From 5f279771c7c245ec3fefea1778662a10580fbc33 Mon Sep 17 00:00:00 2001 
From: echowxsy
Date: Tue, 8 Oct 2024 21:39:45 +0800
Subject: [PATCH] [Documentation] Enable HTTPS use Custom Certificates (#7508)

### Motivation and context

fix #4767

my docker-compose.https.yml:

```yaml
# Copyright (C) 2018-2022 Intel Corporation
#
# SPDX-License-Identifier: MIT
```

### Checklist

- [x] I submit my changes into the `develop` branch
- [x] I have created a changelog fragment
- [x] I have updated the documentation accordingly
- [x] I have added tests to cover my changes
- [x] I have linked related issues (see [GitHub docs](
  https://help.github.com/en/github/managing-your-work-on-github/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword))
- [x] I have increased versions of npm packages if it is necessary
  ([cvat-canvas](https://github.com/opencv/cvat/tree/develop/cvat-canvas#versioning),
  [cvat-core](https://github.com/opencv/cvat/tree/develop/cvat-core#versioning),
  [cvat-data](https://github.com/opencv/cvat/tree/develop/cvat-data#versioning) and
  [cvat-ui](https://github.com/opencv/cvat/tree/develop/cvat-ui#versioning))

### License

- [x] I submit _my code changes_ under the same [MIT License](
  https://github.com/opencv/cvat/blob/develop/LICENSE) that covers the project.
  Feel free to contact the maintainers if that's a concern.

## Summary by CodeRabbit

- **New Features**
  - Introduced comprehensive documentation for implementing custom SSL certificates in the CVAT environment.
  - Provided step-by-step instructions for setting up and configuring Traefik to use custom certificates.
- **Documentation**
  - Added a new file detailing the process of creating a certificates directory, modifying Traefik configuration, and starting CVAT with custom SSL certificates.
--------- Co-authored-by: Andrey Zhavoronkov --- changelog.d/20240919_114257_echowxsy.md | 4 + .../advanced/custom_certificates.md | 79 +++++++++++++++++++ 2 files changed, 83 insertions(+) create mode 100644 changelog.d/20240919_114257_echowxsy.md create mode 100644 site/content/en/docs/administration/advanced/custom_certificates.md diff --git a/changelog.d/20240919_114257_echowxsy.md b/changelog.d/20240919_114257_echowxsy.md new file mode 100644 index 000000000000..2e1044c674c0 --- /dev/null +++ b/changelog.d/20240919_114257_echowxsy.md @@ -0,0 +1,4 @@ +### Added + +- Added custom certificates documentation + () diff --git a/site/content/en/docs/administration/advanced/custom_certificates.md b/site/content/en/docs/administration/advanced/custom_certificates.md new file mode 100644 index 000000000000..3ea9367974f9 --- /dev/null +++ b/site/content/en/docs/administration/advanced/custom_certificates.md 
@@ -0,0 +1,79 @@ +--- +title: 'Custom Certificates' +linkTitle: 'Custom Certificates' +description: 'Use Custom Certificates in CVAT' +weight: 100 +--- + +CVAT use traefik as a reverse proxy to manage SSL certificates. +By default, traefik uses Let's Encrypt to generate SSL certificates. +However, you can use your own certificates instead of Let's Encrypt. + +See: + +- [Setup Custom Certificates](#setup-custom-certificates) +- [Create Certificates Directory](#create-certificates-directory) +- [Change Traefik Configuration](#change-traefik-configuration) +- [Start CVAT](#start-cvat) + + +## Setup Custom Certificates + +### Create Certificates Directory + +Create a `certs` directory in the root of the project: + +```bash +mkdir -p ./certs + +``` + +Move your certificates to the `./certs` directory: + +```bash +mv /path/to/cert.pem ./certs/cert.pem +mv /path/to/key.pem ./certs/key.pem +``` + +### Change Traefik Configuration + +Create `tls.yml` in the root of the project directory with the following content: + +```yaml +tls: + stores: + default: + defaultCertificate: + certFile: /certs/cert.pem + keyFile: /certs/key.pem +``` + +Edit the `docker-compose.https.yml` file and change the traefik servise configuration as follows: + +```yaml + traefik: + environment: + TRAEFIK_ENTRYPOINTS_web_ADDRESS: :80 + TRAEFIK_ENTRYPOINTS_web_HTTP_REDIRECTIONS_ENTRYPOINT_TO: websecure + TRAEFIK_ENTRYPOINTS_web_HTTP_REDIRECTIONS_ENTRYPOINT_SCHEME: https + TRAEFIK_ENTRYPOINTS_websecure_ADDRESS: :443 + # Disable Let's Encrypt + # TRAEFIK_CERTIFICATESRESOLVERS_lets-encrypt_ACME_EMAIL: "${ACME_EMAIL:?Please set the ACME_EMAIL env variable}" + # TRAEFIK_CERTIFICATESRESOLVERS_lets-encrypt_ACME_TLSCHALLENGE: "true" + # TRAEFIK_CERTIFICATESRESOLVERS_lets-encrypt_ACME_STORAGE: /letsencrypt/acme.json + ports: + - 80:80 + - 443:443 + # Add certificates volume and tls.yml rules + volumes: + - ./certs:/certs + - ./tls.yml:/etc/traefik/rules/tls.yml +``` + +### Start CVAT + +Start CVAT with the 
following command: + +```bash +docker compose -f docker-compose.yml -f docker-compose.https.yml up -d +```
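
Review bot: In `changelog.d/20240919_114257_echowxsy.md` the entry ends with an empty `()`, so the changelog fragment carries no reference back to the change it describes. Put the pull request link inside the parentheses, or drop the parentheses if no link is intended.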
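
Review bot: In `custom_certificates.md` the private key is moved with `mv /path/to/key.pem ./certs/key.pem` and then bind-mounted through `./certs:/certs` with no mention of file permissions or a read-only mount, so the key keeps whatever mode it arrived with and is writable from inside the traefik container. Suggest adding a step that restricts the key to its owner (for example `chmod 600 ./certs/key.pem`), mounting both volumes read-only (`./certs:/certs:ro` and `./tls.yml:/etc/traefik/rules/tls.yml:ro`), and noting that `./certs` should be kept out of version control. The page also never says what makes traefik read `/etc/traefik/rules/tls.yml`; one sentence naming where that directory is configured as a dynamic configuration source would tell the reader why the file must land at that exact path. A closing step that checks the certificate actually served on port 443 would help readers confirm that the default certificate from `tls.yml` is in use. Smaller points: "CVAT use traefik" should read "CVAT uses Traefik", "servise" should be "service", the first `bash` block has a stray blank line before its closing fence, and the "See:" list puts "Setup Custom Certificates" at the same level as its own subsections.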