Enable Data Encryption

In this chapter:

To ensure data security, we recommend enabling SSL encryption. FindFace Multi version 2.3 supports deployment with HTTPS during Standalone Automated Deployment. We strongly recommend enabling HTTPS when deploying FindFace Multi. If manual HTTPS installation is required, follow these steps:

1. On the host system, create the nginx configuration directory with the subdirectory that will be used to store all the SSL data:

   sudo mkdir -p /opt/findface-multi/configs/ssl/
   

2. Create the SSL key and certificate files. When using a self-signed certificate, execute the following command, replacing external_address with the server’s external IP address:

   sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -addext "subjectAltName = DNS:localhost, DNS:findface-multi-ui, IP:external_address" -keyout /opt/findface-multi/configs/ssl/domain.key -out /opt/findface-multi/configs/ssl/domain.crt
   

   You will be asked a few questions about your server in order to embed the information correctly in the certificate. Fill out the prompts appropriately. The most important line is the one that requests the Common Name. You need to enter the domain name or public IP address that you want to be associated with your server. Both of the files you created (domain.key and domain.crt) will be placed in the /opt/findface-multi/configs/ssl/ directory.

3. Add the certificate path to volumes for the findface-video-worker service. In the service container, add the root certificate store update command to entrypoint.

   1. Open the /opt/findface-multi/docker-compose.yaml file:

      sudo vi /opt/findface-multi/docker-compose.yaml
      

   2. Locate the findface-video-worker section and adjust it to make sure it looks as follows.

      CPU

      findface-video-worker:
        entrypoint: ["sh", "-c", "update-ca-certificates && exec /tini -- /findface-video-worker-cpu --config=/etc/findface-video-worker.yaml"]
        depends_on: [findface-video-manager, findface-ntls, mongodb]
        image: docker.int.ntl/ntech/universe/video-worker-cpu:ffserver-12.241211.2
        logging: {driver: journald}
        networks: [product-network]
        restart: always
        volumes: ['./configs/findface-video-worker/findface-video-worker.yaml:/etc/findface-video-worker.yaml:ro',
          './models:/usr/share/findface-data/models:ro', './cache/findface-video-worker/models:/var/cache/findface/models_cache',
          './cache/findface-video-worker/recorder:/var/cache/findface/video-worker-recorder',
          '/opt/findface-multi/configs/ssl/domain.crt:/usr/local/share/ca-certificates/domain.crt']
      

      GPU

      findface-video-worker:
        entrypoint: ["sh", "-c", "update-ca-certificates && exec /tini -- /findface-video-worker-gpu --config=/etc/findface-video-worker.yaml"]
        depends_on: [findface-video-manager, findface-ntls, mongodb]
        environment: [CUDA_VISIBLE_DEVICES=0]
        image: docker.int.ntl/ntech/universe/video-worker-gpu:ffserver-12.241211.2
        logging: {driver: journald}
        networks: [product-network]
        restart: always
        runtime: nvidia
        volumes: ['./configs/findface-video-worker/findface-video-worker.yaml:/etc/findface-video-worker.yaml:ro',
          './models:/usr/share/findface-data/models:ro', './cache/findface-video-worker/models:/var/cache/findface/models_cache',
          './cache/findface-video-worker/recorder:/var/cache/findface/video-worker-recorder',
          '/opt/findface-multi/configs/ssl/domain.crt:/usr/local/share/ca-certificates/domain.crt']
      

4. Configure nginx to use SSL. Open the nginx configuration file /opt/findface-multi/configs/findface-multi-ui/nginx-site.conf. Apply the following modifications to the file:

   1. Comment out the following lines in the existing server {...} section

      # listen 80 default_server;
      # listen [::]:80 default_server;
      

      and add the following lines:

      listen 443 ssl;
      listen [::]:443 ssl;
      

   2. Uncomment out the following lines in the existing server {...} section:

      ssl_certificate /etc/ssl/domain.crt;
      ssl_certificate_key /etc/ssl/domain.key;
      
      ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
      
      http2 on;
      

      The example of the configuration file /opt/findface-multi/configs/findface-multi-ui/nginx-site.conf with correctly configured SSL settings you can find here.

