Redis: install and configure
Redis is a fast in-memory key-value store, typically deployed alongside your main application as a cache and/or session store. In this article you'll install Redis on your mHost VPS, enable it as a systemd service, set a password and lock down network access (requirepass, bind, protected-mode), test the server with redis-cli, and walk through typical usage — as a cache and as a session store.
What you'll need
- An mHost VPS running Ubuntu 22.04/24.04, Debian 11/12, or AlmaLinux/Rocky Linux 8/9.
- SSH access as root or a user with sudo.
- An application that needs a cache or sessions (your own code, FastAPI, Django, Node.js, etc.) — this article covers Redis on its own, without tying it to a specific framework. If you haven't deployed an app on this VPS yet, see the "Python and FastAPI: production deployment" or "Deploying Django on a VPS" articles.
Step 1. Install Redis
We'll install Redis from the official packages.redis.io repository rather than the distro's own repository. Reason: the Redis version in Ubuntu/Debian's standard repositories is often noticeably older than current, and on AlmaLinux/Rocky Linux 9 running dnf install redis from AppStream can install its fork Valkey under a similarly named package instead of genuine Redis. The official repository gives you the same, predictable, current Redis version across all three distro families.
Ubuntu / Debian
sudo apt-get install -y lsb-release curl gpg
curl -fsSL https://packages.redis.io/gpg | sudo gpg --dearmor -o /usr/share/keyrings/redis-archive-keyring.gpg
sudo chmod 644 /usr/share/keyrings/redis-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/redis-archive-keyring.gpg] https://packages.redis.io/deb $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/redis.list
sudo apt-get update
sudo apt-get install -y redisThe redis package is a meta-package that pulls in redis-server (the server itself) and redis-tools (including redis-cli).
AlmaLinux / Rocky Linux
Check the system's major version — you'll need it for the repository URL:
rpm -E %rhelCreate the repository file /etc/yum.repos.d/redis.repo. For AlmaLinux/Rocky Linux 9:
sudo tee /etc/yum.repos.d/redis.repo <<'EOF'
[Redis]
name=Redis
baseurl=http://packages.redis.io/rpm/rockylinux9
enabled=1
gpgcheck=1
EOFFor AlmaLinux/Rocky Linux 8 — the same, but with baseurl=http://packages.redis.io/rpm/rockylinux8.
Import the GPG key and install the package:
curl -fsSL https://packages.redis.io/gpg > /tmp/redis.key
sudo rpm --import /tmp/redis.key
sudo dnf install -y redisCheck that the package installed:
redis-server -vStep 2. Enable and start Redis via systemd
The systemd service name differs by distro family: redis-server on Ubuntu/Debian, redis on AlmaLinux/Rocky Linux. Remember which one is yours — you'll need it again later in this article.
Ubuntu / Debian
sudo systemctl enable --now redis-server
sudo systemctl status redis-serverOn Ubuntu/Debian the package usually already starts Redis and adds it to startup on its own — the command above will simply confirm that's the case.
AlmaLinux / Rocky Linux
sudo systemctl enable --now redis
sudo systemctl status redisOn AlmaLinux/Rocky Linux, unlike Ubuntu/Debian, Redis does not start or get added to startup automatically — this step is required.
Either way, the status should show active (running). Check that the server responds on the loopback interface:
redis-cli pingPONGStep 3. Secure it: bind, protected-mode, and a password (requirepass)
The configuration file lives in the same place across all three distro families — /etc/redis/redis.conf. Check the current bind and protected-mode values:
grep -E "^(bind|protected-mode)" /etc/redis/redis.confbind 127.0.0.1 -::1
protected-mode yesbind 127.0.0.1 -::1— Redis only listens on loopback:127.0.0.1(IPv4) and::1(IPv6). The dash before::1means "don't treat it as a startup error if IPv6 isn't available" — just skip that address. For the typical scenario (app and Redis on the same VPS), this is already a safe, working value — no change needed.protected-mode yes— an extra safety layer: if Redis ever ends up listening on all interfaces (bindempty or including0.0.0.0) with no password set, protected mode refuses any connection that isn't from loopback. Keep it enabled always, even whenbindis already restricted.
If an application on another VPS needs access to this Redis, add a specific IP to bind (not 0.0.0.0) — the server's public IP (the default case), or a private address if you've separately purchased the paid private-network add-on between mHost VPS instances:
bind 127.0.0.1 -::1 YOUR_OTHER_SERVER_IPNow set a password. Generate a long random string:
openssl rand -base64 32The command prints a random string — copy it and save it in a password manager, you'll need it several more times below.
