
Using CVAT with https and institutional certificate #4767

Closed
Fawkes83 opened this issue Jul 19, 2022 · 10 comments · May be fixed by #7508
Labels
infra question Further information is requested

Comments


Fawkes83 commented Jul 19, 2022

Hi everyone, there is a description in the documentation of how to use CVAT with certificates from LetsEncrypt under 'Deploy secure CVAT instance with HTTPS'. However, I want to use my own institutional certificate. I found several tutorials for traefik, but at the moment the configuration is not working. It looks like a lot has changed in the new CVAT version, so I was not able to find any docs on how to do that.

My config file 'docker-compose.https-own.yml' looks like this:

version: '3.3'

services:
  cvat:
    labels:
      - traefik.http.routers.cvat.entrypoints=websecure
      #- traefik.http.routers.cvat.tls.certresolver=lets-encrypt

  cvat_ui:
    labels:
      - traefik.http.routers.cvat-ui.entrypoints=websecure
      # - traefik.http.routers.cvat-ui.tls.certresolver=lets-encrypt

  traefik:
    image: traefik:v2.4
    container_name: traefik
    command:
      - "--providers.docker.exposedByDefault=false"
      - "--providers.docker.network=cvat"
      - "--entryPoints.web.address=:80"
      - "--entryPoints.web.http.redirections.entryPoint.to=websecure"
      - "--entryPoints.web.http.redirections.entryPoint.scheme=https"
      - "--providers.docker=true"
      - "--entryPoints.websecure.address=:443"
      #- "--providers.file.directory=home/xxx/services/cvat2/cvat/configuration"
      #- "--providers.file.watch=true"
      #- "--certificatesResolvers.lets-encrypt.acme.email=${ACME_EMAIL:?Please set the ACME_EMAIL env variable}"
      #- "--certificatesResolvers.lets-encrypt.acme.tlsChallenge=true"
      #- "--certificatesResolvers.lets-encrypt.acme.storage=/letsencrypt/acme.json"
      # Uncomment to get Traefik dashboard
      # - "--entryPoints.dashboard.address=:8090"
      # - "--api.dashboard=true"
    ports:
      - 80:80
      - 443:443
    volumes:
      # - cvat_letsencrypt:/letsencrypt
      - /home/xxx/services/cvat2/cvat/configuration/certs-traefik.yml
      - /home/xxx/services/cvat2/cvat/tls/

#volumes:
#  cvat_letsencrypt:

The cert and key files are stored under /home/xxx/services/cvat2/cvat/tls/
Here is the certification file /home/xxx/services/cvat2/cvat/configuration/certs-traefik.yml

  certificates:
    - certFile: /home/xxx/services/cvat2/cvat/tls/xxx.crt
      keyFile: /home/xxx/services/cvat2/cvat/tls/xxx.key

When I am directly on the machine I can open CVAT under http://localhost:443.

Any advice would be helpful.


AndrewDHill commented Aug 12, 2022

I think you are really close. You have a different storage location for your certs but I think it all looks good except you are missing:

  1. tls declaration in cvat services
  2. tls declaration in cvat_ui services
  3. file directory for traefik rules (this location is in the docker container) in the traefik command section of services.
  4. file watch is needed, uncomment
  5. take a look at my volumes section for traefik service. I keep my certs in a folder in main cvat folder alongside a traefik.yml file. I link these resources to the docker container with the - ./certs/:/certs/:ro & - ./traefik.yml:/etc/traefik/dynamic_conf/traefik.yml:ro lines.
  6. take a look at traefik.yml structure. You might need to place everything inside of tls:

working version of dockercompose.https.yml:
version: '3.3'

services:
  cvat:
    labels:
      - traefik.http.routers.cvat.entrypoints=websecure
      - traefik.http.routers.cvat.tls=true
      # - traefik.http.routers.cvat.tls.certresolver=lets-encrypt

  cvat_ui:
    labels:
      - traefik.http.routers.cvat-ui.entrypoints=websecure
      - traefik.http.routers.cvat-ui.tls=true
      # - traefik.http.routers.cvat-ui.tls.certresolver=lets-encrypt

  traefik:
    image: traefik:v2.4
    container_name: traefik
    command:
      - "--providers.docker.exposedByDefault=false"
      - "--providers.docker.network=cvat"
      - "--entryPoints.web.address=:80"
      - "--entryPoints.web.http.redirections.entryPoint.to=websecure"
      - "--entryPoints.web.http.redirections.entryPoint.scheme=https"
      - "--entryPoints.websecure.address=:443"
      # Dynamic configuration (traefik.yml with the tls: section) is read from this
      # directory *inside the container*; it must match the traefik.yml mount below.
      - "--providers.file.directory=/etc/traefik/dynamic_conf"
      - "--providers.file.watch=true"
      # https://stackoverflow.com/questions/58584625/how-do-i-reference-a-self-signed-ssl-certificates-for-traefik-v2-in-a-docker-com
      #- "--certificatesResolvers.lets-encrypt.acme.email=${ACME_EMAIL:?Please set the ACME_EMAIL env variable}"
      #- "--certificatesResolvers.lets-encrypt.acme.tlsChallenge=true"
      #- "--certificatesResolvers.lets-encrypt.acme.storage=/letsencrypt/acme.json"
      # Uncomment to get Traefik dashboard
      # - "--entryPoints.dashboard.address=:8090"
      # - "--api.dashboard=true"
    ports:
      - 80:80
      - 443:443
      # - 8090:8090
    volumes:
      - cvat_letsencrypt:/letsencrypt
      - ./certs/:/certs/:ro
      - ./traefik.yml:/etc/traefik/dynamic_conf/traefik.yml:ro

volumes:
  cvat_letsencrypt:

working version of traefik.yml:

tls:
  certificates:
    - certFile: /certs/cvat_cert.cer
      keyFile: /certs/cvat_key.pem

At first I didn't get the spaces just right in the traefik.yml file and it prevented tls from functioning. Make sure the keyFile line has the right indent and no "-"

@sizov-kirill sizov-kirill added question Further information is requested infra labels Aug 29, 2022
@sizov-kirill
Contributor

Hi, @Fawkes83, thank you for reporting the issue.

Did the answer from @AndrewDHill help you or not?

@bsekachev
Member

I will close the issue for now, do not hesitate to reopen if the issue is still relevant


pkumar219 commented Dec 15, 2022

I have the code below for a custom SSL certificate; however, it is not updating the certificate.

version: '3.3'

services:
  cvat_server:
    labels:
      - traefik.http.routers.cvat.entrypoints=websecure
      - traefik.http.routers.cvat.tls=true

  cvat_ui:
    labels:
      - traefik.http.routers.cvat-ui.entrypoints=websecure
      - traefik.http.routers.cvat-ui.tls=true

  traefik:
    image: traefik:v2.4
    container_name: traefik
    command:
      - "--log.level=DEBUG"
      - "--providers.docker.exposedByDefault=false"
      - "--providers.docker.network=cvat"
      - "--entryPoints.web.address=:80"
      - "--entryPoints.web.http.redirections.entryPoint.to=websecure"
      - "--entryPoints.web.http.redirections.entryPoint.scheme=https"
      - "--entryPoints.websecure.address=:443"
      - "--providers.file.directory=/root/cvat_labeling/cvat/dynamic_conf"
      - "--providers.file.watch=true"
      #- "--certificatesResolvers.lets-encrypt.acme.email=${ACME_EMAIL:?Please set the ACME_EMAIL env variable}"
      #- "--certificatesResolvers.lets-encrypt.acme.tlsChallenge=true"
      #- "--certificatesResolvers.lets-encrypt.acme.storage=/letsencrypt/acme.json"
      # Uncomment to get Traefik dashboard
      # - "--entryPoints.dashboard.address=:8090"
      # - "--api.dashboard=true"
    ports:
      - 80:80
      - 443:443
    volumes:
      # - cvat_letsencrypt:/letsencrypt
      - /root/cvat_labeling/cvat/certs
      - /root/cvat_labeling/cvat/dynamic_conf/dynamic.yml

# volumes:
#   cvat_letsencrypt:

and also dynamic.yml as below

tls:
  stores:
    default:
      defaultCertificate:
        certFile: /root/cvat_labeling/cvat/dynamic_conf/cvat.cer
        keyFile: /root/cvat_labeling/cvat/dynamic_conf/cvat.key
  certificates:
    - certFile: /root/cvat_labeling/cvat/dynamic_conf/cvat.cer
      keyFile: /root/cvat_labeling/cvat/dynamic_conf/cvat.key
      stores:
        - default

But it is not taking the certs. What is the issue in my logic?

@AndrewDHill

Here is what I would try:

  1. Your providers.file.directory should be a Docker container location: "--providers.file.directory=/etc/traefik/dynamic_conf". You might be able to change it back to the default value I copied here.
  2. In the volumes you need to link the file (and folder) to a location in the Docker container, with read-only permissions, i.e. /root/path/to/file/traefik.yml:/etc/traefik/dynamic_conf/traefik.yml:ro

I am guessing at your indentation but I'll note that it likely matters.


pkumar219 commented Dec 15, 2022

Thank you; however, I still have the issue, as those certs are not loading.

version: '3.3'

services:
  cvat_server:
    labels:
      - traefik.http.routers.cvat.entrypoints=websecure
      - traefik.http.routers.cvat.tls=true

  cvat_ui:
    labels:
      - traefik.http.routers.cvat-ui.entrypoints=websecure
      - traefik.http.routers.cvat-ui.tls=true

  traefik:
    image: traefik:v2.4
    container_name: traefik
    command:
      - "--log.level=DEBUG"
      - "--providers.docker.exposedByDefault=false"
      - "--providers.docker.network=cvat"
      - "--entryPoints.web.address=:80"
      - "--entryPoints.web.http.redirections.entryPoint.to=websecure"
      - "--entryPoints.web.http.redirections.entryPoint.scheme=https"
      - "--entryPoints.websecure.address=:443"
      - "--providers.file.directory=/etc/traefik/dynamic_conf"
      - "--providers.file.watch=true"
      #- "--certificatesResolvers.lets-encrypt.acme.email=${ACME_EMAIL:?Please set the ACME_EMAIL env variable}"
      #- "--certificatesResolvers.lets-encrypt.acme.tlsChallenge=true"
      #- "--certificatesResolvers.lets-encrypt.acme.storage=/letsencrypt/acme.json"
      # Uncomment to get Traefik dashboard
      # - "--entryPoints.dashboard.address=:8090"
      # - "--api.dashboard=true"
    ports:
      - 80:80
      - 443:443
    volumes:
      # - cvat_letsencrypt:/letsencrypt
      - /root/cvat_labeling/cvat/certs:/etc/traefik/certs:ro
      - /root/cvat_labeling/cvat/dynamic_conf:/etc/traefik/dynamic_conf:ro
      - /root/cvat_labeling/cvat/dynamic_conf/traefik.yml:/etc/traefik/dynamic_conf/traefik.yml:ro

# volumes:

@AndrewDHill

In the volumes section, why are you linking your /root/cvat_labeling/cvat/dynamic_conf to the docker container?

@pkumar219

Thank you, I was able to resolve the issue by adding the correct cert path.
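Both rounds of debugging above (AndrewDHill's points 3 and 5, and pkumar219's two configurations) reduce to one rule: every path in the traefik service's command and in the dynamic traefik.yml is resolved inside the container, so it must be the right-hand side of a bind mount. The Python below is an added example, not code from this thread or from the CVAT project: it encodes that rule, plus the read-only and duplicate-flag checks, as a small lint over the compose service definition and runs it against the two definitions transcribed from the posts above. The compose semantics it relies on (a lone path under volumes: is an anonymous, empty volume at that container path; source:target:ro is a read-only bind mount) are standard docker compose behaviour; the service dicts are hand-transcribed rather than parsed from YAML so the example needs only the standard library.

```python
from typing import Dict, Iterable, List, Optional

# Compose rules the thread keeps tripping over, encoded as checks. Assumed (standard
# docker compose behaviour): a lone path in `volumes` is an anonymous volume created
# empty at that container path; "source:target[:mode]" is a bind mount when source is
# a path (/, ./, ~) and a named volume otherwise.


def parse_volume(entry: str) -> Dict[str, Optional[str]]:
    """Interpret one short-syntax compose volume entry."""
    parts = entry.split(":")
    if len(parts) == 1:
        return {"source": None, "target": parts[0], "mode": "rw", "kind": "anonymous"}
    source, target = parts[0], parts[1]
    mode = parts[2] if len(parts) > 2 else "rw"
    kind = "bind" if source.startswith(("/", ".", "~")) else "named"
    return {"source": source, "target": target, "mode": mode, "kind": kind}


def flag_values(command: Iterable[str], flag: str) -> List[str]:
    """Every value given for a --flag=value entry (repeated flags are a common mistake)."""
    return [arg.split("=", 1)[1] for arg in command if arg.startswith(flag + "=")]


def under(path: str, root: str) -> bool:
    """True when `path` is `root` itself or lies below it (trailing slashes ignored)."""
    root = root.rstrip("/")
    if not root:
        return path.startswith("/")
    return path == root or path.startswith(root + "/")


def lint_traefik_service(service: Dict, tls_paths: Iterable[str]) -> List[str]:
    """Check the `traefik` service against the paths Traefik opens *inside the container*:
    the file-provider directory and the certFile/keyFile entries of the dynamic config."""
    findings: List[str] = []
    mounts = [parse_volume(v) for v in service.get("volumes", [])]
    binds = [m for m in mounts if m["kind"] == "bind"]

    for m in mounts:
        if m["kind"] == "anonymous":
            findings.append(f"volume {m['target']!r} has no host:container mapping; compose "
                            "creates an empty anonymous volume there, the host files are not mounted")
    for m in binds:
        if m["mode"] != "ro":
            findings.append(f"bind mount {m['source']!r} is writable; certificates and "
                            "dynamic config should be mounted :ro")

    dirs = flag_values(service.get("command", []), "--providers.file.directory")
    if not dirs:
        findings.append("--providers.file.directory is unset; traefik.yml is never read")
    elif len(dirs) > 1:
        findings.append(f"--providers.file.directory is set {len(dirs)} times {dirs}; keep the one "
                        "that matches the mount")
    for d in dirs:
        # Reachable if the directory is a mount target or a mounted file sits inside it.
        if not any(under(d, m["target"]) or under(m["target"], d) for m in binds):
            findings.append(f"--providers.file.directory={d} is not reachable through any bind mount "
                            "(a host path used as a container path?)")

    for p in tls_paths:
        if not any(under(p, m["target"]) for m in binds):
            findings.append(f"{p}: not below any bind-mount target; Traefik cannot open it in the container")
    return findings


# Transcribed from pkumar219's first attempt above: host paths, no container targets.
BROKEN = {
    "command": [
        "--providers.docker.exposedByDefault=false",
        "--providers.docker.network=cvat",
        "--entryPoints.web.address=:80",
        "--entryPoints.websecure.address=:443",
        "--providers.file.directory=/root/cvat_labeling/cvat/dynamic_conf",
        "--providers.file.watch=true",
    ],
    "volumes": ["/root/cvat_labeling/cvat/certs", "/root/cvat_labeling/cvat/dynamic_conf/dynamic.yml"],
}
BROKEN_TLS = ["/root/cvat_labeling/cvat/dynamic_conf/cvat.cer", "/root/cvat_labeling/cvat/dynamic_conf/cvat.key"]

# Transcribed from AndrewDHill's working version above: container paths, read-only mounts.
WORKING = {
    "command": [
        "--providers.docker.exposedByDefault=false",
        "--providers.docker.network=cvat",
        "--entryPoints.web.address=:80",
        "--entryPoints.websecure.address=:443",
        "--providers.file.directory=/etc/traefik/dynamic_conf",
        "--providers.file.watch=true",
    ],
    "volumes": ["cvat_letsencrypt:/letsencrypt", "./certs/:/certs/:ro",
                "./traefik.yml:/etc/traefik/dynamic_conf/traefik.yml:ro"],
}
WORKING_TLS = ["/certs/cvat_cert.cer", "/certs/cvat_key.pem"]

if __name__ == "__main__":
    for name, svc, tls in (("pkumar219 v1", BROKEN, BROKEN_TLS), ("AndrewDHill", WORKING, WORKING_TLS)):
        print(name, lint_traefik_service(svc, tls) or ["ok"])
```

Run against the first pkumar219 service it reports five problems (two anonymous volumes, an unreachable file-provider directory, two unreachable cert paths); against AndrewDHill's it reports none, which is the state the thread converged on. The same check catches a repeated --providers.file.directory flag, so it is worth running before the first docker compose up rather than after the first failed TLS handshake.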

@ayalashop

Hi, I encountered difficulties configuring the SSL certificate and would appreciate some assistance. I downloaded the latest version, 2.9.1. Here are the configurations I attempted:

docker-compose.override.yml:

services:
  cvat_server:
    labels:
      - traefik.http.routers.cvat.rule=(Host(`cvat.my_domain.co`) || Host(`cvat-internal.my_domain.co`)) &&
          PathPrefix(`/api/`, `/git/`, `/opencv/`, `/analytics/`, `/static/`, `/admin`, `/documentation/`, `/django-rq`)

  cvat_ui:
    labels:
      - traefik.http.routers.cvat-ui.rule=Host(`cvat.my_domain.co`) || Host(`cvat-internal.my_domain.co`)

docker-compose.https.override.yml:

services:
  cvat_server:
    labels:
      - traefik.http.routers.cvat.entrypoints=websecure
      - traefik.http.routers.cvat.tls=true

  cvat_ui:
    labels:
      - traefik.http.routers.cvat-ui.entrypoints=websecure
      - traefik.http.routers.cvat.tls=true

  traefik:
    command:
      - "--log.level=DEBUG"
      - "--entryPoints.web.address=:80"
      - "--entryPoints.web.http.redirections.entryPoint.to=websecure"
      - "--entryPoints.web.http.redirections.entryPoint.scheme=https"
      - "--entryPoints.websecure.address=:443"
      - "--providers.file.directory=/etc/traefik/dynamic_conf"
      - "--providers.file.watch=true"
    ports:
      - 80:80
      - 443:443
    volumes:
      - /home/admin/cvat/traefik.yml:/etc/traefik/dynamic_conf/traefik.yml:ro
      - /home/admin/cvat/certs:/etc/traefik/certs:ro

traefik.yml:

tls:
  stores:
    default:
      defaultCertificate:
        certFile: /etc/traefik/certs/cert.crt
        keyFile: /etc/traefik/certs/key.key

  certificates:
    - certFile: /etc/traefik/certs/cert.crt
      keyFile: /etc/traefik/certs/key.key

It seems like the SSL configuration is correct, but I'm encountering a 404 page not found error.

docker logs traefik:

time="2023-12-11T16:15:35Z" level=info msg="Configuration loaded from flags."
time="2023-12-11T16:15:35Z" level=info msg="Traefik version 2.10.7 built on 2023-12-06T15:54:59Z"
time="2023-12-11T16:15:35Z" level=debug msg="Static configuration loaded {\"global\":{\"checkNewVersion\":true},\"serversTransport\":{\"maxIdleConnsPerHost\":200},\"entryPoints\":{\"web\":{\"address\":\":80\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{\"redirections\":{\"entryPoint\":{\"to\":\"websecure\",\"scheme\":\"https\",\"permanent\":true,\"priority\":2147483646}}},\"http2\":{\"maxConcurrentStreams\":250},\"udp\":{\"timeout\":\"3s\"}},\"websecure\":{\"address\":\":443\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{},\"http2\":{\"maxConcurrentStreams\":250},\"udp\":{\"timeout\":\"3s\"}}},\"providers\":{\"providersThrottleDuration\":\"2s\",\"file\":{\"directory\":\"/etc/traefik/dynamic_conf\",\"watch\":true}},\"log\":{\"level\":\"DEBUG\",\"format\":\"common\"}}"
time="2023-12-11T16:15:35Z" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://doc.traefik.io/traefik/contributing/data-collection/\n"
time="2023-12-11T16:15:35Z" level=info msg="Starting provider aggregator aggregator.ProviderAggregator"
time="2023-12-11T16:15:35Z" level=debug msg="Starting TCP Server" entryPointName=web
time="2023-12-11T16:15:35Z" level=debug msg="Starting TCP Server" entryPointName=websecure
time="2023-12-11T16:15:35Z" level=info msg="Starting provider *file.Provider"
time="2023-12-11T16:15:35Z" level=debug msg="*file.Provider provider configuration: {\"directory\":\"/etc/traefik/dynamic_conf\",\"watch\":true}"
time="2023-12-11T16:15:35Z" level=info msg="Starting provider *traefik.Provider"
time="2023-12-11T16:15:35Z" level=debug msg="*traefik.Provider provider configuration: {}"
time="2023-12-11T16:15:35Z" level=info msg="Starting provider *acme.ChallengeTLSALPN"
time="2023-12-11T16:15:35Z" level=debug msg="*acme.ChallengeTLSALPN provider configuration: {}"
time="2023-12-11T16:15:35Z" level=debug msg="Configuration received: {\"http\":{},\"tcp\":{},\"udp\":{},\"tls\":{\"stores\":{\"default\":{}}}}" providerName=file
time="2023-12-11T16:15:35Z" level=debug msg="Configuration received: {\"http\":{\"routers\":{\"web-to-websecure\":{\"entryPoints\":[\"web\"],\"middlewares\":[\"redirect-web-to-websecure\"],\"service\":\"noop@internal\",\"rule\":\"HostRegexp(`{host:.+}`)\",\"priority\":2147483646}},\"services\":{\"noop\":{}},\"middlewares\":{\"redirect-web-to-websecure\":{\"redirectScheme\":{\"scheme\":\"https\",\"port\":\"443\",\"permanent\":true}}},\"serversTransports\":{\"default\":{\"maxIdleConnsPerHost\":200}}},\"tcp\":{},\"udp\":{},\"tls\":{}}" providerName=internal
time="2023-12-11T16:15:35Z" level=debug msg="No store is defined to add the certificate MIIGhzCCBW+gAwIBAgIJANZ0auwvfeZHMA0GCSqGSIb3DQEBCw, it will be added to the default store."
time="2023-12-11T16:15:35Z" level=debug msg="Adding certificate for domain(s) *.my_domain..co,my_domain..co"
time="2023-12-11T16:15:35Z" level=debug msg="Added outgoing tracing middleware noop@internal" routerName=web-to-websecure@internal middlewareName=tracing middlewareType=TracingForwarder entryPointName=web
time="2023-12-11T16:15:35Z" level=debug msg="Creating middleware" entryPointName=web middlewareName=redirect-web-to-websecure@internal middlewareType=RedirectScheme routerName=web-to-websecure@internal
time="2023-12-11T16:15:35Z" level=debug msg="Setting up redirection to https 443" routerName=web-to-websecure@internal entryPointName=web middlewareName=redirect-web-to-websecure@internal middlewareType=RedirectScheme
time="2023-12-11T16:15:35Z" level=debug msg="Creating middleware" entryPointName=web middlewareName=traefik-internal-recovery middlewareType=Recovery

If you can provide further assistance or guidance, it would be greatly appreciated.
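The posted log already contains the answer to the 404. The "Static configuration loaded" line shows "providers":{"providersThrottleDuration":"2s","file":{...}} and nothing else: the docker provider is not enabled, so the traefik.http.routers.* labels on cvat_server and cvat_ui are never read and Traefik has no router to match. That is what happens when an override file sets command: for the traefik service, because compose replaces a single-value key such as command wholesale instead of merging it, and the override above lists only entrypoint and file-provider flags. The Python below is an added example (not from the thread or from CVAT): it parses that DEBUG line back into JSON and reports the missing provider, and models the compose merge to show the docker flags disappearing. The thread's log line is used as-is; the base traefik service and the "healthy" static configuration are constructed assumptions, marked in the code.

```python
import json
import re
from typing import Dict, List

# Lines from the `docker logs traefik` output posted above (Traefik 2.10.7); only the
# "Static configuration loaded" line is parsed.
TRAEFIK_LOG = r'''
time="2023-12-11T16:15:35Z" level=info msg="Configuration loaded from flags."
time="2023-12-11T16:15:35Z" level=info msg="Traefik version 2.10.7 built on 2023-12-06T15:54:59Z"
time="2023-12-11T16:15:35Z" level=debug msg="Static configuration loaded {\"global\":{\"checkNewVersion\":true},\"serversTransport\":{\"maxIdleConnsPerHost\":200},\"entryPoints\":{\"web\":{\"address\":\":80\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{\"redirections\":{\"entryPoint\":{\"to\":\"websecure\",\"scheme\":\"https\",\"permanent\":true,\"priority\":2147483646}}},\"http2\":{\"maxConcurrentStreams\":250},\"udp\":{\"timeout\":\"3s\"}},\"websecure\":{\"address\":\":443\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{},\"http2\":{\"maxConcurrentStreams\":250},\"udp\":{\"timeout\":\"3s\"}}},\"providers\":{\"providersThrottleDuration\":\"2s\",\"file\":{\"directory\":\"/etc/traefik/dynamic_conf\",\"watch\":true}},\"log\":{\"level\":\"DEBUG\",\"format\":\"common\"}}"
time="2023-12-11T16:15:35Z" level=info msg="Starting provider *file.Provider"
'''

STATIC_RE = re.compile(r'msg="Static configuration loaded (\{.*\})"\s*$')


def parse_static_config(log_text: str) -> Dict:
    """Recover the static configuration Traefik logs at DEBUG level: one JSON object
    inside msg="...", with the inner quotes escaped as backslash-quote."""
    for line in log_text.splitlines():
        m = STATIC_RE.search(line)
        if m:
            return json.loads(m.group(1).replace('\\"', '"'))
    raise ValueError("no 'Static configuration loaded' line; start Traefik with --log.level=DEBUG")


def diagnose(static_cfg: Dict) -> List[str]:
    """Explain, from the static configuration alone, why label-defined routers may be missing."""
    findings: List[str] = []
    providers = static_cfg.get("providers", {})
    if "docker" not in providers:
        findings.append("docker provider not enabled: the traefik.http.routers.* labels on "
                        "cvat_server and cvat_ui are never read, so no router exists and "
                        "every request gets Traefik's 404")
    if "file" not in providers:
        findings.append("file provider not enabled: traefik.yml with the custom certificate is never loaded")
    entrypoints = static_cfg.get("entryPoints", {})
    redirect_to = (entrypoints.get("web", {}).get("http", {}).get("redirections", {})
                   .get("entryPoint", {}).get("to"))
    if redirect_to and redirect_to not in entrypoints:
        findings.append(f"web redirects to entrypoint {redirect_to!r}, which is not defined")
    return findings


def merge_service(base: Dict, override: Dict) -> Dict:
    """Mimic how compose merges one service across -f files: `command` (a single-value
    key) is replaced wholesale by the override; `ports` and `volumes` are appended."""
    merged = dict(base)
    for key, value in override.items():
        if key in ("ports", "volumes") and key in base:
            merged[key] = list(base[key]) + [v for v in value if v not in base[key]]
        else:
            merged[key] = value
    return merged


def enables_docker_provider(command: List[str]) -> bool:
    """In Traefik v2 any --providers.docker* flag switches the docker provider on."""
    return any(arg.startswith("--providers.docker") for arg in command)


# Assumed base `traefik` service: the docker-provider flags every earlier compose file in
# this thread carries (CVAT's own docker-compose.yml is not reproduced here).
BASE_TRAEFIK = {
    "command": [
        "--providers.docker.exposedByDefault=false",
        "--providers.docker.network=cvat",
        "--entryPoints.web.address=:8080",
    ],
    "ports": ["8080:8080"],
}

# ayalashop's docker-compose.https.override.yml traefik service, as posted above.
HTTPS_OVERRIDE_TRAEFIK = {
    "command": [
        "--log.level=DEBUG",
        "--entryPoints.web.address=:80",
        "--entryPoints.web.http.redirections.entryPoint.to=websecure",
        "--entryPoints.web.http.redirections.entryPoint.scheme=https",
        "--entryPoints.websecure.address=:443",
        "--providers.file.directory=/etc/traefik/dynamic_conf",
        "--providers.file.watch=true",
    ],
    "ports": ["80:80", "443:443"],
    "volumes": ["/home/admin/cvat/traefik.yml:/etc/traefik/dynamic_conf/traefik.yml:ro",
                "/home/admin/cvat/certs:/etc/traefik/certs:ro"],
}

# Constructed: the static configuration once the docker flags are kept in the override.
HEALTHY_STATIC = {
    "entryPoints": {"web": {"address": ":80", "http": {"redirections": {"entryPoint": {"to": "websecure"}}}},
                    "websecure": {"address": ":443"}},
    "providers": {"docker": {"exposedByDefault": False, "network": "cvat"},
                  "file": {"directory": "/etc/traefik/dynamic_conf", "watch": True}},
}

if __name__ == "__main__":
    for f in diagnose(parse_static_config(TRAEFIK_LOG)):
        print("log:", f)
    merged = merge_service(BASE_TRAEFIK, HTTPS_OVERRIDE_TRAEFIK)
    print("docker provider after merge:", enables_docker_provider(merged["command"]))
```

The fix follows from the finding: whichever file is passed last to docker compose wins the whole command: list, so the override's command: must repeat the --providers.docker.exposedByDefault=false and --providers.docker.network=cvat flags, as the docker-compose.https.yml files earlier in this thread do. The certificate itself was loaded (the "Adding certificate for domain(s)" line), so nothing in traefik.yml needs to change for this particular error.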


HypotakorasPvision commented Jan 12, 2024

I have a workaround here. It goes over an Apache proxy. Unfortunately it can't upload more pictures and the admin settings won't work. The domain http://yourdomain.de:8080 still works for these settings and uploads.
You can connect your file server with CVAT. See the steps. So you have a "workaround" here.

Steps:

  1. Shut down Docker: docker compose down

  2. Install apache2
    sudo apt-get install apache2

  3. Mod your Apache for proxy:
    sudo a2enmod proxy
    sudo a2enmod proxy_http

  4. Make a cvat.conf in /etc/apache2/sites-available/cvat.conf

<VirtualHost *:80>
    ServerName yourdomain.de
    ProxyPreserveHost On
    ProxyPass / https://localhost:8080/
    ProxyPassReverse / https://localhost:8080/
</VirtualHost>
# Use here your own certs

  5. Enable your site:
    sudo a2ensite cvat.conf

  6. Reload Apache2:
    sudo systemctl reload apache2

  7. Set environment variable:
    export CVAT_HOST=YOURDOMAIN.de

  8. For your login, you need some security settings here:
    nano ~/cvat/settings/development.py
    Edit this line:
    CSRF_TRUSTED_ORIGINS = [UI_URL,'https://yourdomain.de','https://*.yourdomain.de','https://127.0.0.1']

  9. Connect your file server with CVAT and skip data upload
    https://opencv.github.io/cvat/docs/administration/basics/installation/#share-path

  10. Start Docker
    docker compose -f docker-compose.yml -f docker-compose.https.yml -f docker-compose.override.yml up -d

  11. Done
