Using CVAT with https and institutional certificate #4767

Closed
Fawkes83 opened this issue Jul 19, 2022 · 10 comments · Fixed by #7508
Labels: infra, question (Further information is requested)

Comments

Fawkes83 commented Jul 19, 2022

Hi everyone, there is a description in the documentation of how to use CVAT with certificates from LetsEncrypt under 'Deploy secure CVAT instance with HTTPS'. However, I want to use our own institutional certificate. I found several tutorials for traefik, but at the moment the configuration is not working. It looks like a lot has changed in the new CVAT version, so I was not able to find any docs on how to do that.

My config file 'docker-compose.https-own.yml' looks like this:

version: '3.3'

services:
  cvat:
    labels:
      - traefik.http.routers.cvat.entrypoints=websecure
        #- traefik.http.routers.cvat.tls.certresolver=lets-encrypt

  cvat_ui:
    labels:
      - traefik.http.routers.cvat-ui.entrypoints=websecure
        # - traefik.http.routers.cvat-ui.tls.certresolver=lets-encrypt

  traefik:
    image: traefik:v2.4
    container_name: traefik
    command:
      - "--providers.docker.exposedByDefault=false"
      - "--providers.docker.network=cvat"
      - "--entryPoints.web.address=:80"
      - "--entryPoints.web.http.redirections.entryPoint.to=websecure"
      - "--entryPoints.web.http.redirections.entryPoint.scheme=https"
      - "--providers.docker=true"
      - "--entryPoints.websecure.address=:443"
      #- "--providers.file.directory=home/xxx/services/cvat2/cvat/configuration"
      #- "--providers.file.watch=true"
      #- "--certificatesResolvers.lets-encrypt.acme.email=${ACME_EMAIL:?Please set the ACME_EMAIL env variable}"
      #- "--certificatesResolvers.lets-encrypt.acme.tlsChallenge=true"
      #- "--certificatesResolvers.lets-encrypt.acme.storage=/letsencrypt/acme.json"
      # Uncomment to get Traefik dashboard
      # - "--entryPoints.dashboard.address=:8090"
      # - "--api.dashboard=true"
    ports:
      - 80:80
      - 443:443
    volumes:
            # - cvat_letsencrypt:/letsencrypt
      - `/home/xxx/services/cvat2/cvat/configuration/certs-traefik.yml`
      - /home/xxx/services/cvat2/cvat/tls/
        #volumes:
        #  cvat_letsencrypt

The cert and key files are stored under /home/xxx/services/cvat2/cvat/tls/
Here is the certification file /home/xxx/services/cvat2/cvat/configuration/certs-traefik.yml

  certificates:
    - certFile: /home/xxx/services/cvat2/cvat/tls/xxx.crt
      keyFile: /home/xxx/services/cvat2/cvat/tls/xxx.key

When I am directly on the machine I can open CVAT under http://localhost:443.

Any advice would be helpful.

AndrewDHill commented Aug 12, 2022

I think you are really close. You have a different storage location for your certs but I think it all looks good except you are missing:

  1. tls declaration in cvat services
  2. tls declaration in cvat_ui services
  3. file directory for traefik rules (this location is in the docker container) in the traefik command section of services.
  4. file watch is needed, uncomment
  5. take a look at my volumes section for the traefik service. I keep my certs in a folder in the main cvat folder alongside a traefik.yml file. I link these resources to the docker container with the - ./certs/:/certs/:ro and - ./traefik.yml:/etc/traefik/dynamic_conf/traefik.yml:ro lines.
  6. take a look at the traefik.yml structure. You might need to place everything inside of tls:

working version of docker-compose.https.yml:
version: '3.3'

services:
  cvat:
    labels:
      - traefik.http.routers.cvat.entrypoints=websecure
      - traefik.http.routers.cvat.tls=true
      # - traefik.http.routers.cvat-ui.tls.certresolver=lets-encrypt

  cvat_ui:
    labels:
      - traefik.http.routers.cvat-ui.entrypoints=websecure
      - traefik.http.routers.cvat-ui.tls=true
      # - traefik.http.routers.cvat-ui.tls.certresolver=lets-encrypt

  traefik:
    image: traefik:v2.4
    container_name: traefik
    command:
      - "--providers.docker.exposedByDefault=false"
      - "--providers.docker.network=cvat"
      - "--providers.file.directory=/etc/traefik/rules"
      - "--entryPoints.web.address=:80"
      - "--entryPoints.web.http.redirections.entryPoint.to=websecure"
      - "--entryPoints.web.http.redirections.entryPoint.scheme=https"
      - "--entryPoints.websecure.address=:443"
      - "--providers.file.directory=/etc/traefik/dynamic_conf"
      - "--providers.file.watch=true"
      # https://stackoverflow.com/questions/58584625/how-do-i-reference-a-self-signed-ssl-certificates-for-traefik-v2-in-a-docker-com
      #- "--certificatesResolvers.lets-encrypt.acme.email=${ACME_EMAIL:?Please set the ACME_EMAIL env variable}"
      #- "--certificatesResolvers.lets-encrypt.acme.tlsChallenge=true"
      #- "--certificatesResolvers.lets-encrypt.acme.storage=/letsencrypt/acme.json"
      # Uncomment to get Traefik dashboard
      # - "--entryPoints.dashboard.address=:8090"
      # - "--api.dashboard=true"
    ports:
      - 80:80
      - 443:443
      # - 8090:8090
    volumes:
      - cvat_letsencrypt:/letsencrypt
      - ./certs/:/certs/:ro
      - ./traefik.yml:/etc/traefik/dynamic_conf/traefik.yml:ro

volumes:
  cvat_letsencrypt:
  

working version of traefik.yml:

tls:
  certificates:
    - certFile: /certs/cvat_cert.cer
      keyFile: /certs/cvat_key.pem

At first I didn't get the spaces just right in the traefik.yml file and it prevented tls from functioning. Make sure the keyFile line has the right indent and no "-".

sizov-kirill added the question (Further information is requested) and infra labels Aug 29, 2022

@sizov-kirill (Contributor)

Hi, @Fawkes83, thank you for reporting the issue.

Did the answer from @AndrewDHill help you or not?

@bsekachev (Member)

I will close the issue for now; do not hesitate to reopen it if the issue is still relevant.

pkumar219 commented Dec 15, 2022

I have the code below for a custom SSL certificate, however it is not updating the certificate.

version: '3.3'

services:
  cvat_server:
    labels:
      - traefik.http.routers.cvat.entrypoints=websecure
      - traefik.http.routers.cvat.tls=true

  cvat_ui:
    labels:
      - traefik.http.routers.cvat-ui.entrypoints=websecure
      - traefik.http.routers.cvat-ui.tls=true

  traefik:
    image: traefik:v2.4
    container_name: traefik
    command:
      - "--log.level=DEBUG"
      - "--providers.docker.exposedByDefault=false"
      - "--providers.docker.network=cvat"
      - "--entryPoints.web.address=:80"
      - "--entryPoints.web.http.redirections.entryPoint.to=websecure"
      - "--entryPoints.web.http.redirections.entryPoint.scheme=https"
      - "--entryPoints.websecure.address=:443"
      - "--providers.file.directory=/root/cvat_labeling/cvat/dynamic_conf"
      - "--providers.file.watch=true"
      #- "--certificatesResolvers.lets-encrypt.acme.email=${ACME_EMAIL:?Please set the ACME_EMAIL env variable}"
      #- "--certificatesResolvers.lets-encrypt.acme.tlsChallenge=true"
      #- "--certificatesResolvers.lets-encrypt.acme.storage=/letsencrypt/acme.json"
      # Uncomment to get Traefik dashboard
      # - "--entryPoints.dashboard.address=:8090"
      # - "--api.dashboard=true"
    ports:
      - 80:80
      - 443:443
    volumes:
      # - cvat_letsencrypt:/letsencrypt
      - /root/cvat_labeling/cvat/certs
      - /root/cvat_labeling/cvat/dynamic_conf/dynamic.yml

# volumes:
#   cvat_letsencrypt:

and also dynamic.yml as below

tls:
  stores:
    default:
      defaultCertificate:
        certFile: /root/cvat_labeling/cvat/dynamic_conf/cvat.cer
        keyFile: /root/cvat_labeling/cvat/dynamic_conf/cvat.key
  certificates:
    - certFile: /root/cvat_labeling/cvat/dynamic_conf/cvat.cer
      keyFile: /root/cvat_labeling/cvat/dynamic_conf/cvat.key
      stores:
        - default

But it is not taking the certs. What is the issue in my logic?

@AndrewDHill

Here is what I would try:

  1. your providers.file.directory should be a docker container location: - "--providers.file.directory=/etc/traefik/dynamic_conf". You might be able to change it back to the default value I copied here.
  2. In the volumes you need to link the file (and folder) to a location in the docker container, with read-only permissions, i.e. /root/path/to/file/traefik.yml:/etc/traefik/dynamic_conf/traefik.yml:ro

I am guessing at your indentation, but I'll note that it likely matters.
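The two recurring mistakes in this thread (AndrewDHill's points 3, 5 and 6 above, and the host-path volumes in the exchange just above) can be caught before `docker compose up`. The following is an added example, not code from CVAT or Traefik: it takes the compose `volumes:` list of the traefik service and the parsed dynamic config (the dict `yaml.safe_load` would return for traefik.yml) and reports mounts that never reach the container, cert paths Traefik cannot see from inside the container, a missing top-level `tls:` key, and certificate entries split by a stray `-`. The function names and the sample inputs are my own; the volume-syntax rules follow the Compose short syntax (a bare path is an anonymous volume, `SOURCE:TARGET[:MODE]` is a bind mount when SOURCE starts with `/`, `./` or `~`).

```python
# Added example for this thread (not CVAT's or Traefik's own code): a consistency
# check between compose volume mounts and the Traefik file-provider TLS config.
# It takes the already-parsed YAML (what yaml.safe_load returns) so it needs no
# extra packages.  Volume classification follows the Compose short syntax:
# "CONTAINER_PATH" alone is an anonymous volume; "SOURCE:CONTAINER_PATH[:MODE]"
# is a bind mount when SOURCE starts with '/', './' or '~', else a named volume.
from typing import List


def parse_volume(spec: str) -> dict:
    """Classify one compose short-syntax volume entry."""
    parts = spec.split(":")
    if len(parts) == 1:
        # A bare path is an anonymous volume mounted at that container path.
        # Nothing from the host ends up there, which is the trap in the thread.
        return {"kind": "anonymous", "source": None, "target": parts[0], "ro": False}
    source, target = parts[0], parts[1]
    modes = parts[2].split(",") if len(parts) > 2 else []
    kind = "bind" if source.startswith(("/", "./", "~")) else "named"
    return {"kind": kind, "source": source, "target": target, "ro": "ro" in modes}


def check_tls_config(volumes: List[str], traefik_yml: dict) -> List[str]:
    """Return human-readable problems; an empty list means the two files agree."""
    problems: List[str] = []
    mounts = [parse_volume(v) for v in volumes]
    for m in mounts:
        if m["kind"] == "anonymous":
            problems.append(
                f"volume '{m['target']}' has no container target; compose creates an "
                "empty anonymous volume there, so the host file is never mounted"
            )
    bind_targets = [m["target"].rstrip("/") for m in mounts if m["kind"] == "bind"]

    tls = traefik_yml.get("tls")
    if tls is None:
        problems.append("no top-level 'tls:' key; 'certificates' must be nested under it")
        return problems

    entries = list(tls.get("certificates") or [])
    default_cert = ((tls.get("stores") or {}).get("default") or {}).get("defaultCertificate")
    if default_cert:
        entries.append(default_cert)

    for idx, entry in enumerate(entries):
        missing = [k for k in ("certFile", "keyFile") if k not in entry]
        if missing:
            # A '- keyFile:' line with its own dash starts a new list item, which
            # is the indentation mistake described earlier in the thread.
            problems.append(f"certificate entry {idx} lacks {missing}")
        for key in ("certFile", "keyFile"):
            path = entry.get(key)
            if path is None:
                continue
            reachable = any(path == t or path.startswith(t + "/") for t in bind_targets)
            if not reachable:
                problems.append(
                    f"{key} '{path}' is not under any bind-mounted container path "
                    f"{bind_targets}; Traefik reads it inside the container"
                )
    return problems


# Constructed inputs modelled on the thread.  Working layout (AndrewDHill's):
WORKING_VOLUMES = [
    "cvat_letsencrypt:/letsencrypt",
    "./certs/:/certs/:ro",
    "./traefik.yml:/etc/traefik/dynamic_conf/traefik.yml:ro",
]
WORKING_TLS = {"tls": {"certificates": [{"certFile": "/certs/cvat_cert.cer",
                                          "keyFile": "/certs/cvat_key.pem"}]}}

# Broken layout (the first attempt above): bare volumes and host paths in the
# dynamic config.
BROKEN_VOLUMES = [
    "/root/cvat_labeling/cvat/certs",
    "/root/cvat_labeling/cvat/dynamic_conf/dynamic.yml",
]
BROKEN_TLS = {"tls": {
    "stores": {"default": {"defaultCertificate": {
        "certFile": "/root/cvat_labeling/cvat/dynamic_conf/cvat.cer",
        "keyFile": "/root/cvat_labeling/cvat/dynamic_conf/cvat.key"}}},
    "certificates": [{"certFile": "/root/cvat_labeling/cvat/dynamic_conf/cvat.cer",
                      "keyFile": "/root/cvat_labeling/cvat/dynamic_conf/cvat.key",
                      "stores": ["default"]}],
}}

if __name__ == "__main__":
    for name, vols, cfg in [("working", WORKING_VOLUMES, WORKING_TLS),
                            ("broken", BROKEN_VOLUMES, BROKEN_TLS)]:
        found = check_tls_config(vols, cfg)
        print(f"{name}: {len(found)} problem(s)")
        for p in found:
            print("  -", p)
```

Run against the broken layout it reports six problems (two anonymous volumes, and four cert/key paths that exist on the host but not inside the container); the working layout reports none. Feeding it Fawkes83's certs-traefik.yml from the opening post, which has `certificates:` at the top level, yields the single "no top-level tls:" finding.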

pkumar219 commented Dec 15, 2022

Thank you, however I still have the issue, as those certs are not loading.

version: '3.3'

services:
  cvat_server:
    labels:
      - traefik.http.routers.cvat.entrypoints=websecure
      - traefik.http.routers.cvat.tls=true
  cvat_ui:
    labels:
      - traefik.http.routers.cvat-ui.entrypoints=websecure
      - traefik.http.routers.cvat-ui.tls=true

  traefik:
    image: traefik:v2.4
    container_name: traefik
    command:
      - "--log.level=DEBUG"
      - "--providers.docker.exposedByDefault=false"
      - "--providers.docker.network=cvat"
      - "--entryPoints.web.address=:80"
      - "--entryPoints.web.http.redirections.entryPoint.to=websecure"
      - "--entryPoints.web.http.redirections.entryPoint.scheme=https"
      - "--entryPoints.websecure.address=:443"
      - "--providers.file.directory=/etc/traefik/dynamic_conf"
      - "--providers.file.watch=true"
      #- "--certificatesResolvers.lets-encrypt.acme.email=${ACME_EMAIL:?Please set the ACME_EMAIL env variable}"
      #- "--certificatesResolvers.lets-encrypt.acme.tlsChallenge=true"
      #- "--certificatesResolvers.lets-encrypt.acme.storage=/letsencrypt/acme.json"
      # Uncomment to get Traefik dashboard
      # - "--entryPoints.dashboard.address=:8090"
      # - "--api.dashboard=true"
    ports:
      - 80:80
      - 443:443
    volumes:
      # - cvat_letsencrypt:/letsencrypt
      - /root/cvat_labeling/cvat/certs:/etc/traefik/certs:ro
      - /root/cvat_labeling/cvat/dynamic_conf:/etc/traefik/dynamic_conf:ro
      - /root/cvat_labeling/cvat/dynamic_conf/traefik.yml:/etc/traefik/dynamic_conf/traefik.yml:ro

# volumes:

@AndrewDHill

In the volumes section, why are you linking your /root/cvat_labeling/cvat/dynamic_conf to the docker container?

@pkumar219

Thank you, I was able to resolve the issue by adding the correct cert path.

@ayalashop

Hi, I encountered difficulties configuring the SSL certificate and would appreciate some assistance. I downloaded the latest version, 2.9.1. Here are the configurations I attempted:

docker-compose.override.yml:

services:
  cvat_server:
    labels:
      - traefik.http.routers.cvat.rule=(Host(`cvat.my_domain.co`) || Host(`cvat-internal.my_domain.co`)) &&
          PathPrefix(`/api/`, `/git/`, `/opencv/`, `/analytics/`, `/static/`, `/admin`, `/documentation/`, `/django-rq`)

  cvat_ui:
    labels:
      - traefik.http.routers.cvat-ui.rule=Host(`cvat.my_domain.co`) || Host(`cvat-internal.my_domain.co`)

docker-compose.https.override.yml:

services:
  cvat_server:
    labels:
      - traefik.http.routers.cvat.entrypoints=websecure
      - traefik.http.routers.cvat.tls=true

  cvat_ui:
    labels:
      - traefik.http.routers.cvat-ui.entrypoints=websecure
      - traefik.http.routers.cvat.tls=true

  traefik:
    command:
      - "--log.level=DEBUG"
      - "--entryPoints.web.address=:80"
      - "--entryPoints.web.http.redirections.entryPoint.to=websecure"
      - "--entryPoints.web.http.redirections.entryPoint.scheme=https"
      - "--entryPoints.websecure.address=:443"
      - "--providers.file.directory=/etc/traefik/dynamic_conf"
      - "--providers.file.watch=true"
    ports:
      - 80:80
      - 443:443
    volumes:
      - /home/admin/cvat/traefik.yml:/etc/traefik/dynamic_conf/traefik.yml:ro
      - /home/admin/cvat/certs:/etc/traefik/certs:ro

traefik.yml:

tls:
  stores:
    default:
      defaultCertificate:
        certFile: /etc/traefik/certs/cert.crt
        keyFile: /etc/traefik/certs/key.key

  certificates:
    - certFile: /etc/traefik/certs/cert.crt
      keyFile: /etc/traefik/certs/key.key

It seems like the SSL configuration is correct, but I'm encountering a 404 page not found error.

docker logs traefik:

time="2023-12-11T16:15:35Z" level=info msg="Configuration loaded from flags."
time="2023-12-11T16:15:35Z" level=info msg="Traefik version 2.10.7 built on 2023-12-06T15:54:59Z"
time="2023-12-11T16:15:35Z" level=debug msg="Static configuration loaded {\"global\":{\"checkNewVersion\":true},\"serversTransport\":{\"maxIdleConnsPerHost\":200},\"entryPoints\":{\"web\":{\"address\":\":80\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{\"redirections\":{\"entryPoint\":{\"to\":\"websecure\",\"scheme\":\"https\",\"permanent\":true,\"priority\":2147483646}}},\"http2\":{\"maxConcurrentStreams\":250},\"udp\":{\"timeout\":\"3s\"}},\"websecure\":{\"address\":\":443\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{},\"http2\":{\"maxConcurrentStreams\":250},\"udp\":{\"timeout\":\"3s\"}}},\"providers\":{\"providersThrottleDuration\":\"2s\",\"file\":{\"directory\":\"/etc/traefik/dynamic_conf\",\"watch\":true}},\"log\":{\"level\":\"DEBUG\",\"format\":\"common\"}}"
time="2023-12-11T16:15:35Z" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://doc.traefik.io/traefik/contributing/data-collection/\n"
time="2023-12-11T16:15:35Z" level=info msg="Starting provider aggregator aggregator.ProviderAggregator"
time="2023-12-11T16:15:35Z" level=debug msg="Starting TCP Server" entryPointName=web
time="2023-12-11T16:15:35Z" level=debug msg="Starting TCP Server" entryPointName=websecure
time="2023-12-11T16:15:35Z" level=info msg="Starting provider *file.Provider"
time="2023-12-11T16:15:35Z" level=debug msg="*file.Provider provider configuration: {\"directory\":\"/etc/traefik/dynamic_conf\",\"watch\":true}"
time="2023-12-11T16:15:35Z" level=info msg="Starting provider *traefik.Provider"
time="2023-12-11T16:15:35Z" level=debug msg="*traefik.Provider provider configuration: {}"
time="2023-12-11T16:15:35Z" level=info msg="Starting provider *acme.ChallengeTLSALPN"
time="2023-12-11T16:15:35Z" level=debug msg="*acme.ChallengeTLSALPN provider configuration: {}"
time="2023-12-11T16:15:35Z" level=debug msg="Configuration received: {\"http\":{},\"tcp\":{},\"udp\":{},\"tls\":{\"stores\":{\"default\":{}}}}" providerName=file
time="2023-12-11T16:15:35Z" level=debug msg="Configuration received: {\"http\":{\"routers\":{\"web-to-websecure\":{\"entryPoints\":[\"web\"],\"middlewares\":[\"redirect-web-to-websecure\"],\"service\":\"noop@internal\",\"rule\":\"HostRegexp(`{host:.+}`)\",\"priority\":2147483646}},\"services\":{\"noop\":{}},\"middlewares\":{\"redirect-web-to-websecure\":{\"redirectScheme\":{\"scheme\":\"https\",\"port\":\"443\",\"permanent\":true}}},\"serversTransports\":{\"default\":{\"maxIdleConnsPerHost\":200}}},\"tcp\":{},\"udp\":{},\"tls\":{}}" providerName=internal
time="2023-12-11T16:15:35Z" level=debug msg="No store is defined to add the certificate MIIGhzCCBW+gAwIBAgIJANZ0auwvfeZHMA0GCSqGSIb3DQEBCw, it will be added to the default store."
time="2023-12-11T16:15:35Z" level=debug msg="Adding certificate for domain(s) *.my_domain..co,my_domain..co"
time="2023-12-11T16:15:35Z" level=debug msg="Added outgoing tracing middleware noop@internal" routerName=web-to-websecure@internal middlewareName=tracing middlewareType=TracingForwarder entryPointName=web
time="2023-12-11T16:15:35Z" level=debug msg="Creating middleware" entryPointName=web middlewareName=redirect-web-to-websecure@internal middlewareType=RedirectScheme routerName=web-to-websecure@internal
time="2023-12-11T16:15:35Z" level=debug msg="Setting up redirection to https 443" routerName=web-to-websecure@internal entryPointName=web middlewareName=redirect-web-to-websecure@internal middlewareType=RedirectScheme
time="2023-12-11T16:15:35Z" level=debug msg="Creating middleware" entryPointName=web middlewareName=traefik-internal-recovery middlewareType=Recovery

If you can provide further assistance or guidance, it would be greatly appreciated.
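Because compose merges the labels of each service across the override files, it is worth checking the merged set of `traefik.http.routers.*` labels per service rather than eyeballing each file. The following is an added example, not code from CVAT or Traefik: it groups the router labels of each service by router name and flags a router that has no `rule` in the service that declares it (usually a mistyped router name) and a router on the TLS entrypoint that carries no `tls=true`. The sample input is constructed from the two override files posted above, with the `PathPrefix` list shortened; note that in the posted docker-compose.https.override.yml the cvat_ui service sets `traefik.http.routers.cvat.tls=true`, not `cvat-ui`, which is exactly what this check reports. The function names are my own.

```python
# Added example for this thread (not CVAT's or Traefik's own code): parse the
# traefik.http.routers.* labels of each compose service and flag routers that
# are incomplete after the override files are merged.
from typing import Dict, List

ROUTER_PREFIX = "traefik.http.routers."


def parse_router_labels(labels: List[str]) -> Dict[str, Dict[str, str]]:
    """Group 'traefik.http.routers.<name>.<option>=<value>' labels by router name."""
    routers: Dict[str, Dict[str, str]] = {}
    for label in labels:
        key, _, value = label.partition("=")
        if not key.startswith(ROUTER_PREFIX):
            continue  # service/middleware labels are out of scope here
        name, _, option = key[len(ROUTER_PREFIX):].partition(".")
        routers.setdefault(name, {})[option] = value.strip()
    return routers


def check_routers(services: Dict[str, List[str]],
                  tls_entrypoints=("websecure",)) -> List[str]:
    """Return problems found in the merged router labels of each service."""
    problems: List[str] = []
    for service, labels in services.items():
        for name, opts in parse_router_labels(labels).items():
            if "rule" not in opts:
                # A router that only receives tls/entrypoints here has its rule in
                # another service: almost always a mistyped router name.
                problems.append(
                    f"{service}: router '{name}' has no rule in this service "
                    f"(only {sorted(opts)}); is the router name correct?"
                )
                continue
            entrypoints = {e.strip() for e in opts.get("entrypoints", "").split(",") if e.strip()}
            on_tls = sorted(entrypoints & set(tls_entrypoints))
            if on_tls and opts.get("tls") != "true":
                # Without a tls section a Traefik router only serves non-TLS
                # requests, so HTTPS requests fall through and get a 404.
                problems.append(
                    f"{service}: router '{name}' listens on {on_tls} but has no tls=true label"
                )
    return problems


# Constructed from the two override files posted above (PathPrefix list shortened).
POSTED = {
    "cvat_server": [
        "traefik.http.routers.cvat.rule=(Host(`cvat.my_domain.co`) || Host(`cvat-internal.my_domain.co`)) && PathPrefix(`/api/`, `/static/`)",
        "traefik.http.routers.cvat.entrypoints=websecure",
        "traefik.http.routers.cvat.tls=true",
    ],
    "cvat_ui": [
        "traefik.http.routers.cvat-ui.rule=Host(`cvat.my_domain.co`) || Host(`cvat-internal.my_domain.co`)",
        "traefik.http.routers.cvat-ui.entrypoints=websecure",
        "traefik.http.routers.cvat.tls=true",  # router name differs from the two labels above
    ],
}

# Same labels with the cvat_ui tls label pointing at the cvat-ui router.
FIXED = {
    "cvat_server": POSTED["cvat_server"],
    "cvat_ui": POSTED["cvat_ui"][:2] + ["traefik.http.routers.cvat-ui.tls=true"],
}

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("fixed", FIXED)):
        found = check_routers(cfg)
        print(f"{label}: {len(found)} problem(s)")
        for p in found:
            print("  -", p)
```

On the posted labels the checker reports two findings for cvat_ui: the `cvat` router has no rule in that service, and the `cvat-ui` router sits on `websecure` without `tls=true`. Changing the one label to `cvat-ui` clears both.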

HypotakorasPvision commented Jan 12, 2024

I have a workaround here. It goes over an Apache proxy. Unfortunately it can't upload more pictures and the admin settings won't work. The domain http://yourdomain.de:8080 still works for these settings and uploads.
You can connect your file server with CVAT. See the steps. So you have a "workaround" here.

Steps:

  1. Shutdown the Docker: docker compose down

  2. Install apache2
    sudo apt-get install apache2

  3. Mod your Apache for proxy:
    sudo a2enmod proxy
    sudo a2enmod proxy_http

  4. Make a cvat.conf in /etc/apache2/sites-available/cvat.conf

<VirtualHost *:80>
    ServerName yourdomain.de
    ProxyPreserveHost On
    ProxyPass / https://localhost:8080/
    ProxyPassReverse / https://localhost:8080/
</VirtualHost>
# Use here your own certs
  5. Enable your site:
    sudo a2ensite cvat.conf

  6. Reload Apache2:
    sudo systemctl reload apache2

  7. Set environment variable:
    export CVAT_HOST=YOURDOMAIN.de

  8. For your login, you need some security settings here:
    nano ~/cvat/settings/development.py
    Edit this line:
    CSRF_TRUSTED_ORIGINS = [UI_URL,'https://yourdomain.de','https://*.yourdomain.de','https://127.0.0.1']

  9. Connect your file server with CVAT and skip data upload:
    https://opencv.github.io/cvat/docs/administration/basics/installation/#share-path

  10. Start docker:
    docker compose -f docker-compose.yml -f docker-compose.https.yml -f docker-compose.override.yml up -d

  11. Done

azhavoro added a commit that referenced this issue Oct 8, 2024
### Motivation and context
fix #4767 
my docker-compose.https.yml:
```yaml
# Copyright (C) 2018-2022 Intel Corporation
#
# SPDX-License-Identifier: MIT
```

### Checklist
<!-- Go over all the following points, and put an `x` in all the boxes
that apply.
If an item isn't applicable for some reason, then ~~explicitly
strikethrough~~ the whole
line. If you don't do that, GitHub will show incorrect progress for the
pull request.
If you're unsure about any of these, don't hesitate to ask. We're here
to help! -->
- [x] I submit my changes into the `develop` branch
- [x] I have created a changelog fragment <!-- see top comment in
CHANGELOG.md -->
- [x] I have updated the documentation accordingly
- [x] I have added tests to cover my changes
- [x] I have linked related issues (see [GitHub docs](https://help.github.com/en/github/managing-your-work-on-github/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword))
- [x] I have increased versions of npm packages if it is necessary ([cvat-canvas](https://github.com/opencv/cvat/tree/develop/cvat-canvas#versioning), [cvat-core](https://github.com/opencv/cvat/tree/develop/cvat-core#versioning), [cvat-data](https://github.com/opencv/cvat/tree/develop/cvat-data#versioning) and [cvat-ui](https://github.com/opencv/cvat/tree/develop/cvat-ui#versioning))

### License

- [x] I submit _my code changes_ under the same [MIT License](https://github.com/opencv/cvat/blob/develop/LICENSE) that covers the project.
  Feel free to contact the maintainers if that's a concern.


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

- **New Features**
  - Introduced comprehensive documentation for implementing custom SSL certificates in the CVAT environment.
  - Provided step-by-step instructions for setting up and configuring Traefik to use custom certificates.

- **Documentation**
  - Added a new file detailing the process of creating a certificates directory, modifying Traefik configuration, and starting CVAT with custom SSL certificates.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: Andrey Zhavoronkov <andrey@cvat.ai>