February 16 2011 12:00 CET
Memcached is a great way to store key/value pairs in-memory for fast access.
Since memcached aims for simplicity, it does not feature any authentication mechanism by default. You can, however, compile it with the --with-sasl option to enable SASL.
IMHO enabling authentication does defeat some of the purpose of using memcached since your client will use time authenticating. Memcached is made for fast-clients and provides a minimum of overhead so you would like to keep it that way.
Another way to secure memcached is to run it listening on 127.0.0.1, or to use a firewall (or iptables) to allow only specific IPs access to the memcached daemon.
A third way, which I’ve found the most interesting, is to run memcached on a Unix socket instead of using TCP transport. This would also eliminate TCP overhead.
To start memcached listening on a Unix socket, you simply add the -s /socket/location.sock option to memcached. Consult the man pages for all options.
memcached -d -u someuser -s /tmp/memcached.sock -a 00755 -m 128
This will start a memcached daemon (-d daemonizes it) with 128MB allocated memory as someuser. The socket will be located at /tmp/memcached.sock and have permissions (in octal)
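Since the socket's mode and location now decide who can reach memcached, here is a small check for both. It is an added example, not part of the original post; the function names audit_socket and make_socket are hypothetical, and it assumes Linux, where connecting to a Unix socket requires write permission on the socket file.

```python
import os
import socket
import stat
import tempfile

def audit_socket(path):
    """Return a list of findings for a Unix socket path (empty list = nothing flagged)."""
    findings = []
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink planted at the path
    except FileNotFoundError:
        return ["missing: nothing exists at %s" % path]
    if not stat.S_ISSOCK(st.st_mode):
        return ["not-a-socket: %s is not a Unix socket" % path]
    mode = stat.S_IMODE(st.st_mode)
    # Assumption (Linux): connect() needs write permission on the socket file.
    if mode & stat.S_IWOTH:
        findings.append("world-connectable: mode %04o lets any local user connect" % mode)
    if mode & stat.S_IWGRP:
        findings.append("group-connectable: mode %04o lets gid %d connect" % (mode, st.st_gid))
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & stat.S_IWOTH:
        findings.append("shared-directory: parent is world-writable, so other "
                        "users can create a file at this path first")
    return findings

def make_socket(directory, mode):
    """Create a listening Unix socket for the demo (constructed fixture, not memcached)."""
    path = os.path.join(directory, "memcached.sock")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(path, mode)
    return srv, path

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:   # created 0700, like a private run dir
        srv, path = make_socket(d, 0o755)      # same mode as -a 00755 in the command
        print(audit_socket(path) or "no findings")
        os.chmod(path, 0o777)                  # a looser mode, for comparison
        print(audit_socket(path))
        srv.close()
```

After starting the daemon, call audit_socket("/tmp/memcached.sock") against the real path. On a typical system the shared-directory finding is expected there, because /tmp is world-writable.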