Security
Infrastructure security
In terms of infrastructure security, we would propose:
- Disable the demo site via the FACEAPI_ENABLE_DEMO_WEB_APP="false" environment variable, to avoid unnecessary worker utilization for serving site content and possible security issues raised by frontend vulnerabilities.
- Do not expose the service publicly if possible. Access to the backend should be provided only via private, tiered networking.
- Use an HTTPS connection wherever possible.
- Use a firewall and limit incoming connections to the apps (firewalls, security groups, rules) to only verified and authorized consumers (VMs/services).
- Use a load balancer in front. Security configuration then becomes much simpler and more capable. While it is still possible to terminate the SSL connection and configure security-specific headers in the faceapi container, let the service do the job it was created for: processing requests. The rest should be handled by the load balancer.
- Implement authorization, for example via nginx and a plugin.
HTTPS
Below is an example configuration for docker deployment, but it can be easily adapted to all the provided platforms.
Option 1. Recommended. nginx as a reverse-proxy
Run nginx as a frontend container that terminates HTTPS and proxies service requests to the backend FACEAPI container. Here you can find the docker-compose.yml file and the nginx default.conf file for reference.
Enabling authentication
Authentication for the Face SDK Web Service is enabled through a reverse proxy. This guide provides an example of a basic configuration using nginx with HTTP Basic authentication.
Before you begin, ensure you have the following files placed in a single directory:
- docker-compose.yml
- nginx.conf — an nginx configuration file
- .htpasswd — a file containing the created users and passwords
- regula.license — a valid license file
1. Create the docker-compose.yml file with the following content:
version: "3.9"
services:
  faceapi:
    image: regulaforensics/face-api:latest
    volumes:
      - ./regula.license:/app/extBin/unix/regula.license
  nginx:
    image: nginx:alpine
    ports:
      - "8000:80"
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf
      - ./.htpasswd:/etc/nginx/.htpasswd
    depends_on:
      - faceapi
2. Configure the nginx.conf file with the following content:
events {
}
http {
  server {
    listen 80;
    location / {
      proxy_pass http://faceapi:41101;
      auth_basic "Faceapi with auth";
      auth_basic_user_file /etc/nginx/.htpasswd;
    }
  }
}
3. Create the .htpasswd file by executing the command below:
printf "USER:$(openssl passwd -apr1 PASSWORD)\n" >> .htpasswd
Replace USER with the required username and PASSWORD with the required password. The command can be executed multiple times to create the required number of users.
4. Ensure that the regula.license file is valid and active.
5. Run the following command to start the Face SDK Web Service with authentication through the reverse proxy and nginx:
docker compose up -d
Your Face instance is now set up with authentication using a reverse proxy and Basic authentication. Access it through the configured reverse proxy URL, and you'll be prompted to enter the username and password from the .htpasswd file.
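The check that nginx performs on every request with auth_basic / auth_basic_user_file, shown here as an added example in stdlib Python that is not part of the Regula documentation or the Face SDK Web Service code. It re-implements the $apr1$ scheme that `openssl passwd -apr1` writes into .htpasswd (Apache's MD5-crypt variant), parses the file, decodes the Authorization header and decides whether a request would be proxied to faceapi. The user names, passwords and fixed salts in SAMPLE_HTPASSWD are constructed for this example, and all function names are my own.

```python
# Added example, not part of the Regula documentation or of the Face SDK Web
# Service: a stdlib re-implementation of what nginx's auth_basic does with the
# .htpasswd file from step 3, so the check can be studied offline.
# `openssl passwd -apr1` writes lines of the form  USER:$apr1$<salt>$<22 chars>
# (Apache's MD5-crypt variant: 1000 MD5 rounds over salt/password combinations).
import base64
import hashlib
import hmac
from typing import Dict, Optional

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(v: int, n: int) -> str:
    # crypt-style base64: low 6 bits first, no padding
    out = ""
    for _ in range(n):
        out += ITOA64[v & 0x3F]
        v >>= 6
    return out


def apr1_crypt(password: str, salt: str) -> str:
    """Compute the $apr1$ hash the same way `openssl passwd -apr1` does."""
    pw = password.encode()
    sb = salt[:8].encode()                       # at most 8 salt characters
    ctx = hashlib.md5(pw + b"$apr1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    pl = len(pw)                                 # mix in alt, 16 bytes per 16 of pw
    while pl > 0:
        ctx.update(alt[:min(pl, 16)])
        pl -= 16
    i = len(pw)                                  # historical quirk: bits of len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):                        # key-stretching rounds
        c = hashlib.md5(pw if r & 1 else final)
        if r % 3:
            c.update(sb)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()
    f = final                                    # fixed byte transposition
    enc = (_to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
           + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
           + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
           + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
           + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
           + _to64(f[11], 2))
    return "$apr1$" + sb.decode() + "$" + enc


def parse_htpasswd(text: str) -> Dict[str, str]:
    """Map user -> stored hash; blank and comment lines are ignored."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            user, stored = line.split(":", 1)
            users[user] = stored
    return users


def verify_password(stored: str, password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    parts = stored.split("$")                    # ['', 'apr1', salt, hash]
    if len(parts) != 4 or parts[1] != "apr1":
        return False                             # other schemes not handled here
    return hmac.compare_digest(apr1_crypt(password, parts[2]), stored)


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header a client sends for Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_basic_auth(header: Optional[str], users: Dict[str, str]) -> bool:
    """True when the request may be proxied to faceapi, False -> 401."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    user, sep, password = decoded.partition(":")
    return bool(sep) and user in users and verify_password(users[user], password)


# Constructed sample .htpasswd with two users; salts are fixed so the file is
# reproducible, whereas `openssl passwd -apr1` picks a random salt each run.
SAMPLE_HTPASSWD = "\n".join([
    "operator:" + apr1_crypt("example-pass-1", "Qx7kd3Lm"),
    "auditor:" + apr1_crypt("example-pass-2", "p9Tz2Wfa"),
])

if __name__ == "__main__":
    users = parse_htpasswd(SAMPLE_HTPASSWD)
    print(SAMPLE_HTPASSWD)
    print(check_basic_auth(basic_header("operator", "example-pass-1"), users))  # True
    print(check_basic_auth(basic_header("operator", "nope"), users))            # False
```

Two points worth taking from the code: the stored value is an MD5-based hash, so password strength is what protects the file if it ever leaks, and the client sends the credentials only base64-encoded, which is why the Basic-auth proxy should sit behind the HTTPS termination described in Option 1 rather than on a plain port 80 that is reachable from outside.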
Option 2. FaceAPI via HTTPS
To run the FaceAPI service via HTTPS:
- set 644 permissions on the certificate files so the server is able to read them
- pass the cert.crt and cert.key files to the container
- pass the FACEAPI_CERT_FILE and FACEAPI_KEY_FILE environment variables
- forward the container port to host port 8443
chmod 644 ~/cert.crt ~/cert.key
docker run -it -p 8443:41101 -v ~/regula.license:/app/extBin/unix/regula.license -v ~/cert.crt:/app/cert.crt -v ~/cert.key:/app/cert.key -e FACEAPI_CERT_FILE="/app/cert.crt" -e FACEAPI_KEY_FILE="/app/cert.key" regulaforensics/face-api