Security settings
Here we present a few common security fields you’ll likely want to configure in a production deployment.
Enabling TLS
As a web application, any production deployment of Dask-Gateway should be run with TLS encryption (HTTPS) enabled. There are a few common options for enabling this.
Using your own TLS certificate
If you have your own TLS certificate/key pair, you can specify the file locations in your dask_gateway_config.py file. The relevant configuration fields are:
c.Proxy.tls_cert
c.Proxy.tls_key
c.Proxy.tls_cert = "/path/to/my.cert"
c.Proxy.tls_key = "/path/to/my.key"
Note that the certificate and key must be stored in a secure location where they are readable only by admin users.
Using letsencrypt
It is also possible to use letsencrypt to automatically obtain TLS
certificates. If you have letsencrypt running using the default options, you
can configure this by adding the following to your dask_gateway_config.py
file:
c.Proxy.tls_cert = "/etc/letsencrypt/live/{FQDN}/fullchain.pem"
c.Proxy.tls_key = "/etc/letsencrypt/live/{FQDN}/privkey.pem"
where FQDN is the fully qualified domain name for your server.
Proxy authentication tokens
To secure communication between the proxy and the gateway server, a secret token is used. By default this token is generated automatically. An admin must configure it explicitly if the proxies are externally managed (i.e. c.Proxy.externally_managed is set to true). To do this you have two options:
- Configure c.Proxy.api_token in your dask_gateway_config.py file. Since the token should be kept secret, the config file must be readable only by admin users.
- Set the DASK_GATEWAY_PROXY_TOKEN environment variable. For security reasons, this environment variable should only be visible to the gateway server and proxy.
In either case, the value is a 32 byte random string, encoded as hex. One way to create one is through the openssl CLI:
$ openssl rand -hex 32
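The following Python sketch is an added example, not part of the Dask-Gateway documentation or code base. It audits the two requirements stated on this page: that the TLS key and config file are not readable by other users, and that the proxy token is 32 random bytes encoded as hex. It assumes a POSIX system and interprets "readable only by admin users" as owner-only mode bits; all function names are hypothetical.

```python
import os
import re
import secrets
import stat

# 32 bytes encoded as hex is exactly 64 hex characters.
TOKEN_RE = re.compile(r"[0-9a-fA-F]{64}")


def new_proxy_token():
    """Python equivalent of `openssl rand -hex 32`."""
    return secrets.token_hex(32)


def is_valid_proxy_token(token):
    """True if the token has the shape this page describes."""
    return TOKEN_RE.fullmatch(token) is not None


def permission_findings(path):
    """Return findings for one secret file; an empty list means owner-only.

    os.stat follows symlinks, so for letsencrypt's live/ directory the
    mode of the real key file is checked, not the mode of the link.
    """
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    if mode & stat.S_IRWXG:
        findings.append(f"{path}: group has access (mode {mode:04o})")
    if mode & stat.S_IRWXO:
        findings.append(f"{path}: others have access (mode {mode:04o})")
    return findings


def audit(secret_files, token=None):
    """Check every secret file and, optionally, a configured proxy token."""
    findings = []
    for path in secret_files:
        findings.extend(permission_findings(path))
    if token is not None and not is_valid_proxy_token(token):
        findings.append("proxy token is not 64 hex characters (32 bytes)")
    return findings


if __name__ == "__main__":
    # Paths taken from the examples on this page; adjust to your deployment.
    for line in audit(["/path/to/my.key", "dask_gateway_config.py"],
                      os.environ.get("DASK_GATEWAY_PROXY_TOKEN")):
        print(line)
```

If the admins in your deployment are a dedicated group rather than a single owner, relax the group check accordingly.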