I recently installed CVAT on a local VM. CVAT uses docker and installs a local Traefik container within the VM. The docs give instructions on how to run it on domain with free SSL by LetsEncrypt, but these docs assume that SSL termination happens on Traefik reverse proxy. However, In an enterprise setup when you already have a reverse proxy in charge of your public facing IP, the SSL termination happens there and it needs to forward all traffic for teh cvat subdomain to the VM.
In a nutshell, how to run the CVAT VM behind NginX reverse proxy
CVAT VM Configuration
Add environment variables in BASH profile
nano ~/.profile
export CVAT_HOST=your.domain.tldSave. Logout from VM. Log Back in
GIT Pull
cd ~
git clone https://github.com/cvat-ai/cvat
cd cvatCode language: PHP (php)CSRF settings
Source: https://github.com/cvat-ai/cvat/pull/6322#issuecomment-2257131513
https://docs.cvat.ai/v2.3.0/docs/administration/advanced/ldap/#the-creation-of-settingspy
nano ~/cvat/local-settings.pyCode language: JavaScript (javascript)Overlaying production
# Overlaying production
from cvat.settings.production import *
CSRF_TRUSTED_ORIGINS = ['https://your.domain.tld']Code language: PHP (php)Next File
nano ~/cvat/docker-compose.settings_overlay.local.ymlCode language: JavaScript (javascript)Contents of file
services:
cvat_server:
environment:
DJANGO_SETTINGS_MODULE: settings
volumes:
- ./local-settings.py:/home/django/settings.py:roCode language: JavaScript (javascript)Create Docker Containers
docker compose -f ~/cvat/docker-compose.yml \
-f ~/cvat/docker-compose.settings_overlay.local.yml \
up -dCode language: JavaScript (javascript)Next Steps: Email
Am looking at how to use steps in the following for email configuration: https://github.com/cvat-ai/cvat/issues/8152#issuecomment-2262198765
https://github.com/cvat-ai/cvat/issues/7436#issuecomment-2254806378
Disable self registration
Delete the path in Django
# nano ~/cvat/cvat/apps/authentication/urls.py
path('register', RegisterView.as_view(), name='rest_register')Code language: PHP (php)Rebuild Docker Image
Disable access to Register Route – can be managed inside reverse proxy – https://github.com/cvat-ai/cvat/issues/1283#issuecomment-1284977632
# Inside Nginx Reverse Proxy Conf File -
location /api/auth/register {
return 301 https://$server_name$request_uri;
}
Code language: PHP (php)UI changes
cvat-ui/src/components/register-page/*
cvat-ui/src/containers/register-page/*
- Remove Register Route
cvat-ui/src/components/cvat-app.tsx- https://www.cvat.ai/post/cvat-open-policy-agent
- https://github.com/cvat-ai/cvat/issues/5150
- https://github.com/cvat-ai/cvat/issues/6479
- https://github.com/cvat-ai/cvat/issues/1283
Enable Email Verification
https://docs.cvat.ai/docs/administration/basics/installation/#email-verification
nano ~/cvat/cvat/settings/base.py
# By default, email backend is django.core.mail.backends.smtp.EmailBackend
# But it won't work without additional configuration, so we set it to None
# to check configuration and throw ImproperlyConfigured if thats a case
# EMAIL_BACKEND = None
# ACCOUNT_EMAIL_VERIFICATION = 'none'
# ACCOUNT_AUTHENTICATION_METHOD = 'username_email'
ACCOUNT_AUTHENTICATION_METHOD = 'username_email'
ACCOUNT_CONFIRM_EMAIL_ON_GET = True
ACCOUNT_EMAIL_REQUIRED = True
ACCOUNT_EMAIL_VERIFICATION = 'mandatory'
# Email backend settings for Django
EMAIL_BACKEND = 'django.core.mail.backends.smtp.EmailBackend'
host: EMAIL_HOST
port: EMAIL_PORT
username: EMAIL_HOST_USER
password: EMAIL_HOST_PASSWORD
use_tls: EMAIL_USE_TLS
use_ssl: EMAIL_USE_SSL
timeout: EMAIL_TIMEOUT
ssl_keyfile: EMAIL_SSL_KEYFILE
ssl_certfile: EMAIL_SSL_CERTFILECode language: PHP (php)Rebuild comtainers
Building CVAT container after source code changes
cd ~/cvat/
docker compose \
-f docker-compose.yml \
-f docker-compose.dev.yml \
-f docker-compose.settings_overlay.local.yml \
build
docker compose \
-f docker-compose.yml \
-f docker-compose.settings_overlay.local.yml \
up -d
Code language: JavaScript (javascript)Docker Volumes used
cvat_db: PostgreSQL database files, used to store information about users, tasks, projects, annotations, etc. Mounted into cvat_db container by /var/lib/postgresql/data path.
cvat_data: used to store uploaded and prepared media data. Mounted into cvat container by /home/django/data path.
cvat_logs: used to store logs of CVAT backend processes managed by supevisord. Mounted into cvat container by /home/django/logs path.
cvat_keys: used to store user ssh keys needed for synchronization with a remote Git repository. Mounted into cvat container by /home/django/keys path.
cvat_events: this is an optional volume that is used only when Analytics component is enabled and is used to store Elasticsearch database files. Mounted into cvat_elasticsearch container by /usr/share/elasticsearch/data path
