memcached in not so friendly environment

Milos Prodanovic milos.prodanovic at gmail.com
Thu Feb 8 10:37:13 UTC 2007


Hello,


I'm planning to use memcached in a mass hosting environment. In general that
would mean that any PHP user can access data
that is stored in memcached, even if this memcached data is only for hosting
platform use. Common usage of memcached is in a friendly
environment, where you hold strings, application, network and other
resources, and there is no user application allowed.
I need to protect access to memcached. A firewall is not an option, hidden
interfaces and private networks can be scanned, and other obscurity ways are
not an option.

I've read the memcached list discussion on authentication. There are a few
possibilities that I can think of:
a) Restrict memcached to accept connections from a TCP port that is less than
1024; that would be quite a fast solution, and it's based on the fact that you are
the only one with a root account on the client side.
b) crypt and sign data (content) stored on memcache, so even if users get
access to memcached they can't poison data but they can exhaust memory :(
c) implement authentication (exact way should be discussed)
d) secure transport (includes authentication - already suggested on list and
done)
e) put some kind of TCP wrapper in front of memcached, and let the TCP wrapper
handle authentication

Maybe someone already has a nice working solution?

I've understood that authentication was proposed more than once, and it was
rejected to protect memcached performance.
One person sent a URL with encrypted memcached (TLS). It's easy to implement
authentication as a private patch, but there is no sense
if it's not accepted as a patch in the main memcached code.

If using memcached in a not so friendly environment is not so frequent, then
a private patch is the best scenario.
If this is not such a rare case of memcached usage, let's discuss authentication
once again.

What do you think?


Kind Regards

Milos
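
The signing half of option b) above, as an added example that is not part of the original post or of memcached: each value is stored with an HMAC that also covers its key, so an entry written or moved by anyone without the secret is treated as a cache miss. The `SignedCache` class, the dict standing in for a memcached client, the key names and the secret are all assumptions made for illustration.

```python
import hashlib
import hmac

TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag


class SignedCache:
    """Hypothetical wrapper: stores tag || value, with the tag bound to the key."""

    def __init__(self, store, secret: bytes):
        self._store = store    # assumption: dict-like stand-in for a memcached client
        self._secret = secret  # held by the hosting platform only, never by tenants

    def _tag(self, key: str, value: bytes) -> bytes:
        # Length-prefix the key so the key/value boundary cannot be shifted.
        k = key.encode()
        msg = len(k).to_bytes(4, "big") + k + value
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def set(self, key: str, value: bytes) -> None:
        self._store[key] = self._tag(key, value) + value

    def get(self, key: str):
        blob = self._store.get(key)
        if blob is None or len(blob) < TAG_LEN:
            return None
        tag, value = blob[:TAG_LEN], blob[TAG_LEN:]
        # Constant-time comparison; a bad tag is handled like a cache miss.
        if not hmac.compare_digest(tag, self._tag(key, value)):
            return None
        return value


def demo():
    backend = {}  # constructed sample data, not real cache contents
    cache = SignedCache(backend, secret=b"constructed-demo-secret")
    cache.set("site:1:quota", b"100")
    cache.set("site:2:quota", b"5000")
    results = {"clean": cache.get("site:1:quota")}
    # Value rewritten in the shared cache by a writer without the secret.
    backend["site:1:quota"] = backend["site:1:quota"][:TAG_LEN] + b"999"
    results["tampered"] = cache.get("site:1:quota")
    # Validly signed entry copied under a different key: the key binding rejects it.
    backend["site:1:quota"] = backend["site:2:quota"]
    results["swapped"] = cache.get("site:1:quota")
    results["untouched"] = cache.get("site:2:quota")
    return results
```

This covers integrity only: hiding the content would additionally need encryption, an old signed value replayed under the same key still verifies, and, as the post notes, memory exhaustion is not addressed.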