Securing Celery Flower with Django Authentication
By hientd, at: Jan. 13, 2025, 10:04 a.m.
When managing Celery tasks with Flower, security is an important consideration. By default, Flower does not integrate with Django’s authentication system, leaving it open to unauthorized access.
In this guide, I will demonstrate how to secure Flower using Django authentication by leveraging the django-revproxy package.
Why Secure Flower?
Flower provides a powerful monitoring tool for Celery tasks, but leaving it exposed can lead to potential misuse or unauthorized data access. Securing Flower with Django authentication ensures that only authorized users can access sensitive task-related information.
Tools and Setup
To achieve this, we will use the following tools:
- django-revproxy: A Django package that allows reverse proxying requests to external services.
- Custom Django View: A view that checks user permissions and forwards requests to the Flower dashboard.
Installing django-revproxy
First, install the django-revproxy package:
pip install django-revproxy
Refer to the django-revproxy documentation for more details.
Implementation
Create the Proxy View
We will create a custom view class that:
- Uses django-revproxy to proxy requests to the Flower dashboard.
- Checks user permissions to ensure only superusers can access Flower.
Here’s the implementation:
from django.conf import settings
from django.contrib.auth.mixins import UserPassesTestMixin
from django.urls import re_path
from revproxy.views import ProxyView


class FlowerCustomProxyView(UserPassesTestMixin, ProxyView):
    # Flower's address and the URL prefix it is served under
    upstream = settings.FLOWER_URL
    url_prefix = settings.FLOWER_URL_PREFIX
    # Redirect "/flower" to "/flower/"
    rewrite = ((r"^/{}$".format(url_prefix), r"/{}/".format(url_prefix)),)

    def test_func(self):
        # Only superusers pass the access test
        return self.request.user.is_superuser

    @classmethod
    def as_url(cls):
        # Route every path under the prefix through this view
        return re_path(
            r"^(?P<path>{}.*)$".format(cls.url_prefix), cls.as_view()
        )
Configure URLs
Next, add the FlowerCustomProxyView to your app’s URL configuration:
from django.urls import include, path

from . import views

app_name = "misc"

urlpatterns = [
    ...
    views.FlowerCustomProxyView.as_url(),
]
Settings Configuration
Ensure the following settings are added to your Django project:
FLOWER_URL = "http://localhost:5555"
FLOWER_URL_PREFIX = "flower"
Testing
Start your Django development server:
python manage.py runserver
Start Flower:
celery -A your_project flower
Navigate to http://localhost:5555/flower in your browser. Ensure you are logged in as a superuser to access the dashboard.
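A scripted version of this check, as an added example that is not part of the original post: it sends one anonymous request to the proxied URL served by Django and one to Flower's own port, and reports any that answer without a login. The function names are hypothetical, the login path assumes Django's default LOGIN_URL, and the second URL should address Flower the way a remote client would reach it.

```python
import http.client
import sys
from urllib.parse import urlsplit

REDIRECTS = (301, 302, 303, 307, 308)


def classify(status, location="", login_path="/accounts/login/"):
    """Map an anonymous response to a verdict. login_path is Django's
    default LOGIN_URL (assumption: the project has not changed it)."""
    if status in REDIRECTS:
        to_login = urlsplit(location).path == login_path
        return "login-redirect" if to_login else "redirect-elsewhere"
    if status in (401, 403):
        return "denied"
    if 200 <= status < 300:
        return "exposed"
    return f"other-{status}"


def probe_anonymous(url, timeout=3.0):
    """One GET with no cookies or credentials; redirects are not followed."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    conn_cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        resp.read()
        return classify(resp.status, resp.getheader("Location", ""))
    except (OSError, http.client.HTTPException):
        return "unreachable"
    finally:
        conn.close()


def audit(proxy_url, direct_url, probe=probe_anonymous):
    """Return a list of problems; an empty list means both checks passed."""
    findings = []
    via_proxy = probe(proxy_url)
    if via_proxy not in ("login-redirect", "denied"):
        findings.append(f"proxy did not demand a login: {via_proxy}")
    direct = probe(direct_url)
    if direct not in ("unreachable", "denied"):
        findings.append(f"Flower answers without Django: {direct}")
    return findings


if __name__ == "__main__" and len(sys.argv) == 3:
    # e.g. http://localhost:8000/flower/  http://<server-address>:5555/flower/
    print(audit(sys.argv[1], sys.argv[2]) or "no findings")
```

A finding on the second URL means the Django permission check can be bypassed by talking to Flower directly, so the port needs to be bound to loopback or firewalled.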
Further Thoughts
- Restrict Access by IP: For additional security, consider restricting access to the Flower dashboard by IP address.
- SSL/TLS: Use HTTPS to encrypt data in transit when accessing the Flower dashboard.
- Rate Limiting: Implement rate limiting to prevent abuse.
- Audit Logs: Log access attempts to monitor usage.
Conclusion
Securing Flower with Django authentication is a straightforward yet effective way to protect your Celery task data. By integrating django-revproxy and a custom permission-based view, you can ensure that only authorized users have access to your Flower dashboard.
Have you implemented similar security measures? Share your thoughts in the comments below!