Problem description
I am looking to use Flower (https://github.com/mher/flower) to monitor my Celery tasks in place of the django-admin as recommended in their docs (http://docs.celeryproject.org/en/latest/userguide/monitoring.html#flower-real-time-celery-web-monitor). However, because I am new to this I am a little confused about the way Flower's page is only based on HTTP, and not HTTPS. How can I enable security for my Celery tasks such that any old user can't just visit the no-login-needed website http://flowerserver.com:5555 and change something?
I have considered Celery's own documentation on this, but unfortunately there is no mention of how to secure Flower's API or web UI. All it says: [Need more text here]
Thanks!
Update: My question is in part a duplicate of here: How do I add authentication and endpoint to Django Celery Flower Monitoring?
However, I clarify his question here by asking how to run it using an environment that includes nginx, gunicorn, and celery all on the same remote machine. I too am wondering about how to set up Flower's outside accessible url, but also would prefer something like https instead of http if possible (or some way of securing the webui and accessing it remotely). I also need to know if leaving Flower running is a considerable security risk for anyone who may gain access to Flower's internal API and what the best way for securing this could be, or if it should just be disabled altogether and used just on an as-needed basis.
Recommended answer
You can run flower with --auth flag, which will authenticate using a particular google email:
celery flower --auth=[email protected]
Edit 1:
New version of Flower requires a couple more flags and a registered OAuth2 Client with Google Developer Console:
celery flower --auth=[email protected] --oauth2_key="client_id" --oauth2_secret="client_secret" --oauth2_redirect_uri="http://example.com:5555/login"
oauth2_redirect_uri has to be the actual flower login URL, and it also has to be added to the authorized redirect URLs in Google Development Console.
Unfortunately this feature doesn't work properly in current stable version 0.7.2, but it is now fixed in development version 0.8.0-dev with this commit.
Edit 2:
You can use:
celery flower --basic_auth=user1:password1,user2:password2
Then block 5555 port for all but localhost and configure reverse proxy for nginx or for apache:
ProxyRequests off
ProxyPreserveHost On
ProxyPass / http://localhost:5555/
Then make sure proxy mod is on:
sudo a2enmod proxy
sudo a2enmod proxy_http
In case you can't set it up on a separate subdomain, ex: flower.example.com (config above), you can set it up for example.com/flower:
Run flower with url_prefix:
celery flower --url_prefix=flower --basic_auth=user1:password1,user2:password2
in apache config:
ProxyPass /flower http://localhost:5555
Of course, make sure SSL is configured, otherwise there is no point :)
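A small pre-deployment check for the steps in the answer above, as an added example that is not part of the original answer or of Flower itself: it audits a Flower command line for missing authentication, incomplete OAuth2 flags, a plain-HTTP login redirect, and a listener that is not bound to loopback. The function names and the address ops@example.com are hypothetical; --address is Flower's bind-address option, which the answer does not mention, and the claim that Flower listens on all interfaces without it is an assumption about its default.

```python
import shlex
from urllib.parse import urlparse

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
OAUTH_FLAGS = ("oauth2_key", "oauth2_secret", "oauth2_redirect_uri")

def parse_options(cmdline):
    """Collect --name=value options (the form used in the answer) into a dict."""
    opts = {}
    for tok in shlex.split(cmdline):
        if tok.startswith("--"):
            name, _, value = tok[2:].partition("=")
            opts[name.replace("-", "_")] = value
    return opts

def audit_flower_command(cmdline):
    """Return a list of (code, message) findings for one Flower command line."""
    opts, findings = parse_options(cmdline), []
    users = [u for u in opts.get("basic_auth", "").split(",") if u]
    if not users and not opts.get("auth"):
        findings.append(("no-auth", "neither --basic_auth nor --auth is set"))
    # Each basic-auth entry needs a non-empty user and a non-empty password.
    if any(not all(u.partition(":")[::2]) for u in users):
        findings.append(("bad-basic-auth", "entry is not user:password"))
    if opts.get("auth"):
        missing = [f for f in OAUTH_FLAGS if not opts.get(f)]
        if missing:
            findings.append(("oauth-incomplete", "missing --" + ", --".join(missing)))
        uri = opts.get("oauth2_redirect_uri")
        if uri and urlparse(uri).scheme != "https":
            findings.append(("plaintext-redirect", "login URL is not https"))
    # Assumption: without --address Flower listens on every interface, so
    # port 5555 stays reachable without going through the TLS reverse proxy.
    if opts.get("address", "") not in LOOPBACK:
        findings.append(("exposed-port", "bind with --address=127.0.0.1"))
    return findings

def codes(cmdline):
    """Finding codes only, in the order they were raised."""
    return [code for code, _ in audit_flower_command(cmdline)]

# Constructed sample command lines (ops@example.com is a placeholder address).
SAMPLES = [
    "celery flower",
    'celery flower --auth=ops@example.com --oauth2_key="client_id" '
    '--oauth2_secret="client_secret" --oauth2_redirect_uri="http://example.com:5555/login"',
    "celery flower --address=127.0.0.1 --url_prefix=flower --basic_auth=user1:password1",
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(cmd, "->", codes(cmd) or "ok")
```

An empty result only means the command line matches the answer's checklist; the firewall rule for port 5555 and the SSL setup on the reverse proxy still have to be verified on the host.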