Memcached is a high-performance, distributed memory object caching system, generic in nature, but intended for use in speeding up dynamic web applications by alleviating database load.
Memcached is a great piece of software that was designed with performance in mind. Still, memcached has few (really none) security features built in: no authentication, no authorization and no encryption. If we run memcached on a public IP and unprotected, anyone will be able to reach it, open memcached connections and read or overwrite whatever is cached. This guide is intended to show some simple steps that can be used to secure your memcached setup.
You might say that you are not storing any private information in memcached and just cache parts of your public pages. Well, even in this case you will want your memcached daemon protected and not open to DoS attacks (anyone who can reach the port can flush or fill your cache). Basically, regardless of the data you cache (public page fragments or private data from the backend SQL database), you will probably want to control who can access it, and since memcached doesn't have any built-in authentication and doesn't require a user or password, we have to use external protection methods such as iptables or other firewall rules.
1. Run the memcached daemon under a non-privileged user.
You should run the memcached daemon under a user with the least privileges needed for its purpose. Since memcached doesn't require any special privileges, you can safely run it as a user with minimal privileges such as nobody. Still, many people run it as root, because they start it directly from a root shell (rc.local or similar) like:
./memcached -d -m 2048 -p 11211
(it will start as the user running the shell). This is also the case in the Debian etch memcached package, where the default is to run it as root (fixed in the lenny package, which runs it as nobody by default).
To run as a regular unprivileged user just use the -u switch to start memcached:
./memcached -d -m 2048 -p 11211 -u nobody
or, if you use a configuration file as in the Debian package, edit /etc/memcached.conf, add -u nobody and comment out the default -u root entry.
2. Specify which IP address to listen on.
Since memcached has no built-in authentication (it is designed to be as fast as possible), the only way to protect the daemon is to block access to it from anyone other than the hosts that need it. By default, memcached listens on all IP addresses if the -l switch is not used. I recommend always using -l so that memcached listens only on the IP you need; 127.0.0.1 is the safe choice unless other hosts really need access.
– if memcached is used just by the local system then use -l 127.0.0.1 and run it like:
./memcached -d -m 2048 -p 11211 -u nobody -l 127.0.0.1
– if you have a backend private network used by your servers use that to bind it only on the private ip, for ex: -l 192.168.0.1 like:
./memcached -d -m 2048 -p 11211 -u nobody -l 192.168.0.1
– if you really need to run it on a public IP, still bind it to a single IP (to ease maintenance if the box has more IPs, etc.) using -l <ip>:
./memcached -d -m 2048 -p 11211 -u nobody -l <ip>
and, depending on your setup, filter access to TCP port 11211 on that IP so that only the hosts that need to reach it are allowed, and block everything else. Note that memcached of this era also listens on UDP port 11211 by default: disable it with -U 0 unless a client actually needs UDP, or filter the UDP port as well. If you run it on a different port (-p) or run more daemons on the same machine, do this for each one of them.
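The two steps above put together, as an added example that is not part of the original article: a small POSIX shell script that starts memcached as nobody, bound to a single address with UDP disabled (drop the -U 0 if your clients really use UDP), emits iptables rules that allow only the listed client hosts on TCP 11211 and drop everyone else on both TCP and UDP, and then checks with ss that nothing on that port is still bound to a wildcard address. The bind address 192.168.0.1 and the client hosts in the usage line are assumed values; iptables and ss are assumed to be installed, and "apply" mode must be run as root.

```shell
#!/bin/sh
# Added example, not part of the original article: start memcached with least
# privilege, restrict port 11211 to an allow-list with iptables, verify binding.
# Assumes iptables and ss are installed; "apply" mode must run as root.

# Build the memcached command line: unprivileged user, one bind address,
# UDP listener disabled (-U 0) so only the TCP port needs filtering.
memcached_cmd() {
    user=$1; bind_ip=$2; port=$3; mem_mb=$4
    printf 'memcached -d -m %s -p %s -U 0 -u %s -l %s\n' "$mem_mb" "$port" "$user" "$bind_ip"
}

# Emit iptables rules: ACCEPT each listed client host on the port, then DROP
# everyone else for both TCP and UDP (memcached listens on UDP 11211 by default).
firewall_rules() {
    bind_ip=$1; port=$2; shift 2
    for host in "$@"; do
        printf 'iptables -A INPUT -p tcp -s %s -d %s --dport %s -j ACCEPT\n' "$host" "$bind_ip" "$port"
    done
    printf 'iptables -A INPUT -p tcp -d %s --dport %s -j DROP\n' "$bind_ip" "$port"
    printf 'iptables -A INPUT -p udp -d %s --dport %s -j DROP\n' "$bind_ip" "$port"
}

# Read "ss -ltnu" style output on stdin and print every socket on the port
# whose local address is a wildcard (0.0.0.0, *, [::]); prints nothing if clean.
wildcard_listeners() {
    port=$1
    awk -v p="$port" '
        { for (i = 1; i <= NF; i++) {
              if ($i ~ (":" p "$")) {
                  addr = $i
                  sub((":" p "$"), "", addr)
                  if (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::")
                      print addr ":" p
              }
          } }'
}

main() {
    mode=$1; bind_ip=$2; shift 2            # remaining arguments: client hosts allowed in
    cmd=$(memcached_cmd nobody "$bind_ip" 11211 2048)
    rules=$(firewall_rules "$bind_ip" 11211 "$@")
    if [ "$mode" = apply ]; then
        $cmd                                # start the daemon; -u drops it to nobody
        printf '%s\n' "$rules" | sh -e      # append the rules to the INPUT chain
        sleep 1                             # give the daemon a moment to bind
        bad=$(ss -ltnu | wildcard_listeners 11211)
        if [ -n "$bad" ]; then
            echo "WARNING: something still listens on a wildcard address: $bad" >&2
            return 1
        fi
        echo "memcached bound to $bind_ip only; port 11211 open to: $*"
    else
        printf '%s\n' "$cmd" "$rules"       # dry-run: show what apply would execute
    fi
}

# Usage (assumed addresses):
#   sh harden-memcached.sh dry-run 192.168.0.1 192.168.0.10 192.168.0.11
#   sh harden-memcached.sh apply   192.168.0.1 192.168.0.10 192.168.0.11   (as root)
if [ $# -ge 2 ]; then
    main "$@"
fi
```

The rules are appended to the end of INPUT, so an earlier ACCEPT-all rule in that chain would still win; check the final ordering with iptables -L INPUT -n, and repeat the whole thing for every extra daemon or non-default port.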
PHP Sessions in Memcached
The moment a PHP application grows to run on more servers, people normally start seeing problems caused by PHP sessions. If the application is stateless (does not use sessions) you are lucky and don't have to care about this, but if it does, then regardless of how well your load balancer handles stickiness (sending a user to the same real server every time), this will slowly become a major issue. There are various solutions for storing PHP sessions in a shared location, but I want to present one today that is very simple to implement, yet very efficient and, in the long term, better suited than a database backend: using memcache to store the sessions.
The pecl memcache PHP extension has supported the memcache session.save_handler for a long time, but release 3.0.x (still in beta at this time) brings in a set of features that are interesting for us:
– UDP support
– Binary protocol support
– Non-blocking IO using select()
– Key and session redundancy (values are written to N mirrors)
– Improved error reporting and failover handling
Installing the php memcache module is very simple and can be done either from distribution repositories (the 3.0.x version we want will probably not be available there), with pecl:
pecl install memcache-3.0.4
or by manual compilation (after downloading memcache-3.0.4.tgz from pecl):
tar xvfz memcache-3.0.4.tgz
cd memcache-3.0.4
phpize
./configure
make
make install
Finally, we need to activate the module in php.ini. I normally prefer to create a new file for this, memcache.ini, inside the include directory of the PHP build (for ex. in Debian this is /etc/php5/conf.d/memcache.ini) like this:
extension=memcache.so
memcache.allow_failover = 1
memcache.redundancy = 1
memcache.session_redundancy = 2
To use memcached to store the php sessions we will have to edit php.ini and replace the default file handler settings with something like:
; Use memcache as a session handler
session.save_handler = memcache
; Use a comma separated list of server urls to use for storage:
session.save_path = "tcp://<memcache_server1>:11211?persistent=1&weight=1&timeout=1&retry_interval=15, tcp://<memcache_server2>:11211"
or if we don’t want to use this serverwide, we can just define it inside a php block like this:
// comma separated list of memcache servers; the query string sets per-server options
$session_save_path = "tcp://<memcache_server1>:11211?persistent=1&weight=1&timeout=1&retry_interval=15, tcp://<memcache_server2>:11211";
// switch the handler from files to memcache; must run before session_start()
ini_set('session.save_handler', 'memcache');
ini_set('session.save_path', $session_save_path);
Note: both tcp:// and udp:// server urls are accepted in the list. If you use udp://, be sure that your memcached server has UDP support enabled (and that the UDP port is not filtered). Also ensure that the web server can connect to the memcache server/port (use proper firewall rules to allow this) in order for this to work.
After restarting apache, it will start using memcache to store the PHP sessions. If redundancy is needed (why not?) we will probably want to use the php memcache extension's own support for writing the sessions to more servers (memcache.session_redundancy above), or, if you prefer, you can use an external solution to replicate the memcached server data: repcached.
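A check for the note above, as an added example that is not part of the original article: a POSIX shell script run on the web server that parses the server list in session.save_path (the same url format as in the example above) and probes every tcp:// entry on its port, so that you know the firewall rules from the first part actually let the web nodes through before PHP starts writing sessions there. It assumes nc is installed (used with -z for a plain connect test); udp:// entries are listed but not probed, because a UDP port cannot be tested reliably with a bare connect. The hosts in the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original article. Parses a pecl memcache
# session.save_path server list and checks from the web server that each
# tcp:// server is reachable on its port. Assumes nc is installed.

# Turn "tcp://h1:11211?persistent=1&weight=1, udp://h2" into one line per
# server: "<proto> <host> <port>". Per-server options after "?" are dropped
# and a missing port falls back to memcache's default 11211.
parse_save_path() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/?.*$//' \
        | awk -F'://' 'NF == 2 {
              n = split($2, hp, ":")
              printf "%s %s %s\n", $1, hp[1], (n > 1 ? hp[2] : 11211)
          }'
}

# Plain TCP connect test with a 2 second timeout; returns 0 when the port is open.
probe_tcp() {
    nc -z -w 2 "$1" "$2" >/dev/null 2>&1
}

# Probe every server in the list; the return value is the number of
# unreachable tcp:// servers, so 0 means the web node can reach them all.
check_save_path() {
    failures=0
    for entry in $(parse_save_path "$1" | tr ' ' '/'); do
        proto=${entry%%/*}; rest=${entry#*/}
        host=${rest%%/*};  port=${rest#*/}
        if [ "$proto" != tcp ]; then
            echo "SKIP $proto://$host:$port (only tcp servers are probed)"
        elif probe_tcp "$host" "$port"; then
            echo "OK   $host:$port"
        else
            echo "FAIL $host:$port (firewalled, not listening, or bound to another address?)"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Usage (assumed addresses):
#   sh check-session-servers.sh 'tcp://10.0.0.11:11211?persistent=1&weight=1&timeout=1&retry_interval=15, tcp://10.0.0.12:11211'
if [ $# -ge 1 ]; then
    check_save_path "$1"
fi
```

Run it on every web node, not just one: the allow-list on the memcached side is per client host, so a node that is missing from the iptables rules will report FAIL here while the others are fine.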
Discuss this article at the forum: http://forum.gocit.vn/threads/securing-memcached.667/