Memcached listen on selected interfaces

I am setting up Memcached on a Debian server that has two interfaces - eth0 (public) and eth1 (private).

I want Memcached to listen on both eth1 and lo (loopback) so that it can be accessed even if the private network goes down but NOT eth0 (public).

From the man page for memcached I understand that the -l option can take only one IP address. I thought of using UNIX sockets for local connections but the man page says

-s
Unix socket path to listen on (disables network support).

The only other method I know is to block connections via eth0 using IPTables. Is there any other solution that does not make use of the firewall?


It's not as convenient as listing an interface and getting all of its bound addresses, and it requires knowing all the addresses bound to an interface, but it can be done. (Note that you cannot just list some interfaces, as you have discovered -- either a single interface, all interfaces, or a list of IPs.)

The -l option can take an interface, INADDR_ANY (which means all addresses on all interfaces), or a comma-separated list of IP addresses. An IP address may have an optional port specification. So, for instance

memcached -l 127.0.0.1:11211,127.0.0.1:11212,10.1.2.3

will have memcached listen to lo0 only on 127.0.0.1 on ports 11211 and 11212 and also to the address 10.1.2.3 (on whichever interface it is) on whatever port is set by -p or -U.

You are required to know/have all the addresses you want to bind. This is perhaps a large gap between lo0 and a list of IPs (since memcached's default internal resource limitations will not permit binding to the ~2^24 addresses on that interface).
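
An added example (not part of the answer above) of the two steps that approach needs: collecting every IPv4 address on the wanted interfaces into a -l list, then checking that nothing listens on the memcached port outside that list. The function names and the sample `ip`/`ss` output are constructed for illustration, and the interface names and port 11211 are taken from the question and answer.

```shell
#!/bin/sh
# listen_list IFACE... : reads `ip -o -4 addr show` output on stdin and prints
# a comma-separated list of every IPv4 address on the named interfaces.
listen_list() {
    awk -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) ok[w[i]] = 1 }
        $3 == "inet" && ($2 in ok) {
            sub(/\/.*/, "", $4)                      # drop the /prefix length
            out = out (out == "" ? "" : ",") $4
        }
        END { print out }'
}

# unexpected_listeners ALLOWED_CSV PORT : reads `ss -ltn` output on stdin and
# prints each local address listening on PORT that is not in ALLOWED_CSV.
# A wildcard bind (0.0.0.0, * or [::]) is reported, since it covers eth0 too.
unexpected_listeners() {
    awk -v allowed="$1" -v port="$2" '
        BEGIN { n = split(allowed, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            addr = $4; p = $4
            sub(/.*:/, "", p)          # port: text after the last colon
            sub(/:[^:]*$/, "", addr)   # address: text before the last colon
            if (p == port && !(addr in ok)) print addr
        }'
}

# Constructed sample of `ip -o -4 addr show` (trimmed): eth0 is public,
# eth1 is private and carries a secondary address.
SAMPLE_IP_ADDR='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 203.0.113.10/24 brd 203.0.113.255 scope global eth0
3: eth1    inet 10.1.2.3/24 brd 10.1.2.255 scope global eth1
3: eth1    inet 10.1.2.4/24 scope global secondary eth1'

# Constructed sample of `ss -ltn`: memcached was also given the public address.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      1024   127.0.0.1:11211    0.0.0.0:*
LISTEN 0      1024   203.0.113.10:11211 0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

LISTEN_ARG=$(printf '%s\n' "$SAMPLE_IP_ADDR" | listen_list lo eth1)
echo "memcached -l $LISTEN_ARG"
echo "unexpected listeners on 11211:"
printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "$LISTEN_ARG" 11211
```

On a live host, pipe the real `ip -o -4 addr show` and `ss -ltn` output into the two functions instead of the samples; the audit also catches the bind-to-everything fallback if the firewall rule is ever dropped.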


As pointed out in the accepted answer, newer versions do support it:

memcached -l 127.0.0.1:11211,127.0.0.2:11211  

or

memcached -l 127.0.0.1:11211 -l 127.0.0.2:11211  

Older versions (shipped with CentOS 6.5 or earlier) do not yet support that; they can either listen on all interfaces, a single IP address or a socket, not any combination of those.

Your only way to solve this is to bind it to all interfaces and firewall the public interface, or bind it to 127.0.0.1 only and forward requests to eth1:11211 to lo0:11211 via iptables.