Enable Data Encryption¶
To ensure data security, it is recommended to enable SSL encryption. Do the following:
Important
We do not recommend to use a self-signed certificate.
Under the nginx configuration directory, create a directory that will be used to hold all of the SSL data:
sudo mkdir /etc/nginx/ssl
Create the SSL key and certificate files:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/my-example-domain.com.key -out /etc/nginx/ssl/my-example-domain.com.crt
You will be asked a few questions about your server in order to embed the information correctly in the certificate. Fill out the prompts appropriately. The most important line is the one that requests the
Common Name
. You need to enter the domain name or public IP address that you want to be associated with your server. Both of the files you created (my-example-domain.com.key
andmy-example-domain.com.crt
) will be placed in the/etc/nginx/ssl
directory.Configure nginx to use SSL. Open the nginx configuration file
/etc/nginx/sites-available/ffsecurity-nginx.conf
. Apply the following modifications to the file:Add the new
server {...}
section that contains the URL replacement rule:server { listen 80; server_name domain.ru www.domain.ru; rewrite ^(.*) https://domain.ru$1 permanent; access_log off; }
Comment out the following lines in the existing
server {...}
section:# listen 80 default_server; # listen [::]:80 default_server;
Add the following lines, including the paths to the certificate and the key, to the existing
server {...}
section:listen 443 ssl; ssl_certificate /etc/NGINX/ssl/domain.crt; ssl_certificate_key /etc/nginx/ssl/domain.key;
In the generic nginx configuration file
/etc/nginx/nginx.conf
, find theSSL Settings
section and append the following lines:
ssl_session_cache shared:SSL:10m; ssl_session_timeout 1h;
The example of the configuration file
/etc/nginx/sites-available/ffsecurity-nginx.conf
with correctly configured SSL settings is shown below:upstream ffsecurity { server 127.0.0.1:8002; } upstream ffsecurity-ws { server 127.0.0.1:8003; } map $http_upgrade $ffsec_upstream { default "http://ffsecurity-ws"; "" "http://ffsecurity"; } server { listen 80; server_name domain.ru www.domain.ru; rewrite ^(.*) https://domain.ru$1 permanent; access_log off; } server { # listen 80 default_server; # listen [::]:80 default_server; listen 443 ssl; ssl_certificate /etc/nginx/ssl/domain.crt; ssl_certificate_key /etc/nginx/ssl/domain.key; root /var/lib/ffsecurity; autoindex off; server_name _; location = / { alias /usr/share/ffsecurity-ui/; try_files /index.html =404; } location /static/ { } location /uploads/ { add_header 'Access-Control-Allow-Origin' '*'; add_header 'Access-Control-Allow-Methods' 'GET'; add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization'; add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range'; add_header 'Access-Control-Max-Age' 2592000; } location /ui-static/ { alias /usr/share/ffsecurity-ui/ui-static/; } location /doc/ { alias /opt/ffsecurity/doc/; } location ~ /videos/(?<video_id>[0-9]+)/upload/(.*)$ { if ($request_method = 'OPTIONS') { add_header 'Content-Type' 'text/plain; charset=utf-8'; add_header 'Content-Length' 0; return 204; } set $auth_request_uri "http://ffsecurity/videos/$video_id/auth-upload/"; auth_request /video-upload-auth/; alias "/var/lib/ffsecurity/uploads/videos/$video_id.bin"; client_max_body_size 15g; dav_access user:rw group:rw all:rw; dav_methods PUT; create_full_put_path on; autoindex off; autoindex_exact_size off; autoindex_localtime on; charset utf-8; add_header 'Access-Control-Allow-Origin' '*'; add_header 'Access-Control-Allow-Methods' 'PUT, OPTIONS'; add_header 'Access-Control-Allow-Headers' 'authorization'; } location = /video-upload-auth/ { internal; client_max_body_size 15g; proxy_set_header Content-Length ""; proxy_set_header Host $http_host; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; proxy_pass_request_body off; proxy_pass $auth_request_uri; } location / { client_max_body_size 300m; proxy_set_header Host $http_host; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_pass $ffsec_upstream; proxy_read_timeout 5m; location ~ ^/(cameras|videos)/([0-9]+)/stream/?$ { proxy_set_header Host $http_host; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; proxy_pass http://ffsecurity; } location ~ ^/streams/(.*)$ { internal; proxy_pass $1; } } }
Restart nginx.
sudo service nginx restart
Edit the
findface-security
configuration file. In theEXTERNAL_ADDRESS
andROUTER_URL
parameters, substitute thehttp://
prefix withhttps://
.sudo vi /etc/ffsecurity/config.py ... EXTERNAL_ADDRESS="https://my-example-domain.com" ... ROUTER_URL="https://IP_address"
If there are running
findface-video-worker
services in the system, you need to either recreate cameras in the web interface, or change therouter_url
parameter in relevant video processing jobs, substituting thehttp://
prefix withhttps://
. This can be done with the following command:curl -s localhost:18810/jobs | jq -r '.[]["id"]' | xargs -I {} curl -X PATCH -d '{"router_url": "https://domain.ru/video-detector/frame"}' http://localhost:18810/job/{}