Out of the box gunicorn_config.py doesn't allow cipher suite configuration.

[3BK]

Apache Airflow version

2.10.2

If "Other Airflow 2 version" selected, which one?

No response

What happened?

sslyze localhost:8080

Cipher suites {'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA', 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA'} are supported, but should be rejected.

What you think should happen instead?

The webserver() function in airflow/cli/commands/webserver_command.py should either allow the cipher suite to be tailored (or pass an sslyze audit out of the box.

How to reproduce

1. start the web server
2. scan the web server with sslyze.

Operating System

"Debian GNU/Linux 12 (bookworm)

Versions of Apache Airflow Providers

apache-airflow-providers-common-compat==1.2.1
apache-airflow-providers-common-io==1.4.2
apache-airflow-providers-fab==1.4.1
apache-airflow-providers-http==4.13.1

Deployment

Virtualenv installation

Deployment details

nstr

Anything else?

Occurs every time.

PR available upon request.

Are you willing to submit PR?

• Yes I am willing to submit a PR!

Code of Conduct

• I agree to follow this project's Code of Conduct

[boring-cyborg[bot]]

Thanks for opening your first issue here! Be sure to follow the issue template! If you are willing to raise PR to address this issue please do so, no need to wait for approval.

[3BK]

At present, the gunicorn config is hard coded as shown below.

run_args = [
            sys.executable,
            "-m",
            "gunicorn",
            "--workers",
            str(num_workers),
            "--worker-class",
            str(args.workerclass),
            "--timeout",
            str(worker_timeout),
            "--bind",
            args.hostname + ":" + str(args.port),
            "--name",
            "airflow-webserver",
            "--pid",
            pid_file,
            "--config",
            "python:airflow.www.gunicorn_config",
        ]

[3BK]

Here is a potential fix for the webserver() function in airflow/cli/commands/webserver_command.py.

 if cipher_suite:
            run_args += ["--ciphers", cipher_suite]

ref: https://docs.gunicorn.org/en/latest/settings.html#ciphers

[3BK]

The alternative would be to hard code the cipher suites so they pass an OWASP scan.
https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html

[potiuk]

Look at the top of the document you linked to:

Note

 

Settings can be specified by using environment variable GUNICORN_CMD_ARGS. All available command line arguments can be used. For example, to specify the bind address and number of workers:

$ GUNICORN_CMD_ARGS="--bind=127.0.0.1 --worker

[potiuk]

This is how you can set arguments

[potiuk]

Converting to discussion if needed.

[3BK]

@potiuk You are correct.

The following launches a TLSv1.3 webserver.
GUNICORN_CMD_ARGS=--ciphers ECDHE-AESGCM:!ECDSA' airflow standalone`

I had expected GUNICORN_CMD_ARGS to be overridden.

Please be advised that excessive use of environment variables can be an indicator of compromise(IOC).

refs:
https://docs.gunicorn.org/en/latest/configure.html
https://github.com/apache/airflow/blob/main/airflow/cli/commands/webserver_command.py#L324

[potiuk]

Please be advised that excessive use of environment variables can be an indicator of compromise(IOC).

It's the first time I hear it. Could you please elaborate what your assesement of IOC indicator is taken from? What is it based on?

Variables are excessively used to configure various aspects of Airlfow. Most of the configuration of Helm chart is used using multiple 10s of env variables. So if this is threat, I would like to see it explained, because maybe we have a wrong approach. And there are MANY ways you are expected to use env variables to configure various aspects of Airlfow.

So if this is a threat - can you please explain what's the scenario ?

[3BK]

It's a POSIX thing.

1. How much code and data can be stored in "extern char **environ;"?
2. Can the app be connected with an untrusted actor?
3. Does the app audit aka log "**environ"?
4. Can the app be coaxed to change "**environ" at runtime?
5. Can the app be coaxed to restart it's connection with the untrusted actor or restart using the revised "**environ"?

getconf ARG_MAX
2097152

ref: https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html

[3BK]

CISA mentions the issue in passing.

[potiuk]

Which of the above points apply to Airflow and why?