Closed 3BK closed 50 minutes ago
At present, the gunicorn config is hard coded as shown below.
    run_args = [
        sys.executable,
        "-m",
        "gunicorn",
        "--workers",
        str(num_workers),
        "--worker-class",
        str(args.workerclass),
        "--timeout",
        str(worker_timeout),
        "--bind",
        args.hostname + ":" + str(args.port),
        "--name",
        "airflow-webserver",
        "--pid",
        pid_file,
        "--config",
        "python:airflow.www.gunicorn_config",
    ]
Here is a potential fix for the webserver() function in airflow/cli/commands/webserver_command.py.
    if cipher_suite:
        run_args += ["--ciphers", cipher_suite]
ref: https://docs.gunicorn.org/en/latest/settings.html#ciphers
The alternative would be to hard code the cipher suites so they pass an OWASP scan. https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html
Look at the top of the document you linked to:
Note
Settings can be specified by using environment variable GUNICORN_CMD_ARGS. All available command line arguments can be used. For example, to specify the bind address and number of workers:
$ GUNICORN_CMD_ARGS="--bind=127.0.0.1 --worker
This is how you can set arguments
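Added example (not part of the issue thread or the Airflow code base): one way to use the GUNICORN_CMD_ARGS route described above, checking with Python's ssl module that the local OpenSSL accepts a cipher string before it is handed to gunicorn's --ciphers setting. The function names and the sample cipher string are constructed for illustration; set_ciphers() does not govern TLS 1.3 suites, so those are left out of the listing.

```python
import os
import shlex
import ssl


def resolve_ciphers(cipher_string):
    """Return the TLS 1.2-and-below cipher names OpenSSL enables for this string.

    Raises ValueError when the string selects no cipher at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError as exc:
        raise ValueError(f"unusable cipher string {cipher_string!r}") from exc
    # TLS 1.3 suites are configured separately and always appear here; skip them.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def gunicorn_env(cipher_string, base_env=None):
    """Return a copy of the environment whose GUNICORN_CMD_ARGS sets --ciphers.

    Any --ciphers already present in GUNICORN_CMD_ARGS is replaced.
    """
    resolve_ciphers(cipher_string)  # fail before the webserver is started
    env = dict(os.environ if base_env is None else base_env)
    kept, skip_next = [], False
    for token in shlex.split(env.get("GUNICORN_CMD_ARGS", "")):
        if skip_next:                      # value of a two-token "--ciphers X"
            skip_next = False
        elif token == "--ciphers":
            skip_next = True
        elif not token.startswith("--ciphers="):
            kept.append(token)
    kept.append(f"--ciphers={cipher_string}")
    env["GUNICORN_CMD_ARGS"] = shlex.join(kept)  # gunicorn splits this with shlex
    return env


if __name__ == "__main__":
    sample = "ECDHE+AESGCM"  # constructed sample, not a value from the issue
    for name in resolve_ciphers(sample):
        print("enabled:", name)
    print("GUNICORN_CMD_ARGS =", gunicorn_env(sample, {})["GUNICORN_CMD_ARGS"])
```

The returned mapping can be passed as `env=` to whatever launches `airflow webserver`; re-running `sslyze localhost:8080` afterwards confirms what the server actually offers.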
Apache Airflow version
2.10.2
If "Other Airflow 2 version" selected, which one?
No response
What happened?
sslyze localhost:8080
What you think should happen instead?
The webserver() function in airflow/cli/commands/webserver_command.py should either allow the cipher suite to be tailored or pass an sslyze audit out of the box.
How to reproduce
Operating System
Debian GNU/Linux 12 (bookworm)
Versions of Apache Airflow Providers
apache-airflow-providers-common-compat==1.2.1
apache-airflow-providers-common-io==1.4.2
apache-airflow-providers-fab==1.4.1
apache-airflow-providers-http==4.13.1
Deployment
Virtualenv installation
Deployment details
nstr
Anything else?
Occurs every time.
PR available upon request.
Are you willing to submit PR?
Code of Conduct