[AIRFLOW-91] Add SSL config option for the webserver

SSL can now be enabled by providing certificate and key in the usual ways (config file or CLI options). Providing the cert and key will automatically enable SSL. The web server port will not automatically change. The Security page in the docs now includes an SSL section with basic setup information. Closes apache#1760 from caseyching/master
bohea · Sep 19, 2016 · b28cedb · b28cedb
1 parent 4905a55
commit b28cedb
Show file tree

Hide file tree

Showing 3 changed files with 48 additions and 2 deletions.
diff --git a/airflow/bin/cli.py b/airflow/bin/cli.py
@@ -690,12 +690,21 @@ def webserver(args):
     num_workers = args.workers or conf.get('webserver', 'workers')
     worker_timeout = (args.worker_timeout or
                       conf.get('webserver', 'webserver_worker_timeout'))
+    ssl_cert = args.ssl_cert or conf.get('webserver', 'web_server_ssl_cert')
+    ssl_key = args.ssl_key or conf.get('webserver', 'web_server_ssl_key')
+    if ssl_cert is None and ssl_key is not None:
+        raise AirflowException(
+            'An SSL certificate must also be provided for use with ' + ssl_key)
+    if ssl_cert is not None and ssl_key is None:
+        raise AirflowException(
+            'An SSL key must also be provided for use with ' + ssl_cert)
 
     if args.debug:
         print(
             "Starting the web server on port {0} and host {1}.".format(
                 args.port, args.hostname))
-        app.run(debug=True, port=args.port, host=args.hostname)
+        app.run(debug=True, port=args.port, host=args.hostname,
+                ssl_context=(ssl_cert, ssl_key))
     else:
         pid, stdout, stderr, log_file = setup_locations("webserver", pid=args.pid)
         print(
@@ -727,6 +736,8 @@ def webserver(args):
 
         if args.daemon:
             run_args += ["-D"]
+        if ssl_cert:
+            run_args += ['--certfile', ssl_cert, '--keyfile', ssl_key]
 
         run_args += ["airflow.www.app:cached_app()"]
 
@@ -1137,6 +1148,14 @@ class CLIFactory(object):
             default=conf.get('webserver', 'WEB_SERVER_PORT'),
             type=int,
             help="The port on which to run the server"),
+        'ssl_cert': Arg(
+            ("--ssl_cert", ),
+            default=conf.get('webserver', 'WEB_SERVER_SSL_CERT'),
+            help="Path to the SSL certificate for the webserver"),
+        'ssl_key': Arg(
+            ("--ssl_key", ),
+            default=conf.get('webserver', 'WEB_SERVER_SSL_KEY'),
+            help="Path to the key to use with the SSL certificate"),
         'workers': Arg(
             ("-w", "--workers"),
             default=conf.get('webserver', 'WORKERS'),
@@ -1320,7 +1339,7 @@ class CLIFactory(object):
             'help': "Start a Airflow webserver instance",
             'args': ('port', 'workers', 'workerclass', 'worker_timeout', 'hostname',
                      'pid', 'daemon', 'stdout', 'stderr', 'access_logfile',
-                     'error_logfile', 'log_file', 'debug'),
+                     'error_logfile', 'log_file', 'ssl_cert', 'ssl_key', 'debug'),
         }, {
             'func': resetdb,
             'help': "Burn down and rebuild the metadata database",

diff --git a/airflow/configuration.py b/airflow/configuration.py
@@ -197,6 +197,11 @@ def run_command(command):
 # The port on which to run the web server
 web_server_port = 8080
 
+# Paths to the SSL certificate and key for the web server. When both are
+# provided SSL will be enabled. This does not change the web server port.
+web_server_ssl_cert =
+web_server_ssl_key =
+
 # Number of seconds the gunicorn webserver waits before timing out on a worker
 web_server_worker_timeout = 120
 

diff --git a/docs/security.rst b/docs/security.rst
@@ -288,3 +288,25 @@ backend. In order to setup an application:
 5. Fill in the required information (the 'Authorized redirect URIs' must be fully qualifed e.g. http://airflow.example.com/oauth2callback)
 6. Click 'Create'
 7. Copy 'Client ID', 'Client Secret', and your redirect URI to your airflow.cfg according to the above example
+
+SSL
+---
+
+SSL can be enabled by providing a certificate and key. Once enabled, be sure to use
+"https://" in your browser.
+
+.. code-block:: bash
+
+    [webserver]
+    web_server_ssl_cert = <path to cert>
+    web_server_ssl_key = <path to key>
+
+Enabling SSL will not automatically change the web server port. If you want to use the
+standard port 443, you'll need to configure that too. Be aware that super user privileges
+(or cap_net_bind_service on Linux) are required to listen on port 443.
+
+.. code-block:: bash
+
+    # Optionally, set the server to listen on the standard SSL port.
+    web_server_port = 443
+    base_url = http://<hostname or IP>:443