From 9fd3aa0cd3ad72618075db3a12173fe849e944fa Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Thu, 21 Sep 2023 22:24:08 -0500 Subject: [PATCH] frigate: Configure nginx reverse proxy Using nginx, we can expose the Frigate web server via HTTPS. Since Frigate has no built-in authentication, we need to use Authelia via the nginx proxy auth feature. --- frigate.nginx | 77 +++++++++++++++++++++++++++++++++++++++++++++++++ frigate.yaml | 4 +++ nginx.container | 1 + 3 files changed, 82 insertions(+) create mode 100644 frigate.nginx
diff --git a/frigate.nginx b/frigate.nginx
new file mode 100644
index 0000000..3bb6f60
--- /dev/null
+++ b/frigate.nginx
@@ -0,0 +1,77 @@
+# vim: set sw=4 ts=4 sts=4 et :
+
+resolver 127.0.0.53;
+
+set $upstream_authelia https://auth.pyrocufflink.blue/api/verify;
+
+## Virtual endpoint created by nginx to forward auth requests.
+location /authelia {
+ ## Essential Proxy Configuration
+ internal;
+ proxy_pass $upstream_authelia;
+
+ ## Headers
+ ## The headers starting with X-* are required.
+ proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+ proxy_set_header X-Original-Method $request_method;
+ proxy_set_header X-Forwarded-Method $request_method;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $http_host;
+ proxy_set_header X-Forwarded-Uri $request_uri;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header Content-Length "";
+ proxy_set_header Connection "";
+
+ ## Basic Proxy Configuration
+ proxy_pass_request_body off;
+ proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; # Timeout if the real server is dead
+ proxy_redirect http:// $scheme://;
+ proxy_http_version 1.1;
+ proxy_cache_bypass $cookie_session;
+ proxy_no_cache $cookie_session;
+ proxy_buffers 4 32k;
+ client_body_buffer_size 128k;
+
+ ## Advanced Proxy Configuration
+ send_timeout 5m;
+ proxy_read_timeout 240;
+ proxy_send_timeout 240;
+ proxy_connect_timeout 240;
+}
+
+location / {
+ ## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource.
+ auth_request /authelia;
+
+ ## Set the $target_url variable based on the original request.
+
+ ## Comment this line if you're using nginx without the http_set_misc module.
+ set_escape_uri $target_url $scheme://$http_host$request_uri;
+
+ ## Uncomment this line if you're using NGINX without the http_set_misc module.
+ # set $target_url $scheme://$http_host$request_uri;
+
+ ## Save the upstream response headers from Authelia to variables.
+ auth_request_set $user $upstream_http_remote_user;
+ auth_request_set $groups $upstream_http_remote_groups;
+ auth_request_set $name $upstream_http_remote_name;
+ auth_request_set $email $upstream_http_remote_email;
+
+ ## Inject the response headers from the variables into the request made to the backend.
+ proxy_set_header Remote-User $user;
+ proxy_set_header Remote-Groups $groups;
+ proxy_set_header Remote-Name $name;
+ proxy_set_header Remote-Email $email;
+
+ ## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal.
+ error_page 401 =302 https://auth.pyrocufflink.blue/?rd=$target_url;
+
+ proxy_pass http://127.0.0.1:5000/;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $http_connection;
+ proxy_http_version 1.1;
+}
diff --git a/frigate.yaml b/frigate.yaml
index 937118e..6132a3a 100644
--- a/frigate.yaml
+++ b/frigate.yaml
@@ -23,6 +23,10 @@ storage: id: 209 contents: local: frigate.env + - path: /etc/nginx/default.d/frigate.conf + mode: 0644 + contents: + local: frigate.nginx systemd: units:
diff --git a/nginx.container b/nginx.container
index 88dfbaa..6212f50 100644
--- a/nginx.container
+++ b/nginx.container
@@ -17,6 +17,7 @@ Network=host [Service] Restart=always +ExecReload=/usr/bin/podman exec -i systemd-%N nginx -s reload [Install] WantedBy=multi-user.target
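Review bot: The `/authelia` block builds `X-Original-URL` and `X-Forwarded-Host` from `$http_host`, which is whatever Host header the client sent; because the file is installed under `default.d` (presumably included by a default server that is not visible here), Authelia may end up evaluating its access rules against a hostname the client chose. Pinning the name, e.g. `proxy_set_header X-Original-URL $scheme://<frigate-hostname>$request_uri;` (placeholder hostname), or rejecting unexpected hosts in the enclosing server block, keeps the policy lookup tied to this site. The subrequest also goes to an `https://` upstream without `proxy_ssl_verify on;`, `proxy_ssl_trusted_certificate` and `proxy_ssl_server_name on;`, so nginx will accept any certificate from whatever address the resolver returns. Lastly, `auth_request` only protects traffic that passes through nginx, so it is worth confirming that the backend behind `proxy_pass http://127.0.0.1:5000/;` is bound to loopback or firewalled, given that `nginx.container` runs with `Network=host`.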
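Review bot: The `ExecReload=` line hard-codes the container name as `systemd-%N`, which matches Quadlet's default naming only while no `ContainerName=` is set in the `[Container]` section (that section lies outside this hunk). A comment above the line, such as `# systemd-%N is Quadlet's default container name; keep in sync with ContainerName=`, would record that dependency. The `-i` flag keeps stdin attached for a command that reads nothing, so `ExecReload=/usr/bin/podman exec systemd-%N nginx -s reload` should be enough.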