Encrypted Connections (TLS)

We generally don’t recommend using TLS to secure your connection. Why? Memcache is normally used only when performance matters, so low latency is critical. We therefore expect your MemCachier cache and the application that accesses it to run in the same datacenter, for example the Amazon EC2 us-east-1 datacenter. All your traffic runs over, and only over, the internal datacenter network. This is a highly secure network that can’t be sniffed or tampered with. For example, your web application is probably speaking HTTPS, but the HTTPS connection is very likely terminated at a load balancer, with unsecured HTTP then used between the load balancer and your application.

It is possible to connect to MemCachier using TLS-encrypted sockets. While no existing clients support TLS connections natively, we provide a buildpack for Heroku customers that proxies the connection to MemCachier and wraps it in a TLS connection. This can be useful for the extra paranoid among us, or to securely access your cache from outside the datacenter.

The buildpack installs and sets up stunnel on localhost, listening on port 11211. It configures stunnel to connect to the MemCachier servers specified in your MEMCACHIER_SERVERS environment variable and to verify that their certificates are signed by the MemCachier Root CA.

Use the buildpack in conjunction with another buildpack that actually runs your app, using Heroku’s multiple buildpack feature:

$ heroku buildpacks:add https://github.com/memcachier/memcachier-tls-buildpack.git

Finally, configure your app to connect to localhost:11211 instead of using the MEMCACHIER_SERVERS environment variable. Leave the MEMCACHIER_SERVERS environment variable itself unchanged, because the TLS buildpack uses it to connect to MemCachier.
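
The stunnel setup described above, sketched as an added example (not the buildpack's own script): a shell function that renders a client-mode stunnel configuration from a MEMCACHIER_SERVERS value. It assumes a single host:port entry used unchanged; the function name is hypothetical, and the hostname and CA file path in the usage comment are placeholders.

```shell
# Added illustration; not the buildpack's actual script.
# render_stunnel_conf SERVERS CA_FILE   (hypothetical helper name)
#   SERVERS : value of MEMCACHIER_SERVERS, assumed here to be one host:port
#   CA_FILE : path to the MemCachier Root CA in PEM form (placeholder)
render_stunnel_conf() {
  # Refuse empty input rather than emit a tunnel with no peer.
  [ -n "$1" ] || { echo "MEMCACHIER_SERVERS is empty" >&2; return 1; }

  # One local port maps to one upstream in this sketch; a list is rejected
  # instead of being silently truncated to its first entry.
  case "$1" in
    *,*) echo "multiple servers are not handled here" >&2; return 1 ;;
  esac

  _host="${1%:*}"    # everything before the last colon
  _port="${1##*:}"   # everything after the last colon
  [ -n "$_host" ] && [ "$_host" != "$1" ] ||
    { echo "expected host:port, got '$1'" >&2; return 1; }
  case "$_port" in
    ''|*[!0-9]*) echo "non-numeric port in '$1'" >&2; return 1 ;;
  esac

  cat <<EOF
[memcachier]
; Client mode: plaintext in on loopback only, TLS out to the cache.
client = yes
accept = 127.0.0.1:11211
connect = ${_host}:${_port}
; Fail closed unless the chain validates against the pinned CA
; and the certificate names the host we dialed.
verifyChain = yes
CAfile = $2
checkHost = ${_host}
EOF
}

# Usage (constructed values):
#   render_stunnel_conf "cache.example.invalid:11211" /path/to/memcachier-root-ca.pem
```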