Redis Over Tor Hidden Service

Redis is one of the most widely deployed in-memory databases, serving as a cache, message queue, session store, and real-time data structure server. Exposing Redis to the internet, even with authentication, carries significant risk: Redis was historically designed for trusted networks, and vulnerabilities allowing unauthorized access can expose all stored data or lead to remote code execution. Even with strong passwords and TLS, a Redis instance on a public-facing port is an attack surface. Exposing Redis as a Tor hidden service removes that public listener: only clients with the .onion address can reach the Redis port, which takes it out of the internet-scanning attack surface. This guide covers the architecture for Redis hidden service deployment in multi-application environments.

Redis Security Architecture and Tor's Role

Redis has a history of security issues when exposed to the internet: default configurations had no authentication, SSRF vulnerabilities in other services could reach Redis on localhost, and Redis commands like CONFIG SET can write arbitrary files to disk when accessed by an attacker. The Redis security model assumes deployment in a trusted network - behind a firewall, accessible only from application servers on the same LAN. Tor hidden services recreate this trusted-network assumption over the internet: only clients who possess the .onion address can establish connections to Redis. Combined with Redis AUTH password and TLS (supported since Redis 6.0), a Tor-hosted Redis instance provides defense-in-depth: network-level isolation (only Tor clients can reach it), authentication (password required), and transport encryption (TLS). This is significantly more secure than Redis on a cloud provider's public IP with firewall rules.

Configuration for Redis Hidden Service

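On the Redis server, configure Redis to listen only on localhost: in redis.conf, set bind 127.0.0.1 (not 0.0.0.0) and set requirepass strongpassword for authentication, replacing strongpassword with a long random value. For TLS, generate a self-signed certificate and configure tls-port 6380 with the certificate paths. Then configure Tor in torrc: HiddenServiceDir /var/lib/tor/redis-service/ and HiddenServicePort 6379 127.0.0.1:6379 (or 6380 for TLS). The .onion address is now the only way to reach Redis from the network.

Client applications on other VPS instances connect using torify or torsocks: torsocks redis-cli -h youraddress.onion -p 6379 -a password. redis-cli warns that -a exposes the password on the command line; setting the REDISCLI_AUTH environment variable avoids that. Application code using redis-py must send its connection through the SOCKS5 proxy at 127.0.0.1:9050 (the local Tor SOCKS port on the application server). redis-py has no proxy option of its own, so run the application under torsocks or route the connection's socket through SOCKS5, and pass the .onion hostname to the proxy unresolved, because only Tor can resolve it.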
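A pre-deployment check for the two files described above, as an added example (not code from this guide or from the Redis or Tor projects): it flags a non-loopback bind, a missing or short requirepass, and a HiddenServicePort target that is not loopback or points at a port Redis does not listen on. The 32-character minimum, the function names and the sample files are assumptions made for this example.

```python
import ipaddress
import shlex
MIN_PASSWORD_LEN = 32  # assumed threshold for this example, not a Redis setting

def directives(text):
    """Parse redis.conf / torrc style text into (keyword, args) pairs."""
    rows = []
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#"):
            key, *args = shlex.split(line)
            rows.append((key.lower(), args))
    return rows

def is_loopback(host):
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return host == "localhost"

def audit(redis_conf, torrc):
    """Return findings where the files deviate from the loopback-only layout."""
    findings = []
    redis = directives(redis_conf)
    binds = [a.lstrip("-") for k, args in redis if k == "bind" for a in args]
    if not binds:
        findings.append("redis.conf: no bind directive")
    findings += [f"redis.conf: bind {a} is not loopback" for a in binds if not is_loopback(a)]
    passwords = [args[0] for k, args in redis if k == "requirepass" and args]
    if not passwords or len(passwords[-1]) < MIN_PASSWORD_LEN:
        findings.append("redis.conf: requirepass missing or too short")
    ports = {k: args[0] for k, args in redis if k in ("port", "tls-port") and args}
    listening = {ports.get("port", "6379"), ports.get("tls-port", "0")} - {"0"}
    for key, args in directives(torrc):
        if key != "hiddenserviceport" or not args:
            continue
        target = args[1] if len(args) > 1 else args[0]
        if target.startswith("unix:"):
            continue  # unix socket targets never leave the host
        host, _, port = target.rpartition(":")
        if not is_loopback(host or "127.0.0.1"):
            findings.append(f"torrc: HiddenServicePort target {target} is not loopback")
        elif port not in listening:
            findings.append(f"torrc: target port {port} has no Redis listener")
    return findings
# Constructed sample files: a weak pair, then the layout described above with TLS only.
WEAK = ("bind 0.0.0.0\nrequirepass strongpassword\n",
        "HiddenServicePort 6379 192.0.2.10:6379\n")
HARDENED = ("bind 127.0.0.1 -::1\nport 0\ntls-port 6380\nrequirepass " + "x" * 40,
            "HiddenServiceDir /var/lib/tor/redis-service/\nHiddenServicePort 6379 127.0.0.1:6380\n")
```

Calling audit(*WEAK) returns three findings and audit(*HARDENED) returns an empty list.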

Multi-Application Redis Access Over Tor

When multiple application servers need to share a Redis instance, the Tor architecture scales: each application server runs a Tor client and connects to the same Redis .onion address. On each application server, install Tor (apt install tor), leave it in the default client-only configuration (no relay configuration is needed), and set the application's Redis connection to use the SOCKS5 proxy at 127.0.0.1:9050. Each application server builds an independent Tor circuit to the Redis .onion address. This creates redundancy: if one Tor circuit fails, the application establishes a new circuit automatically. Latency: each Redis command over Tor adds 200-500ms compared to a direct network connection. Design applications to minimize Redis round trips (use pipelines and batch operations) so that latency does not accumulate.
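The client side of this setup at the wire level, as an added example (not code from this guide or from redis-py): a standard-library sketch that asks the local Tor SOCKS5 port to connect to the .onion by name, and encodes several commands as one pipelined write so they share a single round trip. The helper names and the 60-second timeout are assumptions; TLS is not shown.

```python
import socket
import struct

def socks5_request(host, port):
    """SOCKS5 CONNECT with ATYP 0x03 (domain name), so Tor resolves the .onion itself."""
    name = host.encode("ascii")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack(">H", port)

def resp(*args):
    """Encode one Redis command as a RESP array of bulk strings."""
    parts = [b"*%d\r\n" % len(args)]
    for a in args:
        a = a if isinstance(a, bytes) else str(a).encode()
        parts.append(b"$%d\r\n%s\r\n" % (len(a), a))
    return b"".join(parts)

def pipeline(commands):
    """Concatenate commands so they cross the Tor circuit in one write."""
    return b"".join(resp(*c) for c in commands)

def read_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf

def open_via_tor(onion, port, proxy=("127.0.0.1", 9050), timeout=60):
    """Return a socket connected to onion:port through the local Tor SOCKS port."""
    s = socket.create_connection(proxy, timeout=timeout)
    s.sendall(b"\x05\x01\x00")  # greeting: offer "no authentication" only
    if read_exact(s, 2) != b"\x05\x00":
        raise ConnectionError("SOCKS5 method negotiation failed")
    s.sendall(socks5_request(onion, port))
    _ver, rep, _rsv, atyp = read_exact(s, 4)
    if rep != 0:
        raise ConnectionError(f"SOCKS5 connect failed, reply code {rep}")
    addr_len = {1: 4, 4: 16}.get(atyp) or read_exact(s, 1)[0]
    read_exact(s, addr_len + 2)  # discard the bound address and port
    return s
```

A caller would send pipeline([("AUTH", password), ("INCR", "hits"), ("EXPIRE", "hits", 60)]) with one sendall on the socket returned by open_via_tor, then read the three replies.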

Redis as a Message Queue Over Tor

Redis Streams and Redis Lists are commonly used for message queue patterns (producer/consumer, pub/sub). Running a Redis message queue as a Tor hidden service enables distributed applications to exchange messages without any shared clearnet infrastructure. Architecture: producer applications (on separate VPS instances or locations) publish messages to Redis Streams via Tor. Consumer applications subscribe to streams via Tor. The Redis instance (as .onion) is the only shared infrastructure - no MQTT broker, no Kafka cluster, no RabbitMQ - just Redis, accessible only via .onion. For privacy-sensitive message queue use cases (distributed applications where the participants should not expose their network locations to each other or to third parties), this pattern provides strong isolation.

Monitoring and Maintenance Over Tor

Redis monitoring tools (RedisInsight, redis-cli monitor, custom metrics exporters) work over Tor connections. For Prometheus-based monitoring: run redis_exporter on the Redis server (localhost), expose it as a separate .onion service, and configure Prometheus to scrape the exporter via Tor. RedisInsight (the official GUI): configure SOCKS5 proxy in RedisInsight settings (127.0.0.1:9050) and connect using the .onion address. For routine maintenance: redis-cli via torsocks supports all standard Redis commands. FLUSHDB, BGREWRITEAOF, CONFIG REWRITE, and other maintenance commands work normally over Tor connections. Key concern: avoid running MONITOR (which logs all commands) over Tor, because high-frequency command logging over a high-latency connection has a significant performance impact.
