[Bug]: Redis password exposed in plain text, documented settings unused

[gregbrowndev]

crawl4ai version

0.8.0

Expected Behavior

We expect to be able to point Crawl4AI's FastAPI server to a Redis instance for rate-limiting and caching.

Current Behavior

Currently:

• None of the documented Redis settings in config.yaml seem to be used.
• The code only reads an undocumented option, redis.uri. See

  crawl4ai/deploy/docker/server.py

  Line 207 in aa7b050

  redis = aioredis.from_url(config["redis"].get("uri", "redis://localhost"))

• Setting the redis.uri option in config.yaml in text could expose the Redis password

There have been some recent discussions and efforts to externalise Redis, e.g. #1729, which I appreciate caused too large a change to the existing Dockerfile and tooling.

As mentioned for the reason that PR was closed, it is pretty easy to handle this ourselves, e.g. by overriding the Docker command to avoid supervisord and run FastAPI directly, with a separate Redis deployment elsewhere. E.g.

command: ["uvicorn", "server:app", "--host", "0.0.0.0", "--port", "11235", "--log-level", "info", "--timeout-keep-alive", "300"]

However, allowing Redis to be configured more securely would make the image more production-ready. A much smaller change would be to allow redis.uri and rate_limiting.storage_uri to be set optionally via environment variables, REDIS_URI and RATE_LIMITIING_STORAGE_URI, respectively. The mentioned PR did this, so those smaller changes could be accepted without too much disruption elsewhere?

Is this reproducible?

Yes

OS

macOS

Python version

3.12

[hafezparast]

Hi @gregbrowndev — thanks for reporting this! A fix has been submitted in PR #1827.

What was wrong: server.py used config["redis"].get("uri", "redis://localhost") — but the uri field doesn't exist in config.yml. The actual fields (host, port, password, db, ssl) were defined in config but completely ignored.

How it was fixed: Replaced the hardcoded URI lookup with _build_redis_url() that constructs the Redis URL from config fields. It also supports environment variable overrides:

• REDIS_HOST — overrides redis.host from config
• REDIS_PORT — overrides redis.port from config
• REDIS_PASSWORD — overrides redis.password from config
• redis.ssl: true in config switches to rediss:// scheme

How to test before it's merged

pip install git+https://github.com/unclecode/crawl4ai.git@fix/maysam-llm-provider-redis-config-1611-1817

Set your Redis password via environment variable or config.yml:

redis:
  host: "localhost"
  port: 6379
  password: "your-secret-password"

Or via env vars: REDIS_PASSWORD=your-secret-password

Let us know if it resolves your issue!

[ntohidi]

This has been fixed and is now on the develop branch. It will be in the release and main branch soon.
I will close the issue, but feel free to continue the conversation or reopen it if the issue remains.