-
Notifications
You must be signed in to change notification settings - Fork 227
Security
There are two aspects of security to consider.
As of v1.9.0, Faktory can terminate TLS. To do this you must place private.key.pem and public.cert.pem in Faktory's config directory (these can be soft links to your actual certificate store on disk). If found and all goes well, you'll see TLS in the logs:
I 2024-02-20T16:37:40.066Z **TLS activated with /Users/mperham/.faktory/public.cert.pem**
I 2024-02-20T16:37:40.069Z PID 59451 listening at localhost:7419, press Ctrl-C to stop
I 2024-02-20T16:37:40.069Z Web server now listening **via TLS** at localhost:7420
Both port 7419 and 7420 will now require TLS; plaintext clients trying to connect will get an ECONNRESET error.
As another option you can put haproxy, stunnel or spiped "in front of" Faktory to terminate TLS, even inside the same Docker container. (If anyone has a sample configuration to do this, please open an issue so we can add it to the wiki here)
You can configure the Go and Ruby clients to use TLS by including tls in the URL scheme:
FAKTORY_URL=tcp+tls://myhost.example.com:7419
The Golang and Ruby clients both respect OpenSSL's SSL_CERT_DIR and SSL_CERT_FILE ENV variables if you want to use a self-signed cert or provide your own internal CA certs.
Faktory uses a global password to verify client connections. When connecting, the server immediately sends a HI challenge with a nonce. All clients must send a HELLO command to Faktory with a pwdhash attribute based on that nonce.
The password is passed to the Faktory clients in the URL: tcp://:mypassword@some-hostname.example.com:7419
Faktory looks for a password in the FAKTORY_PASSWORD environment variable or in /etc/faktory/password.
Here's a one-liner to create a random hex password:
$ dd count=1 if=/dev/urandom 2>&1| shasum | tail -1 | cut -c1-32
0bf64d9491ca65b48f9fe07636680b1d
If you're using Docker, you can add the password as a managed secret.
$ echo "0bf64d9491ca65b48f9fe07636680b1d" | docker secret create faktory_password -
and then mount it into your Faktory container:
$ docker service create --name faktory --secret faktory_password --env FAKTORY_PASSWORD=/run/secrets/faktory_password contribsys/faktory:latest
Notice if FAKTORY_PASSWORD starts with a /, Faktory will treat it as a file with the password in it.
If Faktory is configured to use a password, the Web UI also enables HTTP Basic Auth with that same password. The username can be any value.
Home | Installation | Getting Started Ruby | Job Errors | FAQ | Related Projects
This wiki is tracked by git and publicly editable. You are welcome to fix errors and typos. Any defacing or vandalism of content will result in your changes being reverted and you being blocked.