Memcached remote connection authentication

Suppose server 1 is located at 5.5.5.5:11211, and server 2 is located at 25.25.25.25:11211. You add them to the server pool, and everything is fine. Until someone connects to this port and starts messing with your data.

So, we are changing the port to 38295. It is harder to find, but not impossible, so this is still not enough.

My questions:

1) Can you set authentication (username / password) for memcached servers to verify the connection? Can you whitelist specific hosts / IPs (maybe a bad idea)?

2) Can and should you protect data transmitted over the Internet? The data is in raw format, and your Internet service provider and anyone who sniffs the line can see all the data sent. But is data encryption likely to affect performance?

What solutions exist for setting up a memcached server cluster and how do you protect and authenticate them?

+5
3 answers

A solution that met my needs was to create iptables records as suggested by sumoandan. Here is what I got.

Launch memcached using something like this:

/usr/bin/memcached -p 11211 -l 0.0.0.0 -d -u www-data -m 12288

, -l 0.0.0.0, . 127.0.0.1, .

iptables. memcached , .

, 192.168.1.100 , :

iptables -A INPUT -p tcp -s 192.168.1.100 --dport 11211 -j ACCEPT

, , , 25.62.25.62, :

iptables -A INPUT -p tcp -s 25.62.25.62 --dport 11211 -j ACCEPT

IP-, , , .

iptables -A INPUT -p tcp --dport 11211 -j REJECT

IPtables , , , REJECT ALL - ACCEPT, ( ).

, , , . , memcached ( , -), raw.

+8
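The allowlist from the answer above, written as an added example that is not part of the original answer: it goes one step further and keeps the rules in a dedicated chain that is flushed and rebuilt on every run, so repeating the script never appends an ACCEPT rule behind the final REJECT. The chain name `MEMCACHED_IN`, the variables `MEMCACHED_PORT` and `DRY_RUN`, and the helper functions are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the answer). CHAIN, MEMCACHED_PORT and DRY_RUN are
# assumed names. DRY_RUN=1 (default) prints the commands; 0 applies them as root.
MEMCACHED_PORT="${MEMCACHED_PORT:-11211}"
CHAIN="${CHAIN:-MEMCACHED_IN}"
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# Accept only dotted-quad IPv4 addresses with each octet in 0..255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Rebuild the chain from scratch: ACCEPT each allowed client, REJECT the rest.
memcached_rules() {
    for src in "$@"; do
        valid_ipv4 "$src" || { echo "invalid source: $src" >&2; return 1; }
    done
    run -N "$CHAIN" 2>/dev/null || true  # create the chain if it is missing
    run -F "$CHAIN"                      # discard rules left by earlier runs
    for src in "$@"; do
        run -A "$CHAIN" -s "$src" -j ACCEPT
    done
    run -A "$CHAIN" -j REJECT            # must stay last: first match wins
    # Hook the chain into INPUT only once (-C checks for an existing rule).
    if [ "$DRY_RUN" = 1 ] ||
       ! iptables -C INPUT -p tcp --dport "$MEMCACHED_PORT" -j "$CHAIN" 2>/dev/null; then
        run -I INPUT 1 -p tcp --dport "$MEMCACHED_PORT" -j "$CHAIN"
    fi
}

# Constructed sample call using the two client addresses from the answer.
memcached_rules 192.168.1.100 25.62.25.62
```

Review the dry-run output first, then apply it with `DRY_RUN=0` as root.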

, , .

, - (web1, web2, web3) memcache (mem1 mem2) 11211, , IP- - 172.221...

ip- mem1 mem2, 172.221.. 11211.

, .

+2

Memcached now supports SASL. This will allow you to perform strong authentication for your memcached service. Here is a good article on how to configure SASL with memcached.

http://blog.couchbase.com/sasl-memcached-now-available

+1