Hi Lorna,

Something to remember that is often overlooked and worth pointing out to the security conscious is that daemons like beanstalkd run in an insecure fashion. Even though the daemon is bound to 127.0.0.1 in your example, any minor compromise of the host would allow anything to be popped in and out of the queue without any privilege escalation needed.

You should use the owner module in iptables (or similar depending on your environment) to prevent any processes not owned by your application specific php5-fpm user from being able to connect to that port.

In a distributed architecture this is even more important, because you have to configure the firewall of the beanstalkd host and each client that’s allowed to connect to the host.

Apologies if this is too deep and not applicable!

Steve
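The iptables owner-module restriction Steve describes, written out as an added example (not code from the post or the comment). It assumes beanstalkd's default port 11300, `www-data` as the php5-fpm pool user, and constructed 10.0.0.x addresses for the distributed case; it prints the rules by default and only applies them when `DRY_RUN=0`.

```shell
#!/bin/sh
# Added example: iptables rules so that only the application user can talk to
# beanstalkd. Assumed values: port 11300 (beanstalkd default), user www-data.
PORT="${PORT:-11300}"
APP_USER="${APP_USER:-www-data}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = run them (needs root)

# Print or execute one iptables command.
ipt() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "iptables $*"
  else
    iptables "$@"
  fi
}

# Single host, daemon bound to 127.0.0.1. The owner match only exists for
# locally generated packets, so the check has to live in the OUTPUT chain on
# the loopback interface: accept the pool user, reset everyone else.
# Rules are appended, so they must come before any broader ACCEPT in OUTPUT.
local_rules() {
  ipt -A OUTPUT -o lo -p tcp --dport "$PORT" -m owner --uid-owner "$APP_USER" -j ACCEPT
  ipt -A OUTPUT -o lo -p tcp --dport "$PORT" -j REJECT --reject-with tcp-reset
}

# Distributed setup, queue host side: the server never sees the client's uid,
# so it can only filter by source address in INPUT. $@ = allowed client IPs.
server_rules() {
  for client in "$@"; do
    ipt -A INPUT -p tcp --dport "$PORT" -s "$client" -j ACCEPT
  done
  ipt -A INPUT -p tcp --dport "$PORT" -j DROP
}

# Distributed setup, client side: keep the owner match in OUTPUT, scoped to
# the queue host. $1 = beanstalkd server IP.
client_rules() {
  ipt -A OUTPUT -p tcp -d "$1" --dport "$PORT" -m owner --uid-owner "$APP_USER" -j ACCEPT
  ipt -A OUTPUT -p tcp -d "$1" --dport "$PORT" -j REJECT --reject-with tcp-reset
}

# Usage with constructed addresses (dry run prints the rule set).
local_rules
server_rules 10.0.0.11 10.0.0.12
client_rules 10.0.0.1
```

Run with `DRY_RUN=0` as root to apply; `iptables -S OUTPUT` afterwards should show the ACCEPT for the pool user ahead of the REJECT.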