5. In the /opt/findface-multi/docker-compose.yaml file, mount the SSL-encryption data directory /opt/findface-multi/configs/ssl/ into the findface-multi-findface-multi-ui-1 container:

   1. Open the /opt/findface-multi/docker-compose.yaml file:

      sudo vi /opt/findface-multi/docker-compose.yaml
      

   2. Locate the findface-multi-ui section and adjust it to make sure it looks like this:

      • Add '443:443' to the ports section,

      • Add '/opt/findface-multi/configs/ssl:/etc/ssl' to the volumes section.

      findface-multi-ui:
        depends_on: [findface-multi-legacy]
        image: docker.int.ntl/ntech/multi/multi/ui:ffmulti-2.3.0
        logging: {driver: journald}
        networks: [product-network]
        ports: ['80:80','443:443']
        restart: always
        volumes: ['./configs/findface-multi-ui/nginx-site.conf:/etc/nginx/conf.d/default.conf:ro',
          './data/findface-multi-legacy/uploads:/var/lib/findface-security/uploads',
          '/opt/findface-multi/configs/ssl:/etc/ssl']
      

   3. Adjust the service configurations:

      • For the backend_api and service_alarmer services, replace the http:// prefix with https:// in the DSN_IMAGE_EXTERNAL_ADDRESS environment variable.

      • For the backend_api, service_notifier_ws and service_notifier_tg services, replace the http:// prefix with https:// in the DSN_FF_AUTH environment variable.

      • For the backend_api, service_notifier_ws and service_notifier_tg services, add volumes as shown below.

      • For the backend_api, service_notifier_ws and service_notifier_tg services, change the start command to [sh, -c, update-ca-certificates && python -m backend_api], [sh, -c, update-ca-certificates && python -m service_notifier.ws] and [sh, -c, update-ca-certificates && python -m service_notifier.tg] respectively.

      backend_api:
        command: [sh, -c, update-ca-certificates && python -m backend_api]
        depends_on:
          timescaledb: {condition: service_healthy}
        environment: {DSN_FF_AUTH: 'https://findface-multi-ui/', DSN_FF_VIDEO_MANAGER: 'http://findface-video-manager:18810/',
          DSN_FF_VIDEO_STORAGE: 'http://findface-video-storage:18611/', DSN_IMAGE_EXTERNAL_ADDRESS: 'https://<ip_address>',
          DSN_PG: 'postgresql+asyncpg://ntech:<...>@timescaledb:5433/annex',
          SERVER_HOST: 0.0.0.0, SERVER_PORT: '2222'}
        image: docker.int.ntl/presale/annex:2.0.2
        logging: {driver: journald}
        networks: [product-network]
        restart: always
        volumes: &id007 ['/opt/findface-multi/configs/ssl/domain.crt:/usr/local/share/ca-certificates/domain.crt']
      service_alarmer:
        command: [python, -m, service_alarmer]
        depends_on:
          rabbitmq: {condition: service_healthy}
          timescaledb: {condition: service_healthy}
        environment: {DROP_ALL: 'False', DSN_AMQP: 'amqp://ntech:<...>@rabbitmq:5672/',
          DSN_FF_UPLOAD: 'http://findface-upload:3333/', DSN_IMAGE_EXTERNAL_ADDRESS: 'https://<ip_address>',
          DSN_PG: 'postgresql+asyncpg://ntech:<...>@timescaledb:5433/annex'}
        image: docker.int.ntl/presale/annex:2.0.2
        logging: {driver: journald}
        networks: [product-network]
        restart: always
      service_notifier_ws:
        command: [sh, -c, update-ca-certificates && python -m service_notifier.ws]
        depends_on:
          rabbitmq: {condition: service_healthy}
        environment: {CHECK_ACCESS: 'True', DSN_AMQP: 'amqp://ntech:<....>@rabbitmq:5672/',
          DSN_FF_AUTH: 'https://findface-multi-ui/', SERVER_HOST: 0.0.0.0, SERVER_PORT: 3311,
          USER_AUTOFILL: 'True'}
        image: docker.int.ntl/presale/annex:2.0.2
        logging: {driver: journald}
        networks: [product-network]
        ports: ['3311:3311']
        restart: always
        volumes: *id007
      service_notifier_tg:
        command: [sh, -c, update-ca-certificates && python -m service_notifier.tg]
        depends_on:
          rabbitmq: {condition: service_healthy}
        environment: {ALLOWED_SERVICES: null, ALLOWED_STREAMS: null, BOT_TOKEN: '', DSN_AMQP: 'amqp://ntech:<...>@rabbitmq:5672/',
          DSN_FF_AUTH: 'https://findface-multi-ui/', DSN_REDIS: 'redis://@redis:6379/1',
          USER_AUTOFILL: 'True'}
        image: docker.int.ntl/presale/annex:2.0.2
        logging: {driver: journald}
        networks: [product-network]
        volumes: *id007
      

