How to enable SSL on Apache Airflow?

Question

I am using Airflow 1.7.0 with a LocalExecutor and documentation suggests that to enable SSL, we need to pass cert and key path and change the port to 443 as below

[webserver]
web_server_ssl_cert = <path to cert>
web_server_ssl_key = <path to key>

# Optionally, set the server to listen on the standard SSL port.
web_server_port = 443
base_url = http://<hostname or IP>:443

I have created cert and key generated using OpenSSL. The details supplied while creating the cert/key too are right. However, the Airflow UI is still http and not https.

Any pointers would help!

Thank you!

Answer 1

Go to AIRFLOW_HOME -> airflow.cfg. It has section named [webserver], under that there are two config properties like below: web_server_ssl_cert = web_server_ssl_key = if there is no value like above means Airflow webserver is running on http (without certificate).

To enable SSL, use .p12 certificate (one you must have ordered) and use openssl to extract certificate and private key from .p12 file. openssl mostly ships with Linux so you can directly run on linux terminal.

Step1: Extract certificate using below command openssl pkcs12 –in /path/cert.p12 -nokeys -clcerts –out /path/mycert.crt

Step2: Extract key using below command openssl pkcs12 –in /path/cert.p12 -nocerts –out /path/mykey.key

Step3: Once certificate and key is generated, update airflow.cfg for web_server_ssl_cert and web_server_ssl_key. Restart Airflow webserver.. are you are done. Browse Airflow UI with https.

Answer 2

Solved in this question How to enable SSL on Airflow Webserver? and answer https://stackoverflow.com/a/56760375/512111.

In short: generate a key, crt pair with

openssl req \
       -newkey rsa:2048 -nodes -keyout domain.key \
       -x509 -days 365 -out airflow.crt

and set in airflow.cfg like

web_server_ssl_cert = /path/to/airflow.crt
web_server_ssl_key = /path/to/airflow.key

Leave the webserver port unchanged. Restart the airflow webserver, go to https://hostname:port et voilà.

Answer 3

Airflow 1.7.0 doesn't support SSL. I just checked the webserver code of airflow 1.7.0. The code is given below. This function just starts the flask/gunicorn application on HTTP with the host and port. If you provide the certificate and mention the port as 443, it will simply start the application on http://<host>:443. It doesn't accept the SSL key and certificate. The webserver function of Airflow 1.7.0 is given below.

SSL feature is available with the latest version of the Apache Airflow. Please use the latest version for SSL support.

def webserver(args):
    print(settings.HEADER)
    from airflow.www.app import cached_app
    app = cached_app(configuration)
    workers = args.workers or configuration.get('webserver', 'workers')
    if args.debug:
        print(
            "Starting the web server on port {0} and host {1}.".format(
                args.port, args.hostname))
        app.run(debug=True, port=args.port, host=args.hostname)
    else:
        print(
            'Running the Gunicorn server with {workers} {args.workerclass}'
            'workers on host {args.hostname} and port '
            '{args.port}...'.format(**locals()))

        sp = subprocess.Popen([
            'gunicorn', '-w', str(args.workers), '-k', str(args.workerclass),
            '-t', '120', '-b', args.hostname + ':' + str(args.port),
            'airflow.www.app:cached_app()'])
        sp.wait()