Securing Memcached
February 16 2011 12:00 CET
Memcached is a great way to store key/value pairs in-memory for fast access.
Since memcached aims for simplicity, it does not feature any authentication mechanism by default. You can, however, compile it with the --with-sasl option to enable SASL.
IMHO enabling authentication defeats some of the purpose of using memcached, since your clients will spend time authenticating. Memcached is made for fast clients and keeps overhead to a minimum, so you would like to keep it that way.
Another way of securing memcached is to have it listen only on 127.0.0.1, or to use a firewall (or iptables) to allow only specific IPs access to the memcached daemon.
A third way, which I’ve found the most interesting, is to run memcached on a unix socket instead of TCP transport. This also eliminates the TCP overhead.
To start memcached listening on a unix socket you simply add -s /socket/location.sock to the memcached command line. Consult the man page for all options.
For example:
memcached -d -u someuser -s /tmp/memcached.sock -a 00755 -m 128
This starts a memcached daemon (-d daemonizes it) running as someuser with 128MB of memory allocated (-m 128). The socket will be located at /tmp/memcached.sock and have permissions (in octal) 00755, as set by -a.
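As an added example (not part of the original post, and not the memcached project's own code), here is a minimal Python client that speaks the memcached text protocol over the -s socket, plus a check of which users the socket mode lets in. On Linux, connect() on a unix socket requires write permission on the socket file, so with the 00755 above only the socket's owner can reach the cache; a web server running as another user would need group write (e.g. 0770) and membership in that group. The daemon is replaced by a constructed in-process stand-in so the script runs on its own; the key "session:42" and its value are made up.

```python
import os, socket, stat, tempfile, threading

def mc_get(path, key):
    # memcached text protocol over the -s socket: "get <key>\r\n" answers
    # "VALUE <key> <flags> <bytes>\r\n<data>\r\nEND\r\n", or a bare "END\r\n" on a miss.
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(b"get %s\r\n" % key)
        buf = b""
        while not buf.endswith(b"END\r\n") and (chunk := s.recv(4096)):
            buf += chunk
    if not buf.startswith(b"VALUE "):
        return None
    header, body = buf.split(b"\r\n", 1)
    return body[:int(header.split()[3])]

def who_can_connect(path):
    # On Linux, connect() on a unix socket needs write permission on the socket file,
    # so the write bits of the -a mask decide who can reach the cache at all.
    mode = os.stat(path).st_mode
    if not stat.S_ISSOCK(mode):
        raise ValueError("%s is not a unix socket" % path)
    bits = (("owner", stat.S_IWUSR), ("group", stat.S_IWGRP), ("other", stat.S_IWOTH))
    return {who for who, bit in bits if mode & bit}

def fake_memcached(path, mask, store):
    # Constructed stand-in for the daemon: answers "get" from a pre-seeded dict,
    # one command per connection, and gives the socket the mode -a would.
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(path, mask)
    srv.listen(5)
    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                p = conn.recv(4096).split()
                if len(p) > 1 and p[0] == b"get" and p[1] in store:
                    v = store[p[1]]
                    conn.sendall(b"VALUE %s 0 %d\r\n%s\r\nEND\r\n" % (p[1], len(v), v))
                else:
                    conn.sendall(b"END\r\n")
    threading.Thread(target=serve, daemon=True).start()

def demo(mask=0o700):
    # Bring the stand-in up on a temp socket with one constructed entry, then query it.
    path = os.path.join(tempfile.mkdtemp(), "memcached.sock")
    fake_memcached(path, mask, {b"session:42": b"user=alice"})
    return {"hit": mc_get(path, b"session:42"), "miss": mc_get(path, b"missing"),
            "connect": who_can_connect(path)}
```

Running demo() against a real daemon is just a matter of pointing mc_get and who_can_connect at /tmp/memcached.sock instead of the stand-in; with the 00755 from the example, who_can_connect reports only the owner.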