Installing and Configuring Memcached with SASL Authentication on RHEL 9 for Distributed Laravel Session Storage
Prerequisites and Initial Setup
This guide assumes you have a RHEL 9 server (or multiple servers for a distributed setup) with root or sudo privileges. We’ll be installing Memcached and configuring SASL for secure authentication. This is crucial for protecting your session data when using Memcached as a distributed session store for Laravel applications.
First, ensure your system is up-to-date:
sudo dnf update -y
Next, install the Memcached server and the SASL development libraries. The `memcached` package provides the server, and `cyrus-sasl-devel` provides the necessary headers and libraries for SASL integration.
sudo dnf install -y memcached cyrus-sasl-devel
Compiling Memcached with SASL Support
The default RHEL 9 `memcached` package might not be compiled with SASL support enabled. To ensure this, we’ll compile Memcached from source. Download the latest stable source code from the official Memcached website.
Find the latest version at https://memcached.org/downloads. As of this writing, version 1.6.22 is current. Adjust the URL if a newer version is available.
wget https://memcached.org/files/memcached-1.6.22.tar.gz
tar -xzf memcached-1.6.22.tar.gz
cd memcached-1.6.22
Now, configure the build with SASL support. The `--enable-sasl` flag is key here. We also need to ensure the SASL libraries are discoverable.
./configure --enable-sasl --prefix=/usr/local/memcached --sysconfdir=/etc/memcached --localstatedir=/var/lib/memcached
make
sudo make install
After installation, we need to create a systemd service file for our custom-compiled Memcached instance. The default service file will point to the system-installed binary, which we are replacing.
sudo nano /etc/systemd/system/memcached.service
Paste the following content into the file, adjusting paths if you chose a different `--prefix` during configuration:
[Unit]
Description=Memcached server with SASL
After=network.target
[Service]
Type=forking
User=memcached
Group=memcached
PIDFile=/var/run/memcached/memcached.pid
# -d daemonizes the process, which Type=forking and the -P PID file both require
ExecStart=/usr/local/memcached/bin/memcached -d -m 64 -p 11211 -u memcached -l 127.0.0.1 --enable-sasl -P /var/run/memcached/memcached.pid
ExecStop=/bin/kill -HUP $MAINPID
[Install]
WantedBy=multi-user.target
Create the necessary directories and set permissions:
# Create the group and user first so the chown below can resolve them
sudo groupadd memcached
sudo useradd -r -s /sbin/nologin -c "Memcached daemon" -d /var/lib/memcached -g memcached memcached
sudo mkdir -p /var/run/memcached
sudo chown memcached:memcached /var/run/memcached
Reload the systemd daemon and start the Memcached service:
sudo systemctl daemon-reload
sudo systemctl enable memcached
sudo systemctl start memcached
sudo systemctl status memcached
Configuring SASL Authentication
SASL configuration involves defining authentication mechanisms and user credentials. We’ll use the `sasldb` mechanism for simplicity, which stores credentials in a database file.
First, create a SASL database. This command creates a new database file and prompts you to set a password for the specified user. Replace `memcached_user` with your desired username.
sudo saslpasswd2 -c -u memcached memcached_user
You will be prompted to enter and confirm a password for `memcached_user`. This password will be used by your Laravel application to connect to Memcached.
Next, configure the SASL library to use the `sasldb` mechanism for the `memcached` service. Create or edit the SASL configuration file:
sudo nano /etc/sasl2/memcached.conf
Add the following lines to the file:
pwcheck_method: sasldb
mech_list: plain login
The `pwcheck_method: sasldb` tells SASL to use the `sasldb` backend. `mech_list` specifies the authentication mechanisms that the server will advertise and accept. `plain` and `login` are common mechanisms that work with `sasldb`.
Ensure the SASL database file is readable by the `memcached` user. The default location for the `sasldb` database is `/etc/sasldb2`. We need to ensure the `memcached` user can access it.
sudo chown memcached:memcached /etc/sasldb2
sudo chmod 640 /etc/sasldb2
Restart Memcached to apply the SASL configuration:
sudo systemctl restart memcached
Testing Memcached with SASL
Before configuring Laravel, it’s essential to test the Memcached server with SASL authentication from the command line. The `memcached-tool` utility is useful for this, but it doesn’t directly support SASL. Instead, we’ll use `telnet` or `nc` and manually construct the SASL handshake.
Connect to the Memcached server:
telnet 127.0.0.1 11211
Once connected, you should see `VERSION …` or `DEVELLLL`. If you see `ERROR`, SASL might not be enabled correctly. If you see `VERSION …`, proceed with the SASL handshake. The handshake involves sending an `auth plain` command, followed by the base64-encoded username and password.
First, get the base64 encoded string for your username and password. For example, if your username is `memcached_user` and password is `your_secret_password`:
echo -n "memcached_user:memcached_user:your_secret_password" | base64
This will output a string like `bWVtY2FjaGVkX3VzZXI6bWVtY2FjaGVkX3VzZXI6eW91cl9zZWNyZXRfcGFzc3dvcmQ=`. Now, send the authentication command to Memcached:
auth plain bWVtY2FjaGVkX3VzZXI6bWVtY2FjaGVkX3VzZXI6eW91cl9zZWNyZXRfcGFzc3dvcmQ=
If authentication is successful, you should receive `OK`. If it fails, you’ll get an `ERROR` message. If successful, you can now set and get keys:
set mykey 0 60 5
hello
STORED
get mykey
VALUE mykey 0 5
hello
END
Type `quit` to exit telnet.
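An added example, not part of the original guide: memcached carries SASL over its binary protocol, so this Python check frames a SASL PLAIN request (opcode 0x21) and confirms that a GET sent before authentication is refused. The function names are illustrative, and passing the username as `memcached_user@memcached` (matching the `-u memcached` realm used above) is an assumption.

```python
import socket
import struct

# 24-byte header: magic, opcode, key len, extras len, data type, status, body len, opaque, CAS
HEADER = struct.Struct(">BBHBBHIIQ")
REQ_MAGIC, RES_MAGIC = 0x80, 0x81
OP_GET, OP_SASL_AUTH = 0x00, 0x21
STATUS = {0x0000: "ok", 0x0001: "key not found", 0x0020: "auth error", 0x0021: "auth continue"}


def build_request(opcode, key=b"", value=b""):
    """Frame one request: header, then key, then value (no extras)."""
    return HEADER.pack(REQ_MAGIC, opcode, len(key), 0, 0, 0,
                       len(key) + len(value), 0, 0) + key + value


def sasl_plain_request(username, password, authzid=""):
    """SASL PLAIN token: authzid NUL authcid NUL password (RFC 4616)."""
    token = b"\0".join(s.encode() for s in (authzid, username, password))
    return build_request(OP_SASL_AUTH, key=b"PLAIN", value=token)


def read_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf


def roundtrip(sock, request):
    """Send one request, read one response, return its status name."""
    sock.sendall(request)
    fields = HEADER.unpack(read_exact(sock, HEADER.size))
    if fields[0] != RES_MAGIC:
        raise ValueError("not a binary-protocol response")
    read_exact(sock, fields[6])  # drain the response body
    return STATUS.get(fields[5], hex(fields[5]))


def check_server(host, port, username, password):
    """A GET before auth should be refused; SASL PLAIN should succeed."""
    results = {}
    for name, req in (("unauthenticated_get", build_request(OP_GET, b"mykey")),
                      ("sasl_auth", sasl_plain_request(username, password))):
        with socket.create_connection((host, port), timeout=5) as sock:
            results[name] = roundtrip(sock, req)
    return results
```

Calling `check_server("127.0.0.1", 11211, "memcached_user@memcached", "your_secret_password")` against a correctly configured instance should report `auth error` for the unauthenticated GET and `ok` for the SASL step; `key not found` for the GET means the server is answering without authentication.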
Configuring Laravel for Memcached Session Storage
Now, let’s configure your Laravel application to use this SASL-authenticated Memcached instance for session storage. Ensure you have the Memcached PECL extension installed in your PHP environment.
sudo dnf install -y php-pecl-memcached
Edit your Laravel application’s session configuration file, typically located at `config/session.php`. Change the `driver` to `memcached`.
// config/session.php
'driver' => env('SESSION_DRIVER', 'memcached'),
Next, configure the Memcached connection details in your `.env` file. You’ll need to specify the host, port, and importantly, the SASL username and password.
# .env file
MEMCACHED_HOST=127.0.0.1
MEMCACHED_PORT=11211
MEMCACHED_USERNAME=memcached_user
MEMCACHED_PASSWORD=your_secret_password
Laravel’s Memcached session driver uses the `cache` configuration for its connection details. Ensure your `config/cache.php` file is set up to use Memcached and references the environment variables correctly. If you’re using multiple Memcached servers, you can define them in the `config/cache.php` file.
// config/cache.php
'default' => env('CACHE_DRIVER', 'file'), // Set this to 'memcached' to use it for caching
'stores' => [
    // ... other stores
    'memcached' => [
        'driver' => 'memcached',
        // SASL credentials as a [username, password] pair; Laravel passes them to Memcached::setSaslAuthData()
        'sasl' => [
            env('MEMCACHED_USERNAME'),
            env('MEMCACHED_PASSWORD'),
        ],
        'servers' => [
            [
                'host' => env('MEMCACHED_HOST', '127.0.0.1'),
                'port' => env('MEMCACHED_PORT', 11211),
                'weight' => 100,
            ],
            // Add more servers here for a distributed setup
            // [
            //     'host' => 'memcached2.example.com',
            //     'port' => 11211,
            //     'weight' => 100,
            // ],
        ],
    ],
    // ...
],
After updating the configuration files, clear your Laravel application’s configuration cache:
php artisan config:clear
Distributed Session Storage Considerations
For a distributed setup, you’ll need multiple Memcached servers. Ensure each server is configured with SASL support as described above. Then, update the `servers` array in `config/cache.php` on your Laravel application server(s) to include all Memcached instances.
When configuring multiple Memcached servers, the `weight` parameter in the `servers` array determines how requests are distributed. A higher weight means a server will receive a larger proportion of requests.
It’s also crucial to ensure network connectivity between your Laravel application server(s) and all Memcached servers on the configured port (default 11211). Firewall rules on both the application and Memcached servers must allow this traffic.
For enhanced security in a production environment, consider:
- Binding Memcached to specific network interfaces rather than `0.0.0.0` if it’s not intended to be globally accessible.
- Using TLS/SSL encryption if the Memcached traffic traverses untrusted networks (though Memcached itself does not natively support TLS; this would require a proxy like HAProxy).
- Regularly rotating SASL passwords.
By following these steps, you can establish a secure and robust distributed session storage solution for your Laravel applications using Memcached with SASL authentication on RHEL 9.