6. Edit the /opt/findface-multi/configs/findface-multi-legacy/findface-multi-legacy.py configuration file.

   1. In the ROUTER_URL parameter, substitute the http:// prefix with https://.

      sudo vi /opt/findface-multi/configs/findface-multi-legacy/findface-multi-legacy.py
      
      ...
      'ROUTER_URL': 'https://findface-multi-ui',
      ...
      

   2. If you use a CA-certificate, specify in the ROUTER_URL parameter the domain for which the certificate was created:

      'ROUTER_URL': 'https://my-example-domain.com'
      

   3. In the EXTERNAL_ADDRESS parameter, replace the http:// prefix with https://.

      ...
      EXTERNAL_ADDRESS = 'https://<ip_address_server_ffmulti>'
      ...
      

   4. In the ANNEX_URL parameter, replace the http:// prefix with https://.

      ...
      'ANNEX_URL': 'https://findface-multi-ui/service_alarmer/alarms/'
      ...
      

7. In the system where you use a browser to interact with FindFace Multi navigate to the hosts file. Add IP address of the server that hosts FindFace Multi instead of the ip_address_server_ffmulti. Replace my-example-domain.com with your domain address – the same way you did it in the previous steps.

   1. For Linux OS do the following:

      sudo vi /etc/hosts
      
      ...
      ip_address_server_ffmulti my-example-domain.com
      

   2. If you use Windows OS, run C:\Windows\System32\drivers\etc\hosts as an administrator. Add the following line to the hosts file:

      ip_address_server_ffmulti my-example-domain.com
      

8. In the /opt/findface-multi/configs/findface-multi-legacy/findface-multi-legacy.py configuration file, uncomment the following lines:

   USE_X_FORWARDED_HOST = True
   SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
   

9. Restart all FindFace Multi containers.

   cd /opt/findface-multi/
   
   sudo docker-compose down
   sudo docker-compose up -d
   

10. When using a self-signed certificate, you must specify the findface-multi-ui and the server’s IP addresses in the subjectAltName field to ensure correct SSL verification (see step #2). If the subjectAltName field is not specified in the self-signed certificate, you must disable SSL certificate verification for cameras and uploaded video archives.

    1. Navigate to the Video Sources → Cameras or Uploads.

    2. Click to the camera or uploaded video archive.

    3. On the Advanced tab, uncheck Verify the SSL certificate.

       

11. To use WebSocket Secure with Alarm Monitor, ensure that you include wss:// before the connection server address (e.g. wss://ip_address/annex/).

How to Enable Recommended Security Settings

If necessary, enable the recommended nginx security settings.

