Security - contribsys/faktory GitHub Wiki
There are two aspects of security to consider.
## Network Encryption with TLS

### Native TLS

As of v1.9.0, Faktory can terminate TLS. To do this you must place `private.key.pem` and `public.cert.pem` in Faktory's config directory (these can be soft links to your actual certificate store on disk). If found and all goes well, you'll see TLS in the logs:
I 2024-02-20T16:37:40.066Z **TLS activated with /Users/mperham/.faktory/public.cert.pem**
I 2024-02-20T16:37:40.069Z PID 59451 listening at localhost:7419, press Ctrl-C to stop
I 2024-02-20T16:37:40.069Z Web server now listening **via TLS** at localhost:7420
Both port 7419 and 7420 will now require TLS; plaintext clients trying to connect will get an `ECONNRESET` error.
### Proxy TLS

As another option you can put haproxy, stunnel or spiped "in front of" Faktory to terminate TLS, even inside the same Docker container. (If anyone has a sample configuration for this, please open an issue so we can add it to the wiki here.)
### Client Configuration

You can configure the Go and Ruby clients to use TLS by including `tls` in the URL scheme:

```
FAKTORY_URL=tcp+tls://myhost.example.com:7419
```

The Go and Ruby clients both respect OpenSSL's `SSL_CERT_DIR` and `SSL_CERT_FILE` environment variables if you want to use a self-signed cert or provide your own internal CA certs.
## Authentication

Faktory uses a global password to verify client connections. When connecting, the server immediately sends a `HI` challenge with a nonce. All clients must send a `HELLO` command to Faktory with a `pwdhash` attribute based on that nonce, so the password itself never travels over the connection.

The password is passed to the Faktory clients in the URL: `tcp://:<password>@<host>:7419`
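The following is an added example, not code from the Faktory project or this wiki, showing how a client turns the `HI` challenge into the `HELLO` reply. It assumes the derivation Faktory's wire protocol uses, `hex(SHA256(password + salt))` re-hashed `i` times, where `s` is the nonce and `i` the iteration count carried in the `HI` JSON; the wiki above only says the hash is "based on that nonce", so treat that derivation as an assumption here.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// hiChallenge is the JSON payload carried by the server's HI greeting.
type hiChallenge struct {
	Iterations int    `json:"i"` // absent on older servers; treated as 1
	Salt       string `json:"s"` // the nonce; absent when no password is set
}

// parseHI parses a greeting such as `+HI {"v":2,"i":1000,"s":"..."}`.
func parseHI(line string) (hiChallenge, error) {
	var ch hiChallenge
	line = strings.TrimSpace(line)
	if !strings.HasPrefix(line, "+HI ") {
		return ch, fmt.Errorf("not a HI greeting: %q", line)
	}
	return ch, json.Unmarshal([]byte(line[len("+HI "):]), &ch)
}

// pwdhash derives hex(SHA256 applied `iterations` times to password+salt).
// Assumed derivation (Faktory protocol); the wiki does not spell it out.
func pwdhash(password, salt string, iterations int) string {
	sum := sha256.Sum256([]byte(password + salt))
	for n := 1; n < iterations; n++ { // iterations <= 1 hashes exactly once
		sum = sha256.Sum256(sum[:])
	}
	return hex.EncodeToString(sum[:])
}

// helloFor builds the HELLO command a client answers the HI greeting with.
func helloFor(hi, password string) (string, error) {
	ch, err := parseHI(hi)
	if err != nil {
		return "", err
	}
	if ch.Salt == "" {
		return "HELLO {}", nil // server runs without a password: nothing to prove
	}
	body, _ := json.Marshal(map[string]string{"pwdhash": pwdhash(password, ch.Salt, ch.Iterations)})
	return "HELLO " + string(body), nil
}

func main() { // constructed sample greeting and password, not from a real server
	fmt.Println(helloFor(`+HI {"v":2,"i":1000,"s":"5e3f1a9c"}`, "0bf64d9491ca65b48f9fe07636680b1d"))
}
```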
### Password Configuration

Faktory looks for a password in the `FAKTORY_PASSWORD` environment variable or in `/etc/faktory/password`.
### Random Password

Here's a one-liner to create a random hex password:

```
$ dd count=1 if=/dev/urandom 2>&1| shasum | tail -1 | cut -c1-32
0bf64d9491ca65b48f9fe07636680b1d
```
If you're using Docker, you can add the password as a managed secret:

```
$ echo "0bf64d9491ca65b48f9fe07636680b1d" | docker secret create faktory_password -
```

and then mount it into your Faktory container:

```
$ docker service create --name faktory --secret faktory_password --env FAKTORY_PASSWORD=/run/secrets/faktory_password contribsys/faktory:latest
```

Note that if `FAKTORY_PASSWORD` starts with a `/`, Faktory will treat it as the path of a file containing the password.
## Web UI
If Faktory is configured to use a password, the Web UI also enables HTTP Basic Auth with that same password. The username can be any value.
If you wish to put the Faktory UI behind a reverse proxy (like nginx), you'll do something like this:

```
location /faktory {
    proxy_set_header X-Script-Name /faktory;
    proxy_pass http://127.0.0.1:7420;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Scheme $scheme;
    proxy_set_header X-Real-IP $remote_addr;
}
```