Security
There are two aspects of security to consider.
If your use case requires TLS, we recommend putting stunnel or spiped "in front of" Faktory. For instance, here's how to build a Docker container with a stunnel frontend: https://dzone.com/articles/using-honcho-to-create-a-multi-process-docker-cont.
You can configure the Go and Ruby clients to use TLS by including tls in the URL scheme:
tcp+tls://myhost.example.com:7419
Faktory uses a global password to verify client connections. When connecting, the server immediately sends a HI challenge with a nonce. All clients must send a HELLO command to Faktory with a pwdhash attribute based on that nonce.
< HI {"v":"1","s":"2868329546581372"}
> HELLO {"pwdhash":"d40b8917d7aff72a40a677c55992d2edc1b41331ec3b24641f2affa67b8dba09"}
< OK
The pwdhash attribute is hex(sha256(password+nonce)).
> nonce = "2868329546581372"
> require 'digest'
> Digest::SHA256.hexdigest("myPassw0rd"+nonce)
=> "38c10050a3bfc5084f71ed4291f1bcaaf302e014a148530ddb90617136650b6c"
The password is passed to the Faktory clients in the URL: tcp://:mypassword@some-hostname.example.com:7419
Faktory looks for a password in the FAKTORY_PASSWORD environment variable or in /etc/faktory/password.
If Faktory is configured to use a password, the Web UI also enables HTTP Basic Auth with that same password. The user can be any value.
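The HI/HELLO exchange described above, as an added example that is not Faktory's own code: it builds the HELLO reply from a HI line and a client URL, then checks it the way a server could, showing that a captured HELLO is useless against a different nonce. The names hello_for, hello_valid? and secure_eq? are hypothetical, the second nonce is constructed, and treating a HI without "s" as "no password required" is an assumption.

```ruby
require 'digest'
require 'json'
require 'uri'

# pwdhash as the page defines it: hex(sha256(password + nonce)).
def pwdhash(password, nonce)
  Digest::SHA256.hexdigest(password + nonce)
end

# Client side: build the HELLO reply for the server's HI line.
# url carries the password, e.g. tcp://:mypassword@host:7419.
def hello_for(hi_line, url)
  verb, payload = hi_line.chomp.split(' ', 2)
  raise ArgumentError, "expected HI, got #{verb.inspect}" unless verb == 'HI'
  nonce = JSON.parse(payload || '{}')['s']
  # Assumption: an HI without "s" means no password is configured.
  return 'HELLO {}' if nonce.nil?
  password = URI(url).password.to_s
  raise ArgumentError, 'server sent a nonce but the URL has no password' if password.empty?
  "HELLO #{JSON.generate('pwdhash' => pwdhash(password, nonce))}"
end

# Constant-time string comparison, so the check does not leak a prefix match.
def secure_eq?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server side (hypothetical helper): recompute the hash for the nonce issued
# on this connection and compare it with what the client sent.
def hello_valid?(hello_line, password, issued_nonce)
  verb, payload = hello_line.chomp.split(' ', 2)
  return false unless verb == 'HELLO'
  sent = JSON.parse(payload || '{}')['pwdhash'].to_s
  secure_eq?(sent, pwdhash(password, issued_nonce))
rescue JSON::ParserError
  false
end

if __FILE__ == $PROGRAM_NAME
  hi    = 'HI {"v":"1","s":"2868329546581372"}' # HI line from the page
  url   = 'tcp://:mypassword@some-hostname.example.com:7419'
  hello = hello_for(hi, url)
  puts hello
  puts "accepted for issued nonce:  #{hello_valid?(hello, 'mypassword', '2868329546581372')}"
  puts "replayed against new nonce: #{hello_valid?(hello, 'mypassword', '9999999999999999')}" # constructed nonce
end
```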