On Apr 8, 2:16 pm, hoos <[email protected]> wrote:
> same machine as memcached. While the SASL authentication meets the
> security requirement we believe it would cause a significant
> degradation in performance (although I haven't load tested a SASL
> enabled memcached and cannot quantify the loss in performance).

  Why do you believe that?  It'll increase the cost of the initial
connection, but if you're initially connecting a lot, you'll gain more
by just... not doing that than you will by trying to make it a bit
cheaper.

> Furthermore not all clients support SASL authentication, most notably
> the nginx modules don't support it and that really torpedoes the SASL
> option.

  That's probably not too hard to fix.  :)

> Instead we are considering the use of IPTABLES using the owner module
> to enable filtering of packets based on UID; for example, the
> following iptables command rejects any packets bound for the memcached
> daemon which have not been created by the memclient user:
>
> iptables -A OUTPUT -p tcp --dport 11111 -d 127.0.0.1 -m owner ! --uid-owner memclient -j REJECT
>
> This approach is simple to implement and provides the minimum level of
> security we need.
>
> Another approach is to use UNIX domain sockets instead of TCP and
> secure the domain socket; however, this method also suffers from a lack
> of client support.

  If you're absolutely sure that you'll only need memcached on
localhost forever, then this should be OK.  You could use this as an
opportunity to improve the clients you're using, though.  :)
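The UNIX domain socket option mentioned in the thread has a server-side analogue of the iptables owner match: on Linux a listener can read the connecting process's UID with SO_PEERCRED and drop anything not on an allow list, on top of the directory and socket-file permissions that already gate who can connect at all. The script below is an added illustration of that check, not code from this thread or from memcached (memcached itself relies on socket-file permissions rather than running custom per-connection code); the socket path, the placeholder reply and the allow list are all constructed for the demo, and it assumes Linux.

```python
import os
import socket
import struct
import tempfile
import threading

# Linux SO_PEERCRED returns struct ucred { pid_t pid; uid_t uid; gid_t gid; }
UCRED_FMT = "3i"


def peer_uid(conn):
    """Return the UID of the process on the far end of a connected AF_UNIX socket."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize(UCRED_FMT))
    _pid, uid, _gid = struct.unpack(UCRED_FMT, raw)
    return uid


def accept_if_allowed(listener, allowed_uids):
    """Accept one connection and keep it only if the peer UID is allow-listed.

    Returns (peer_uid, accepted). A rejected connection is closed without a
    reply, which is the UNIX-socket equivalent of the iptables REJECT rule.
    """
    conn, _ = listener.accept()
    with conn:
        uid = peer_uid(conn)
        if uid not in allowed_uids:
            return uid, False
        conn.sendall(b"STORED\r\n")  # constructed placeholder reply, not real protocol handling
        return uid, True


def run_demo(allowed_uids):
    """Bind a throwaway socket, connect to it from this process, and return
    (peer_uid, accepted, bytes_the_client_received)."""
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o700)                      # filesystem gate: only the owner can traverse
        path = os.path.join(d, "memcached.sock")  # constructed path for the demo
        listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        listener.bind(path)
        os.chmod(path, 0o600)                   # connect() honours the socket file mode on Linux
        listener.listen(1)

        result = {}

        def server():
            result["r"] = accept_if_allowed(listener, allowed_uids)

        t = threading.Thread(target=server)
        t.start()

        client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        client.connect(path)
        reply = client.recv(64)  # b"" when the server closed without answering
        client.close()
        t.join()
        listener.close()

        uid, accepted = result["r"]
        return uid, accepted, reply


if __name__ == "__main__":
    me = os.getuid()
    print("same uid allowed:   ", run_demo({me}))
    print("other uid only:     ", run_demo({me + 1}))
```

Running it as-is shows the allow-listed case returning the placeholder reply and the disallowed case getting an empty read. Unlike the owner match in iptables, which must live in the OUTPUT chain because it inspects the creator of locally generated packets, this check happens after accept() and so applies equally to any process that can reach the socket file, which is why the directory and file modes still matter.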
