Enable Data Encryption¶
To ensure data security, it is recommended to enable SSL encryption. Do the following:
Under the nginx configuration directory, create a directory that will be used to hold all of the SSL data:
sudo mkdir /etc/nginx/ssl
Create the SSL key and certificate files:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/my-example-domain.com.key -out /etc/nginx/ssl/my-example-domain.com.crt
You will be asked a few questions about your server in order to embed the information correctly in the certificate. Fill out the prompts appropriately. The most important line is the one that requests the
Common Name
. You need to enter the domain name or public IP address that you want to be associated with your server. Both of the files you created (my-example-domain.com.key
andmy-example-domain.com.crt
) will be placed in the/etc/nginx/ssl
directory.Configure nginx to use SSL. Open the nginx configuration file. Copy the code from the example below into the file.
sudo vi /etc/nginx/nginx.conf upstream ffsecurity { server 127.0.0.1:8002; } # redirect from http to https version of the site server { listen 80; server_name domain.ru www.domain.ru; rewrite ^(.*) https://domain.ru$1 permanent; access_log off; } server { listen 443 ssl; ssl_certificate /etc/nginx/ssl/domain.pem; ssl_certificate_key /etc/nginx/ssl/domain.key; root /var/lib/ffsecurity; autoindex off; server_name domain.ru; location @ffsec { proxy_set_header Host $http_host; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_pass http://ffsecurity; } location /static/ { } location /uploads/ { add_header 'Access-Control-Allow-Origin' '*'; add_header 'Access-Control-Allow-Methods' 'GET'; add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization'; add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range'; add_header 'Access-Control-Max-Age' 2592000; } location /ui-static/ { alias /usr/share/ffsecurity-ui/ui-static/; } location /doc/ { alias /opt/ffsecurity/doc/; } location / { try_files $uri $uri/ @ffsec; client_max_body_size 100m; alias /usr/share/ffsecurity-ui/; } }
Restart nginx.
sudo service nginx restart
Edit the
ffsecurity
configuration file. In theEXTERNAL_ADDRESS
parameter, substitute thehttp://
prefix withhttps://
.sudo vi /etc/ffsecurity/config.py EXTERNAL_ADDRESS="https://my-example-domain.com"
If there are running video-worker services in the system, you need to either recreate cameras in the web interface, or change the
router_url
parameter in relevant video processing jobs, substituting thehttp://
prefix withhttps://
. This can be done with the following command:curl -s localhost:18810/jobs | jq -r '.[]["id"]' | xargs -I {} curl -X PATCH -d '{"router_url": "https://domain.ru/video-detector/frame"}' http://localhost:18810/job/{}