I am looking to use Flower (https://github.com/mher/flower) to monitor my Celery tasks in place of the django-admin as recommended in their docs (http://docs.celeryproject.org/en/latest/userguide/monitoring.html#flower-real-time-celery-web-monitor). However, because I am new to this I am a little confused about the way Flower's page is only based on HTTP, and not HTTPS. How can I enable security for my Celery tasks such that any old user can't just visit the no-login-needed website http://flowerserver.com:5555 and change something?
I have considered Celery's own documentation on this, but unfortunately there is no mention of how to secure Flower's API or web UI. All it says: [Need more text here]
Thanks!
Update: My question is in part a duplicate of here: How do I add authentication and endpoint to Django Celery Flower Monitoring?
However, I clarify his question here by asking how to run it using an environment that includes nginx, gunicorn, and celery all on the same remote machine. I too am wondering how to set up Flower's outside-accessible URL, but would also prefer something like HTTPS instead of HTTP if possible (or some way of securing the web UI and accessing it remotely). I also need to know if leaving Flower running is a considerable security risk for anyone who may gain access to Flower's internal API and what the best way of securing this would be, or if it should just be disabled altogether and used only on an as-needed basis.
I wanted flower on a subdirectory of my webserver, so my nginx reverse proxy configuration looked like this:
Now I can get to flower (password-protected) via www.example.com/flower
Most of this is derived from the Flower documentation page about configuring an nginx reverse proxy:
http://flower.readthedocs.org/en/latest/reverse-proxy.html
You can run flower with the --auth flag, which will authenticate using a particular Google email:
Edit 1:
The new version of Flower requires a couple more flags and a registered OAuth2 Client in the Google Developer Console:
oauth2_redirect_uri has to be the actual flower login URL, and it also has to be added to the authorized redirect URLs in the Google Development Console. Unfortunately this feature doesn't work properly in the current stable version 0.7.2, but it is now fixed in the development version 0.8.0-dev with this commit.
Edit 2:
You can configure Flower using basic authentication:
Then block port 5555 for all but localhost and configure a reverse proxy for nginx or for Apache:
Then make sure the proxy mod is on:
In case you can't set it up on a separate subdomain, e.g. flower.example.com (config above), you can set it up for example.com/flower: run flower with url_prefix:
in the Apache config:
Of course, make sure SSL is configured, otherwise there is no point :)
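The two answers above describe the same deployment (Flower bound to localhost with basic auth and a URL prefix, port 5555 unreachable from outside, an authenticating TLS reverse proxy in front under /flower) but the config blocks did not survive on this page. What follows is an added example written for this page, not code from either answerer or from the Flower project. It assumes a Celery app called "proj", the host www.example.com, and placeholder certificate and htpasswd paths; the Flower flags it uses (--address, --port, --url_prefix, --basic_auth) are real Flower options.

```shell
#!/bin/sh
# Added example, not taken from either answer: wire up the pieces both answers
# describe (Flower bound to loopback with --basic_auth and --url_prefix, port
# 5555 unreachable from outside, an authenticating TLS reverse proxy in front).
# Assumed placeholders: the Celery app "proj", host www.example.com, the
# certificate and htpasswd paths.
set -eu

# Flower command line. --address=127.0.0.1 keeps the Tornado listener off the
# network so only the local proxy can reach it; --url_prefix matches the proxy
# path; --basic_auth is Flower's own HTTP basic auth, a second gate behind the
# proxy's. Refuses to build a command with empty credentials.
flower_cmd() {
  user="$1"; pass="$2"; prefix="${3:-flower}"
  if [ -z "$user" ] || [ -z "$pass" ]; then
    echo "refusing to start Flower without credentials" >&2
    return 1
  fi
  printf 'celery -A proj flower --address=127.0.0.1 --port=5555 --url_prefix=%s --basic_auth=%s:%s\n' \
    "$prefix" "$user" "$pass"
}

# Audit one line of "ss -ltn" or "netstat -ltn" output (field 4 is the local
# address:port). Returns 0 when port 5555 is bound to loopback only or the line
# is about another port, 1 when Flower is listening on a reachable interface.
loopback_only() {
  local_addr=$(printf '%s\n' "$1" | awk '{print $4}')
  case "$local_addr" in
    127.0.0.1:5555|"[::1]:5555") return 0 ;;
    *:5555) return 1 ;;
    *) return 0 ;;
  esac
}

# nginx: redirect plain HTTP, terminate TLS, require auth_basic, proxy to
# loopback. Whether the /flower prefix must be rewritten away before
# proxy_pass has changed between Flower releases; check the reverse-proxy page
# of the Flower docs for the version you run.
nginx_conf() {
  prefix="${1:-flower}"
  cat <<EOF
server {
    listen 80;
    server_name www.example.com;
    return 301 https://\$host\$request_uri;   # never serve Flower over plain HTTP
}
server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate     /etc/ssl/certs/example.com.pem;
    ssl_certificate_key /etc/ssl/private/example.com.key;

    location /${prefix}/ {
        auth_basic           "Flower";
        auth_basic_user_file /etc/nginx/flower.htpasswd;   # htpasswd -c /etc/nginx/flower.htpasswd monitor
        proxy_pass http://127.0.0.1:5555;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_redirect off;
        proxy_http_version 1.1;                     # websocket upgrade for live task updates
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
EOF
}

# Apache equivalent for the same path (needs: a2enmod proxy proxy_http ssl).
apache_conf() {
  prefix="${1:-flower}"
  cat <<EOF
<Location /${prefix}>
    AuthType Basic
    AuthName "Flower"
    AuthUserFile /etc/apache2/flower.htpasswd
    Require valid-user
    ProxyPass        http://127.0.0.1:5555/${prefix}
    ProxyPassReverse http://127.0.0.1:5555/${prefix}
</Location>
EOF
}

flower_cmd monitor s3cret flower
nginx_conf flower
apache_conf flower
```

Run it and paste the emitted blocks into your nginx or Apache site config; run `loopback_only` over each line of `ss -ltn` on the box after starting Flower to confirm nothing on 5555 is bound to 0.0.0.0 or [::]. Basic auth over plain HTTP sends the password base64-encoded on every request, which is why the HTTP server block only redirects.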
How would HTTP and HTTPS affect Celery security? What user logins are you referring to?
Flower monitors a Celery queue by attaching to the workers. When setting up Flower you need to provide a connection string: [broker]://[user_name]:[password]@[database_address]:[port]/[instance]. The user name and password are the credentials to log into the database of your choice.
If you're referring to this login, wouldn't simply disabling/removing their logins suffice?
Yep, there's no auth on flower, since it's just talking to the broker, but if you run it over SSL then basic auth should be good enough.