On Oct 27, 8:04 pm, Toru Maesaka <[email protected]> wrote:
> Makes sense considering the growing popularity of shared networks.
> However, here's my humble comment on this use-case... can't people
> just use iptables for protecting their memcached host/port in a shared
> network? Or is this feature intended for people that have very limited
> freedom over the infrastructure?

In some cases, the infrastructure can be configured to keep unwanted users away from memcached. That's pretty much the classic deployment.

The scary case I had alluded to above was at a hosting provider that offered a kind of mass user web service for simple PHP sites. I believe they claimed a given web server could service up to 100,000 individual users. They didn't offer memcached at the time, so users who needed it would use the provider's VPS offerings to bring up a server pretty much for the sole purpose of running memcached.

In a situation like this, a network filter wouldn't do you much good because this service is pretty much wide-open to everybody. The only thing you can do to protect your instance is ensure people who aren't you can't connect to it and issue commands.

By providing a way in the application to make these kinds of deployments safer, we're at least allowing users who want to do this a way to protect themselves.

This is just one example case. I'm sure any number of people can come up with others. :)
