Comments on: Patch for memcached on public network http://adrianotto.com/2009/08/patch-for-memcached-on-public-network/ For those who care about technical details Fri, 03 Feb 2012 14:21:48 +0000 hourly 1 http://wordpress.org/?v=3.2.1 By: Adrian Otto http://adrianotto.com/2009/08/patch-for-memcached-on-public-network/comment-page-1/#comment-278 Adrian Otto Thu, 10 Feb 2011 19:43:35 +0000 http://adrianotto.com/?p=104#comment-278 oobx, Yes, it can be modified that way. In fact this article pre-dates the sasl auth feature in memcached. For a key prefix, you will need something that's guaranteed to be unique, so be careful taking an approach like using a hash of the username. Also, you don't want your key prefix to be too long, and at the same time you don't want it to be too short, or it could be vulnerable to brute force attacks. The happy medium is probably in the 10 character range. Keep in mind that having a little bit of cache is generally a LOT better than having no cache at all. I suggest having a separate memcached instance per application/developer, each running on a separate port on whatever server(s) you plan to run memcached on, and control each with sasl auth. Most web applications can see a significant benefit from having a cache in the 64 MB or smaller size range. Keep in mind that if you use SASL on memcached, you are limited to using clients that support SASL (which means they must only use the binary protocol). The last time I looked there were only a small number of clients that implemented this support, so you will need to be sure that whatever client you plan to use supports these features. oobx,

Yes, it can be modified that way. In fact this article pre-dates the sasl auth feature in memcached. For a key prefix, you will need something that’s guaranteed to be unique, so be careful taking an approach like using a hash of the username. Also, you don’t want your key prefix to be too long, and at the same time you don’t want it to be too short, or it could be vulnerable to brute force attacks. The happy medium is probably in the 10 character range.

Keep in mind that having a little bit of cache is generally a LOT better than having no cache at all. I suggest having a separate memcached instance per application/developer, each running on a separate port on whatever server(s) you plan to run memcached on, and control each with sasl auth. Most web applications can see a significant benefit from having a cache in the 64 MB or smaller size range.

Keep in mind that if you use SASL on memcached, you are limited to using clients that support SASL (which means they must only use the binary protocol). The last time I looked there were only a small number of clients that implemented this support, so you will need to be sure that whatever client you plan to use supports these features.

]]> By: oobx http://adrianotto.com/2009/08/patch-for-memcached-on-public-network/comment-page-1/#comment-277 oobx Thu, 10 Feb 2011 18:24:06 +0000 http://adrianotto.com/?p=104#comment-277 Warning: I'm new to memcached I have hundreds of sites in a shared hosting configuration at a university. It's a pretty decent setup, with several application front-ends. Most developers here are trustworthy. But, exploited code could endanger the memcache or expose the data it holds. I'd love to offer memcache to these developers. It's just the security that holds me back. Couldn't the server be modified to append some string to each key (store and retrieve request) in order to isolate user data, while allowing all of campus to access a vast bucket of memory? It would be nice if memcached be provided with this identification prefix at startup. Here are a few values that might be offered as prefix options: sasl user name first octect of the client's IP first two octets, and so on Of course, the flush and stats commands could be modified accordingly, also prepending these prefixes. Warning: I’m new to memcached

I have hundreds of sites in a shared hosting configuration at a university. It’s a pretty decent setup, with several application front-ends. Most developers here are trustworthy. But, exploited code could endanger the memcache or expose the data it holds. I’d love to offer memcache to these developers. It’s just the security that holds me back.

Couldn’t the server be modified to append some string to each key (store and retrieve request) in order to isolate user data, while allowing all of campus to access a vast bucket of memory? It would be nice if memcached be provided with this identification prefix at startup. Here are a few values that might be offered as prefix options:

sasl user name
first octect of the client’s IP
first two octets, and so on

Of course, the flush and stats commands could be modified accordingly, also prepending these prefixes.

]]> By: gabriele http://adrianotto.com/2009/08/patch-for-memcached-on-public-network/comment-page-1/#comment-91 gabriele Wed, 31 Mar 2010 14:50:43 +0000 http://adrianotto.com/?p=104#comment-91 Thanks, I submitted a feature request on PECL http://pecl.php.net/bugs/bug.php?id=17149 Thanks, I submitted a feature request on PECL
http://pecl.php.net/bugs/bug.php?id=17149

]]> By: Adrian Otto http://adrianotto.com/2009/08/patch-for-memcached-on-public-network/comment-page-1/#comment-90 Adrian Otto Wed, 31 Mar 2010 14:12:07 +0000 http://adrianotto.com/?p=104#comment-90 Gabriele, Thanks for your great question/request. You're right that using the SASL support is the ideal way to solve the problem I had initially found when I produced this patch. There is more than one client library for PHP. The <a href="http://pecl.php.net/package/memcache" rel="nofollow">Memcache</a> library is not based on libmemcached but the <a href="http://pecl.php.net/package/memcached" rel="nofollow">Memcached</a> library is. As you noticed, neither implements the SASL features yet according to the <a href="http://pecl.php.net/package-changelog.php?package=memcached&release=1.0.1" rel="nofollow">v1.0.1 change log</a>. It might be worth asking the <a href="mailto:andrei@php.net" rel="nofollow">author</a> if he has plans to add that. Cheers, Adrian Gabriele,

Thanks for your great question/request. You’re right that using the SASL support is the ideal way to solve the problem I had initially found when I produced this patch. There is more than one client library for PHP. The Memcache library is not based on libmemcached but the Memcached library is. As you noticed, neither implements the SASL features yet according to the v1.0.1 change log. It might be worth asking the author if he has plans to add that.

Cheers,

Adrian

]]> By: gabriele http://adrianotto.com/2009/08/patch-for-memcached-on-public-network/comment-page-1/#comment-89 gabriele Wed, 31 Mar 2010 09:09:46 +0000 http://adrianotto.com/?p=104#comment-89 Adrian, I'm a Rackspace Cloud Sites customer. I read your posts on using memcached in the cloud. As you might be aware of, fairly recently memcached added support for SASL (Simple Authentication and Security Layer). That seems like a big of a deal for cloud environments like Rackspace Cloud, Amazon EC2 and the likes. Unfortunately, although the libmemcache C library was updated to support SASL, it doesn't seems that support has been extended to higher level languages wrappers such as PHP PECL memcache. It would be greatly appreciated if you could provide more details on using memcached with SASL inside the Rackspace Cloud environment either on the blog or by email. SASL Authentication for Memcached: http://bit.ly/btQZef Adrian, I’m a Rackspace Cloud Sites customer. I read your posts on using memcached in the cloud. As you might be aware of, fairly recently memcached added support for SASL (Simple Authentication and Security Layer). That seems like a big of a deal for cloud environments like Rackspace Cloud, Amazon EC2 and the likes. Unfortunately, although the libmemcache C library was updated to support SASL, it doesn’t seems that support has been extended to higher level languages wrappers such as PHP PECL memcache. It would be greatly appreciated if you could provide more details on using memcached with SASL inside the Rackspace Cloud environment either on the blog or by email.

SASL Authentication for Memcached: http://bit.ly/btQZef

]]>