Mike Perham edited this page Oct 10, 2017 · 18 revisions

Faktory provides for two aspects of security: encryption of the network connection and authentication of clients.

Encryption

Faktory has native support for TLS sockets, providing end-to-end encrypted network connections to the API and Web UI ports. If Faktory is listening on a non-localhost interface, TLS is required. By default, Faktory binds to localhost and TLS is not required, making local development easy.

Faktory looks for TLS certificates in two locations: /etc/faktory/tls and ~/.faktory/tls. Your certificate should be two files: public.crt and private.key. Faktory supports an optional ca.crt for the CA intermediate certificate chain.

~/.faktory/tls (master=)$ ls -l
-rw-r--r--  1 mikeperham  staff  4103 Oct  9 20:33 ca.crt
-rw-r--r--  1 mikeperham  staff  1704 Oct  9 20:33 private.key
-rw-r--r--  1 mikeperham  staff  1915 Oct  9 20:33 public.crt

Best practice is to store your certs according to the operating system convention (in CentOS, /etc/pki/tls; in Ubuntu, /etc/ssl) and symlink them into the faktory/tls directory:

sudo bash
ln -s /etc/ssl/cert/my.crt /etc/faktory/tls/public.crt
ln -s /etc/ssl/private/secret.key /etc/faktory/tls/private.key
exit

Authentication

Faktory uses a global password to verify client connections. When connecting, all clients must send an AHOY command to Faktory with two attributes: pwdhash and salt.

AHOY {"pwdhash":"d40b8917d7aff72a40a677c55992d2edc1b41331ec3b24641f2affa67b8dba09","salt":"aos,dfis33dkvn"}

The pwdhash attribute is the hex-encoded sha256(password+salt). The salt should be a random string generated fresh for each AHOY. In Ruby, something like rand.to_s will work fine:

> salt = rand.to_s
=> "0.2868329546581372"
> require 'digest/sha1'
=> true
> Digest::SHA256.hexdigest("password"+salt)
=> "38c10050a3bfc5084f71ed4291f1bcaaf302e014a148530ddb90617136650b6c"
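The full AHOY exchange as an added example (not Faktory's own code): a client-side builder for the command shown above and a server-side verifier that recomputes sha256(password+salt). It assumes SecureRandom for the salt and a constant-time hex comparison, neither of which the page prescribes.

```ruby
require 'digest'
require 'json'
require 'securerandom'

# Client side: build the AHOY line. Faktory defines pwdhash = sha256(password + salt);
# SecureRandom is an assumption here (the page suggests rand.to_s) so the salt is
# unpredictable and unique per connection attempt.
def build_ahoy(password, salt: SecureRandom.hex(16))
  pwdhash = Digest::SHA256.hexdigest(password + salt)
  "AHOY " + JSON.generate("pwdhash" => pwdhash, "salt" => salt)
end

# Server side (illustrative, not Faktory's implementation): parse the AHOY line and
# check it against the configured password. The hash is recomputed from the
# client-supplied salt and compared in constant time so the comparison itself
# does not leak how much of the hash matched.
def verify_ahoy(line, configured_password)
  return false unless line.start_with?("AHOY ")
  attrs = JSON.parse(line.sub(/\AAHOY /, ""))
  return false unless attrs.is_a?(Hash)
  pwdhash, salt = attrs["pwdhash"], attrs["salt"]
  return false unless pwdhash.is_a?(String) && salt.is_a?(String) && !salt.empty?
  expected = Digest::SHA256.hexdigest(configured_password + salt)
  return false unless expected.bytesize == pwdhash.bytesize
  diff = 0
  expected.bytes.zip(pwdhash.bytes) { |a, b| diff |= a ^ b }
  diff.zero?
rescue JSON::ParserError
  false
end

if __FILE__ == $0
  line = build_ahoy("password")
  puts line
  puts verify_ahoy(line, "password")  # true
  puts verify_ahoy(line, "wrong")     # false
end
```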