Set up Redis 7 with master-replica clustering, SSL/TLS encryption, ACL authentication, and production-grade security hardening. Includes performance tuning, backup strategies, and monitoring configuration for high-availability deployments.
Prerequisites
- Root or sudo access
- At least 4GB RAM
- Network connectivity between cluster nodes
- Basic understanding of Redis concepts
What this solves
Redis is a high-performance in-memory data store used for caching, session management, and real-time applications. This tutorial shows you how to install Redis 7 with production-grade clustering, security hardening including SSL/TLS encryption and ACL authentication, plus performance optimization and backup configuration.
Step-by-step installation
Update system packages
Start by updating your package manager to ensure you get the latest versions.
# Refresh the package index and apply pending upgrades before the Redis repository is added.
sudo apt update && sudo apt upgrade -y
Install Redis 7 from official repository
Add the official Redis repository to get the latest Redis 7 version with all security updates.
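# Import the Redis packaging key into its own keyring; the repository entry below is pinned to it.
curl -fsSL https://packages.redis.io/gpg | sudo gpg --dearmor -o /usr/share/keyrings/redis-archive-keyring.gpg
# The repository suite is the release codename. /etc/os-release has it on every Debian/Ubuntu image;
# lsb_release is only a fallback because it is not installed on minimal images.
codename=$(. /etc/os-release && printf '%s' "${VERSION_CODENAME:-$(lsb_release -cs)}")
echo "deb [signed-by=/usr/share/keyrings/redis-archive-keyring.gpg] https://packages.redis.io/deb ${codename} main" | sudo tee /etc/apt/sources.list.d/redis.list
sudo apt update
sudo apt install -y redis-server redis-tools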
Create Redis user and directories
Create a dedicated redis user and set up the directory structure with the correct permissions. On Debian/Ubuntu the redis-server package has already created the `redis` account, so the `useradd` below reports that the user exists; that is harmless.
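# The redis-server package on Debian/Ubuntu already creates this account; only add it when it is missing,
# otherwise useradd fails with "already exists".
id redis >/dev/null 2>&1 || sudo useradd --system --home /var/lib/redis --shell /bin/false redis
sudo mkdir -p /etc/redis /var/lib/redis /var/log/redis
sudo chown redis:redis /var/lib/redis /var/log/redis
# The data directory holds the RDB/AOF files, i.e. the whole dataset: no access for other local users.
sudo chmod 750 /var/lib/redis
sudo chmod 755 /var/log/redis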
Generate SSL certificates for Redis
Create SSL certificates for encrypted client-server and inter-cluster communication.
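sudo mkdir -p /etc/redis/tls
cd /etc/redis/tls
# Generate inside a subshell under umask 077 so the key files are created owner-only from the start
# (sudo keeps a caller umask that is stricter than its own default); the chmod below then only
# confirms the permissions instead of being the moment the keys stop being world-readable.
(
  umask 077
  sudo openssl genrsa -out ca-key.pem 4096
  sudo openssl req -x509 -new -nodes -key ca-key.pem -sha256 -days 3650 -out ca-cert.pem -subj "/C=US/ST=State/L=City/O=Organization/CN=Redis-CA"
  sudo openssl genrsa -out redis-key.pem 2048
  sudo openssl req -new -key redis-key.pem -out redis.csr -subj "/C=US/ST=State/L=City/O=Organization/CN=redis-server"
  sudo openssl x509 -req -in redis.csr -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out redis-cert.pem -days 365 -sha256
)
sudo chown -R redis:redis /etc/redis/tls
sudo chmod 600 /etc/redis/tls/*.pem
# Redis reads only redis-key.pem, redis-cert.pem and ca-cert.pem (see tls-* in the config below);
# the CA key just signs certificates, so it does not need to be readable by the service account.
sudo chown root:root /etc/redis/tls/ca-key.pem
sudo rm redis.csr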
Configure Redis master node
Create the main Redis configuration with security hardening, SSL, and clustering enabled. Add `tls-cluster yes` as well: with `port 0` there is no plaintext port for the cluster bus to derive from, and `tls-cluster` makes the bus and the node-to-node links use the same TLS settings, listening on tls-port + 10000 (the 16380 opened in the firewall step below).
# Network and security
bind 127.0.0.1 203.0.113.10
port 0
tls-port 6380
tls-cert-file /etc/redis/tls/redis-cert.pem
tls-key-file /etc/redis/tls/redis-key.pem
tls-ca-cert-file /etc/redis/tls/ca-cert.pem
tls-protocols "TLSv1.2 TLSv1.3"
tls-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
tls-ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
protected-mode yes
# Authentication and ACL
requirepass Str0ng_R3d1s_P@ssw0rd_2024!
aclfile /etc/redis/users.acl
# General configuration
timeout 300
tcp-keepalive 300
daemonize yes
pidfile /var/run/redis/redis-master.pid
loglevel notice
logfile /var/log/redis/redis-master.log
# Memory and persistence
maxmemory 2gb
maxmemory-policy allkeys-lru
save 900 1
save 300 10
save 60 10000
stop-writes-on-bgsave-error yes
rdbcompression yes
rdbchecksum yes
dbfilename dump-master.rdb
dir /var/lib/redis
# Append Only File
appendonly yes
appendfilename "appendonly-master.aof"
appendfsync everysec
no-appendfsync-on-rewrite no
auto-aof-rewrite-percentage 100
auto-aof-rewrite-min-size 64mb
# Clustering
cluster-enabled yes
cluster-config-file nodes-master.conf
cluster-node-timeout 15000
cluster-announce-hostname redis-master.example.com
cluster-announce-port 6380
cluster-announce-tls-port 6380
# Security hardening
disable-thp yes
rename-command FLUSHDB ""
rename-command FLUSHALL ""
rename-command DEBUG ""
rename-command CONFIG "CONFIG_8f3a9d2e1b7c6405"
Configure Redis ACL users
Create ACL users with specific permissions for different application roles. Once `aclfile` is configured Redis ignores `requirepass`, and `user default off` disables the default user, so every `redis-cli -a <password>` call in this guide has to authenticate as an ACL user instead (`--user admin --pass <password>`, or the password in the `REDISCLI_AUTH` environment variable so it stays out of the process list).
# Default user (disabled)
user default off
# Admin user with full access
user admin on >Adm1n_R3d1s_P@ss_2024! allcommands allkeys
# Application user with limited permissions
user app_user on >App_R3d1s_P@ss_2024! ~app:* +@read +@write +@string +@list +@set +@hash +@sortedset -@dangerous
# Read-only user for monitoring
user monitor on >Mon1t0r_R3d1s_P@ss_2024! +@read +ping +info +client
Configure Redis replica node
Set up a replica node for high availability and load distribution. Note that Redis refuses to start when `replicaof` is combined with `cluster-enabled yes` (`replicaof directive not allowed in cluster mode`): either keep the replica out of cluster mode for a plain master/replica pair, or leave `replicaof` out and attach the node with `CLUSTER REPLICATE` once the cluster is formed. Because the ACL file disables the default user, the replica also needs `masteruser admin` next to `masterauth` (with the admin password) for the replication link to authenticate.
# Network and security
bind 127.0.0.1 203.0.113.11
port 0
tls-port 6381
tls-cert-file /etc/redis/tls/redis-cert.pem
tls-key-file /etc/redis/tls/redis-key.pem
tls-ca-cert-file /etc/redis/tls/ca-cert.pem
tls-protocols "TLSv1.2 TLSv1.3"
tls-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
tls-ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
protected-mode yes
# Replication
replicaof 203.0.113.10 6380
masterauth Str0ng_R3d1s_P@ssw0rd_2024!
requirepass Str0ng_R3d1s_P@ssw0rd_2024!
aclfile /etc/redis/users.acl
# General configuration
timeout 300
tcp-keepalive 300
daemonize yes
pidfile /var/run/redis/redis-replica.pid
loglevel notice
logfile /var/log/redis/redis-replica.log
# Memory and persistence
maxmemory 2gb
maxmemory-policy allkeys-lru
replica-read-only yes
replica-serve-stale-data yes
dbfilename dump-replica.rdb
dir /var/lib/redis
# Append Only File
appendonly yes
appendfilename "appendonly-replica.aof"
appendfsync everysec
# Clustering
cluster-enabled yes
cluster-config-file nodes-replica.conf
cluster-node-timeout 15000
cluster-announce-hostname redis-replica.example.com
cluster-announce-port 6381
cluster-announce-tls-port 6381
# Security hardening
disable-thp yes
rename-command FLUSHDB ""
rename-command FLUSHALL ""
rename-command DEBUG ""
rename-command CONFIG "CONFIG_8f3a9d2e1b7c6405"
Set file permissions and ownership
Apply correct ownership and minimal permissions to all Redis configuration files.
# Config files: readable by root and the redis group only; the ACL file holds passwords, so owner-only.
sudo chown redis:redis /etc/redis/redis-master.conf /etc/redis/redis-replica.conf /etc/redis/users.acl
sudo chmod 640 /etc/redis/redis-master.conf /etc/redis/redis-replica.conf
sudo chmod 600 /etc/redis/users.acl
# Directory for the pid files. /var/run is volatile, which is why the systemd units below also
# declare RuntimeDirectory=redis so it is recreated at boot.
sudo mkdir -p /var/run/redis
sudo chown redis:redis /var/run/redis
sudo chmod 755 /var/run/redis
Create systemd service files
Set up systemd services for both Redis master and replica nodes.
[Unit]
Description=Redis Master Server
After=network.target
[Service]
Type=forking
User=redis
Group=redis
ExecStart=/usr/bin/redis-server /etc/redis/redis-master.conf
ExecStop=/usr/bin/redis-cli --tls --cert /etc/redis/tls/redis-cert.pem --key /etc/redis/tls/redis-key.pem --cacert /etc/redis/tls/ca-cert.pem -p 6380 shutdown
TimeoutStopSec=0
Restart=always
RestartSec=5
RuntimeDirectory=redis
RuntimeDirectoryMode=0755
# Security settings
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectHome=yes
ProtectSystem=strict
ReadWritePaths=/var/lib/redis /var/log/redis /var/run/redis
[Install]
WantedBy=multi-user.target
Create Redis replica service
Create the systemd service file for the replica node.
[Unit]
Description=Redis Replica Server
After=network.target
[Service]
Type=forking
User=redis
Group=redis
ExecStart=/usr/bin/redis-server /etc/redis/redis-replica.conf
ExecStop=/usr/bin/redis-cli --tls --cert /etc/redis/tls/redis-cert.pem --key /etc/redis/tls/redis-key.pem --cacert /etc/redis/tls/ca-cert.pem -p 6381 shutdown
TimeoutStopSec=0
Restart=always
RestartSec=5
RuntimeDirectory=redis
RuntimeDirectoryMode=0755
# Security settings
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectHome=yes
ProtectSystem=strict
ReadWritePaths=/var/lib/redis /var/log/redis /var/run/redis
[Install]
WantedBy=multi-user.target
Configure system limits for Redis
Optimize system limits for Redis performance and memory management. These `limits.conf` entries apply to PAM login sessions only; for the systemd units above the same effect needs `LimitNOFILE=` and `LimitMEMLOCK=` in their `[Service]` section.
redis soft nofile 65535
redis hard nofile 65535
redis soft memlock unlimited
redis hard memlock unlimited
Configure kernel parameters
Set optimal kernel parameters for Redis performance and security.
# Memory overcommit for Redis
vm.overcommit_memory = 1
# Reserve no static (hugetlbfs) huge pages. This key does not control transparent huge pages; those are disabled through /sys/kernel/mm/transparent_hugepage/enabled in the next step.
vm.nr_hugepages = 0
# TCP settings for Redis
net.core.somaxconn = 65535
net.ipv4.tcp_max_syn_backlog = 65535
# Network security
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
Apply kernel parameters
Load the new kernel parameters and disable transparent huge pages system-wide. (`disable-thp yes` in the Redis configuration above already turns THP off for the Redis process itself; the sysfs setting below covers the whole host.)
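sudo sysctl -p /etc/sysctl.d/redis.conf
echo never | sudo tee /sys/kernel/mm/transparent_hugepage/enabled
# Persist the THP setting across reboots. A stock /etc/rc.local ends with 'exit 0', so the line
# has to go before it: appending after it means it never runs. When the file does not exist yet,
# create it with a shebang so rc-local.service can execute it.
if [ -f /etc/rc.local ] && grep -q '^exit 0' /etc/rc.local; then
  sudo sed -i '/^exit 0/i echo never > /sys/kernel/mm/transparent_hugepage/enabled' /etc/rc.local
else
  [ -f /etc/rc.local ] || printf '#!/bin/sh\n' | sudo tee /etc/rc.local
  echo 'echo never > /sys/kernel/mm/transparent_hugepage/enabled' | sudo tee -a /etc/rc.local
fi
sudo chmod +x /etc/rc.local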
Configure firewall rules
Set up firewall rules to allow Redis cluster communication securely. If the replica also runs in cluster mode, its bus port (16381) needs a matching rule.
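# Client TLS ports and the cluster bus (tls-port + 10000), all restricted to the cluster subnet.
sudo ufw allow from 203.0.113.0/24 to any port 6380 proto tcp comment 'Redis master TLS'
sudo ufw allow from 203.0.113.0/24 to any port 6381 proto tcp comment 'Redis replica TLS'
sudo ufw allow from 203.0.113.0/24 to any port 16380 proto tcp comment 'Redis cluster bus'
# The replica configuration also sets cluster-enabled yes, so its bus port (6381 + 10000) needs the same rule.
sudo ufw allow from 203.0.113.0/24 to any port 16381 proto tcp comment 'Redis cluster bus'
sudo ufw reload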
Start and enable Redis services
Start both Redis master and replica services and enable them for automatic startup.
# Pick up the new unit files, then start both nodes and enable them at boot in one step.
sudo systemctl daemon-reload
sudo systemctl enable --now redis-master redis-replica
# Shows the state and the most recent log lines of both units.
sudo systemctl status redis-master redis-replica
Configure Redis backup script
Create an automated backup script for Redis data with compression and rotation.
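#!/bin/bash
# Redis master backup: trigger an RDB snapshot, wait for it to finish, archive
# it with a timestamp and prune archives older than RETENTION_DAYS.
#
# Runs as the redis user from cron. The RDB copy is the consistent backup; the
# AOF directory is archived best-effort (Redis keeps appending to it while it
# is copied, so it is only meaningful alongside the snapshot).
set -euo pipefail

BACKUP_DIR="${BACKUP_DIR:-/var/backups/redis}"
RETENTION_DAYS="${RETENTION_DAYS:-7}"
REDIS_DATA_DIR="/var/lib/redis"
REDIS_PORT=6380
# Upper bound on how long to wait for BGSAVE (seconds), so a stuck save cannot
# leave this cron job running forever.
SAVE_TIMEOUT="${SAVE_TIMEOUT:-600}"
# The ACL file turns the default user off and makes requirepass ignored, so a
# bare '-a <password>' is rejected: authenticate as the admin ACL user instead.
REDIS_USER="${REDIS_USER:-admin}"
# redis-cli reads the password from REDISCLI_AUTH; unlike -a it never shows up
# in the process list. Override it through the environment rather than by
# editing this file.
export REDISCLI_AUTH="${REDIS_PASSWORD:-Adm1n_R3d1s_P@ss_2024!}"
DATE=$(date +%Y%m%d_%H%M%S)

# Run one command against the master over TLS.
redis_cli() {
  /usr/bin/redis-cli --tls \
    --cert /etc/redis/tls/redis-cert.pem \
    --key /etc/redis/tls/redis-key.pem \
    --cacert /etc/redis/tls/ca-cert.pem \
    -p "$REDIS_PORT" --user "$REDIS_USER" --no-auth-warning "$@"
}

# Wait until LASTSAVE moves past $1 (the value read before BGSAVE). Comparing
# two fresh LASTSAVE reads with each other never terminates, because they are
# almost always equal.
wait_for_bgsave() {
  local before=$1 waited=0
  while [[ "$(redis_cli LASTSAVE)" == "$before" ]]; do
    if (( waited >= SAVE_TIMEOUT )); then
      printf 'ERROR: BGSAVE did not finish within %ss\n' "$SAVE_TIMEOUT" >&2
      return 1
    fi
    sleep 1
    waited=$(( waited + 1 ))
  done
}

main() {
  local last_save archive
  mkdir -p -- "$BACKUP_DIR"
  printf 'Starting Redis backup at %s\n' "$(date)"

  last_save=$(redis_cli LASTSAVE)
  # BGSAVE answers with an error when a save is already running; the wait
  # below covers that case as well.
  redis_cli BGSAVE >/dev/null || printf 'WARN: BGSAVE request rejected, waiting for the save in progress\n' >&2
  wait_for_bgsave "$last_save"

  archive="$BACKUP_DIR/redis-master-$DATE"
  cp -- "$REDIS_DATA_DIR/dump-master.rdb" "$archive.rdb"
  gzip -- "$archive.rdb"
  # Redis 7 keeps the AOF as several files under appendonlydir (appendfilename
  # is only the prefix), so there is no single .aof file to copy.
  if [[ -d "$REDIS_DATA_DIR/appendonlydir" ]]; then
    tar -czf "$archive.aof.tar.gz" -C "$REDIS_DATA_DIR" appendonlydir
  fi

  # Matches both the .rdb.gz and the .aof.tar.gz archives.
  find "$BACKUP_DIR" -name 'redis-master-*.gz' -mtime +"$RETENTION_DAYS" -delete
  printf 'Redis backup completed at %s\n' "$(date)"
}

main "$@"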
Set backup script permissions and schedule
Make the backup script executable and schedule it to run daily via cron.
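sudo chmod 750 /etc/redis/backup.sh
sudo chown redis:redis /etc/redis/backup.sh
sudo mkdir -p /var/backups/redis
sudo chown redis:redis /var/backups/redis
# The archives contain the full dataset; keep them readable by the redis user only.
sudo chmod 750 /var/backups/redis
# System crontab fields: minute hour day-of-month month day-of-week user command — daily at 02:00.
echo '0 2 * * * redis /etc/redis/backup.sh >> /var/log/redis/backup.log 2>&1' | sudo tee -a /etc/crontab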
Configure Redis monitoring
Set up Redis monitoring script to check cluster health and performance metrics.
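#!/bin/bash
# Redis health check, run from cron: pings master and replica over TLS and
# records the master's memory use and client count in LOG_FILE.
# No 'set -e': a node that does not answer is a logged event, not a script
# failure.
set -uo pipefail

MASTER_PORT=6380
REPLICA_PORT=6381
LOG_FILE="${LOG_FILE:-/var/log/redis/monitor.log}"
# The 'monitor' ACL user (+@read +ping +info +client) covers everything this
# script does, so the admin password stays out of it. The default user is off
# and requirepass is ignored once an aclfile is set, so '-a <password>' alone
# would be rejected.
REDIS_USER="${REDIS_USER:-monitor}"
# REDISCLI_AUTH keeps the password out of the process list; override it
# through the environment rather than by editing this file.
export REDISCLI_AUTH="${REDIS_PASSWORD:-Mon1t0r_R3d1s_P@ss_2024!}"

# Run one command against the node on port $1 over TLS.
redis_cli() {
  local port=$1
  shift
  /usr/bin/redis-cli --tls \
    --cert /etc/redis/tls/redis-cert.pem \
    --key /etc/redis/tls/redis-key.pem \
    --cacert /etc/redis/tls/ca-cert.pem \
    -p "$port" --user "$REDIS_USER" --no-auth-warning "$@"
}

# Append a timestamped line to LOG_FILE. The time is taken per call so the
# entries of one run are not all stamped with the script's start time.
log_message() {
  printf '[%s] %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOG_FILE"
}

# Log whether node "$1" (a name for the log) on port "$2" answers PING. The
# reply is compared with PONG instead of trusting redis-cli's exit status,
# whose value for error replies (e.g. a failed AUTH) depends on the version.
check_node() {
  local name=$1 port=$2
  if [[ "$(redis_cli "$port" ping 2>/dev/null)" == "PONG" ]]; then
    log_message "Redis $name is running"
  else
    log_message "ERROR: Redis $name is not responding"
  fi
}

# Print field $3 of INFO section $2 from the node on port $1, CR stripped.
info_field() {
  local port=$1 section=$2 field=$3
  redis_cli "$port" info "$section" 2>/dev/null \
    | awk -F: -v key="$field" '$1 == key { sub(/\r$/, "", $2); print $2 }'
}

main() {
  check_node master "$MASTER_PORT"
  check_node replica "$REPLICA_PORT"
  log_message "Memory usage: $(info_field "$MASTER_PORT" memory used_memory_human)"
  log_message "Connected clients: $(info_field "$MASTER_PORT" clients connected_clients)"
}

main "$@"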
Enable monitoring script
Make the monitoring script executable and schedule it to run every 5 minutes.
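sudo chmod 750 /etc/redis/monitor.sh
sudo chown redis:redis /etc/redis/monitor.sh
# System crontab fields: minute hour day-of-month month day-of-week user command — every 5 minutes.
echo '*/5 * * * * redis /etc/redis/monitor.sh' | sudo tee -a /etc/crontab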
Verify your setup
Test the Redis installation, clustering, SSL connection, and authentication.
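# Check Redis services status
sudo systemctl status redis-master redis-replica
# Helper: redis-cli over TLS. The ACL file disables the default user and makes requirepass ignored,
# so '-a <password>' alone is rejected; authenticate as the ACL 'admin' user instead, with the password
# in REDISCLI_AUTH so it does not appear in the process list.
export REDISCLI_AUTH='Adm1n_R3d1s_P@ss_2024!'
rcli() { redis-cli --tls --cert /etc/redis/tls/redis-cert.pem --key /etc/redis/tls/redis-key.pem --cacert /etc/redis/tls/ca-cert.pem --no-auth-warning "$@"; }
# Test SSL connection to master
rcli -p 6380 --user admin ping
# Test SSL connection to replica
rcli -p 6381 --user admin ping
# Check cluster status
rcli -p 6380 --user admin cluster nodes
# Test ACL authentication as the application user. Its key pattern is ~app:*, so the test key
# has to live under that prefix; test:key would be refused with NOPERM.
rcli -p 6380 --user app_user --pass 'App_R3d1s_P@ss_2024!' set app:test:key "test value"
# Verify replication
rcli -p 6381 --user admin get app:test:key
# Check Redis version and info
rcli -p 6380 --user admin info server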
Common issues
| Symptom | Cause | Fix |
|---|---|---|
| Redis won't start | Configuration syntax error | sudo journalctl -u redis-master -f to check logs |
| SSL connection fails | Certificate permissions or path issues | Check sudo ls -la /etc/redis/tls/ and verify ownership |
| ACL authentication rejected | User permissions or password mismatch | redis-cli ACL LIST to verify user configuration |
| Replication not working | Network connectivity or authentication | Check replica logs: sudo tail -f /var/log/redis/redis-replica.log |
| High memory usage | No maxmemory policy set | Verify maxmemory settings in configuration |
| Cluster nodes can't communicate | Firewall blocking cluster bus port | Ensure port 16380 is open between cluster nodes |
| Permission denied errors | Incorrect file ownership | sudo chown -R redis:redis /var/lib/redis /var/log/redis |
Next steps
- Install and configure Grafana with Prometheus for system monitoring to monitor Redis metrics
- Install and configure NGINX with HTTP/3 and modern security headers for Redis proxy setup
- Configure Redis Sentinel for automatic failover
- Set up Redis Cluster with multiple master nodes
- Configure Redis Lua scripting and modules
Automated install script
Run this to automate the entire setup
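#!/usr/bin/env bash
set -euo pipefail
# Redis 7 Cluster Installation Script with Security Hardening
# Production-ready installation for Ubuntu, Debian, AlmaLinux, Rocky Linux
#
# Usage: install.sh [cluster_ip]   (must run as root)
# Environment:
#   REDIS_PASSWORD  admin password to configure; a random one is generated when unset
# Colors for output (only ever printed through the log_* helpers)
readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly NC='\033[0m'
# Configuration variables
REDIS_PASSWORD="${REDIS_PASSWORD:-$(openssl rand -base64 32)}"
# First argument wins; otherwise the host's primary address. If hostname -I is
# unavailable this stays empty and check_prerequisites reports it, instead of
# the script dying here with an unexplained pipeline failure.
CLUSTER_IP="${1:-$(hostname -I 2>/dev/null | awk '{print $1}' || true)}"
readonly REDIS_USER="redis"
readonly REDIS_HOME="/var/lib/redis"
readonly REDIS_CONFIG_DIR="/etc/redis"
readonly REDIS_LOG_DIR="/var/log/redis"
readonly REDIS_TLS_DIR="/etc/redis/tls"
# Print colored output. The message goes through %s so it is printed literally
# (echo -e would interpret backslashes in it); warnings and errors go to stderr.
log_info()  { printf '%b[INFO]%b %s\n' "$GREEN" "$NC" "$*"; }
log_warn()  { printf '%b[WARN]%b %s\n' "$YELLOW" "$NC" "$*" >&2; }
log_error() { printf '%b[ERROR]%b %s\n' "$RED" "$NC" "$*" >&2; }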
# Show usage
usage() {
  # Printed when the arguments are unusable; exit status 1 like the other
  # fatal paths of the script.
  printf 'Usage: %s [cluster_ip]\nExample: %s 192.168.1.100\n' "$0" "$0"
  exit 1
}
# Cleanup on error
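cleanup() {
  # ERR trap: stop what this script started and tell the operator what is
  # left behind. Data, config and the redis account are deliberately kept —
  # on a re-run against an existing installation, removing /var/lib/redis and
  # the user here would destroy a live dataset over a failed firewall step.
  log_error "Installation failed. Redis stopped; files under $REDIS_CONFIG_DIR and $REDIS_HOME are left in place for inspection."
  # redis-cluster is the unit this script creates; redis-server is the
  # distribution's stock unit that install_redis may have left behind.
  systemctl stop redis-cluster redis-server 2>/dev/null || true
  systemctl disable redis-cluster redis-server 2>/dev/null || true
}
# Without -E the ERR trap does not fire for a failure inside a function, which
# is where every step of this script runs.
set -E
trap cleanup ERR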
# Check prerequisites
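# True when $1 is a dotted quad with every octet in 0..255 (the regex alone
# also accepts 999.1.1.1).
is_ipv4() {
  local ip=$1 octet
  local -a octets
  [[ "$ip" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]] || return 1
  IFS=. read -r -a octets <<<"$ip"
  for octet in "${octets[@]}"; do
    # 10# forces decimal so a leading zero is not read as octal.
    (( 10#$octet <= 255 )) || return 1
  done
  return 0
}
check_prerequisites() {
  # Root is needed for package, user and unit management; CLUSTER_IP ends up
  # in bind/cluster-announce-ip and must be a plain IPv4 address.
  if [[ $EUID -ne 0 ]]; then
    log_error "This script must be run as root"
    exit 1
  fi
  if ! is_ipv4 "$CLUSTER_IP"; then
    log_error "Invalid IP address format: '$CLUSTER_IP'"
    usage
  fi
}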
# Detect distribution
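detect_distro() {
  # Sets PKG_MGR, PKG_UPDATE, PKG_INSTALL and FIREWALL_CMD from /etc/os-release.
  if [[ ! -f /etc/os-release ]]; then
    log_error "Cannot detect distribution"
    exit 1
  fi
  # shellcheck disable=SC1091
  . /etc/os-release
  # Match the exact ID first, then each ID_LIKE entry, so a derivative that is
  # not listed (e.g. Linux Mint, ID_LIKE=ubuntu) takes its parent's settings.
  # ID_LIKE is a space-separated list, hence deliberately unquoted.
  local candidate
  # shellcheck disable=SC2086
  for candidate in "$ID" ${ID_LIKE:-}; do
    case "$candidate" in
      ubuntu|debian)
        PKG_MGR="apt"
        PKG_UPDATE="apt update && apt upgrade -y"
        PKG_INSTALL="apt install -y"
        FIREWALL_CMD="ufw"
        ;;
      almalinux|rocky|centos|rhel|ol|fedora)
        PKG_MGR="dnf"
        PKG_UPDATE="dnf update -y"
        PKG_INSTALL="dnf install -y"
        FIREWALL_CMD="firewall-cmd"
        ;;
      amzn)
        PKG_MGR="yum"
        PKG_UPDATE="yum update -y"
        PKG_INSTALL="yum install -y"
        FIREWALL_CMD="firewall-cmd"
        ;;
      *)
        continue
        ;;
    esac
    log_info "Detected distribution: $ID"
    return 0
  done
  log_error "Unsupported distribution: $ID"
  exit 1
}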
# Update system packages
update_system() {
  log_info "[1/8] Updating system packages..."
  # PKG_UPDATE is one of the fixed strings set by detect_distro and may contain
  # '&&', so it has to be evaluated rather than merely word-split.
  eval "$PKG_UPDATE"
}
# Install Redis 7
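install_redis() {
  log_info "[2/8] Installing Redis 7..."
  if [[ "$PKG_MGR" == "apt" ]]; then
    local codename
    # detect_distro sourced /etc/os-release, so VERSION_CODENAME is normally
    # set; lsb_release is only a fallback since minimal images lack it.
    codename="${VERSION_CODENAME:-$(lsb_release -cs)}"
    # --yes lets gpg overwrite an existing keyring on a re-run.
    curl -fsSL https://packages.redis.io/gpg | gpg --dearmor --yes -o /usr/share/keyrings/redis-archive-keyring.gpg
    printf 'deb [signed-by=/usr/share/keyrings/redis-archive-keyring.gpg] https://packages.redis.io/deb %s main\n' "$codename" > /etc/ap­t/sources.list.d/redis.list
    apt update
    # shellcheck disable=SC2086 — PKG_INSTALL is "cmd -flags" and must split
    $PKG_INSTALL redis-server redis-tools
  else
    # NOTE(review): this is a fixed el9/x86_64 package, yet detect_distro also
    # routes Fedora, EL8 and Amazon Linux here — confirm it fits those hosts.
    # shellcheck disable=SC2086
    $PKG_INSTALL https://packages.redis.io/rpm/el9/x86_64/redis-7.2.4-1.el9.x86_64.rpm
  fi
  # The package enables a stock unit; stop and disable it so the unit created
  # by setup_service is the only one owning the port. Its name differs between
  # distributions, hence the two attempts.
  systemctl stop redis-server 2>/dev/null || systemctl stop redis 2>/dev/null || true
  systemctl disable redis-server 2>/dev/null || systemctl disable redis 2>/dev/null || true
}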
# Create Redis user and directories
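setup_directories() {
  log_info "[3/8] Creating Redis user and directories..."
  id "$REDIS_USER" &>/dev/null || useradd --system --home "$REDIS_HOME" --shell /bin/false "$REDIS_USER"
  # /var/run is normally tmpfs: this mkdir only covers the first start; the
  # service unit has to declare RuntimeDirectory=redis to get it back after a
  # reboot.
  mkdir -p "$REDIS_CONFIG_DIR" "$REDIS_HOME" "$REDIS_LOG_DIR" "$REDIS_TLS_DIR" /var/run/redis
  chown "$REDIS_USER:$REDIS_USER" "$REDIS_HOME" "$REDIS_LOG_DIR" /var/run/redis
  chown -R "$REDIS_USER:$REDIS_USER" "$REDIS_CONFIG_DIR"
  # The data directory holds the RDB/AOF files, i.e. the whole dataset, so it
  # gets the same owner-only access as the config directory; the log and pid
  # directories stay world-readable.
  chmod 750 "$REDIS_HOME" "$REDIS_CONFIG_DIR"
  chmod 755 "$REDIS_LOG_DIR" /var/run/redis
}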
# Generate SSL certificates
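generate_ssl() {
  log_info "[4/8] Generating SSL certificates..."
  # A subshell keeps the umask and the cd from leaking into the rest of the
  # script; umask 077 means the private keys are never world-readable, not
  # even between creation and the chmod below. A failure inside the subshell
  # still aborts the script under set -e.
  (
    umask 077
    cd "$REDIS_TLS_DIR"
    openssl genrsa -out ca-key.pem 4096
    openssl req -x509 -new -nodes -key ca-key.pem -sha256 -days 3650 -out ca-cert.pem -subj "/C=US/ST=State/L=City/O=Organization/CN=Redis-CA"
    openssl genrsa -out redis-key.pem 2048
    openssl req -new -key redis-key.pem -out redis.csr -subj "/C=US/ST=State/L=City/O=Organization/CN=redis-server"
    openssl x509 -req -in redis.csr -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out redis-cert.pem -days 365 -sha256
    rm -f redis.csr
  )
  chown -R "$REDIS_USER:$REDIS_USER" "$REDIS_TLS_DIR"
  chmod 600 "$REDIS_TLS_DIR"/*.pem
  # The server reads only redis-key.pem, redis-cert.pem and ca-cert.pem
  # (tls-* in redis.conf); the CA key just signs certificates and stays
  # root-only.
  chown root:root "$REDIS_TLS_DIR/ca-key.pem"
}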
# Configure Redis
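configure_redis() {
  log_info "[5/8] Configuring Redis with clustering and security..."
  # Generated here and printed below: the original threw the readonly
  # password away inside the heredoc, leaving an account nobody can use.
  local readonly_password
  readonly_password=$(openssl rand -base64 16)
  cat > "$REDIS_CONFIG_DIR/redis.conf" << EOF
# Network and security
bind 127.0.0.1 $CLUSTER_IP
port 0
tls-port 6380
tls-cert-file $REDIS_TLS_DIR/redis-cert.pem
tls-key-file $REDIS_TLS_DIR/redis-key.pem
tls-ca-cert-file $REDIS_TLS_DIR/ca-cert.pem
tls-protocols "TLSv1.2 TLSv1.3"
tls-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
tls-ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
# Cluster bus and node-to-node links use the same TLS material. With port 0
# there is no plaintext port for the bus to derive from; with tls-cluster the
# bus listens on tls-port + 10000 (16380).
tls-cluster yes
protected-mode yes
# Authentication
# requirepass only sets the default user's password and is ignored once an
# aclfile is configured; it is kept for tooling that expects it. Clients
# authenticate as an ACL user (e.g. --user admin).
requirepass $REDIS_PASSWORD
aclfile $REDIS_CONFIG_DIR/users.acl
# General configuration
timeout 300
tcp-keepalive 300
daemonize yes
pidfile /var/run/redis/redis-master.pid
loglevel notice
logfile $REDIS_LOG_DIR/redis-master.log
# Memory and persistence
maxmemory 2gb
maxmemory-policy allkeys-lru
save 900 1
save 300 10
save 60 10000
stop-writes-on-bgsave-error yes
rdbcompression yes
rdbchecksum yes
dbfilename dump-master.rdb
dir $REDIS_HOME
# Append Only File
appendonly yes
appendfilename "appendonly-master.aof"
appendfsync everysec
no-appendfsync-on-rewrite no
auto-aof-rewrite-percentage 100
auto-aof-rewrite-min-size 64mb
# Clustering
cluster-enabled yes
cluster-config-file nodes-master.conf
cluster-node-timeout 15000
cluster-announce-ip $CLUSTER_IP
cluster-announce-port 6380
cluster-announce-tls-port 6380
# Security hardening
rename-command FLUSHDB ""
rename-command FLUSHALL ""
rename-command DEBUG ""
# The new name is random and recorded nowhere, so SHUTDOWN is effectively
# disabled; the service is stopped through systemd (SIGTERM) instead.
rename-command SHUTDOWN REDIS_SHUTDOWN_$(openssl rand -hex 8)
EOF
  # Create ACL file. 'user default off' plus aclfile is what makes the -a
  # style login unusable: every client has to name an ACL user.
  cat > "$REDIS_CONFIG_DIR/users.acl" << EOF
user default off
user admin on >$REDIS_PASSWORD ~* &* +@all
user readonly on >$readonly_password ~* +@read
EOF
  chown "$REDIS_USER:$REDIS_USER" "$REDIS_CONFIG_DIR/redis.conf" "$REDIS_CONFIG_DIR/users.acl"
  chmod 640 "$REDIS_CONFIG_DIR/redis.conf" "$REDIS_CONFIG_DIR/users.acl"
  # Printed once, like the admin password at the end of the run; the ACL file
  # is the only other place it is stored.
  log_warn "ACL user 'readonly' password: $readonly_password"
}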
# Create systemd service
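setup_service() {
  log_info "[6/8] Setting up Redis service..."
  # redis.conf sets 'daemonize yes', so the unit must be Type=forking with the
  # matching PIDFile; the default Type=simple would see the parent exit and
  # restart the service in a loop. There is no ExecStop: systemd's SIGTERM
  # makes Redis shut down cleanly, which keeps the admin password out of the
  # unit file and the process list (and SHUTDOWN is renamed in redis.conf
  # anyway). RuntimeDirectory recreates /run/redis after a reboot.
  cat > /etc/systemd/system/redis-cluster.service << EOF
[Unit]
Description=Redis In-Memory Data Store (Cluster)
After=network.target

[Service]
Type=forking
PIDFile=/var/run/redis/redis-master.pid
User=$REDIS_USER
Group=$REDIS_USER
ExecStart=/usr/bin/redis-server $REDIS_CONFIG_DIR/redis.conf
TimeoutStopSec=0
Restart=always
RestartSec=5
RuntimeDirectory=redis
RuntimeDirectoryMode=0755
LimitNOFILE=65535
# Sandboxing: Redis only needs to write its data, log and runtime directories.
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectHome=yes
ProtectSystem=strict
ReadWritePaths=$REDIS_HOME $REDIS_LOG_DIR /var/run/redis

[Install]
WantedBy=multi-user.target
EOF
  systemctl daemon-reload
  systemctl enable redis-cluster
}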
# Configure firewall
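configure_firewall() {
  log_info "[7/8] Configuring firewall..."
  # 6380 is the client TLS port; 16380 (tls-port + 10000) is the cluster bus
  # the nodes use to reach each other — without it the cluster never forms.
  # Both rules accept any source: tighten them to the cluster's subnet
  # ('ufw allow from <cidr> ...' / a firewalld rich rule) before exposing the
  # host.
  if [[ "$FIREWALL_CMD" == "ufw" ]]; then
    ufw --force enable 2>/dev/null || true
    ufw allow 6380/tcp comment "Redis TLS"
    ufw allow 16380/tcp comment "Redis cluster bus"
  else
    systemctl start firewalld 2>/dev/null || true
    firewall-cmd --permanent --add-port=6380/tcp 2>/dev/null || true
    firewall-cmd --permanent --add-port=16380/tcp 2>/dev/null || true
    firewall-cmd --reload 2>/dev/null || true
  fi
}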
# Start and verify Redis
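start_and_verify() {
  log_info "[8/8] Starting Redis and verifying installation..."
  systemctl start redis-cluster
  sleep 3
  if ! systemctl is-active --quiet redis-cluster; then
    log_error "Redis failed to start. Check logs: journalctl -u redis-cluster"
    exit 1
  fi
  # is-active only proves the process is up; a PING over TLS as the admin ACL
  # user proves the listener, the certificates and the ACL file work. The
  # password is handed over in REDISCLI_AUTH rather than -a so it stays out
  # of the process list.
  local reply
  reply=$(REDISCLI_AUTH="$REDIS_PASSWORD" /usr/bin/redis-cli --tls \
    --cert "$REDIS_TLS_DIR/redis-cert.pem" --key "$REDIS_TLS_DIR/redis-key.pem" \
    --cacert "$REDIS_TLS_DIR/ca-cert.pem" -p 6380 --user admin --no-auth-warning ping 2>&1 || true)
  if [[ "$reply" != "PONG" ]]; then
    log_error "Redis is running but did not answer PING over TLS: $reply"
    exit 1
  fi
  log_info "Redis cluster is running successfully"
  log_info "Configuration file: $REDIS_CONFIG_DIR/redis.conf"
  log_info "Log file: $REDIS_LOG_DIR/redis-master.log"
  log_info "TLS enabled on port 6380"
  log_warn "IMPORTANT: Redis password: $REDIS_PASSWORD"
  log_warn "Save this password securely!"
}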
# Main execution
main() {
  # Steps in dependency order: prerequisites and distro detection first, then
  # packages, filesystem layout, TLS material, config, unit, firewall, and
  # finally the start-up check. Each step exits the script on failure.
  local step
  for step in check_prerequisites detect_distro update_system install_redis \
      setup_directories generate_ssl configure_redis setup_service \
      configure_firewall start_and_verify; do
    "$step"
  done
  log_info "Redis 7 cluster installation completed successfully!"
}
main "$@"
Review the script before running. It must run as root (it checks for this and exits otherwise) and takes the node's cluster IP as an optional first argument; execute with: sudo bash install.sh [cluster_ip]