Securing your Redis deployment is crucial once you begin relying on it for caching, messaging, or as a primary datastore.
Redis 6 introduced an ACL (Access Control List) system that allows you to lock down commands and keys per user.
However, enabling ACLs often trips up monitoring tools like Redis Insight, which by default attempt to connect without credentials.
In this post, we’ll walk through everything—from writing valid ACL definitions to integrating Redis Insight in Docker—ensuring you end up with a secure, fully observable Redis setup.
Why ACLs “Break” Redis Insight by Default
Redis Insight, when installed on its own or bundled inside a “Redis Stack” container, assumes it can connect anonymously (no username, no password).
Once your ACL file turns the built-in default user off (or leaves it without permissions), any unauthenticated client is refused.
Under the hood, Redis Insight is running but cannot authenticate to your ACL-protected Redis server, so it never shows the database tree.
Writing a Valid users.acl
When you enable ACLs (“aclfile /path/to/users.acl” in your redis.conf), Redis reads that file at startup and refuses to launch if there are any parsing errors.
Here are the rules we discovered:
Syntax for each user
user <username> <on|off> >password ~<key-pattern> +<command-or-category>
<username>: Name of the user (no spaces).
on|off: Whether the user is enabled or disabled.
>password: A plaintext password (preceded by >).
~<key-pattern>: Glob pattern of keys the user can access (e.g. ~* for all).
+<command-or-category>: Either individual commands (e.g. +GET +SET) or built-in categories (e.g. +@all, +@read, +@admin, etc.).
Invalid category names
There is no @acl category. If you try +@acl, Redis complains:
Error in applying operation '+@acl': Unknown command or category name in ACL
To grant ACL-management commands (e.g. ACL SETUSER, ACL LIST, etc.) you must use +@admin.
Examples of valid ACL lines
# Disable the default user so no anonymous connections can work
user default off
# A user “insight” for Redis Insight; full permissions
user insight on >RedisInsightPass123 ~* +@all
# A user “appuser” for your application; full permissions
user appuser on >MyAppSuperSecretPassword ~* +@all
With the above, Redis will refuse all connections except when a client does AUTH insight RedisInsightPass123 or AUTH appuser MyAppSuperSecretPassword.
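A pre-flight check for users.acl, as an added example that is not part of the original post: it applies the syntax rules above, flags the +@acl mistake and a default user that is still enabled, and rewrites >plaintext passwords to the #<SHA-256 hex> form that Redis ACLs also accept. The category list is the Redis 6/7 core set (an assumption; module-defined categories are not covered), and the function name, the "ops" user and its password are constructed for illustration.

```python
import hashlib

# Core categories listed by ACL CAT on Redis 6/7 (assumption: no module-defined ones).
CATEGORIES = {
    "keyspace", "read", "write", "set", "sortedset", "list", "hash", "string",
    "bitmap", "hyperloglog", "geo", "stream", "pubsub", "admin", "fast", "slow",
    "blocking", "dangerous", "connection", "transaction", "scripting", "all",
}

def check_acl(text):
    """Lint users.acl content; return (findings, rewritten_lines)."""
    findings, rewritten, default_off = [], [], False
    for num, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        # Blank lines are kept; '#' comment lines are skipped, as in the page's sample file.
        if not tokens or tokens[0].startswith("#"):
            rewritten.append(raw)
            continue
        if tokens[0] != "user" or len(tokens) < 2:
            findings.append((num, "expected: user <username> <rules...>"))
            rewritten.append(raw)
            continue
        name, rules = tokens[1], tokens[2:]
        if name == "default" and "off" in (r.lower() for r in rules):
            default_off = True
        for i, rule in enumerate(rules):
            if rule[:2] in ("+@", "-@") and rule[2:].lower() not in CATEGORIES:
                findings.append((num, f"unknown category {rule}"))
            elif rule.startswith(">") and len(rule) > 1:
                findings.append((num, f"plaintext password for user {name}"))
                # Redis also accepts '#' + SHA-256 hex digest in place of '>' + plaintext.
                rules[i] = "#" + hashlib.sha256(rule[1:].encode()).hexdigest()
        rewritten.append(" ".join(["user", name, *rules]))
    if not default_off:
        findings.append((0, "default user is not turned off"))  # 0 = whole-file finding
    return findings, rewritten

# Constructed sample: the +@acl mistake described above, and no 'user default off' line.
SAMPLE = """\
user insight on >RedisInsightPass123 ~* +@all
user ops on >ExamplePass ~* +@read +@acl
"""

if __name__ == "__main__":
    findings, rewritten = check_acl(SAMPLE)
    for num, msg in findings:
        print(f"line {num}: {msg}")
    print("\n".join(rewritten))
```

Clients still authenticate with the original password; only the copy stored in users.acl changes to a digest.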
Sample redis.conf for ACL Loading
Put this in a file (e.g. /home/user/Desktop/redis.conf). At minimum, it should contain:
# Bind to all interfaces (if you want external access):
bind 0.0.0.0
# Default port:
port 6379
# Tell Redis to load ACL definitions from our file
aclfile /usr/local/etc/redis/users.acl
# (Any other Redis settings you need…)
Deploying Redis + ACL in Docker
We want Redis in one container, with ACLs enabled, and Redis Insight in another container on the same Docker network.
- Create or verify a Docker network
docker network inspect redis-net &>/dev/null || \
docker network create redis-net
- Prepare users.acl next to redis.conf
/home/user/Desktop/
├── redis.conf
└── users.acl
Contents of users.acl:
# Disable the default user entirely
user default off
# Grant “insight” full permissions for monitoring
user insight on >RedisInsightPass123 ~* +@all
# Grant “appuser” full permissions for your application
user appuser on >MyAppSuperSecretPassword ~* +@all
- Run the Redis container
docker rm -f redis-server-acl 2>/dev/null || true
docker run -d \
--name redis-server-acl \
--network redis-net \
-p 6379:6379 \
-v /home/user/Desktop/redis.conf:/redis.conf \
-v /home/user/Desktop/users.acl:/usr/local/etc/redis/users.acl \
redis/redis-stack:latest \
redis-stack-server /redis.conf
We mount redis.conf into /redis.conf inside the container.
We mount users.acl into /usr/local/etc/redis/users.acl (the path referenced by redis.conf).
The command redis-stack-server /redis.conf ensures Redis starts with ACL support.
- Verify ACLs are loading properly
After a few seconds, check Redis logs for ACL errors:
docker logs redis-server-acl | grep ACL
You should see no errors. Then test from your host using redis-cli:
# Open an interactive session so AUTH and PING share one connection
redis-cli -h 127.0.0.1 -p 6379
127.0.0.1:6379> AUTH insight RedisInsightPass123
# Should print “OK”
127.0.0.1:6379> PING
# Should print “PONG”
127.0.0.1:6379> AUTH appuser MyAppSuperSecretPassword
# Should print “OK”
127.0.0.1:6379> PING
# Should print “PONG”
Deploying Redis Insight in Docker
With Redis ACLs working and accepting connections, it’s time to run Redis Insight so that it can monitor the server.
- Remove any old Redis Insight container
docker rm -f redis-insight 2>/dev/null || true
- Run Redis Insight, exposing port 5540
docker run -d \
--name redis-insight \
--network redis-net \
-p 5540:5540 \
redis/redisinsight:latest
- Confirm the container is listening
Run docker ps | grep redis-insight. You should see “Up … 0.0.0.0:5540->5540/tcp.”
Exec into the container and verify the HTTP server is up:
docker exec -it redis-insight sh
# Inside:
netstat -tlnp | grep 5540 # or: ss -tlnp | grep 5540
wget -qO- http://127.0.0.1:5540/version
You should get a small JSON response confirming Redis Insight’s version.
- Open the Redis Insight UI
In your browser, navigate to:
http://localhost:5540
or, if Docker runs on a different machine, replace localhost with that host’s IP.
- Add your ACL-protected Redis instance
Click “New Connection” (or “Add Redis Database”).
Host: redis-server-acl
(That’s the Docker container name. Because both containers share redis-net, Insight resolves it via internal DNS.)
Port: 6379
Username: insight
Password: RedisInsightPass123
Click “Add Redis Database” or “Save & Connect.”
If everything is correct, you’ll immediately see your key‐tree, CLI, metrics charts, slowlog viewer, and more—all while your Redis server is protected by ACLs.
If you get an authentication error, re‐check that your users.acl grants insight full access and that Redis has been restarted after you edited the ACL file.
Enabling ACLs in Redis is a best practice for any production deployment, but it does require a few tweaks if you also want to use tools like Redis Insight.
lifesaver stuff for getting past the random acl headaches - you think most people ever double check tool security like this or just plug and forget?