How can I password-protect my /sidekiq route (i.e. require authentication for the Sidekiq::Web tool)?

ruby ruby-on-rails-3 redis rescue sidekiq

22,604

Solution 1

Put the following into your sidekiq initializer

require 'sidekiq'
require 'sidekiq/web'

Sidekiq::Web.use(Rack::Auth::Basic) do |user, password|
  # Protect against timing attacks:
  # - See https://codahale.com/a-lesson-in-timing-attacks/
  # - See https://thisdata.com/blog/timing-attacks-against-string-comparison/
  # - Use & (do not use &&) so that it doesn't short circuit.
  # - Use digests to stop length information leaking
  Rack::Utils.secure_compare(::Digest::SHA256.hexdigest(user), ::Digest::SHA256.hexdigest(ENV["SIDEKIQ_USER"])) &
  Rack::Utils.secure_compare(::Digest::SHA256.hexdigest(password), ::Digest::SHA256.hexdigest(ENV["SIDEKIQ_PASSWORD"]))
end

And in the routes file:

mount Sidekiq::Web => '/sidekiq'

Solution 2

Sorry to late to the party, but Sidekiq's wiki recommends the following for Devise:

To allow any authenticated User:

# config/routes.rb
authenticate :user do
  mount Sidekiq::Web => '/sidekiq'
end

To restrict access to User.admin?

# config/routes.rb
authenticate :user, lambda { |u| u.admin? } do
  mount Sidekiq::Web => '/sidekiq'
end

This wiki post also has many other security schemes.

This was tested using Rails 5.1.3, Devise 4.3 and Sidekiq 5.0

Solution 3

See "Security" under https://github.com/mperham/sidekiq/wiki/Monitoring

Sidekiq::Web uses Rack::Protection to protect your application against typical web attacks (such as CSRF, XSS, etc). Rack::Protection would invalidate your session and raise Forbidden error if it finds that your request doesn't satisfy security requirements. One of the possible situations is having your application working behind a reverse proxy and not passing important headers to it (X-Forwarded-For,X-Forwarded-Proto). Such situation and solution could be found in this article and issue #2560...

Solution 4

If you're using Devise (or other Warden-based authentication), you can do this, supposing you have an AdminUser model in your app.

# config/routes.rb
# This defines the authentication constraint
constraint = lambda do |request|
               request.env['warden'].authenticate!({ scope: :admin_user })
             end

# This mounts the route using the constraint.
# You could use any other path to make it less obvious
constraints constraint do
  mount Sidekiq::Web => '/sidekiq'
end

Solution 5

If you are rolling your own custom authentication, then you can use the below example which is referenced in the docs here.

# lib/admin_constraint.rb
class AdminConstraint
  def matches?(request)
    return false unless request.session[:user_id]
    user = User.find request.session[:user_id]
    user && user.admin?
  end
end

# config/routes.rb
require 'sidekiq/web'
require 'admin_constraint'
mount Sidekiq::Web => '/sidekiq', :constraints => AdminConstraint.new

View more solutions

22,604

Author by

sagar junnarkar

Ruby on rails developer

Updated on October 06, 2021

Comments

sagar junnarkar over 2 years

I am using sidekiq in my rails application. By Default, Sidekiq can be accessed by anybody by appending "/sidekiq" after the url. I want to password protect / authenticate only the sidekiq part. How can i do that?