configure Firewall For Redis
Assuming firewalld is installed and enabled, you can configure it to restrict access to Redis.
Limit access to your Redis server to specific hosts by using their private IP addresses.
Create a dedicated Redis zone in your firewalld policy:
sudo firewall-cmd --permanent --new-zone=redis
Redis uses port 6379 by default. Open this port in the firewall:
sudo firewall-cmd --permanent --zone=redis --add-port=6379/tcp
Specify the private IP addresses allowed to access Redis:
sudo firewall-cmd --permanent --zone=redis --add-source=client_server_private_IP
Apply these changes by reloading the firewall:
sudo firewall-cmd --reload
Note: Services in the default zone apply to all connections, so you don’t need to add services like SSH to the Redis zone.
4. Redis Password Configuration on Rocky Linux 9
Configure a Redis Cache Password directly within the Redis configuration file.
Open the file again:
sudo vi /etc/redis/redis.conf
Find the "Security" section and locate the requirepass foobared directive. Uncomment it and replace foobared with a strong password:
requirepass your_redis_password
Save and close the file.
Restart Redis to apply the changes:
sudo systemctl restart redis
Test Redis Password
Test the password by opening the Redis client:
redis-cli
Attempt to set a key-value pair before authenticating:
127.0.0.1:6379> set key1 10
Redis should return an error indicating authentication is required:
Output
(error) NOAUTH Authentication required.
Authenticate with the configured password:
127.0.0.1:6379> auth your_redis_password
You should see "OK" as output.
Now, try setting the key-value pair again:
127.0.0.1:6379> set key1 10
The output should be "OK."
Retrieve the value of the key:
127.0.0.1:6379> get key1
Output
"10"
Exit the Redis client:
127.0.0.1:6379> quit
Note: Unauthorized access should now be difficult. Remember to re-authenticate after restarting Redis. Be aware that unencrypted passwords are visible to outside parties when connecting remotely without SSL or a VPN.
5. Rename Redis Commands
For enhanced security, Redis allows renaming or disabling potentially dangerous commands like FLUSHDB, FLUSHALL, KEYS, CONFIG, DEBUG, SHUTDOWN, SAVE, STOP, RENAME, etc.
Disable commands you won’t use or rename them.
Open the Redis configuration file and go to the Security section:
sudo vi /etc/redis/redis.conf
Note: These are examples. Choose commands to disable or rename based on your needs. Learn more about Redis commands at redis.io/commands.
Disable a command by renaming it to an empty string:

Rename a command:

Save and close the file.
Restart Redis to apply the changes:
sudo systemctl restart redis.service
Open the Redis client to test the new commands:
redis-cli
Authenticate:
127.0.0.1:6379> auth your_redis_password
If you renamed the config command to orca_config, using config will result in an error:
127.0.0.1:6379> config get requirepass
Output
(error) ERR unknown command `config`
Use the renamed command instead:
127.0.0.1:6379> orca_config get requirepass
Output
1) "requirepass"
2) "your_redis_password"
Exit the Redis client:
127.0.0.1:6379> exit
Warning: Renaming commands logged in the AOF file or transmitted to slaves can cause problems. The best time to rename commands is when you’re not using AOF persistence or right after installation.
Improve your Redis Security
Improve the security profile of your Redis Cache installation on Rocky Linux 9 by setting ownership and making permission changes.
Check the Redis data directory ownership and permissions:
ls -l /var/lib | grep redis
Output
drwxr-x--- 2 redis redis Jan 05 12:20 redis
The Redis data directory is owned by the redis user and group.
If the Redis directory has insecure permissions, change them:
sudo chmod 770 /var/lib/redis
Check the Redis configuration file permissions:
ls -l /etc/redis/redis.conf
Output
-rw-r----- 1 redis root 62345 Jan 05 12:19 /etc/redis/redis.conf
Set the file to be readable by the Redis user and group:
sudo chown redis:redis /etc/redis/redis.conf
Change the permissions so only the owner can read and write:
sudo chmod 600 /etc/redis/redis.conf
Verify the changes:
ls -l /var/lib | grep redis
Output
drwxrwx--- 2 redis redis Jan 05 12:20 redis
ls -l /etc/redis/redis.conf
Output
-rw------- 1 redis redis 62345 Jan 05 12:19 /etc/redis/redis.conf
Restart Redis to apply the changes:
sudo systemctl restart redis
Your Redis Cache installation on Rocky Linux 9 is now secured.
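The checks from steps 3 to 5 and the permission change above can be run as one audit over a redis.conf. This is an added example, not part of the original tutorial: the function names, the AUDIT_COMMANDS deny list and both sample configs are assumptions constructed for illustration, and the hardened sample shows the rename-command directive used to disable (empty string) or rename a command.

```shell
#!/bin/sh
# Added example: audit a redis.conf against the hardening steps above.

# Print the arguments of every active (uncommented) DIRECTIVE line in FILE.
conf_values() {
    awk -v d="$2" 'tolower($1) == d { $1 = ""; sub(/^ +/, ""); print }' "$1"
}

# Print one FINDING line per weak setting; return 0 only when there are none.
audit_redis_conf() {
    conf=$1 findings=0
    flag() { echo "FINDING: $*"; findings=$((findings + 1)); }

    # Step 3: listen on loopback or a private address, never all interfaces.
    bind=$(conf_values "$conf" bind | tr '\n' ' ')
    case " $bind " in
        "  ") flag "no active bind directive" ;;
        *" 0.0.0.0 "* | *" * "* | *" :: "*) flag "bind exposes all interfaces: $bind" ;;
    esac

    # Step 4: a password must be set and must not be the sample value.
    pass=$(conf_values "$conf" requirepass | tail -n 1)
    case "$pass" in
        "") flag "requirepass is not set" ;;
        foobared) flag "requirepass still has the sample value foobared" ;;
    esac

    # Step 5: each command in the (assumed) deny list is renamed or disabled.
    for cmd in ${AUDIT_COMMANDS:-FLUSHDB FLUSHALL CONFIG DEBUG}; do
        conf_values "$conf" rename-command |
            awk -v c="$cmd" 'toupper($1) == c { hit = 1 } END { exit !hit }' ||
            flag "$cmd is neither renamed nor disabled"
    done

    # Permissions: the file holds the password, so group/other get no access.
    [ "$(ls -ld "$conf" | cut -c5-10)" = "------" ] ||
        flag "config file is accessible to group or other"
    [ "$findings" -eq 0 ]
}

# Constructed sample configs, not taken from a real server.
tmp=$(mktemp -d)
printf '%s\n' '# bind 127.0.0.1' 'bind 0.0.0.0' 'requirepass foobared' > "$tmp/weak.conf"
printf '%s\n' 'bind 127.0.0.1' 'requirepass constructed-sample-passphrase' \
    'rename-command FLUSHDB ""' 'rename-command FLUSHALL ""' \
    'rename-command DEBUG ""' 'rename-command CONFIG orca_config' > "$tmp/hardened.conf"
chmod 644 "$tmp/weak.conf"; chmod 600 "$tmp/hardened.conf"
audit_redis_conf "$tmp/weak.conf" || echo "weak.conf: hardening incomplete"
audit_redis_conf "$tmp/hardened.conf" && echo "hardened.conf: no findings"
```

On a real server, run the function as root against /etc/redis/redis.conf and set AUDIT_COMMANDS to the commands you chose to disable or rename.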
Conclusion
You have successfully learned how to Set up Redis on Rocky Linux 9 and how to Secure your Redis Cache installation on your server.
Alternative Solutions for Securing Redis
While the above steps provide a solid foundation for securing Redis, here are two alternative approaches to consider:
1. Using Stunnel for SSL/TLS Encryption
The primary method discussed above does not inherently encrypt the communication between clients and the Redis server. This means that sensitive data, including the password, could be intercepted if the network is compromised. A robust solution is to use Stunnel to create an SSL/TLS tunnel.
Explanation: Stunnel is a free and open-source multi-platform application that provides universal TLS/SSL tunneling service. It allows you to encrypt arbitrary TCP connections inside TLS, thus securing the communication channel.
Implementation:
- Install Stunnel:
sudo dnf install stunnel -y
- Generate SSL Certificate:
sudo openssl req -new -x509 -days 365 -nodes -out /etc/stunnel/redis.pem -keyout /etc/stunnel/redis.pem
sudo chmod 600 /etc/stunnel/redis.pem
- Configure Stunnel: Create or edit /etc/stunnel/redis.conf with the following content:
client = no
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
[redis]
; Or the port you wish to use
accept = 0.0.0.0:63790
connect = 127.0.0.1:6379
cert = /etc/stunnel/redis.pem
- Enable and Start Stunnel:
sudo systemctl enable stunnel
sudo systemctl start stunnel
- Update Firewall: Allow traffic on the Stunnel port (e.g., 63790 in this example).
Now, your Redis communication is encrypted. Clients will need to connect to the Stunnel port (63790 in the example), and Stunnel will decrypt the traffic and forward it to Redis on port 6379. Configure your Redis clients to connect to the Stunnel port instead of the Redis port directly. This setup provides a secure, encrypted channel for Redis communication, mitigating the risk of password and data interception.
2. Using Redis ACL (Access Control List) – Redis 6 and Later
Redis 6 introduced Access Control Lists (ACLs), providing a more granular and flexible way to manage user permissions. Instead of a single password for everyone, you can create multiple users with different access levels.
Explanation: ACLs allow you to define what commands a user can execute and what keys they can access. This enhances security by limiting the impact of a compromised account.
Implementation:
- Disable requirepass: In redis.conf, comment out or remove the requirepass directive. ACLs will now be the primary authentication mechanism.
- Create Users: Connect to Redis using redis-cli. Initially, you’ll connect as the "default" user, which has no permissions. Use the ACL SETUSER command to create new users.
redis-cli
ACL SETUSER user1 on >mypassword +get +set ~prefix:*
ACL SETUSER user2 on >anotherpassword -@all +info
user1: Username.
on: Enables the user.
>mypassword: Sets the password to "mypassword".
+get +set: Grants permission to the get and set commands.
~prefix:*: Allows access to keys starting with "prefix:".
user2: Another user.
-@all: Denies access to all command categories.
+info: Allows access to the info command. ACL rules are applied left to right, so +info must come after -@all; in the reverse order, -@all would remove the info permission again.
- Authenticate as the User: After creating a user, authenticate using the AUTH command:
AUTH user1 mypassword
- Configure Clients: Update your Redis client configuration to use the appropriate username and password for each application or service.
Using ACLs provides a significant security improvement over a single shared password. You can tailor permissions to the specific needs of each application, minimizing the potential damage from a security breach.
By implementing either Stunnel or ACLs, you can further enhance the security of your Redis installation on Rocky Linux 9. The best approach will depend on your specific requirements and security policies.