django - Celery Flower Security in Production

Question

I am looking to use Flower (https://github.com/mher/flower) to monitor my Celery tasks in place of the django-admin as reccomended in their docs (http://docs.celeryproject.org/en/latest/userguide/monitoring.html#flower-real-time-celery-web-monitor). However, because I am new to this I am a little confused about the way Flower's page is only based on HTTP, and not HTTPS. How can I enable security for my Celery tasks such that any old user can't just visit the no-login-needed website http://flowerserver.com:5555 and change something?

I have considered Celery's own documentation on this, but they unfortunately there is no mention of how to secure Flower's api or web ui. All it says: [Need more text here]

Thanks!

Update: My question is in part a duplicate of here: How do I add authentication and endpoint to Django Celery Flower Monitoring?

However, I clarify his question here by asking how to run it using an environment that includes nginx, gunicorn, and celery all on the same remote machine. I too am wondering about how to set up Flower's outside accessible url, but also would prefer something like https instead of http if possible (or some way of securing the webui and accessing it remotely). I also need to know if leaving Flower running is a considerable security risk for anyone who may gain access to Flower's internal API and what the best way for securing this could be, or if it should just be disabled altogether and used just on an as-needed basis.

question from:https://stackoverflow.com/questions/19689510/celery-flower-security-in-production

Answer 1

You can run flower with --auth flag, which will authenticate using a particular google email:

celery flower [email protected]

Edit 1:

New version of Flower requires couple more flags and a registered OAuth2 Client with Google Developer Console:

celery flower [email protected] --oauth2_key="client_id" --oauth2_secret="client_secret" --oauth2_redirect_uri="http://example.com:5555/login"

oauth2_redirect_uri has to be the actual flower login url, and it also has to be added to authorized redirect url's in Google Development Console.

Unfortunately this feature doesn't work properly in current stable version 0.7.2, but it is now fixed in development version 0.8.0-dev with this commit.

Edit 2:

You can configure Flower using basic authentication:

celery flower --basic_auth=user1:password1,user2:password2

Then block 5555 port for all but localhost and configure reverse proxy for nginx or for apache:

ProxyRequests off
ProxyPreserveHost On
ProxyPass / http://localhost:5555

Then make sure proxy mod is on:

sudo a2enmod proxy
sudo a2enmod proxy_http

In case you can't set it up on a separate subdomain, ex: flower.example.com (config above), you can set it up for example.com/flower:

run flower with url_prefix:

celery flower --url_prefix=flower --basic_auth=user1:password1,user2:password2

in apache config:

ProxyPass /flower http://localhost:5555

Of course, make sure SSL is configured, otherwise there is no point :)