Security
Faktory provides two aspects of security: TLS to encrypt connections, and a shared password to authenticate clients.
Faktory has native support for TLS sockets, providing end-to-end encrypted network connections to the API and Web UI ports. If Faktory is listening on a non-localhost interface, TLS is required. By default, Faktory binds to localhost and TLS is not required, making local development easy.
Faktory looks for TLS certificates in two locations: /etc/faktory/tls and ~/.faktory/tls. Your certificate should be two files: public.crt and private.key.
~/.faktory/tls (master=)$ ls -l
-rw-r--r-- 1 mikeperham staff 1704 Oct 9 20:33 private.key
-rw-r--r-- 1 mikeperham staff 1915 Oct 9 20:33 public.crt
Best practice is to store your certs according to the operating system convention (in CentOS, /etc/pki/tls; in Ubuntu, /etc/ssl), keep the private key readable only by the user Faktory runs as (mode 0600, not the world-readable 0644 shown above), and symlink them into the faktory/tls directory:
sudo bash
ln -s /etc/ssl/certs/my.crt /etc/faktory/tls/public.crt
ln -s /etc/ssl/private/secret.key /etc/faktory/tls/private.key
exit
If your cert requires an intermediate chain, concatenate it after your server certificate (leaf first, then the intermediates) so clients receive a chain they can verify:
cat my.crt bundle.crt > public.crt
You can test your cert setup with openssl s_client -connect hostname:7420. I get this for the last three lines of output when successful:
Verify return code: 0 (ok)
---
closed
Note: OSX Sierra uses an ancient version of OpenSSL so you must add -tls1 to the command above.
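The following is an added example, not part of this wiki or of the Faktory project's code, using Ruby's OpenSSL bindings. It builds a throwaway root, intermediate and server certificate, writes the leaf-first public.crt bundle that the concatenation step above produces (plus a private.key with restrictive permissions), and checks the two things that most often go wrong with a bundle: the file not starting with the server certificate, and the chain not verifying up to a trusted root. The hostname faktory.example.com, the certificate names and the file names are assumptions.

```ruby
# Added example (not Faktory's own code): build a root -> intermediate -> leaf
# chain, write the leaf-first bundle Faktory expects as public.crt, and verify
# that the bundle is ordered correctly and chains to the root.
require 'openssl'
require 'tmpdir'

HOSTNAME = 'faktory.example.com' # assumed hostname for the server certificate

def make_key
  OpenSSL::PKey::RSA.new(2048)
end

# Build and sign one X.509v3 certificate. issuer is [cert, key], or nil for self-signed.
def make_cert(subject, key, issuer:, serial:, ca:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  issuer_cert, issuer_key = issuer || [cert, key]
  cert.issuer = issuer_cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 365 * 24 * 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{HOSTNAME}"))
  end
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
  cert
end

def build_chain
  root_key = make_key
  root = make_cert('/CN=Example Root CA', root_key, issuer: nil, serial: 1, ca: true)
  int_key = make_key
  int = make_cert('/CN=Example Intermediate CA', int_key, issuer: [root, root_key], serial: 2, ca: true)
  leaf_key = make_key
  leaf = make_cert("/CN=#{HOSTNAME}", leaf_key, issuer: [int, int_key], serial: 3, ca: false)
  { root: root, int: int, leaf: leaf, leaf_key: leaf_key }
end

# Split a PEM bundle into certificates: OpenSSL::X509::Certificate.new only
# parses the first PEM block it is given, which is exactly how bundles go wrong.
def parse_bundle(pem)
  pem.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
     .map { |block| OpenSSL::X509::Certificate.new(block) }
end

def ca_cert?(cert)
  ext = cert.extensions.find { |e| e.oid == 'basicConstraints' }
  !ext.nil? && ext.value.include?('CA:TRUE')
end

# The check to run before pointing Faktory at public.crt: the first cert must be
# the server (leaf) cert, and leaf + intermediates must verify against the root.
def bundle_ok?(pem, root_cert)
  certs = parse_bundle(pem)
  return false if certs.empty? || ca_cert?(certs.first)
  store = OpenSSL::X509::Store.new
  store.add_cert(root_cert)
  store.verify(certs.first, certs.drop(1))
end

# Equivalent of `cat my.crt bundle.crt > public.crt`: leaf first, then the chain.
# The private key is written with mode 0600 so only the Faktory user can read it.
def write_faktory_tls(dir, chain)
  File.write(File.join(dir, 'public.crt'), chain[:leaf].to_pem + chain[:int].to_pem)
  File.open(File.join(dir, 'private.key'), 'w', 0o600) { |f| f.write(chain[:leaf_key].to_pem) }
  File.read(File.join(dir, 'public.crt'))
end

if __FILE__ == $PROGRAM_NAME
  chain = build_chain
  Dir.mktmpdir do |dir|
    good = write_faktory_tls(dir, chain)
    puts "leaf-first bundle verifies:         #{bundle_ok?(good, chain[:root])}"
    wrong_order = chain[:int].to_pem + chain[:leaf].to_pem
    puts "intermediate-first bundle verifies: #{bundle_ok?(wrong_order, chain[:root])}"
  end
end
```

Run it directly to see the correctly ordered bundle verify and the intermediate-first bundle fail. To check a production bundle, read your real public.crt and your CA's certificate into bundle_ok? before restarting Faktory; a leaf-only file with no intermediate also fails, which is the same condition that makes clients reject the connection.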
You can disable TLS in Faktory with the -no-tls command line option. This is strongly discouraged but can be useful if you already have stunnel/spiped set up or are using a private network.
Faktory uses a single global password to authenticate client connections. When a client connects, the server immediately sends a HI challenge carrying a nonce (the s field). Every client must answer with a HELLO command whose pwdhash attribute is derived from the password and that nonce:
< HI {"v":"1","s":"2868329546581372"}
> HELLO {"pwdhash":"d40b8917d7aff72a40a677c55992d2edc1b41331ec3b24641f2affa67b8dba09"}
< OK
The pwdhash attribute is hex(sha256(password+nonce)): the hex-encoded SHA-256 digest of the password string with the nonce string from the s field appended directly (no separator). In irb:
> nonce = "2868329546581372"
> require 'digest/sha2'
> Digest::SHA256.hexdigest("myPassw0rd"+nonce)
=> "38c10050a3bfc5084f71ed4291f1bcaaf302e014a148530ddb90617136650b6c"
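As an added example (not the Faktory client or server implementation), here are both sides of that exchange in Ruby: the client parses HI, computes pwdhash as defined above and sends HELLO; the server issues a fresh nonce per connection, checks the hash with a constant-time comparison and answers OK. Running both ends over an in-process socket pair shows why the nonce matters: a HELLO captured from one connection does not verify under another connection's nonce. The nonce, the passwords and the ERR wording for a failed login are assumptions; the page only shows the success case.

```ruby
# Added example (not Faktory's own code): the HI/HELLO/OK handshake described
# above, with both sides written against plain IO objects so they can be
# exercised over a socket pair without a running Faktory server.
require 'json'
require 'digest/sha2'
require 'socket'
require 'securerandom'

# pwdhash exactly as the page defines it: hex(sha256(password + nonce)).
def pwdhash(password, nonce)
  Digest::SHA256.hexdigest(password + nonce)
end

# Parse the server's "HI {...}" line and return the nonce from the "s" field.
def parse_hi(line)
  verb, payload = line.to_s.chomp.split(' ', 2)
  raise "expected HI, got #{verb.inspect}" unless verb == 'HI' && payload
  data = JSON.parse(payload)
  raise 'HI carries no nonce (s field)' unless data['s']
  data['s']
end

def hello_line(password, nonce)
  'HELLO ' + JSON.generate('pwdhash' => pwdhash(password, nonce)) + "\n"
end

# Byte-by-byte XOR accumulation so the comparison time does not depend on
# where the first mismatching byte is (no timing oracle on the digest).
def constant_time_eq?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Server side: does this HELLO carry the right pwdhash for our password and nonce?
def verify_hello(line, password, nonce)
  verb, payload = line.to_s.chomp.split(' ', 2)
  return false unless verb == 'HELLO' && payload
  given = JSON.parse(payload)['pwdhash'].to_s
  constant_time_eq?(given, pwdhash(password, nonce))
rescue JSON::ParserError
  false
end

# Client side: read HI, answer HELLO, report whether the server said OK.
def client_handshake(io, password)
  nonce = parse_hi(io.gets)
  io.write(hello_line(password, nonce))
  io.gets.to_s.chomp == 'OK'
end

# Server side: issue HI with a fresh nonce, check HELLO, answer OK or ERR.
# (The ERR wording is assumed; the page only shows the OK response.)
def server_handshake(io, password)
  nonce = SecureRandom.hex(8)
  io.write('HI ' + JSON.generate('v' => '1', 's' => nonce) + "\n")
  ok = verify_hello(io.gets, password, nonce)
  io.write(ok ? "OK\n" : "ERR Invalid password\n")
  ok
end

# Run both ends over a socket pair; returns [server_accepted, client_saw_ok].
def run_handshake(server_password, client_password)
  server_io, client_io = UNIXSocket.pair
  server = Thread.new { server_handshake(server_io, server_password) }
  client_ok = client_handshake(client_io, client_password)
  [server.value, client_ok]
ensure
  server_io&.close
  client_io&.close
end

if __FILE__ == $PROGRAM_NAME
  nonce = '2868329546581372' # the nonce from the HI example above
  print hello_line('myPassw0rd', nonce)
  p run_handshake('myPassw0rd', 'myPassw0rd') # correct password
  p run_handshake('myPassw0rd', 'wrong')      # wrong password
end
```

The server never sends the password or the expected digest over the wire, only the nonce; the client proves knowledge of the password by producing the matching hash. Note that this scheme authenticates the client to the server only: without TLS, anyone on the path still sees every job payload and could replay a captured HELLO within the same connection's lifetime.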
The password is passed to the Faktory clients in the URL: tcp://:mypassword@some-hostname.example.com:7419
Faktory looks for a password in the FAKTORY_PASSWORD environment variable or in /etc/faktory/password.
If Faktory is configured to use a password, the Web UI also enables HTTP Basic Auth with that same password. The user can be any value.