Celery Flower Security in Production
You can run flower with --auth flag, which will authenticate using a particular google email:
celery flower --auth=your.email@gmail.com
Edit 1:
New version of Flower requires couple more flags and a registered OAuth2 Client with Google Developer Console:
celery flower \ --auth=your.email@gmail.com \ --oauth2_key="client_id" \ --oauth2_secret="client_secret" \ --oauth2_redirect_uri="http://example.com:5555/login"
oauth2_redirect_uri
has to be the actual flower login url, and it also has to be added to authorized redirect url's in Google Development Console.
Unfortunately this feature doesn't work properly in current stable version 0.7.2
, but it is now fixed in development version 0.8.0-dev
with this commit.
Edit 2:
You can configure Flower using basic authentication:
celery flower --basic_auth=user1:password1,user2:password2
Then block 5555 port for all but localhost and configure reverse proxy for nginx or for apache:
ProxyRequests offProxyPreserveHost OnProxyPass / http://localhost:5555
Then make sure proxy mod is on:
sudo a2enmod proxysudo a2enmod proxy_http
In case you can't set it up on a separate subdomain, ex: flower.example.com
(config above), you can set it up for example.com/flower
:
run flower with url_prefix
:
celery flower --url_prefix=flower --basic_auth=user1:password1,user2:password2
in apache config:
ProxyPass /flower http://localhost:5555
Of course, make sure SSL is configured, otherwise there is no point :)
I have figured out it using proxy on Django side https://pypi.org/project/django-revproxy/. So Flower is hidden behind Django auth which is more flexible than basic auth. And you don't need rewrite rule in NGINX.
Flower 0.9.5 and higher
URL prefix must be moved into proxy path: https://github.com/mher/flower/pull/766
urls.py
urlpatterns = [ FlowerProxyView.as_url(), ...]
views.py
class FlowerProxyView(UserPassesTestMixin, ProxyView): # `flower` is Docker container, you can use `localhost` instead upstream = 'http://{}:{}'.format('flower', 5555) url_prefix = 'flower' rewrite = ( (r'^/{}$'.format(url_prefix), r'/{}/'.format(url_prefix)), ) def test_func(self): return self.request.user.is_superuser @classmethod def as_url(cls): return re_path(r'^(?P<path>{}.*)$'.format(cls.url_prefix), cls.as_view())
Flower 0.9.4 and lower
urls.py
urlpatterns = [ re_path(r'^flower/?(?P<path>.*)$', FlowerProxyView.as_view()), ...]
views.py
from django.contrib.auth.mixins import UserPassesTestMixinfrom revproxy.views import ProxyViewclass FlowerProxyView(UserPassesTestMixin, ProxyView): # `flower` is Docker container, you can use `localhost` instead upstream = 'http://flower:5555' def test_func(self): return self.request.user.is_superuser
I wanted flower on a subdirectory of my webserver, so my nginx reverse proxy configuration looked like this:
location /flower/ { proxy_pass http://localhost:5555/; proxy_redirect off; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Protocol $scheme; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_http_version 1.1; auth_basic "Restricted"; auth_basic_user_file /etc/nginx/.htpasswd;}
Now I can get to flower (password-protected) via www.example.com/flower
Most of this is derived from the Flower documentation page about configuring an nginx reverse proxy: