Redis Configuration for HA¶
Section: High Availability | Article 16
Audience: System Administrators
Last Updated: 2026-04-07
Overview¶
Redis is required for all RP-PAM high-availability deployments. It serves three critical functions:
| Function | Description |
|---|---|
| Leader election | Nodes use a Redis-based distributed lock to elect the cluster leader |
| Distributed cache | Session tokens, rate-limit counters, and hot configuration data are cached in Redis |
| Heartbeat coordination | Each node publishes heartbeats to Redis so other nodes can detect failures |
A single Redis instance is sufficient for most deployments. For production environments that require Redis-level HA, see Redis Sentinel at the end of this article.
Prerequisites¶
| Requirement | Detail |
|---|---|
| Redis version | 6.2 or later (7.x recommended) |
| Network access | All RP-PAM nodes must be able to reach Redis on port 6379 (or your chosen port) |
| Memory | Minimum 256 MB dedicated to Redis; 1 GB recommended for clusters with 50+ active sessions |
| RP-PAM license | Enterprise or MSP tier (Standard does not include HA) |
Install Redis on Linux¶
Ubuntu / Debian¶
sudo apt update
sudo apt install -y redis-server
# Verify installation
redis-server --version
# Expected: Redis server v=7.x.x ...
# Enable and start
sudo systemctl enable redis-server
sudo systemctl start redis-server
sudo systemctl status redis-server
RHEL / CentOS / Rocky / Alma¶
sudo dnf install -y redis
# Verify installation
redis-server --version
# Enable and start
sudo systemctl enable redis
sudo systemctl start redis
sudo systemctl status redis
Install Redis on Windows (Docker)¶
Redis does not have an official Windows build. The recommended approach for Windows environments is Docker.
Prerequisites¶
- Docker Desktop installed and running, or Docker Engine on Windows Server with Hyper-V/WSL2
Pull and Run Redis¶
PowerShell:
# Pull the Redis 7 image
docker pull redis:7
# Run Redis with a password and persistence
docker run -d `
--name rppam-redis `
-p 6379:6379 `
-v rppam-redis-data:/data `
--restart unless-stopped `
redis:7 `
--requirepass "YOUR_STRONG_REDIS_PASSWORD" `
--appendonly yes
# Verify it is running
docker ps --filter name=rppam-redis
Linux (bash):
docker pull redis:7
docker run -d \
--name rppam-redis \
-p 6379:6379 \
-v rppam-redis-data:/data \
--restart unless-stopped \
redis:7 \
--requirepass "YOUR_STRONG_REDIS_PASSWORD" \
--appendonly yes
docker ps --filter name=rppam-redis
Alternative: Memurai (Native Windows)¶
If Docker is not an option, Memurai is a Redis-compatible server that runs natively on Windows. Download it from https://www.memurai.com/. Configuration is identical to Redis — use the same connection string format in rppam.config.
Configure Redis Security¶
Set a Strong Password (requirepass)¶
Every production Redis instance must have a password. Without one, anyone with network access to port 6379 can read and modify cluster data.
If installed directly on Linux, edit the Redis configuration file:
Find and set:
Generate a strong password (at least 32 characters):
# PowerShell equivalent
-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 48 | ForEach-Object { [char]$_ })
Restart Redis after changing the configuration:
Bind to Specific Interfaces¶
By default, Redis may bind only to 127.0.0.1. For HA, you must allow connections from other RP-PAM nodes.
In /etc/redis/redis.conf:
# Allow connections from any interface (secure with firewall rules)
bind 0.0.0.0
# Or bind to a specific interface
bind 10.0.1.20
Disable Dangerous Commands (Recommended)¶
Prevent accidental or malicious use of commands that could destroy data:
rename-command FLUSHALL ""
rename-command FLUSHDB ""
rename-command CONFIG "RPPAM_CONFIG_b7d3a1"
rename-command DEBUG ""
Enable TLS (Recommended for Production)¶
If your Redis instance supports TLS:
tls-port 6379
port 0
tls-cert-file /etc/redis/tls/redis.crt
tls-key-file /etc/redis/tls/redis.key
tls-ca-cert-file /etc/redis/tls/ca.crt
tls-auth-clients optional
When TLS is enabled, update the rppam.config connection string accordingly (see below).
Enable Persistence¶
Redis must persist data to survive restarts. RP-PAM requires AOF (Append Only File) persistence at minimum.
In /etc/redis/redis.conf:
For Docker deployments, the --appendonly yes flag passed at container creation handles this. Data is stored in the rppam-redis-data volume.
Verify Redis Is Working¶
From the Redis Host¶
redis-cli -a YOUR_STRONG_REDIS_PASSWORD ping
# Expected: PONG
redis-cli -a YOUR_STRONG_REDIS_PASSWORD info server | head -10
From an RP-PAM Node (Remote)¶
Linux:
PowerShell (if redis-cli is available via Docker):
If you receive Could not connect, check:
1. Redis is running (sudo systemctl status redis-server)
2. Redis is bound to the correct interface (bind directive)
3. Firewall allows port 6379 from the RP-PAM node
Configure rppam.config¶
Add or update the redis section in rppam.config on every RP-PAM node.
