Contributor

@NicoMolinaOZ NicoMolinaOZ commented Dec 22, 2025

Summary

  • WIP for now

Testing Process

Checklist

  • Add a reference to related issues in the PR description.
  • Add unit tests if applicable.

Note

If you are using Relayer in your stack, consider adding your team or organization to our list of Relayer Users in the Wild!

Summary by CodeRabbit

  • Chores
    • Redis no longer exposed on localhost:6379; port mapping removed across all configurations
    • Redis protected mode now enabled by default on startup
    • Enhanced security hardening in metrics example with read-only filesystem mounts, user access restrictions, and temporary storage allocation


@NicoMolinaOZ NicoMolinaOZ requested a review from a team as a code owner December 22, 2025 21:05

coderabbitai bot commented Dec 22, 2025

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

Port mappings for Redis are removed across 18 docker-compose files, and protected mode is enabled via --protected-mode yes command arguments. Redis is no longer externally accessible via host ports.

Changes

Cohort / File(s) and summary:

  • Root-level Docker Compose (docker-compose.integration.yml, docker-compose.yaml): removed the Redis port mapping; added --protected-mode yes to the Redis command arguments.
  • Example Docker Compose Files (examples/basic-example*/docker-compose.yaml, examples/channels-plugin-example/docker-compose.yaml, examples/evm-*-signer/docker-compose.yaml, examples/gas-price-caching/docker-compose.yaml, examples/horizontal-scaling/docker-compose.yaml, examples/launchtube-plugin-example/docker-compose.yaml, examples/network-configuration-*/docker-compose.yaml, examples/redis-storage/docker-compose.yaml, examples/solana-*/docker-compose.yaml, examples/stellar-*/docker-compose.yaml, examples/vault-*/docker-compose.yaml): consistently removed the Redis port mapping (6379:6379/tcp) and added --protected-mode yes to the Redis startup command across all examples.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~10 minutes

Suggested reviewers

  • dylankilkenny

Poem

🐰 A lock upon the Redis door,
No ports exposed forevermore!
Protected mode stands guard with pride,
While secrets safely stay inside! 🔒

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)
  • Description check: ❓ Inconclusive. The PR description is a work-in-progress (WIP) with minimal detail. It follows the template structure but lacks substantive content in the Summary and Testing Process sections. Resolution: complete the Summary section with specific details about what security improvements were made to the Redis container (e.g., enabled protected mode, removed port exposure), and fill in the Testing Process section describing how these changes were verified.

✅ Passed checks (2 passed)
  • Title check: ✅ Passed. The title 'chore: Improve security redis container' accurately describes the main change across all modified files: removing Redis port exposure and enabling protected mode.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 11

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
docker-compose.yaml (1)

2-2: Update the outdated comment.

The comment references port 6379 for the Redis server, but the Redis port mapping has been removed as part of this security improvement. Redis is now only accessible internally via Docker networks.

🔎 Suggested fix
-# Ports `8080` for relayer server, `6379`for redis server.
+# Port `8080` for relayer server. Redis is only accessible internally via Docker networks.
🧹 Nitpick comments (2)
examples/evm-cdp-signer/docker-compose.yaml (1)

41-42: LGTM: Protected mode improves Redis security.

Enabling --protected-mode yes prevents external connections to Redis when no password is configured, which is appropriate given that the port mappings have been removed and Redis runs on internal Docker networks only.

For production deployments, consider adding Redis authentication:

💡 Suggested enhancement: Add Redis authentication
    command:
      - redis-server
      - --appendonly
      - 'yes'
      - --save
      - '60'
      - '1'
      - --protected-mode
      - 'yes'
+      - --requirepass
+      - ${REDIS_PASSWORD}

Then update the REDIS_URL environment variable in the relayer service to include the password:

-      REDIS_URL: ${REDIS_URL}
+      REDIS_URL: redis://:${REDIS_PASSWORD}@redis:6379
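Review bot: `${REDIS_PASSWORD}` is substituted with an empty string (with only a warning) when the variable is not set, which turns the added argument into `--requirepass ''`, i.e. no password at all, and protected mode then keeps rejecting the relayer; write it as `${REDIS_PASSWORD:?REDIS_PASSWORD must be set}` in both the command list and REDIS_URL so `docker compose` refuses to start instead. Also keep in mind that a password passed as a command argument is visible in `docker inspect` output for the container; mounting a redis.conf that sets `requirepass` as a secret keeps it out of the container metadata.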

Note: This same pattern applies to all docker-compose files in this PR.

examples/solana-turnkey-signer/docker-compose.yaml (1)

58-59: Consider removing unused vault-data volume.

The vault-data volume is defined but not referenced by any service in this compose file. If it's not needed for this example, consider removing it for clarity.

🔎 Suggested cleanup
volumes:
  redis_data:
    driver: local
-  vault-data:
-    driver: local
secrets:
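Review bot: before dropping `vault-data`, check that no override or sibling compose file for this example mounts it; named volumes are declared per project, so a service that still references the name would fail to start once the declaration is gone. For the file as shown, the removal is correct.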
📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2915e69 and 7d3a628.

📒 Files selected for processing (26)
  • docker-compose.integration.yml
  • docker-compose.yaml
  • examples/basic-example-logging/docker-compose.yaml
  • examples/basic-example-metrics/docker-compose.yaml
  • examples/basic-example-plugin/docker-compose.yaml
  • examples/basic-example/docker-compose.yaml
  • examples/channels-plugin-example/docker-compose.yaml
  • examples/evm-aws-kms-signer/docker-compose.yaml
  • examples/evm-cdp-signer/docker-compose.yaml
  • examples/evm-gcp-kms-signer/docker-compose.yaml
  • examples/evm-turnkey-signer/docker-compose.yaml
  • examples/gas-price-caching/docker-compose.yaml
  • examples/horizontal-scaling/docker-compose.yaml
  • examples/launchtube-plugin-example/docker-compose.yaml
  • examples/network-configuration-config-file/docker-compose.yaml
  • examples/network-configuration-json-file/docker-compose.yaml
  • examples/redis-storage/docker-compose.yaml
  • examples/solana-aws-kms-signer/docker-compose.yaml
  • examples/solana-cdp-signer/docker-compose.yaml
  • examples/solana-google-cloud-kms-signer/docker-compose.yaml
  • examples/solana-turnkey-signer/docker-compose.yaml
  • examples/stellar-aws-kms-signer/docker-compose.yaml
  • examples/stellar-gcp-kms-signer/docker-compose.yaml
  • examples/stellar-turnkey-signer/docker-compose.yaml
  • examples/vault-secret-signer/docker-compose.yaml
  • examples/vault-transit-signer/docker-compose.yaml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)
  • GitHub Check: boostsecurity - boostsecurityio/semgrep-pro
  • GitHub Check: Redirect rules - openzeppelin-relayer
  • GitHub Check: Header rules - openzeppelin-relayer
  • GitHub Check: Pages changed - openzeppelin-relayer
  • GitHub Check: Analyze (rust)
  • GitHub Check: semgrep/ci
🔇 Additional comments (10)
examples/gas-price-caching/docker-compose.yaml (1)

43-44: Security improvements look good.

The protected mode enablement and port mapping removal (mentioned in summary) follow the same security hardening pattern applied across all examples.

examples/redis-storage/docker-compose.yaml (1)

47-48: Security improvements look good.

The protected mode enablement and port mapping removal follow the established security pattern.

examples/basic-example-logging/docker-compose.yaml (1)

54-55: Security improvements look good.

The protected mode enablement and port mapping removal follow the established security pattern.

examples/basic-example/docker-compose.yaml (1)

45-46: Security improvements look good.

The protected mode enablement and port mapping removal follow the established security pattern.

examples/channels-plugin-example/docker-compose.yaml (1)

58-59: Security improvements look good.

The protected mode enablement and port mapping removal follow the established security pattern.

examples/launchtube-plugin-example/docker-compose.yaml (1)

56-57: Security improvements look good.

The protected mode enablement and port mapping removal follow the established security pattern.

examples/vault-transit-signer/docker-compose.yaml (1)

43-44: Security improvements look good.

The protected mode enablement and port mapping removal follow the established security pattern.

examples/basic-example-metrics/docker-compose.yaml (3)

72-73: Excellent security hardening for Prometheus!

Running as a non-root user (65534:65534), a read-only filesystem, a read-only config mount, and tmpfs for temporary storage are all security best practices that significantly reduce the attack surface.

Also applies to: 83-86


92-93: Excellent security hardening for Grafana!

Running as the standard Grafana user (472:472), with a read-only filesystem, read-only configuration mounts, and tmpfs for logs, effectively hardens the container following security best practices.

Also applies to: 102-108


120-123: Proper volume setup for metrics persistence.

The named volumes for Prometheus and Grafana data ensure metrics and dashboard data persist across container restarts.

Comment on lines +45 to +46
- --protected-mode
- 'yes'
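Review bot: with no password configured, this pair of arguments makes redis-server accept only loopback and Unix-socket clients, so the relayer's connection over the compose network (REDIS_URL: redis://redis:6379) is refused with a DENIED reply; the flag only adds protection when paired with `--requirepass` and a credentialed REDIS_URL, otherwise drop it and rely on the removed port mapping. Note that a redis-cli healthcheck run inside the container would still pass, since it connects via 127.0.0.1, so the breakage surfaces only in the relayer's logs.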

⚠️ Potential issue | 🔴 Critical

Critical: Protected mode will break Redis connectivity.

With --protected-mode yes and no password, Redis will reject connections from the relayer container (line 14 shows REDIS_URL: redis://redis:6379). Inter-container connections are blocked by protected mode when authentication is not configured.

Recommended fix - remove protected mode:

-      - --protected-mode
-      - 'yes'

Network isolation (no host port exposure) already secures Redis for this deployment.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- --protected-mode
- 'yes'
🤖 Prompt for AI Agents
In examples/basic-example-plugin/docker-compose.yaml around lines 45-46, the
Redis service is started with "--protected-mode 'yes'", which will block
inter-container connections without authentication; remove the
"--protected-mode" and "'yes'" entries (or set protected-mode to "no") so the
relayer container can connect using REDIS_URL=redis://redis:6379, ensuring the
deployment relies on Docker network isolation rather than protected-mode for
security.

Comment on lines +48 to +49
- --protected-mode
- 'yes'

⚠️ Potential issue | 🔴 Critical

Critical: Protected mode will break Redis connectivity.

Enabling --protected-mode yes without a password will cause Redis to reject connections from the relayer container (defined on line 16: REDIS_URL: redis://redis:6379).

Remove protected mode since network-level security is already in place:

-      - --protected-mode
-      - 'yes'
📝 Committable suggestion


Suggested change
- --protected-mode
- 'yes'
🤖 Prompt for AI Agents
In examples/evm-aws-kms-signer/docker-compose.yaml around lines 48-49, the Redis
service enables "--protected-mode 'yes'" which will block incoming connections
from other containers (like the relayer using REDIS_URL redis://redis:6379);
remove the "--protected-mode" (and its value) entries so Redis accepts container
network connections, ensuring network-level security via docker-compose network
isolation instead of Redis protected mode.

Comment on lines +44 to +45
- --protected-mode
- 'yes'

⚠️ Potential issue | 🔴 Critical

Critical: Protected mode will break Redis connectivity.

Enabling protected mode without authentication will prevent the relayer from connecting to Redis. Remove these lines since Redis is already secured via network isolation:

-      - --protected-mode
-      - 'yes'
📝 Committable suggestion


Suggested change
- --protected-mode
- 'yes'
🤖 Prompt for AI Agents
In examples/evm-turnkey-signer/docker-compose.yaml around lines 44-45, protected
mode is enabled for the Redis service which will block external clients (like
the relayer) when no authentication is configured; remove the two lines
(--protected-mode and 'yes') from the Redis command stanza so Redis runs without
protected mode (network isolation already secures it).

Comment on lines +251 to +252
- --protected-mode
- 'yes'

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

fd -name "docker-compose.yaml" examples/horizontal-scaling/ --type f

Repository: OpenZeppelin/openzeppelin-relayer

Length of output: 307


🏁 Script executed:

cat examples/horizontal-scaling/docker-compose.yaml | head -300

Repository: OpenZeppelin/openzeppelin-relayer

Length of output: 7106


Fix Redis connectivity: protected mode enabled without authentication.

Enabling --protected-mode yes without authentication blocks non-localhost connections. The relayers connect via the Docker network hostname (redis://redis:6379), which Redis treats as non-loopback and rejects with a DENIED error.

Resolve by either:

  1. Setting a password with --requirepass and updating relayer REDIS_URL to include credentials, or
  2. Disabling protected mode with --protected-mode no (ensure firewall/network isolation is in place)
🤖 Prompt for AI Agents
In examples/horizontal-scaling/docker-compose.yaml around lines 251-252, Redis
is started with protected mode enabled ('--protected-mode yes') which blocks
non-localhost connections from the Docker network; to fix, either (A) enable
authentication by adding a Redis password via '--requirepass <PASSWORD>' and
update the relayer REDIS_URL to include credentials
(redis://:<PASSWORD>@redis:6379) or (B) disable protected mode by changing to
'--protected-mode no' (only if you ensure network/firewall isolation); apply one
of these changes and update any environment variables or secrets accordingly.
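To make the finding in the review comments above checkable, here is an added shell example; it is not code from the PR or from the openzeppelin-relayer project. It writes two constructed compose fragments, the weak form the comments flag (`--protected-mode yes` with no `--requirepass`) and a hardened form that keeps protected mode but adds `--requirepass` and a credentialed REDIS_URL, then audits each one for protected mode without a password and for a REDIS_URL that lacks the credential once a password is required. The service names, the `redis:7` image tag and the REDIS_PASSWORD variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the PR or the openzeppelin-relayer project.
# Audits a compose file for the problem raised in the review: Redis started
# with `--protected-mode yes` but no `--requirepass`, which leaves only
# loopback clients able to connect, plus a REDIS_URL that lacks the credential
# once a password is required. Service names, the redis:7 tag and the
# REDIS_PASSWORD variable are assumptions made for this example.
set -eu

# Weak variant (constructed): protected mode on, no password, plain REDIS_URL.
write_weak_compose() {
  cat > "$1" <<'EOF'
services:
  relayer:
    image: example/relayer:latest
    environment:
      REDIS_URL: redis://redis:6379
  redis:
    image: redis:7
    command:
      - redis-server
      - --appendonly
      - 'yes'
      - --protected-mode
      - 'yes'
EOF
}

# Hardened variant (constructed): protected mode kept, password required, and
# the relayer URL carries the credential. ${VAR:?msg} makes compose abort when
# the variable is unset instead of substituting an empty password.
write_hardened_compose() {
  cat > "$1" <<'EOF'
services:
  relayer:
    image: example/relayer:latest
    environment:
      REDIS_URL: 'redis://:${REDIS_PASSWORD:?REDIS_PASSWORD must be set}@redis:6379'
  redis:
    image: redis:7
    command:
      - redis-server
      - --appendonly
      - 'yes'
      - --protected-mode
      - 'yes'
      - --requirepass
      - '${REDIS_PASSWORD:?REDIS_PASSWORD must be set}'
EOF
}

# Prints one line per finding; returns 1 if anything was found, 0 otherwise.
# The check is textual (awk/grep) and handles both the list form used in the
# compose files of this PR and an inline `--protected-mode yes`.
audit_redis_compose() {
  f="$1"
  rc=0
  protected=$(awk '
    /--protected-mode/ {
      if ($0 ~ /yes/) { print "yes"; exit }
      if ((getline nxt) > 0 && nxt ~ /yes/) { print "yes"; exit }
      print "no"; exit
    }' "$f")
  if [ "${protected:-no}" = "yes" ] && ! grep -q -- '--requirepass' "$f"; then
    echo "$f: --protected-mode yes without --requirepass: only loopback clients are accepted"
    rc=1
  fi
  if grep -q -- '--requirepass' "$f" && grep 'REDIS_URL:' "$f" | grep -Evq 'redis://:[^@]+@'; then
    echo "$f: --requirepass is set but a REDIS_URL carries no credential"
    rc=1
  fi
  return $rc
}

main() {
  tmp=$(mktemp -d)
  write_weak_compose "$tmp/weak.yaml"
  write_hardened_compose "$tmp/hardened.yaml"
  for f in "$tmp/weak.yaml" "$tmp/hardened.yaml"; do
    if audit_redis_compose "$f"; then echo "$f: ok"; fi
  done
  rm -rf "$tmp"
}

main
```

Running the script reports the weak file and passes the hardened one. The `${REDIS_PASSWORD:?...}` form matters: a plain `${REDIS_PASSWORD}` is replaced by an empty string when the variable is unset, which yields `--requirepass ''` (no password) and leaves protected mode rejecting the relayer exactly as before. The audit is a grep/awk pass rather than a YAML parser, so it is suited to the list-style `command:` blocks in these files and will not understand anchors or multi-document files.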

Comment on lines +41 to +42
- --protected-mode
- 'yes'

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

find . -path "*examples/solana-cdp-signer*" -name "docker-compose.yaml" -type f

Repository: OpenZeppelin/openzeppelin-relayer

Length of output: 125


🏁 Script executed:

sed -n '1,60p' ./examples/solana-cdp-signer/docker-compose.yaml | cat -n

Repository: OpenZeppelin/openzeppelin-relayer

Length of output: 1607


Critical: Protected mode will break Redis connectivity without authentication.

Enabling --protected-mode yes without configuring a password via --requirepass will prevent the relayer service from connecting to Redis. When protected mode is enabled and no password is set, Redis returns "DENIED Redis is running in protected mode", blocking inter-container connections.

Since Redis is already secured by network isolation (no host port exposure), you should either:

  1. Remove protected mode (recommended):

    -      - --protected-mode
    -      - 'yes'
  2. Or add authentication with --requirepass and update the REDIS_URL environment variable accordingly.

📝 Committable suggestion


Suggested change
- --protected-mode
- 'yes'
🤖 Prompt for AI Agents
In examples/solana-cdp-signer/docker-compose.yaml around lines 41-42, the Redis
service sets "--protected-mode 'yes'" which will block inter-container
connections when no password is configured; remove the "--protected-mode" entry
(recommended) so Redis relies on Docker network isolation, or alternatively add
a "--requirepass <strong-password>" argument and update the relayer service
REDIS_URL environment variable to include the password
(redis://:<password>@redis:6379/0) so clients can authenticate.

Comment on lines +48 to +49
- --protected-mode
- 'yes'

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

cat -n examples/solana-google-cloud-kms-signer/docker-compose.yaml

Repository: OpenZeppelin/openzeppelin-relayer

Length of output: 2416


Critical: Redis protected mode requires either authentication or to be disabled.

The configuration enables --protected-mode yes without setting an authentication password via --requirepass. When protected mode is enabled without authentication, connections are only accepted from the loopback interface. This will block the relayer service from connecting via the Docker network.

Either:

  1. Disable protected mode: --protected-mode no (acceptable for internal networks without port mappings), or
  2. Add authentication: --requirepass '${REDIS_PASSWORD}' and update REDIS_URL to include credentials
🤖 Prompt for AI Agents
In examples/solana-google-cloud-kms-signer/docker-compose.yaml around lines
48-49, protected mode is enabled without authentication which will prevent other
Docker services from connecting; either set protected mode to no or add Redis
authentication and update service URLs: change the flag to --protected-mode no
for internal-only networks, or add --requirepass '${REDIS_PASSWORD}', ensure
REDIS_PASSWORD is defined in the environment, and update REDIS_URL(s) used by
other services to include the credential
(redis://:${REDIS_PASSWORD}@hostname:port) so the relayer can connect.

Comment on lines +48 to +49
- --protected-mode
- 'yes'

⚠️ Potential issue | 🔴 Critical

Critical: Protected mode will break Redis connectivity.

Protected mode without authentication blocks inter-container connections. The relayer will fail to connect to Redis.

Remove protected mode:

-      - --protected-mode
-      - 'yes'
📝 Committable suggestion


Suggested change
- --protected-mode
- 'yes'
🤖 Prompt for AI Agents
In examples/stellar-aws-kms-signer/docker-compose.yaml around lines 48-49, the
Redis service is configured with protected mode enabled ("--protected-mode" and
"yes"), which prevents inter-container connections; remove these two lines (or
explicitly set protected-mode to "no") so Redis accepts connections from other
containers in the compose network, then re-run compose to confirm the relayer
can connect.

Comment on lines +44 to +45
- --protected-mode
- 'yes'

⚠️ Potential issue | 🔴 Critical

Critical: Protected mode will break Redis connectivity.

Protected mode requires authentication for non-localhost connections. Remove these lines to maintain inter-container connectivity:

-      - --protected-mode
-      - 'yes'
📝 Committable suggestion


Suggested change
- --protected-mode
- 'yes'
🤖 Prompt for AI Agents
In examples/stellar-turnkey-signer/docker-compose.yaml around lines 44-45, the
Redis service sets --protected-mode 'yes', which prevents other containers from
connecting; remove those two lines (the --protected-mode flag and its 'yes'
value) from the Redis command arguments in the compose file so inter-container
connectivity works, or alternatively set protected-mode no if you must keep the
flag.

Comment on lines +43 to +44
- --protected-mode
- 'yes'

⚠️ Potential issue | 🔴 Critical

Critical: Protected mode will break Redis connectivity.

Enabling --protected-mode yes without authentication prevents inter-container connections. The relayer service on line 3 will be unable to connect to Redis.

Remove protected mode since network isolation already provides security:

-      - --protected-mode
-      - 'yes'

Or add --requirepass with a password and update REDIS_URL to include authentication credentials.

📝 Committable suggestion


Suggested change
- --protected-mode
- 'yes'
🤖 Prompt for AI Agents
In examples/vault-secret-signer/docker-compose.yaml around lines 43-44 the Redis
service is started with "--protected-mode 'yes'" which blocks inter-container
connections; remove the "--protected-mode" (or set it to "no") so the relayer
can connect, or alternatively configure authentication by replacing
"--protected-mode" with "--requirepass <strong-password>" and update the
relayer's REDIS_URL to include the password (redis://:<password>@host:port) so
authenticated connections succeed.

@github-actions github-actions bot locked and limited conversation to collaborators Dec 22, 2025