memcached in not so friendly environment

Brian Moon brianm at dealnews.com
Thu Feb 8 21:05:33 UTC 2007


Hmm, a nice feature of the PECL client might be to allow for a host(s) 
and port to be configured in php.ini/apache conf.  That way, you could 
set the host(s) and port per VirtualHost in the Apache conf.  You can do 
this with mysql user/pass/server etc.  But, I think that just sets the 
default and the user could override it.  This would be useful for 
locking a VirtualHost into a given memcached pool.

Reinis Rozitis wrote:
> Use sockets (only limitation is that memcache must reside on the same
> host/box as the php).
> Launch multiple memcache processes and give each user read/write access to
> only one particular socket, that way they can't connect to another MC
> instance. By doing this you can also limit how much memory each user can
> use.
> 
> If you add some auth layer in between in my opinion the whole idea of
> ultra-fast data reading probably will be lost..
> 
> rr
> 
> 
> ----- Original Message ----- From: Milos Prodanovic
> To: memcached at lists.danga.com
> Sent: Thursday, February 08, 2007 12:37 PM
> Subject: memcached in not so friendly environment
> 
> 
> Hello,
> 
> 
> I'm planning to use memcached in a mass hosting environment. In general that
> would say that any php user can access data that is stored in memcached,
> even if this memcached data is only for hosting platform use. Common usage
> of memcached is in a friendly environment, where you hold strings,
> application, network and other resources, and there is no user application
> allowed.
> I need to protect access to memcached. Firewall is not an option, hidden
> interfaces and private networks can be scanned, and other obscurity ways
> are not an option.
> 
> I've read the memcached list discussion on authentication. There are a few
> possibilities that I can think of:
> a) Restrict memcached to accept connections from a TCP port that is less than
> 1024, that would be quite a fast solution, and it's based on the fact that
> you are the only one with a root account on the client side.
> b) crypt and sign data (content) stored on memcache, so even if users get
> access to memcached they can't poison data but they can exhaust memory :(
> c) implement authentication (exact way should be discussed)
> d) secure transport (includes authentication - already suggested on list and
> done)
> e) put some kind of tcp wrapper in front of memcached, and let the tcp wrapper
> handle authentication
> 
> Maybe someone has already nice working solution ?
> 
> I've understood that authentication was proposed more than once, and it was
> rejected to protect memcached performance.
> One sent a url with encrypted memcached (TLS). It's easy to implement
> authentication as a private patch, but there is no sense
> if it's not accepted as a patch in the main memcached code.
> 
> If using memcached in a not so friendly environment is not so frequent,
> then a private patch is the best scenario.
> If this is not so rare a case of memcached usage, let's discuss
> authentication once again.
> 
> What do you think ?
> 
> 
> Kind Regards
> 
> Milos
> 
> 

-- 

Brian Moon
-------------
http://dealnews.com/
It's good to be cheap =)
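Option (b) from Milos's list (sign the stored content so other tenants on the same memcached cannot poison it) is the one that needs no server changes, so here is a worked illustration of it. This is an added example written for this thread, not code from memcached, the PECL client or anyone on the list. It uses HMAC-SHA256 from the Python standard library for tamper detection only (no encryption, which would need a library beyond the stdlib), binds the cache key name into the MAC so a validly signed value cannot be copied under another key, and uses a constructed in-memory dictionary in place of a real memcached client. The key name `SIGNING_KEY` and the `InMemoryCache` class are assumptions for the demo; in a real deployment the signing key would live somewhere only the hosting platform can read (per-VirtualHost config, as Brian suggests), never in tenant-readable code.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real deployment keeps this out of tenant reach.
SIGNING_KEY = b"constructed-demo-signing-key-not-for-production"


class InMemoryCache:
    """Stand-in for a memcached client (constructed for the demo). Stores raw bytes
    exactly as a shared memcached would, so any tenant could overwrite them."""

    def __init__(self):
        self._store = {}

    def set(self, key, value):
        self._store[key] = value
        return True

    def get(self, key):
        return self._store.get(key)


def _mac(key_name, payload, signing_key):
    # Length-prefix the key name so "ab"+"c" and "a"+"bc" cannot collide,
    # then MAC key name and payload together: the tag is only valid for this key.
    h = hmac.new(signing_key, digestmod=hashlib.sha256)
    h.update(len(key_name).to_bytes(4, "big"))
    h.update(key_name.encode("utf-8"))
    h.update(payload)
    return h.digest()


def seal(key_name, obj, signing_key=SIGNING_KEY):
    """Serialize obj and attach a versioned HMAC tag: b'v1.<tag>.<payload>'."""
    payload = json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")
    tag = _mac(key_name, payload, signing_key)
    return b"v1." + base64.b64encode(tag) + b"." + base64.b64encode(payload)


def unseal(key_name, blob, signing_key=SIGNING_KEY):
    """Return the stored object, or None (treated as a cache miss) if the blob is
    missing, malformed, signed with another key, or signed for another key name."""
    if blob is None:
        return None
    try:
        version, tag_b64, payload_b64 = blob.split(b".", 2)
        if version != b"v1":
            return None
        tag = base64.b64decode(tag_b64, validate=True)
        payload = base64.b64decode(payload_b64, validate=True)
    except ValueError:  # wrong field count or invalid base64 (binascii.Error is a ValueError)
        return None
    expected = _mac(key_name, payload, signing_key)
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return json.loads(payload)


class SignedCache:
    """Wraps a raw cache client so every value is signed on write and verified on read."""

    def __init__(self, client, signing_key=SIGNING_KEY):
        self._client = client
        self._key = signing_key

    def set(self, key_name, obj):
        return self._client.set(key_name, seal(key_name, obj, self._key))

    def get(self, key_name):
        return unseal(key_name, self._client.get(key_name), self._key)


def demo():
    """Returns (legit, tampered, swapped): a valid round trip, a forged value, and a
    valid blob replayed under a different key. The last two verify as misses."""
    raw = InMemoryCache()
    cache = SignedCache(raw)

    cache.set("user:42:profile", {"id": 42, "plan": "free"})
    legit = cache.get("user:42:profile")

    # Another tenant with raw access writes a value signed with a key it guessed.
    raw.set("user:42:profile", seal("user:42:profile", {"id": 42, "plan": "enterprise"}, b"guessed-key"))
    tampered = cache.get("user:42:profile")

    # Another tenant copies a genuinely signed blob from one key to another.
    cache.set("user:7:profile", {"id": 7, "plan": "enterprise"})
    raw.set("user:42:profile", raw.get("user:7:profile"))
    swapped = cache.get("user:42:profile")

    return legit, tampered, swapped


if __name__ == "__main__":
    print(demo())
```

As Milos notes, signing does not stop a co-tenant from deleting entries or filling the cache; it only turns a poisoned read into a cache miss, which is why a verification failure is handled like a miss and logged rather than trusted.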