Open the configuration file:
sudo nano /etc/redis/redis.confWhile you're in there, make sure the protected-mode yes line from the check above isn't commented out — if it's missing entirely or commented out, add/uncomment it in exactly that form. Then find the commented-out line # requirepass foobared in the SECURITY section (or just search for requirepass — in nano that's Ctrl+W) and set it to:
requirepass YOUR_STRONG_PASSWORDReplace YOUR_STRONG_PASSWORD with the password the openssl rand command generated above. Save the file and restart the service — using your service name from step 2:
sudo systemctl restart redis-server # Ubuntu / Debiansudo systemctl restart redis # AlmaLinux / Rocky LinuxCheck that a password is now actually required:
redis-cli ping(error) NOAUTH Authentication required.If Redis needs to be reachable from another VPS, open the port only for that server's IP address:
sudo ufw allow from YOUR_TRUSTED_IP to any port 6379 proto tcpOn AlmaLinux/Rocky Linux (firewalld), the equivalent using a rich rule:
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="YOUR_TRUSTED_IP" port port="6379" protocol="tcp" accept'
sudo firewall-cmd --reloadFor a detailed walkthrough of ufw commands and firewall logic, see the "The ufw firewall: managing ports" article. Don't use ufw allow 6379/tcp or firewall-cmd --add-port=6379/tcp without specifying a source — that opens the port to everyone, not just your trusted server.
Step 4. Test Redis with redis-cli
Passing the password via -a right on the command line is convenient for a one-off check, but unsafe for scripts — it ends up in shell history and is visible in ps aux output. For regular use, pass it through the REDISCLI_AUTH environment variable instead:
export REDISCLI_AUTH='YOUR_STRONG_PASSWORD'
redis-cli pingPONGFor a quick one-off manual check, -a is fine too:
redis-cli -a 'YOUR_STRONG_PASSWORD' pingWarning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
PONGThe warning is expected and harmless — it's just a reminder not to use -a in scripts. If you know what you're doing and want to suppress it (say, in a cron job), add the --no-auth-warning flag.
Redis also understands URI-style connections — with the username default (the default username for password-only authentication without ACLs):
redis-cli -u 'redis://default:YOUR_STRONG_PASSWORD@127.0.0.1:6379/0' pingIf REDISCLI_AUTH is already set in your current session, you can enter interactive mode without -a at all — or authenticate right inside it with the AUTH command:
127.0.0.1:6379> AUTH YOUR_STRONG_PASSWORD
OK
127.0.0.1:6379> PING
PONGCheck the basic commands — write, read, TTL, delete:
127.0.0.1:6379> SET greeting "hello from mhost"
OK
127.0.0.1:6379> GET greeting
"hello from mhost"
127.0.0.1:6379> EXPIRE greeting 60
(integer) 1
127.0.0.1:6379> TTL greeting
(integer) 60
127.0.0.1:6379> DEL greeting
(integer) 1Step 5. Typical use: cache and session store
As a cache
For a cache, you'd typically cap the memory Redis is allowed to use and turn on automatic eviction of old keys, so the application doesn't have to track data volume itself. Check how much RAM is free on the VPS:
free -hAdd a memory limit and eviction policy to /etc/redis/redis.conf (the MEMORY MANAGEMENT section), leaving headroom for the rest of the processes on the server:
maxmemory 256mb
maxmemory-policy allkeys-lruallkeys-lru makes Redis evict the least-recently-used keys itself once the limit is hit, regardless of whether they have a TTL set. That's memcached-like behavior, and it's enough for most caches.
Apply it without a restart, and persist the change to the file:
redis-cli -a 'YOUR_STRONG_PASSWORD' CONFIG SET maxmemory 256mb
redis-cli -a 'YOUR_STRONG_PASSWORD' CONFIG SET maxmemory-policy allkeys-lru
redis-cli -a 'YOUR_STRONG_PASSWORD' CONFIG REWRITECONFIG REWRITE writes the current values back into redis.conf so they survive a restart (you could skip the file edit above entirely and just use CONFIG SET + CONFIG REWRITE instead — either path lands in the same place).
Caching itself, from the application side, is just a SET with an expiration:
127.0.0.1:6379> SET cache:user:42 "{\"name\":\"demo\"}" EX 300
OKThe cache:user:42 key disappears on its own after 300 seconds — on a cache miss, the application just recomputes the value and writes it back.
As a session store
Most frameworks connect to Redis for sessions either via a connection string like redis://default:YOUR_STRONG_PASSWORD@127.0.0.1:6379/0 or via separate host/port/password settings — in Python (for example, via django-redis in Django), in Node.js (connect-redis on top of express-session), in PHP (many frameworks, including Laravel, support SESSION_DRIVER=redis out of the box). The exact environment variable names depend on the framework.
If the same Redis instance serves both cache and sessions, separate them by database number (SELECT, 16 databases available by default, 0–15) so the keys don't collide:
127.0.0.1:6379> SELECT 1
OK
127.0.0.1:6379[1]> SET session:abc123 "..."
OKBy default, Redis periodically snapshots data to disk (RDB, the save directive in redis.conf) — sessions will survive a service restart. If Redis is used purely as a disposable cache and losing data on restart is fine, you can turn persistence off for extra performance by setting save "" in redis.conf — but that's a separate topic, beyond the scope of this article.
What's next
Redis is installed, password-protected, and running as a systemd service. If you haven't gone through the general VPS security checklist yet, see the "Basic VPS security checklist" article. And once more: if Redis ever needs to become reachable from beyond loopback, go through all of step 3 — requirepass, a restricted bind, and a firewall rule scoped to a specific IP — all three together, not just one of them.