Production Redis cheatsheet.

redis.conf

# Listens on every interface; prefer an internal address or 127.0.0.1 (see Security)
bind 0.0.0.0
protected-mode yes
port 6379
requirepass yoursecret

maxmemory 4gb
maxmemory-policy allkeys-lru

# Persistence (cache + queue use case)
save 900 1
save 300 10
save 60 10000
appendonly yes
appendfsync everysec
aof-use-rdb-preamble yes

# Tuning
tcp-backlog 511
tcp-keepalive 300
timeout 0
databases 1

# Logs
loglevel notice
logfile /var/log/redis/redis.log

# Slow log
slowlog-log-slower-than 10000
slowlog-max-len 1000

# Latency monitor
latency-monitor-threshold 100

# Memory
maxmemory-samples 10
activerehashing yes

# Disable dangerous commands
rename-command FLUSHALL ""
rename-command FLUSHDB ""
rename-command CONFIG ""
rename-command KEYS ""

Security

  • Strong requirepass or ACL.
  • TLS for client + replication.
  • Bind to internal network or localhost.
  • Firewall port 6379.
  • No root user.

# TLS
tls-port 6380
tls-cert-file /etc/redis/cert.pem
tls-key-file /etc/redis/key.pem
tls-ca-cert-file /etc/redis/ca.pem

systemd unit

[Unit]
Description=Redis
After=network.target

[Service]
Type=notify
ExecStart=/usr/bin/redis-server /etc/redis/redis.conf --supervised systemd
User=redis
Group=redis
LimitNOFILE=65536
PrivateTmp=true
ProtectSystem=full
ReadWritePaths=/var/lib/redis /var/log/redis
NoNewPrivileges=true

[Install]
WantedBy=multi-user.target

Docker

services:
  redis:
    image: redis:7-alpine
    restart: unless-stopped
    command: ["redis-server", "/etc/redis/redis.conf"]
    volumes:
      - ./redis.conf:/etc/redis/redis.conf:ro
      - redis-data:/data
    # Published on all host interfaces; use "127.0.0.1:6379:6379" to keep it local to the host
    ports: ["6379:6379"]
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
      interval: 10s
    sysctls:
      net.core.somaxconn: 65535

volumes:
  redis-data:

Kernel

# /etc/sysctl.d/redis.conf
vm.overcommit_memory = 1
net.core.somaxconn = 65535

# Shell, as root: disable transparent huge pages (does not persist across reboots)
echo never > /sys/kernel/mm/transparent_hugepage/enabled

ulimit

# /etc/security/limits.conf
redis soft nofile 65536
redis hard nofile 65536

Backups

# Daily
cp /var/lib/redis/dump.rdb /backup/dump-$(date +%F).rdb
zstd /backup/dump-$(date +%F).rdb
aws s3 cp /backup/dump-$(date +%F).rdb.zst s3://bucket/redis/

Or use replica + BGSAVE on replica to avoid primary I/O hit.

Monitoring

docker run -d \
  --name redis-exporter \
  -p 9121:9121 \
  -e REDIS_ADDR=redis://redis:6379 \
  -e REDIS_PASSWORD=... \
  oliver006/redis_exporter

Prometheus scrape :9121. Grafana dashboard 763 or 11835.

Sentinel for HA

# sentinel.conf
sentinel monitor mymaster <primary-ip> 6379 2
sentinel down-after-milliseconds mymaster 5000
sentinel failover-timeout mymaster 10000
sentinel auth-pass mymaster yoursecret

3 sentinels minimum. Place on separate hosts.

Cluster for scale

See cluster cheatsheet.

Client config

  • Connection pool (50-100 conns).
  • Timeout (1-2s).
  • Retries with backoff.
  • Health-check periodically.
  • Use cluster-aware client if cluster.

Pre-launch checklist

  • maxmemory set.
  • Eviction policy chosen.
  • Persistence configured (RDB + AOF).
  • Backups + tested restore.
  • TLS enabled (or VPN).
  • Auth/ACL.
  • Dangerous commands renamed.
  • Monitoring + alerts.
  • Slowlog enabled.
  • Replica + Sentinel (or Cluster).
  • Connection pool on clients.
  • Kernel tuning (THP off, overcommit).
  • Capacity planned (RAM + headroom for fork).
  • Runbook for: scale up, failover, recover.
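
A small linter for part of the checklist above, as an added example (not the author's code): it parses redis.conf text and reports the items the config does not meet. The names `parse_conf` and `audit`, the finding codes, and the 32-character password threshold are assumptions of this example; the sample config is constructed from directives shown on this page.

```python
import re

# Constructed sample: directives taken from this page's redis.conf and TLS block.
SAMPLE_CONF = '''
bind 0.0.0.0
port 6379
requirepass yoursecret
maxmemory 4gb
rename-command FLUSHALL ""
rename-command FLUSHDB ""
rename-command CONFIG ""
rename-command KEYS ""
tls-port 6380
'''
DANGEROUS = ("FLUSHALL", "FLUSHDB", "CONFIG", "KEYS")  # the page's rename list
MIN_PASSWORD_LEN = 32  # assumed threshold for this example, not a Redis setting

def parse_conf(text):
    """Map each directive to the list of its argument lists (directives can repeat)."""
    conf = {}
    for line in text.splitlines():
        tokens = re.findall(r'"[^"]*"|\S+', line.strip())
        if tokens and not tokens[0].startswith("#"):
            args = [t.strip('"') for t in tokens[1:]]
            conf.setdefault(tokens[0].lower(), []).append(args)
    return conf

def audit(text):
    """Return finding codes for checklist items the config does not satisfy."""
    conf = parse_conf(text)
    def last(key, default):  # for single-valued directives the last occurrence wins
        args = conf.get(key, [[default]])[-1]
        return args[0] if args else default
    findings = []
    binds = [a.lstrip("-") for args in conf.get("bind", [["*"]]) for a in args]
    if any(a in ("0.0.0.0", "*", "::", "::*") for a in binds):
        findings.append("bind-all-interfaces")  # a missing bind also means all interfaces
    if "user" not in conf and "aclfile" not in conf:  # no ACL users defined
        if len(last("requirepass", "")) < MIN_PASSWORD_LEN:
            findings.append("weak-or-missing-requirepass")
    if last("tls-port", "0") == "0":
        findings.append("tls-not-enabled")
    elif last("port", "6379") != "0":  # tls-port alone leaves the plaintext port open
        findings.append("plaintext-port-still-open")
    if last("maxmemory", "0") == "0":
        findings.append("maxmemory-unset")
    renamed = {args[0].upper() for args in conf.get("rename-command", []) if args}
    findings += [f"not-renamed:{c}" for c in DANGEROUS if c not in renamed]
    return findings
```

Call `audit(open("/etc/redis/redis.conf").read())` before launch; an empty list means every item this example checks is met.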


If you want my Redis prod setup, it’s at rajpoot.dev .

