mirror of
https://github.com/blakeblackshear/frigate.git
synced 2025-10-22 11:15:54 +02:00
clarifications for proxy auth mode (#11947)
parent 9514a3d089
commit 1a0d9e10d7
@ -9,16 +9,16 @@ title: Authentication
|
|||||||
|
|
||||||
Frigate supports two modes for authentication
|
Frigate supports two modes for authentication
|
||||||
|
|
||||||
| Mode | Description |
|
| Mode | Description |
|
||||||
| -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|
| -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|
||||||
| `native` | (default) Use this mode if you don't implement authentication with a proxy in front of Frigate. |
|
| `native` | (default) Use this mode if you don't implement authentication with a proxy in front of Frigate. |
|
||||||
| `proxy` | Use this mode if you have an existing proxy for authentication. Supports passing authenticated user downstream to Frigate for role-based authorization (future implementation). |
|
| `proxy` | Turns off Frigate's authentication. Use this mode if you have an existing proxy for authentication. Supports passing authenticated user downstream via common headers to Frigate for role-based authorization (future implementation). |
|
||||||
|
|
||||||
The following ports are used to access the Frigate webUI
|
The following ports are used to access the Frigate webUI
|
||||||
|
|
||||||
| Port | Description |
|
| Port | Description |
|
||||||
| ------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|
| ------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|
||||||
| `8080` | Authenticated UI and API access without TLS. Reverse proxies should use this port. |
|
| `8080` | Authenticated UI and API. Reverse proxies should use this port. |
|
||||||
| `5000` | Internal unauthenticated UI and API access. Access to this port should be limited. Intended to be used within the docker network for services that integrate with Frigate. |
|
| `5000` | Internal unauthenticated UI and API access. Access to this port should be limited. Intended to be used within the docker network for services that integrate with Frigate. |
|
||||||
|
|
||||||
### Native mode
|
### Native mode
|
||||||
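Review bot: In the mode table, the new `proxy` row says this mode "Turns off Frigate's authentication", but the `8080` row of the port table still reads "Authenticated UI and API" and tells reverse proxies to use that port. In proxy mode those two statements conflict; consider wording the `8080` row so it says the port is authenticated by Frigate only in `native` mode and relies on the upstream proxy in `proxy` mode. The same row drops "without TLS" with no replacement, so state explicitly whether the port serves TLS. "via common headers" would also be clearer with a pointer to the Header mapping section.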
@ -84,6 +84,12 @@ Changing the secret will invalidate current tokens.
|
|||||||
|
|
||||||
Proxy mode is designed to complement common upstream authentication proxies such as Authelia, Authentik, oauth2_proxy, or traefik-forward-auth.
|
Proxy mode is designed to complement common upstream authentication proxies such as Authelia, Authentik, oauth2_proxy, or traefik-forward-auth.
|
||||||
|
|
||||||
|
:::danger
|
||||||
|
|
||||||
|
Note that using proxy mode disables authentication checks in Frigate. This mode will pass headers so Frigate can be aware of the logged in user from the upstream proxy, but it does not validate that the request came from your proxy. If the proxy resides on a different device, you should consider using firewall rules or a VPN between Frigate and the proxy if the network is insecure.
|
||||||
|
|
||||||
|
:::
|
||||||
|
|
||||||
#### Header mapping
|
#### Header mapping
|
||||||
|
|
||||||
If your proxy supports passing a header with the authenticated username, you can use the `header_map` config to specify the header name so it is passed to Frigate. For example, the following will map the `X-Forwarded-User` value. Header names are not case sensitive.
|
If your proxy supports passing a header with the authenticated username, you can use the `header_map` config to specify the header name so it is passed to Frigate. For example, the following will map the `X-Forwarded-User` value. Header names are not case sensitive.
|
||||||
|
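Review bot: The added `:::danger` block states that Frigate "does not validate that the request came from your proxy", yet the mitigation is offered only for a proxy on a different device and only "if the network is insecure". Because the user is taken from a header such as the `X-Forwarded-User` example in the context line below, the requirement applies to every deployment. Suggest saying unconditionally that the proxied port must be reachable only from the proxy, and that the proxy should overwrite or strip any client-supplied copy of the mapped header before forwarding.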
@ -9,6 +9,13 @@ Frigate's integrated NGINX server supports TLS certificates. By default Frigate
|
|||||||
|
|
||||||
Frigate is often running behind a reverse proxy that manages TLS certificates for multiple services. You will likely need to set your reverse proxy to allow self signed certificates or you can disable TLS in Frigate's config. However, if you are running on a dedicated device that's separate from your proxy or if you expose Frigate directly to the internet, you may want to configure TLS with valid certificates.
|
Frigate is often running behind a reverse proxy that manages TLS certificates for multiple services. You will likely need to set your reverse proxy to allow self signed certificates or you can disable TLS in Frigate's config. However, if you are running on a dedicated device that's separate from your proxy or if you expose Frigate directly to the internet, you may want to configure TLS with valid certificates.
|
||||||
|
|
||||||
|
In many deployments, TLS will be unnecessary. It can be disabled in the config with the following yaml:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
tls:
|
||||||
|
enabled: False
|
||||||
|
```
|
||||||
|
|
||||||
## Certificates
|
## Certificates
|
||||||
|
|
||||||
TLS certificates can be mounted at `/etc/letsencrypt/live/frigate` using a bind mount or docker volume.
|
TLS certificates can be mounted at `/etc/letsencrypt/live/frigate` using a bind mount or docker volume.
|
||||||
|
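Review bot: The added sentence "In many deployments, TLS will be unnecessary" follows a paragraph that recommends valid certificates when Frigate runs on a device separate from the proxy or is exposed directly, so it should name the deployments it means, for example a proxy that terminates TLS and reaches Frigate on the same host or docker network. Without that qualifier, a reader with a multi-host setup can disable TLS on a link that carries the proxy's user header in cleartext. Minor: `enabled: False` parses as a boolean, but lowercase `false` is the more common YAML spelling; use whichever the rest of the docs use.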