.. _https: Enable Data Encryption ============================================== To ensure data security, we recommend you enabling SSL encryption. Do the following: #. Under the nginx configuration directory, create a directory that will be used to hold all of the SSL data: .. code:: sudo mkdir /etc/nginx/ssl #. Create the SSL key and certificate files: .. code:: sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/my-example-domain.com.key -out /etc/nginx/ssl/my-example-domain.com.crt You will be asked a few questions about your server in order to embed the information correctly in the certificate. Fill out the prompts appropriately. The most important line is the one that requests the ``Common Name``. You need to enter the domain name or public IP address that you want to be associated with your server. Both of the files you created (``my-example-domain.com.key`` and ``my-example-domain.com.crt``) will be placed in the ``/etc/nginx/ssl`` directory. #. Configure nginx to use SSL. Open the nginx configuration file ``/etc/nginx/sites-available/ffsecurity-nginx.conf``. Apply the following modifications to the file: #. Add the new ``server {...}`` section that contains the URL replacement rule: .. code:: server { listen 80; server_name my-example-domain.com www.my-example-domain.com; rewrite ^(.*) https://my-example-domain.com$1 permanent; access_log off; } #. Comment out the following lines in the existing ``server {...}`` section: .. code:: # listen 80 default_server; # listen [::]:80 default_server; #. Add the following lines, including the paths to the certificate and the key, to the existing ``server {...}`` section: .. code:: listen 443 ssl; ssl_certificate /etc/nginx/ssl/my-example-domain.com.crt; ssl_certificate_key /etc/nginx/ssl/my-example-domain.com.key; #. In the generic nginx configuration file ``/etc/nginx/nginx.conf``, find the ``SSL Settings`` section and append the following lines: .. code:: ssl_session_cache shared:SSL:10m; ssl_session_timeout 1h; The example of the configuration file ``/etc/nginx/sites-available/ffsecurity-nginx.conf`` with correctly configured SSL settings is shown below: .. code:: upstream ffsecurity { server 127.0.0.1:8002; } upstream ffsecurity-ws { server 127.0.0.1:8003; } map $http_upgrade $ffsec_upstream { default "http://ffsecurity-ws"; "" "http://ffsecurity"; } server { listen 80; server_name my-example-domain.com www.my-example-domain.com; rewrite ^(.*) https://my-example-domain.com$1 permanent; access_log off; } server { # listen 80 default_server; # listen [::]:80 default_server; listen 443 ssl; ssl_certificate /etc/nginx/ssl/my-example-domain.com.crt; ssl_certificate_key /etc/nginx/ssl/my-example-domain.com.key; root /var/lib/findface-security; autoindex off; server_name _; location = / { alias /usr/share/findface-security-ui/; try_files /index.html =404; } location /static/ { } location /uploads/ { add_header 'Access-Control-Allow-Origin' '*'; add_header 'Access-Control-Allow-Methods' 'GET'; add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization'; add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range'; add_header 'Access-Control-Max-Age' 2592000; } location /ui-static/ { alias /usr/share/findface-security-ui/ui-static/; } location /doc/ { alias /opt/findface-security/doc/; } location ~ /videos/(?[0-9]+)/upload/(.*)$ { if ($request_method = 'OPTIONS') { add_header 'Content-Type' 'text/plain; charset=utf-8'; add_header 'Content-Length' 0; return 204; } set $auth_request_uri "http://ffsecurity/videos/$video_id/auth-upload/"; auth_request /video-upload-auth/; alias "/var/lib/findface-security/uploads/videos/$video_id.bin"; client_max_body_size 15g; dav_access user:rw group:rw all:rw; dav_methods PUT; create_full_put_path on; autoindex off; autoindex_exact_size off; autoindex_localtime on; charset utf-8; add_header 'Access-Control-Allow-Origin' '*'; add_header 'Access-Control-Allow-Methods' 'PUT, OPTIONS'; add_header 'Access-Control-Allow-Headers' 'authorization'; } location = /video-upload-auth/ { internal; client_max_body_size 15g; proxy_set_header Content-Length ""; proxy_set_header Host $http_host; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; proxy_pass_request_body off; proxy_pass $auth_request_uri; } location / { client_max_body_size 300m; proxy_set_header Host $http_host; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_pass $ffsec_upstream; proxy_read_timeout 5m; location ~ ^/(cameras|videos)/([0-9]+)/stream/?$ { proxy_set_header Host $http_host; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; proxy_pass http://ffsecurity; } location ~ ^/streams/(.*)$ { internal; proxy_pass $1; } } } #. Restart nginx. .. code:: sudo systemctl restart nginx.service #. Edit the ``/etc/findface-security/config.py`` configuration file. In the ``EXTERNAL_ADDRESS`` and ``ROUTER_URL`` parameters, substitute the ``http://`` prefix with ``https://``. .. code:: sudo vi /etc/findface-security/config.py ... EXTERNAL_ADDRESS="https://my-example-domain.com" ... ROUTER_URL="https://IP_address" #. Restart ``findface-security``. .. code:: sudo systemctl restart findface-security #. If there are running ``findface-video-worker`` services in the system, you need to either recreate cameras in the web interface, or change the ``router_url`` parameter in relevant video processing jobs, substituting the ``http://`` prefix with ``https://``. This can be done with the following command: .. code:: curl -s localhost:18810/jobs | jq -r '.[]["id"]' | xargs -I {} curl -X PATCH -d '{"router_url": "https://my-example-domain.com/video-detector/frame"}' http://localhost:18810/job/{}