Windows path: C:\ProgramData\Ravenphyre\RP-PAM\rppam.config
Linux path: /etc/rppam/rppam.config
Without TLS¶
{
"redis": {
"enabled": true,
"connectionString": "10.0.1.20:6379,password=YOUR_STRONG_REDIS_PASSWORD,ssl=false,abortConnect=false",
"keyPrefix": "rppam:",
"tlsEnabled": false
}
}
With TLS¶
{
"redis": {
"enabled": true,
"connectionString": "10.0.1.20:6379,password=YOUR_STRONG_REDIS_PASSWORD,ssl=true,abortConnect=false",
"keyPrefix": "rppam:",
"tlsEnabled": true,
"tlsCertPath": "/etc/rppam/certs/redis-client.pfx",
"tlsCertPassword": "encrypted:base64-encrypted-password-here"
}
}
Connection String Parameters¶
| Parameter | Description | Default |
|---|---|---|
password |
The requirepass password |
(none) |
ssl |
Enable TLS | false |
abortConnect |
If true, throw immediately on connection failure. Set to false for HA (retry on reconnect). |
true |
connectTimeout |
Connection timeout in milliseconds | 5000 |
syncTimeout |
Synchronous operation timeout in milliseconds | 5000 |
connectRetry |
Number of connection retries | 3 |
Key Prefix¶
The keyPrefix setting (rppam: by default) ensures RP-PAM keys do not collide with other applications sharing the same Redis instance. If you run multiple RP-PAM clusters against the same Redis, give each cluster a unique prefix (e.g., rppam-prod:, rppam-staging:).
Restart RP-PAM¶
After updating rppam.config, restart the RP-PAM service on each node.
Windows PowerShell:
Linux:
Verify Redis connectivity from the cluster health endpoint:
PowerShell:
$health = Invoke-RestMethod -Uri "http://localhost:7101/system/health/cluster" `
-Headers @{ Authorization = "Bearer $adminJwt" }
$health.redisConnected
# Expected: True
Linux:
curl -s http://localhost:7101/system/health/cluster \
-H "Authorization: Bearer $ADMIN_JWT" | jq .redisConnected
# Expected: true
Redis Sentinel for Production¶
For environments where Redis itself must be highly available, use Redis Sentinel. Sentinel monitors Redis instances and automatically promotes a replica if the primary fails.
Architecture¶
RP-PAM Node 1 ──┐
RP-PAM Node 2 ──┤──► Redis Sentinel (3 sentinels)
RP-PAM Node 3 ──┘ │
┌──────┼──────┐
▼ ▼ ▼
Redis Redis Redis
Primary Replica Replica
Minimum Requirements¶
- 3 Sentinel instances (can co-locate with RP-PAM nodes or Redis replicas)
- 1 Redis primary + 2 Redis replicas
- All instances must be able to communicate on ports 6379 (Redis) and 26379 (Sentinel)
Connection String for Sentinel¶
When using Sentinel, the rppam.config connection string changes:
{
"redis": {
"enabled": true,
"connectionString": "10.0.1.20:26379,10.0.1.21:26379,10.0.1.22:26379,serviceName=rppam-master,password=YOUR_STRONG_REDIS_PASSWORD,abortConnect=false",
"keyPrefix": "rppam:",
"tlsEnabled": false
}
}
The serviceName must match the master name configured in your Sentinel configuration.
Note: Full Redis Sentinel setup is beyond the scope of this guide. Refer to the official Redis Sentinel documentation for detailed configuration instructions.
Troubleshooting¶
| Problem | Cause | Solution |
|---|---|---|
redisConnected: false in cluster health |
RP-PAM cannot reach Redis | Verify Redis is running; check firewall allows port 6379 from all nodes |
NOAUTH Authentication required |
Password mismatch | Ensure the password in the connection string matches the requirepass in Redis |
Connection refused |
Redis not bound to the correct interface | Check the bind directive in redis.conf; set to 0.0.0.0 or the specific IP |
| High memory usage on Redis | Too many cached sessions or large key prefix collision | Check redis-cli info memory; increase maxmemory or review keyPrefix uniqueness |
LOADING Redis is loading the dataset in memory |
Redis restarted and is replaying AOF | Wait for loading to complete; this typically takes seconds to minutes depending on data size |
| Docker container exits immediately | Incorrect command syntax or port conflict | Check docker logs rppam-redis for error details |
| TLS handshake failure | Certificate mismatch or expired cert | Verify certificates are valid and trusted; check tlsCertPath in rppam.config |
Next Steps¶
- VIP Failover Configuration -- Configure a virtual IP for automatic client failover
- Witness Node Setup -- Add a lightweight quorum voter for even-number clusters
- Failover Testing -- Verify your HA cluster handles failures correctly
RP-PAM v1.0.0 -- Copyright 2026 Ravenphyre. All rights reserved.