How can I password-protect my /sidekiq route (i.e. require authentication for the Sidekiq::Web tool)?

I am using Sidekiq in my Rails application. By default, Sidekiq can be accessed by anybody by appending "/sidekiq" to the URL. I want to password-protect / authenticate only the Sidekiq part. How can I do that?

asked Sep 04 '12 14:09 by sagar junnarkar


3 Answers

Put the following into your sidekiq initializer

require 'digest'
require 'sidekiq'
require 'sidekiq/web'

Sidekiq::Web.use(Rack::Auth::Basic) do |user, password|
  # Protect against timing attacks:
  # - See https://codahale.com/a-lesson-in-timing-attacks/
  # - See https://thisdata.com/blog/timing-attacks-against-string-comparison/
  # - Use & (do not use &&) so that it doesn't short circuit.
  # - Use digests to stop length information leaking
  Rack::Utils.secure_compare(::Digest::SHA256.hexdigest(user), ::Digest::SHA256.hexdigest(ENV["SIDEKIQ_USER"])) &
  Rack::Utils.secure_compare(::Digest::SHA256.hexdigest(password), ::Digest::SHA256.hexdigest(ENV["SIDEKIQ_PASSWORD"]))
end

And in the routes file:

mount Sidekiq::Web => '/sidekiq'
answered Sep 24 '22 11:09 by bravenewweb
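Added example, not code from the answer above or from the Sidekiq project: a Rack-style Basic auth guard written against the env hash with only the Ruby standard library, so it runs without Rails or the rack gem. It mirrors the check in the answer (both sides digested to a fixed length, compared in constant time, combined with & so both comparisons always run) and also handles the cases the answer's block does not: an unset ENV value and a missing or malformed Authorization header both end in a 401 rather than an exception. The class name, its keyword arguments and the hand-written constant-time compare are assumptions standing in for Rack::Auth::Basic and Rack::Utils.secure_compare.

```ruby
require 'digest'

class SidekiqWebGuard
  REALM = 'Sidekiq'.freeze

  # In real use expected_user/expected_password come from ENV; to_s keeps an
  # unset variable (nil) from raising inside Digest.
  def initialize(app, expected_user:, expected_password:)
    @app = app
    @user_digest = Digest::SHA256.digest(expected_user.to_s)
    @pass_digest = Digest::SHA256.digest(expected_password.to_s)
  end

  # Rack entry point: pass through on valid credentials, else 401 + challenge.
  def call(env)
    user, password = parse_basic(env['HTTP_AUTHORIZATION'])
    return unauthorized unless user && credentials_match?(user, password)
    @app.call(env)
  end

  # Returns [user, password] or nil when the header is absent or malformed;
  # unpack1('m0') is strict base64 and raises ArgumentError on bad input.
  def parse_basic(header)
    return nil unless header.is_a?(String) && header.start_with?('Basic ')
    user, password = header.delete_prefix('Basic ').unpack1('m0').split(':', 2)
    user ? [user, password.to_s] : nil
  rescue ArgumentError
    nil
  end

  # Digest both sides first so the comparison never leaks length; & (not &&)
  # runs the password check even when the user check already failed.
  def credentials_match?(user, password)
    constant_time_equal?(Digest::SHA256.digest(user), @user_digest) &
      constant_time_equal?(Digest::SHA256.digest(password), @pass_digest)
  end

  def unauthorized
    headers = { 'Content-Type' => 'text/plain',
                'WWW-Authenticate' => %(Basic realm="#{REALM}") }
    [401, headers, ['Unauthorized']]
  end

  private

  # Stand-in for Rack::Utils.secure_compare: XOR-accumulate every byte with no
  # early exit on the first mismatch. Inputs here are always 32-byte digests.
  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

In a Rails app this would be wired as `Sidekiq::Web.use(SidekiqWebGuard, expected_user: ENV["SIDEKIQ_USER"], expected_password: ENV["SIDEKIQ_PASSWORD"])` in place of the Rack::Auth::Basic block.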


Sorry to be late to the party, but Sidekiq's wiki recommends the following for Devise:

To allow any authenticated User:

# config/routes.rb
authenticate :user do
  mount Sidekiq::Web => '/sidekiq'
end

To restrict access to User.admin?

# config/routes.rb
authenticate :user, lambda { |u| u.admin? } do
  mount Sidekiq::Web => '/sidekiq'
end

This wiki post also has many other security schemes.

This was tested using Rails 5.1.3, Devise 4.3 and Sidekiq 5.0

answered Sep 22 '22 11:09 by Tom Aranda


See "Security" under https://github.com/mperham/sidekiq/wiki/Monitoring

Sidekiq::Web uses Rack::Protection to protect your application against typical web attacks (such as CSRF, XSS, etc.). Rack::Protection would invalidate your session and raise a Forbidden error if it finds that your request doesn't satisfy its security requirements. One possible situation is having your application work behind a reverse proxy that does not pass the important headers (X-Forwarded-For, X-Forwarded-Proto) to it. Such a situation and its solution can be found in this article and issue #2560...

answered Sep 24 '22 11:09 by Mark Nadig