apache / airflow

Apache Airflow - A platform to programmatically author, schedule, and monitor workflows
https://airflow.apache.org/
Apache License 2.0

Out of the box gunicorn_config.py doesn't allow cipher suite configuration. #43332

Closed 3BK closed 50 minutes ago

3BK commented 4 hours ago

Apache Airflow version

2.10.2

If "Other Airflow 2 version" selected, which one?

No response

What happened?

sslyze localhost:8080

Cipher suites {'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA', 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA'} are supported, but should be rejected.

What you think should happen instead?

The webserver() function in airflow/cli/commands/webserver_command.py should either allow the cipher suite to be tailored, or pass an sslyze audit out of the box.

How to reproduce

  1. start the web server
  2. scan the web server with sslyze.

Operating System

Debian GNU/Linux 12 (bookworm)

Versions of Apache Airflow Providers

apache-airflow-providers-common-compat==1.2.1
apache-airflow-providers-common-io==1.4.2
apache-airflow-providers-fab==1.4.1
apache-airflow-providers-http==4.13.1

Deployment

Virtualenv installation

Deployment details

nstr

Anything else?

Occurs every time.

PR available upon request.

Are you willing to submit PR?

Code of Conduct

boring-cyborg[bot] commented 4 hours ago

Thanks for opening your first issue here! Be sure to follow the issue template! If you are willing to raise PR to address this issue please do so, no need to wait for approval.

3BK commented 4 hours ago

At present, the gunicorn config is hard coded as shown below.

```python
run_args = [
    sys.executable,
    "-m",
    "gunicorn",
    "--workers",
    str(num_workers),
    "--worker-class",
    str(args.workerclass),
    "--timeout",
    str(worker_timeout),
    "--bind",
    args.hostname + ":" + str(args.port),
    "--name",
    "airflow-webserver",
    "--pid",
    pid_file,
    "--config",
    "python:airflow.www.gunicorn_config",
]
```

3BK commented 4 hours ago

Here is a potential fix for the webserver() function in airflow/cli/commands/webserver_command.py.

```python
if cipher_suite:
    run_args += ["--ciphers", cipher_suite]
```

ref: https://docs.gunicorn.org/en/latest/settings.html#ciphers
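The proposed `--ciphers` addition, shown as an added example rather than Airflow's own code: `build_gunicorn_args` is a hypothetical stand-in for the run_args construction in webserver(), and `audit_cipher_string` resolves a cipher string through the local OpenSSL the same way gunicorn would, so an operator can confirm before deployment that no CBC suite of the kind sslyze reported survives. The cipher string is a constructed AEAD-only value in OpenSSL notation, which is what the gunicorn setting expects.

```python
import ssl
import sys

# Constructed example value: an AEAD-only list in OpenSSL notation, the form
# gunicorn's --ciphers setting expects (the OWASP cheat sheet recommends AEAD suites).
AEAD_ONLY_CIPHERS = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305"
)


def build_gunicorn_args(hostname, port, num_workers, cipher_suite=None):
    """Hypothetical stand-in for the run_args list built in webserver(),
    extended with the --ciphers flag from the proposed fix."""
    run_args = [
        sys.executable, "-m", "gunicorn",
        "--workers", str(num_workers),
        "--bind", f"{hostname}:{port}",
        "--name", "airflow-webserver",
        "--config", "python:airflow.www.gunicorn_config",
    ]
    if cipher_suite:
        run_args += ["--ciphers", cipher_suite]
    return run_args


def audit_cipher_string(cipher_suite):
    """Resolve the string through the local OpenSSL (as gunicorn's worker would)
    and return (accepted_names, non_aead_names). Any name in the second list is
    a CBC or other non-AEAD suite that a scanner such as sslyze would flag."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_suite)
    except ssl.SSLError as exc:
        raise ValueError(f"OpenSSL rejected cipher string: {exc}") from exc
    ciphers = ctx.get_ciphers()  # also lists the TLS 1.3 suites, which are all AEAD
    accepted = [c["name"] for c in ciphers]
    non_aead = [c["name"] for c in ciphers if "Mac=AEAD" not in c["description"]]
    return accepted, non_aead


if __name__ == "__main__":
    accepted, weak = audit_cipher_string(AEAD_ONLY_CIPHERS)
    print("gunicorn argv:", build_gunicorn_args("127.0.0.1", 8080, 4, AEAD_ONLY_CIPHERS))
    print("accepted by OpenSSL:", accepted)
    print("non-AEAD suites (should be empty):", weak)
```

Running the audit against the list that includes a CBC suite such as ECDHE-RSA-AES256-SHA puts that name in the second list, which is the condition the issue describes.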

3BK commented 3 hours ago

The alternative would be to hard code the cipher suites so they pass an OWASP scan. https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html

potiuk commented 2 hours ago

Look at the top of the document you linked to:

Note


Settings can be specified by using environment variable GUNICORN_CMD_ARGS. All available command line arguments can be used. For example, to specify the bind address and number of workers:

$ GUNICORN_CMD_ARGS="--bind=127.0.0.1 --worker

potiuk commented 2 hours ago

This is how you can set arguments