1. To enhance traffic protection, create a dhparam file using the following command:

   sudo openssl dhparam -out /opt/findface-multi/configs/ssl/dhparam.pem 4096
   

2. Open the nginx configuration file /opt/findface-multi/configs/findface-multi-ui/nginx-site.conf. Apply the following modifications to the file:

   1. Add the path to the dhparam file and the string with the header Strict-Transport-Security to the existing section server {...}:

      ssl_dhparam /etc/ssl/dhparam.pem;
      add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
      

   2. Replace server_name _; with server_name my-example-domain.com;.

   3. Replace set $cors_origin "*"; with set $cors_origin "my-example-domain.com";.

   4. Replace ssl_protocols TLSv1.2 TLSv1.1 TLSv1; with ssl_protocols TLSv1.2 TLSv1.3;.

   5. Copy the generic nginx configuration file nginx.conf from the findface-multi-findface-multi-ui-1 container to the /etc/nginx/ directory:

      sudo docker cp findface-multi-findface-multi-ui-1:/etc/nginx/nginx.conf /etc/nginx/nginx.conf
      

   6. In the /etc/nginx/nginx.conf configuration file, find the SSL Settings section and append the following lines:

      ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
      ssl_session_cache builtin:1000 shared:SSL:10m;
      
      ssl_session_tickets off;
      ssl_session_timeout 1d;
      ssl_session_cache shared:SSL:10m;
      ssl_stapling on;
      ssl_stapling_verify on;
      

3. In the /opt/findface-multi/docker-compose.yaml file, mount the configuration file /etc/nginx/nginx.conf of the host system into the findface-multi-findface-multi-ui-1 container:

   1. Open the /opt/findface-multi/docker-compose.yaml file:

      sudo vi /opt/findface-multi/docker-compose.yaml
      

   2. Locate the findface-multi-ui section and adjust it to make sure it looks like this:

      findface-multi-ui:
        depends_on: [findface-multi-legacy]
        image: docker.int.ntl/ntech/multi/multi/ui:ffmulti-2.3.0
         logging: {driver: journald}
         networks: [product-network]
         ports: ['80:80', '443:443']
        restart: always
        volumes: ['./configs/findface-multi-ui/nginx-site.conf:/etc/nginx/conf.d/default.conf:ro',
          './data/findface-multi-legacy/uploads:/var/lib/findface-security/uploads',
          '/opt/findface-multi/configs/ssl:/etc/ssl',
          '/etc/nginx/nginx.conf:/etc/nginx/nginx.conf:ro']
      

4. For automatic HTTP-to-HTTPS redirection, add in the configuration file /opt/findface-multi/configs/findface-multi-ui/nginx-site.conf the new server {...} section that contains the URL replacement rule. In the rewrite ^(.*) https://… line, replace ip_address_server_ffmulti with IP address of the server where FindFace Multi is installed.

   sudo vi /opt/findface-multi/configs/findface-multi-ui/nginx-site.conf
   
   ...
   server {
           listen 80;
           server_name my-example-domain.com www.my-example-domain.com;
           rewrite ^(.*) https://ip_address_server_ffmulti$1 permanent;
           access_log off;
   }
   

5. Restart all FindFace Multi containers.

   cd /opt/findface-multi/
   
   sudo docker-compose down
   sudo docker-compose up -d
   

How to Replace a Self-Signed Certificate With a Verified One After Installation

1. When using a verified certificate for SSL configuration in FindFace Multi, ensure that you copy the certificate and key to the /opt/findface-multi/configs/ssl directory on the host.

2. If the file names of the certificate and key differ from domain.key and domain.crt, you must:

   • Rename the existing files to match the default names (domain.key and domain.crt) (preferred),

   • Otherwise, edit the /opt/findface-multi/configs/findface-multi-ui/nginx-site.conf and /opt/findface-multi/docker-compose.yaml configuration files to use your current file names.

3. After replacing the certificate and key files and changing the settings files, restart the FindFace Multi containers.

   cd /opt/findface-multi/
   
   sudo docker-compose down
   sudo docker-compose up -d
   

Note

To avoid errors when using cameras and uploaded video archives, either of the following conditions must be met:

• The domain name in the certificate’s CN (Common Name) is accessible from the findface-video-worker container and is specified in the ROUTER_URL value in the /opt/findface-multi/configs/findface-multi-legacy/findface-multi-legacy.py configuration file.

• Verify the SSL certificate setting is disabled in the camera and video archive settings.