I don’t know of any security holes in LangFlow, but it’s always safest to assume there are, so act accordingly.
I’ll add I first tried to get this running on Replit and completely gave up during the install process. We assume it’s an issue with NixOS. I’ll note it specifically broke trying to install llama-cpp-python. There is a previous version deployed to Replit, but even forking that and trying to upgrade did not work.
So I spun up an EC2 t3.small to install LangFlow but ran into problems. The first is that the AWS defaults do not offer enough disk space. Worse, no swap disk is configured and for some reason when pip moves files it puts them through memory, so installing a larger package like torch will kill your process due to OOM, and your connection, losing history, etc. It’s not super obvious this is the cause. My first time, I had to restart the whole instance.
Easy mode would be to just run a bigger machine, maybe t3.medium 4GB RAM would do it. But I kept at it, recreating the instance with more disk space (16GB) and a second volume for swap (2GB).
Referring to:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-store-swap-volumes.html
https://stackoverflow.com/questions/74515846/error-could-not-install-packages-due-to-an-oserror-errno-28-no-space-left-on
$ swapon -s
Probably shows nothing, but some instance types are automatically configured with a swap partition or file.
$ lsblk -p NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS /dev/nvme0n1 259:0 0 16G 0 disk /dev/nvme0n1p1 259:2 0 16G 0 part / /dev/nvme0n1p127 259:3 0 1M 0 part /dev/nvme0n1p128 259:4 0 10M 0 part /dev/nvme1n1 259:1 0 2G 0 disk
That last one at 2G is the volume we provisioned or swap. To get the real name, you have to go to the storage tab of your EC2 dashboard, or try:
$ sudo /sbin/ebsnvme-id /dev/nvme1n1 Volume ID: vol-04d10a66ad2521d93sdb
Should match what the EC2 dashboard when you created the partition. Now create and verify the swap:
$ sudo mkswap /dev/sdb Setting up swapspace version 1, size = 2 GiB (2147479552 bytes) no label, UUID=2aff5f50-ff55-431e-a375-d2ea9edde8d9 $ sudo swapon /dev/sdb $ free -h total used free shared buff/cache available Mem: 1.9Gi 189Mi 1.4Gi 0.0Ki 258Mi 1.5Gi Swap: 2.0Gi 0B 2.0Gi
OK, now for the real show. Python 3 is installed, check with:
python3 –version
We can add an alias:
alias python='python3'
PIP is not installed. Followed instructions: https://pip.pypa.io/en/stable/installation/
But don’t use ensurepip because it won’t install a pip command – you’ll have to run
python -m pip …
every time. Yes, it can be aliased, but this solves it:
curl -O https://bootstrap.pypa.io/get-pip.pypython get-pip.py
Check with:
pip –version
Several packages are required, shown here in order of the installation breaking:
$ sudo yum install cmake $ sudo yum install gcc $ sudo yum install gcc-c++ $ sudo yum install python3-devel
$ pip install langflow
LangFlow is now installed and you can run it with the langflow command. However, it will bind to 127.0.0.1, preventing outside access. However, this is OK because we want to lock it down. If you run it like that, nothing is encrypted, including your API keys.
We have a couple choices here. The easy way is to set up an Application Load Balancer in AWS, let it handle certs, etc. I’m pretty sure you can point it to the instance so if it changes, it automatically updates the IP. You get a load balancer in the free tier, too.
But I’m saving that for another project, so let’s got the cheapskate route and make it hard on ourselves. We’ll set up Nginx as a reverse proxy with Let’s Encrypt for certs, but you could use Apache HTTPD or HAProxy if you prefer.
sudo yum install nginx
Now it’s installed, you need to add a block in the config file for Certbox to update for you. I took the extra step to point a (sub)domain I own to the public IP of my EC2 box, which is the server name below. OK, full disclosure, I do not own example.com. But you get the picture.
$ nano /etc/nginx/nginx.conf
Add:
server {
server_name langflow.madeupname.com;
#root /usr/share/nginx/html;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
location / {
proxy_pass http://127.0.0.1:7860;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host:$server_port;
proxy_cache_bypass $http_upgrade;
}
}
Next step is getting a cert from Let’s Encrypt. It recommends installing Certbot via snapd. Snapd could be installed via yum/dnf if you had support for EPEL on AL2023, but they removed EPEL support because they don’t like you.1 So you have to install it via pip, which thankfully you just installed.
Instructions: https://certbot.eff.org/instructions?ws=nginx&os=pip
sudo dnf install augeas-libs yum search certbot # verify you don’t have this installed already sudo /opt/certbot/bin/pip install --upgrade pip sudo /opt/certbot/bin/pip install certbot certbot-nginx sudo ln -s /opt/certbot/bin/certbot /usr/bin/certbot sudo certbot --nginx
That last step automatically updates nginx.conf for you and reloads, which is pretty slick.
To be extra safe, I created a langflow user to run this instead of ec2-user, since it won’t even have sudo access.
$ sudo adduser langflow $ sudo cp -pr .local/ logs/ .config/ tmp/ .cache/ .chroma/ /home/langflow $ sudo chown -R langflow:langflow /home/langflow $ sudo su - langflow $ langflow
Finally, go to the EC2 dashboard, Security tab, and add a new inbound rule – or change the existing one for HTTPS – to limit it to “My IP” so it’s only accessible by your box. At this point, you should be able to go to langflow.example.com and it should come up.
Good luck!
- Sorry, it’s possible they don’t like anybody. [↩]