Use a domain with HTTPS
This tutorial covers how to use a domain instead of localhost to access Tator. We will use DuckDNS to obtain a free domain, but any domain that you control can be used. It is assumed that you have already gone through the basic install tutorial and know the IP address of the node where Tator is installed. It also assumes that this IP address is exposed to the internet, so that ACME HTTP-01 challenges can be used to obtain TLS certificates.
Get a domain from DuckDNS
Go to DuckDNS and sign in using a supported account, such as GitHub or Google. Type in a desired subdomain and click `add domain`.
The domain will appear under `domains`. Edit the IP address of the domain to match the IP address you use to access Tator, then click `update ip`.
Install packages and open ports
- First install the required packages (use `dnf` instead of `apt` where appropriate):

```sh
sudo apt install nginx certbot python3-certbot-nginx
```
Now, open ports 80 and 443 in your node's firewall for external users. This step will depend on your network configuration and is not covered in this tutorial.
Start the nginx service:

```sh
sudo systemctl enable nginx
sudo systemctl start nginx
```
If you visit the node in the browser using just the IP address, it should show an NGINX welcome page.
Configure a domain
- Edit `/etc/nginx/sites-available/default` and change `server_name` to the DuckDNS domain, like:

```nginx
server_name example.duckdns.org;
```
Restart the server:

```sh
sudo systemctl restart nginx
```
Visit the domain in the browser and verify it still shows the NGINX welcome page.
Create a certificate
- Create the initial certificate:

```sh
sudo certbot --nginx -d example.duckdns.org
```

Follow the prompts.
- Visit your domain in the browser again; you should be redirected to HTTPS.
Add proxy settings
- In `/etc/nginx/sites-available/default`, change the `location` block to the following:

```nginx
location / {
    client_max_body_size 0;
    resolver 8.8.8.8;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_set_header Host localhost:8080;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto http;
    proxy_hide_header Access-Control-Allow-Origin;
    proxy_pass http://localhost:8080;
    add_header Access-Control-Allow-Origin * always;
    add_header Access-Control-Allow-Methods * always;
    add_header Access-Control-Allow-Headers "Authorization,Content-Type" always;
    add_header Access-Control-Allow-Credentials true always;
    if ($request_method = OPTIONS) {
        add_header Access-Control-Allow-Origin * always;
        add_header Access-Control-Allow-Methods * always;
        add_header Access-Control-Allow-Headers "Authorization,Content-Type" always;
        add_header Access-Control-Allow-Credentials true always;
        add_header Content-Length 0;
        add_header Content-Type text/plain;
        return 200;
    }
}
```
Note that this configuration allows cross-origin resource sharing from any origin (`Access-Control-Allow-Origin *`) on your Tator deployment, and assumes your Tator deployment is listening at `localhost:8080`. Feel free to modify this configuration for your needs.
- Restart the server:

```sh
sudo systemctl restart nginx
```
Modify object storage external host
- In the `.env` file, edit the variable `DEFAULT_LIVE_EXTERNAL_HOST` to use https and the domain. For example, change:

```sh
DEFAULT_LIVE_EXTERNAL_HOST=http://${MAIN_HOST}:${PORT}/objects
```

to

```sh
DEFAULT_LIVE_EXTERNAL_HOST=https://example.duckdns.org/objects
```
- Restart the services that use this setting:

```sh
make cluster-update
```
Bypassing SELinux
You may see "permission denied" errors when NGINX connects to the upstream. To check whether SELinux is blocking the connection, use:

```sh
sudo grep nginx /var/log/audit/audit.log | audit2allow
```

If that prints any denials, create and load a policy module that allows NGINX to make the connection:

```sh
sudo grep nginx /var/log/audit/audit.log | audit2allow -M nginx
sudo semodule -i nginx.pp
```
Enable autorenew
- First test automatic renewal with:

```sh
sudo certbot renew --dry-run
```

- If all goes well, edit the root crontab with:

```sh
sudo crontab -e
```

and add the following line:

```sh
0 0 * * 0 certbot renew
```
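A post-setup check for the steps above, added here as an example and not part of Tator's documentation: it verifies the HTTP-to-HTTPS redirect the certificate step produces, flags a wildcard `Access-Control-Allow-Origin` sent together with `Access-Control-Allow-Credentials` (a pair browsers reject for credentialed requests), and confirms the renewal cron entry is present. It assumes `curl` and `crontab` are available on the node; `example.duckdns.org` in the sample data is the tutorial's placeholder domain.

```shell
#!/bin/sh
# Post-setup check for a Tator domain, added as an example (not Tator's own
# code). Assumes curl and crontab are available; DOMAIN is your DuckDNS name.
set -u

# Succeeds when the raw headers of a plain-HTTP request show a redirect to
# https://DOMAIN, i.e. the redirect certbot installed is in place.
is_https_redirect() {
  domain=$1
  h=$(printf '%s\n' "$2" | tr -d '\r')
  printf '%s\n' "$h" | grep -qiE '^HTTP/[0-9.]+ +30[1278]' || return 1
  printf '%s\n' "$h" | grep -qiE "^location: *https://${domain}(/|[[:space:]]*$)" || return 1
}

# Succeeds when the headers carry a wildcard Allow-Origin together with
# Allow-Credentials: true; browsers refuse that pair, so narrow the origin.
cors_wildcard_with_credentials() {
  h=$(printf '%s\n' "$1" | tr -d '\r')
  printf '%s\n' "$h" | grep -qi '^access-control-allow-origin: *\*' || return 1
  printf '%s\n' "$h" | grep -qi '^access-control-allow-credentials: *true' || return 1
}

# Succeeds when the crontab text has an uncommented "certbot renew" entry.
cron_has_renew() {
  printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -q 'certbot renew'
}

# Constructed sample responses (shaped like `curl -I` output) for a self-check.
SAMPLE_REDIRECT='HTTP/1.1 301 Moved Permanently
Location: https://example.duckdns.org/'
SAMPLE_CORS='HTTP/2 200
access-control-allow-origin: *
access-control-allow-credentials: true'
SAMPLE_CRON='0 0 * * 0 certbot renew'

# Live run against a real node: ./check_domain.sh example.duckdns.org
if [ -n "${1:-}" ]; then
  DOMAIN=$1
  is_https_redirect "$DOMAIN" "$(curl -sSI --max-time 10 "http://$DOMAIN/")" \
    && echo "ok: http://$DOMAIN redirects to https" || echo "FAIL: no https redirect for $DOMAIN"
  cors_wildcard_with_credentials "$(curl -sSI --max-time 10 "https://$DOMAIN/")" \
    && echo "warn: wildcard Allow-Origin combined with Allow-Credentials"
  cron_has_renew "$(sudo crontab -l 2>/dev/null)" \
    && echo "ok: certbot renew cron entry present" || echo "FAIL: no certbot renew cron entry"
fi
```

The sample header blocks are constructed for the self-check; pass your domain as the first argument to run the checks against a live node.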