allegroai / clearml-server

ClearML - Auto-Magical CI/CD to streamline your AI workload. Experiment Management, Data Management, Pipeline, Orchestration, Scheduling & Serving in one MLOps/LLMOps solution
https://clear.ml/docs

Securing ClearML web portal using SSL with NGINX #78

Open ecm200 opened 3 years ago

ecm200 commented 3 years ago

By default, the clearml-server is served over port 8080 without encryption.

In order to increase the security of the web UI, the process below will secure the web server portal via HTTPS SSL using the open source NGINX server and Let's Encrypt certificates via the Certbot package.

Step 1 - install NGINX server

I used Ubuntu 18.04 Linux as my OS, so these details are for that; differences may occur for other versions or operating systems.

To install:


sudo apt update
sudo apt install nginx

For a detailed guide, see: https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-ubuntu-18-04

Step 2 - install and run Certbot

In order to encrypt connections using HTTPS with SSL, we need to make certificates. There are many ways to do this, but the easiest is using the Let's Encrypt service and the Certbot package to generate them.

The first step is to install Certbot. Instructions can be found here: https://certbot.eff.org/lets-encrypt/ubuntubionic-apache.html

Once installed, run the following command and follow the onscreen prompts:

sudo certbot --nginx

Step 3 - create new NGINX defaults file

Replace the NGINX defaults file, located in /etc/nginx/sites-available, with the following:

server {
    listen 80;
    return 301 https://$host$request_uri;
}

server {

    # The "ssl" parameter on listen replaces the obsolete "ssl on;" directive
    listen 443 ssl;
    server_name your-domain-name;

    ssl_certificate           /etc/letsencrypt/live/your-domain-name/fullchain.pem;
    ssl_certificate_key       /etc/letsencrypt/live/your-domain-name/privkey.pem;

    ssl_session_cache  builtin:1000  shared:SSL:10m;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996), so only 1.2 and 1.3 are offered
    ssl_protocols  TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    access_log            /var/log/nginx/jenkins.access.log;

    location / {

      proxy_set_header        Host $host;
      proxy_set_header        X-Real-IP $remote_addr;
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header        X-Forwarded-Proto $scheme;

      # Fix the "It appears that your reverse proxy set up is broken" error.
      proxy_pass          http://localhost:8080;
      proxy_read_timeout  90;

      proxy_redirect      http://localhost:8080 https://your-domain-name;
    }
}

Be sure to replace the path to your Let's Encrypt certificates and the domain of the clearml-server.
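
A pre-reload check for a server block like the one in the post above, added here as an example (it is not part of the original issue or of the ClearML project): it flags legacy `ssl_protocols` values, the obsolete `ssl on;` directive, a port 443 listener without `ssl`, and leftover `your-domain-name` placeholders. The function name `audit_nginx_tls`, the two sample configs and the host `clearml.example.com` are assumptions made for the illustration.

```bash
# Added example: audit an NGINX site file for TLS settings to fix before reload.
# Sample configs are constructed; clearml.example.com is a placeholder host.
# Reads the file named in $1 (or stdin), prints one finding per line and
# returns 1 if anything was flagged, 0 if the file passed.
audit_nginx_tls() {
    awk '
        { sub(/#.*/, "") }    # ignore comments
        $1 == "ssl_protocols" {
            for (i = 2; i <= NF; i++) {
                p = $i; sub(/;$/, "", p)
                if (p == "SSLv2" || p == "SSLv3" || p == "TLSv1" || p == "TLSv1.1") {
                    printf "line %d: legacy protocol %s enabled\n", NR, p; n++
                }
            }
        }
        $1 == "ssl" && $2 ~ /^on;?$/ {
            printf "line %d: obsolete \"ssl on\", use \"listen 443 ssl\"\n", NR; n++
        }
        $1 == "listen" && $2 ~ /^(.*:)?443;?$/ && $0 !~ /ssl/ {
            printf "line %d: port 443 listener lacks the ssl parameter\n", NR; n++
        }
        /your-domain-name/ {
            printf "line %d: placeholder your-domain-name not replaced\n", NR; n++
        }
        END { exit (n > 0) }
    ' "$@"
}

weak_conf() { cat <<'EOF'
server {
    listen 443;
    server_name your-domain-name;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
EOF
}

fixed_conf() { cat <<'EOF'
server {
    listen 443 ssl;
    server_name clearml.example.com;
    ssl_protocols TLSv1.2 TLSv1.3;
}
EOF
}

weak_conf | audit_nginx_tls || echo "weak sample: fix findings, then run nginx -t"
fixed_conf | audit_nginx_tls && echo "fixed sample: no findings"
```

On a real host, pass the site file path as the argument and follow a clean result with `sudo nginx -t` before reloading.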

pktiuk commented 1 year ago

It would be good to add this tutorial to the official docs.
It would also be useful to have a config for dealing with subdomains like in https://github.com/allegroai/clearml-server/issues/34