How to Disable Redis Protected-Mode in Production Environments: Configuration and Troubleshooting


Redis' protected-mode is a security feature introduced in version 3.2.0 that prevents external connections when:

  • No bind directive is specified
  • No password is configured via requirepass
  • The server isn't explicitly started with --protected-mode no

The error ERR Unsupported CONFIG parameter: protected-mode typically occurs in Redis versions below 3.2.0 where the protected-mode feature doesn't exist. Based on your version output (Redis server v=3.2.9), this shouldn't be happening.

# To verify your Redis version:
redis-server --version

For production environments, we recommend making changes through the configuration file rather than runtime commands:

# Edit redis.conf (path may vary)
sudo nano /etc/redis/redis.conf

# Find and modify these lines:
protected-mode no
# bind 127.0.0.1  # Comment this out to listen on all interfaces, or list the specific IPs to listen on
# requirepass yourpassword  # Uncomment to require authentication

# After saving, restart Redis
sudo systemctl restart redis

If you're unable to modify configuration parameters via CONFIG SET, check these potential causes:

# 1. Verify config file permissions
ls -l /etc/redis/redis.conf

# 2. Check whether CONFIG has been renamed or disabled with rename-command
grep -n '^rename-command' /etc/redis/redis.conf

If you absolutely cannot modify the configuration, consider these workarounds:

# 1. Start Redis with custom parameters
redis-server --protected-mode no --bind 0.0.0.0

# 2. Use SSH tunneling for secure access
ssh -L 6379:localhost:6379 user@redis-server

Before disabling protected-mode, ensure you have:

  • Proper firewall rules (iptables/ufw)
  • Network-level encryption (VPN/TLS)
  • Monitoring for suspicious activity

# Example iptables rule for Redis
sudo iptables -A INPUT -p tcp --dport 6379 -s trusted_ip -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 6379 -j DROP

Redis' protected mode is a security feature introduced in version 3.2.0 that prevents unauthorized access when:

  • No bind directive is specified in redis.conf
  • No password is set via requirepass
  • Connections originate from non-loopback interfaces

For Redis 3.2.9 (your current version), you have several options:

Method 1: Permanent Configuration Change

Edit your redis.conf file:


# nano /etc/redis/redis.conf

# Set protected-mode to no
protected-mode no

# Optionally specify bind addresses
bind 127.0.0.1 your_server_ip

# Save and restart Redis
systemctl restart redis-server

Method 2: Runtime Configuration (When Possible)

For newer Redis versions that support runtime modification:


redis-cli
127.0.0.1:6379> CONFIG SET protected-mode no
127.0.0.1:6379> CONFIG REWRITE

When encountering ERR Unsupported CONFIG parameter errors:

Version Compatibility Check

First verify your Redis version supports protected-mode configuration:


redis-server --version
# For Redis 3.2.x, runtime changes aren't supported

Alternative Solutions

When runtime changes aren't supported:

  1. Bind additional IPs:
    
    # Edit redis.conf
    bind 127.0.0.1 your_server_ip
    
  2. Set a password:
    
    requirepass your_strong_password
    

Before disabling protected-mode:

  • Ensure proper firewall rules are in place (iptables/ufw)
  • Consider using Redis ACL (available in v6+)
  • Enable TLS encryption for remote connections
  • Monitor authentication logs regularly

For production environments where you need external access:


# Recommended security settings:
protected-mode no
bind 127.0.0.1 your_private_ip
requirepass complex_password_here
rename-command FLUSHDB ""
rename-command CONFIG ""
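
An added example (not from the original page or the Redis project): a small Python audit of a redis.conf that flags the combinations described above, namely protected-mode no on a non-loopback listener with no requirepass, a missing bind directive, and the CONFIG command left available. The finding names, the sample configs and the address 10.0.0.5 are constructed for illustration.

```python
import ipaddress
import shlex

def parse_redis_conf(text):
    """Map each directive to its argument lists; '#' is a comment only at line start."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            name, *args = shlex.split(line)
            conf.setdefault(name.lower(), []).append(args)
    return conf

def first_arg(conf, key, default):
    # The last occurrence of a directive is the one this audit evaluates.
    args = conf[key][-1] if key in conf else []
    return args[0] if args else default

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr.lstrip("-")).is_loopback
    except ValueError:
        return False  # "*", hostnames, placeholders: assume reachable from outside

def audit(text):
    """Return finding codes for the exposure conditions described on this page."""
    conf = parse_redis_conf(text)
    protected = first_arg(conf, "protected-mode", "yes").lower() == "yes"
    has_password = bool(first_arg(conf, "requirepass", ""))
    binds = conf["bind"][-1] if "bind" in conf else []
    exposed = not binds or not all(is_loopback(a) for a in binds)
    renamed = {a[0].upper() for a in conf.get("rename-command", []) if a}
    findings = []
    if not protected and exposed and not has_password:
        findings.append("NO_AUTH_EXPOSED")
    if not protected and not binds:
        findings.append("LISTENS_ON_ALL_INTERFACES")
    if not protected and exposed and "CONFIG" not in renamed:
        findings.append("CONFIG_COMMAND_AVAILABLE")
    return findings

# Constructed samples: WEAK mirrors the "comment out bind" edit; HARDENED mirrors the
# recommended settings, with 10.0.0.5 standing in for your_private_ip.
WEAK = "protected-mode no\n# bind 127.0.0.1\n# requirepass yourpassword\n"
HARDENED = ("protected-mode no\nbind 127.0.0.1 10.0.0.5\nrequirepass constructed-sample-password\n"
            'rename-command FLUSHDB ""\nrename-command CONFIG ""\n')

if __name__ == "__main__":
    for label, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(sample))
```

Run it against a copy of the real file by passing its contents to audit(); an empty list means none of the three conditions was found.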