Redis Caching for Tor Hidden Services: Compensating for Circuit Latency

Install Redis on the .onion server: apt install redis-server. Configure /etc/redis/redis.conf for security: bind 127.0.0.1 (Redis should never be accessible outside the server), requirepass yourRedisPassword (authentication for Redis), maxmemory 256mb (set a memory limit appropriate for your server - prevents Redis consuming all available RAM), maxmemory-policy allkeys-lru (evict least-recently-used keys when memory is full). Enable persistence: appendonly yes ensures Redis data survives restarts (important for session caches). For .onion-specific settings, Redis's in-memory nature makes it fast enough that additional performance tuning is rarely needed beyond the maxmemory configuration. Test connectivity: redis-cli -a yourRedisPassword ping should return PONG.

Cache expensive database queries in Redis with appropriate TTLs. Pattern: key = 'query:hash(sql+params)', value = JSON-serialized result, TTL = depends on data freshness requirements. For a Python Flask app: from redis import Redis r = Redis(host='localhost', port=6379, password='yourpass'). Cache a user profile: cache_key = f'user:{user_id}:profile', cached = r.get(cache_key), if not cached: profile = db.query(...), r.setex(cache_key, 300, json.dumps(profile)). For a Node.js Express app: const redis = require('redis'), client = redis.createClient(). Same pattern with client.get/client.setEx. Cache invalidation: when user profile updates, call r.delete(f'user:{user_id}:profile') to force the next request to re-query. For .onion services where Tor circuit latency already adds 300ms-2s, eliminating a 50-200ms database query through caching provides meaningful improvement to total response time.

Storing user sessions in Redis rather than server memory or database provides: (1) Horizontal scaling - multiple application instances share the same session store, enabling load balancing across OnionBalance backends. (2) Session persistence across application restarts without database writes. (3) Fast session lookup (microseconds) compared to database queries. For Flask: install flask-session, configure SESSION_TYPE='redis', SESSION_REDIS=Redis(...). For Express.js: install connect-redis and express-session, configure store = new RedisStore({client}), app.use(session({store})). Configure session TTL to match your expected session length (e.g., 3600 for 1-hour sessions). For .onion services where users tolerate higher login friction (due to Tor latency), longer session TTLs reduce re-authentication frequency - consider 24-hour session TTL for productivity .onion applications.

Rate limiting protects .onion services from abuse while managing resource utilization. Redis's INCR + EXPIRE commands provide atomic rate limiting. Pattern: for IP-based rate limiting (using Tor exit IP, which is shared but useful for burst control): key = 'ratelimit:{exit_ip}:{minute}', count = INCR(key), if count == 1: EXPIRE(key, 60), if count > 100: return 429 Too Many Requests. For user-based rate limiting: key = 'ratelimit:user:{user_id}:{hour}'. Sliding window rate limiting with Redis sorted sets: ZADD rate:{user_id} {timestamp} {uuid}, ZREMRANGEBYSCORE to remove old entries, ZCARD to count current. For .onion services implementing registration or login endpoints vulnerable to credential stuffing: implement progressive delay (INCR attempts:{ip}, delay = min(attempts^2, 30) seconds) which is more user-friendly than hard blocking.

Redis pub/sub enables real-time features in .onion applications without maintaining long-lived WebSocket connections (which are challenging over Tor's latency). Pattern: multiple application instances subscribe to Redis channels; when any instance processes an event, it publishes to Redis; all subscribers receive the event. Use cases for .onion services: (1) Forum/chat - when a user posts, publish to the 'new_messages' channel; all application instances notify connected users. (2) Notifications - publish system events (new order, support ticket reply) to user-specific channels. (3) Cache invalidation broadcast - when one application instance invalidates a cache entry, publish to 'cache_invalidate' channel so all instances clear their local caches too. Server-sent events (SSE) are a simpler alternative to WebSocket for push notifications over Tor's HTTP, and Redis pub/sub integrates naturally with SSE implementations in most web frameworks.