- [1. Make the proxy listen on standard port 80 and prepare nginx for the ACME challenge via webroot method](#1-make-the-proxy-listen-on-standard-port-80-and-prepare-nginx-for-the-acme-challenge-via-webroot-method)
- [2. Setting up HTTPS with `acme.sh` helper](#2-setting-up-https-with-acmesh-helper)
- [1. Make the proxy listen on 80 and 443 ports](#1-make-the-proxy-listen-on-80-and-443-ports)
- [2. Issue a certificate and run HTTPS versions with `acme.sh` helper](#2-issue-a-certificate-and-run-https-versions-with-acmesh-helper)
- [Create certificate files using an ACME challenge on docker host](#create-certificate-files-using-an-acme-challenge-on-docker-host)
# Quick installation guide
Before you can use CVAT, you’ll need to get it installed. The document below
@ -373,45 +372,46 @@ This depends on the email server you are using and is not covered in this tutori
We will add [letsencrypt.org](https://letsencrypt.org/) issued certificate to secure
our server connection.
Certificates (issued by let's encrypt) to cloud instance.
#### Prerequisites
We assume that
We assume that:
- you have a virtual instance (machine) in the cloud provider with docker installed;
- there is no root permissions required if user is in docker group;
- there is no services listen 80 and 443 tcp ports on virtual instance.
- you have sudo access on your server machine,
- you have an IP address to use for remote access, and
- that the local CVAT installation works on your server.
There are multiple approaches. Our approach suggests:
If this is not the case, please complete the steps in the installation manual first.
- easy setup automatic certificate updates;
- leave certificates in safe place on docker host (protect from `docker-compose down` cleanup);
- no unnecessary certificate files copying between container and host.
#### Roadmap
We will go through the following sequence of steps to get CVAT over HTTPS:
- Setup containers on default 80/tcp port. Checkin and then down the containers.
- Configure Nginx to pass one of the [ACME challenges](https://letsencrypt.org/docs/challenge-types/) - webroot.
- Create the certificate files using [acme.sh](https://github.com/acmesh-official/acme.sh).
- Reconfigure Nginx to serve over HTTPS and map CVAT to Docker Compose port 443.
- Install [acme.sh](https://github.com/acmesh-official/acme.sh) on the virtual instance (docker host).
- Configure Nginx site template `HOME/cvat/cvat_proxy/conf.d/cvat.conf.template` used in `cvat_proxy` container.
- Deploy CVAT services in the most common way with docker-compose utilizes default HTTP scheme.
- Create the https certificates with `acme.sh` client.
- Reconfigure Nginx to serve over HTTPS.
- Make sure that certificates will be able to automatically update via cron job.
#### Step-by-step instructions
##### 1. Make the proxy listen on standard port 80 and prepare nginx for the ACME challenge via webroot method
> The configuration assumes that on the docker host there will be only one instance of the CVAT site listens for incoming connections on 80 and 443 port. Also redirecting everything that does not concern renewal of certificates to the site via secure HTTPS protocol.
##### 1. Make the proxy listen on 80 and 443 ports
Let's assume the server will be at `my-cvat-server.org`.
Prepare nginx for the ACME challenge via webroot method
Point you shell in cvat repository directory, usually `cd $HOME/cvat`:
Let's assume the server domain name is `CVAT.example.com`.
Add the following into your `docker-compose.override.yml`, replacing `my-cvat-server.org` with your own IP address. This file lives in the same directory as `docker-compose.yml`.
Clone repo and point you shell in cvat repository directory, usually `cd $HOME/cvat`:
Create the required directories for letsencrypt webroot operation and acme folder passthrough.
Now restart the containers with new configurations updated in `docker-compose.override.yml`
Install and create the required directories for letsencrypt webroot operation and acme folder passthrough.
```bash
# on the docker host
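Review bot: the roadmap item `Configure Nginx site template `HOME/cvat/cvat_proxy/conf.d/cvat.conf.template`` is missing the `$` that the same path carries later in the file (`$HOME/cvat/cvat_proxy/conf.d/cvat.conf.template`); as written it is a relative path that does not exist. The new prerequisites also need rewording: `there is no root permissions required if user is in docker group;` should read `no root permissions are required if the user is in the docker group;` and `there is no services listen 80 and 443 tcp ports on virtual instance.` should read `no service is listening on TCP ports 80 and 443 on the virtual instance.`; since membership in the docker group is effectively root-equivalent on the host, the first item should be presented as a convenience, not as reduced privilege. Smaller points: `Point you shell` should be `Point your shell` (it occurs twice), `with docker-compose utilizes default HTTP scheme` should be `with docker-compose, which uses the default HTTP scheme`, and the `Our approach suggests:` bullet list duplicates the `In a our approach` list that appears later in this file, so only one copy should stay. In the block-quoted note, `only one instance of the CVAT site listens for incoming connections` should be `... that listens for incoming connections`, and the sentence starting `Also redirecting everything` is a fragment that belongs to the preceding sentence.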
@ -423,29 +423,30 @@ curl https://get.acme.sh | sh
This will enable serving `http://my-cvat-server.org/.well-known/acme-challenge/`
route from `/var/tmp/letsencrypt-webroot` directory on the container's filesystem which is bind mounted from docker host `$HOME/cvat/letsencrypt-webroot`. That volume needed for issue and renewing certificates only.
Update a CVAT site proxy template `$HOME/cvat/cvat_proxy/conf.d/cvat.conf.template` on docker(system) host. Site config updates from this template each time `cvat_proxy` container start.
Add a location to server with `server_name ${CVAT_HOST};` ahead others:
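Review bot: the hunk's context line `curl https://get.acme.sh | sh` runs an unreviewed remote script as the current user; the guide should tell readers to download the installer and inspect it before running it, or to install from a git clone of a tagged acme.sh release as the acme.sh README also documents, rather than piping it straight into `sh`. Wording in this hunk: `That volume needed for issue and renewing certificates only.` should read `That volume is needed only for issuing and renewing certificates.`; `Site config updates from this template each time `cvat_proxy` container start.` should read `The site config is regenerated from this template each time the `cvat_proxy` container starts.`; and `ahead others:` should be `ahead of the others:`. The `.well-known/acme-challenge/` explanation given here is repeated almost verbatim further down in the same file (with `CVAT.example.com` instead of `my-cvat-server.org`), so one of the two copies should be removed.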
@ -457,81 +458,99 @@ Add a location to server with `server_name ${CVAT_HOST};` ahead others:
}
```
You can use the [Nginx quickstart guide](http://nginx.org/en/docs/beginners_guide.html) for reference.
Make the changes where necessary, e.g. base.py or somewhere else.
Build the containers with new configurations updated in `docker-compose.override.yml`
E.g. including `analytics` module:
```bash
# on the docker host
docker-compose down
docker-compose up -d
```
docker-compose -f docker-compose.yml -f components/analytics/docker-compose.analytics.yml -f docker-compose.override.yml up -d --build
```
Your server should still be visible (and unsecured) at `http://my-cvat-server.org`
but you won't see any behavior changes.
Your server should be available (and unsecured) at `http://CVAT.example.com`
At this point your deployment is up and running, ready for run acme-challenge.
Something went wrong ? The most common cause is a containers and images cache which were builded earlier.
##### 2. Setting up HTTPS with `acme.sh` helper
This will enable serving `http://CVAT.example.com/.well-known/acme-challenge/`
route from `/var/tmp/letsencrypt-webroot` directory on the container's filesystem which is bind mounted from docker host `$HOME/cvat/letsencrypt-webroot`. That volume needed for issue and renewing certificates only.
There are multiple approaches. First one is to use helper on docker host.
Another volume `/etc/ssl/private` should be used within web server according to [acme.sh](https://github.com/acmesh-official/acme.sh#3-install-the-cert-to-apachenginx-etc) documentation
In a our approach
At this point your deployment is up and running, ready for run acme-challenge for issue a new certificate
- it is easier to setup automatic certificate updates and (than it can be done in the container).
- leave certificates in safe place on docker host (protect from `docker-compose down` cleanup)
- no unnecessary certificate files copying between container and host.
##### 2. Issue a certificate and run HTTPS versions with `acme.sh` helper
###### Create certificate files using an ACME challenge on docker host
**Prepare certificates.**
####### Prepare certificates
Point you shell in cvat repository directory, usually `cd $HOME/cvat` on docker host.
> Certificate issue and updates should be on docker host in this approach.
Let’s Encrypt provides rate limits to ensure fair usage by as many people as possible. They recommend utilize their staging environment instead of the production API during testing. So first try to get a test certificate.
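Review bot: `####### Prepare certificates` uses seven `#`, which Markdown does not render as a heading (six is the maximum); either keep the `**Prepare certificates.**` form or use a heading level consistent with `###### Create certificate files using an ACME challenge on docker host` directly above it. The troubleshooting line `Something went wrong ? The most common cause is a containers and images cache which were builded earlier.` names a cause but gives no remedy; suggest `Something went wrong? The most common cause is stale containers and images built earlier; run docker-compose build --no-cache and bring the stack up again.` The build step is only shown through the optional analytics module (`E.g. including `analytics` module:`), so a reader without that module has no base command; show the plain `docker-compose up -d --build` first and the `components/analytics/docker-compose.analytics.yml` variant as the option. `Make the changes where necessary, e.g. base.py or somewhere else.` gives the reader nothing to act on; drop it or name the setting that has to change. Remaining grammar: `In a our approach` should be `In our approach`; `ready for run acme-challenge for issue a new certificate` should be `ready to run the ACME challenge and issue a new certificate`; `should be used within web server` should be `should be mounted into the web server`; in the block-quoted note, `Certificate issue and updates should be on docker host` should be `Certificates should be issued and renewed on the docker host`; and `They recommend utilize their staging environment` should be `They recommend using their staging environment`.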