mirror of
https://github.com/blakeblackshear/frigate.git
synced 2024-12-14 19:07:56 +01:00
Nginx config tweaks (#12174)
* Change auth port and remove ipv6 * Add docs for nginx bind mount * Consolidate listen statements * Update port in docs * Fix typing
This commit is contained in:
parent
bfbacee7b5
commit
46c3ef8c6b
@ -10,9 +10,9 @@
|
|||||||
"features": {
|
"features": {
|
||||||
"ghcr.io/devcontainers/features/common-utils:1": {}
|
"ghcr.io/devcontainers/features/common-utils:1": {}
|
||||||
},
|
},
|
||||||
"forwardPorts": [8080, 5000, 5001, 5173, 8554, 8555],
|
"forwardPorts": [8971, 5000, 5001, 5173, 8554, 8555],
|
||||||
"portsAttributes": {
|
"portsAttributes": {
|
||||||
"8080": {
|
"8971": {
|
||||||
"label": "External NGINX",
|
"label": "External NGINX",
|
||||||
"onAutoForward": "silent"
|
"onAutoForward": "silent"
|
||||||
},
|
},
|
||||||
|
@ -34,7 +34,7 @@ do
|
|||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
liveprint=`echo | openssl s_client -showcerts -connect 127.0.0.1:8080 2>&1 | openssl x509 -fingerprint 2>&1 | grep -i fingerprint || echo 'failed'`
|
liveprint=`echo | openssl s_client -showcerts -connect 127.0.0.1:8971 2>&1 | openssl x509 -fingerprint 2>&1 | grep -i fingerprint || echo 'failed'`
|
||||||
|
|
||||||
case "$liveprint" in
|
case "$liveprint" in
|
||||||
*Fingerprint*)
|
*Fingerprint*)
|
||||||
|
@ -59,9 +59,6 @@ http {
|
|||||||
include go2rtc_upstream.conf;
|
include go2rtc_upstream.conf;
|
||||||
|
|
||||||
server {
|
server {
|
||||||
# intended for internal traffic, not protected by auth
|
|
||||||
listen [::]:5000 ipv6only=off;
|
|
||||||
|
|
||||||
include listen.conf;
|
include listen.conf;
|
||||||
|
|
||||||
# vod settings
|
# vod settings
|
||||||
|
@ -1,9 +1,12 @@
|
|||||||
{{ if not .enabled }}
|
{{ if not .enabled }}
|
||||||
# intended for external traffic, protected by auth
|
# intended for external traffic, protected by auth
|
||||||
listen [::]:8080 ipv6only=off;
|
listen 8971;
|
||||||
{{ else }}
|
{{ else }}
|
||||||
# intended for external traffic, protected by auth
|
# intended for external traffic, protected by auth
|
||||||
listen [::]:8080 ipv6only=off ssl;
|
listen 8971 ssl;
|
||||||
|
|
||||||
|
# intended for internal traffic, not protected by auth
|
||||||
|
listen 5000;
|
||||||
|
|
||||||
ssl_certificate /etc/letsencrypt/live/frigate/fullchain.pem;
|
ssl_certificate /etc/letsencrypt/live/frigate/fullchain.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/frigate/privkey.pem;
|
ssl_certificate_key /etc/letsencrypt/live/frigate/privkey.pem;
|
||||||
|
@ -106,7 +106,53 @@ Some labels have special handling and modifications can disable functionality.
|
|||||||
|
|
||||||
:::
|
:::
|
||||||
|
|
||||||
## Custom ffmpeg build
|
## Network Configuration
|
||||||
|
|
||||||
|
Changes to Frigate's internal network configuration can be made by bind mounting nginx.conf into the container. For example:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
services:
|
||||||
|
frigate:
|
||||||
|
container_name: frigate
|
||||||
|
...
|
||||||
|
volumes:
|
||||||
|
...
|
||||||
|
- /path/to/your/nginx.conf:/usr/local/nginx/conf/nginx.conf
|
||||||
|
```
|
||||||
|
|
||||||
|
### Enabling IPv6
|
||||||
|
|
||||||
|
IPv6 is disabled by default, to enable IPv6 listen.gotmpl needs to be bind mounted with IPv6 enabled. For example:
|
||||||
|
|
||||||
|
```
|
||||||
|
{{ if not .enabled }}
|
||||||
|
# intended for external traffic, protected by auth
|
||||||
|
listen 8971;
|
||||||
|
{{ else }}
|
||||||
|
# intended for external traffic, protected by auth
|
||||||
|
listen 8971 ssl;
|
||||||
|
|
||||||
|
# intended for internal traffic, not protected by auth
|
||||||
|
listen 5000;
|
||||||
|
```
|
||||||
|
|
||||||
|
becomes
|
||||||
|
|
||||||
|
```
|
||||||
|
{{ if not .enabled }}
|
||||||
|
# intended for external traffic, protected by auth
|
||||||
|
listen [::]:8971 ipv6only=off;
|
||||||
|
{{ else }}
|
||||||
|
# intended for external traffic, protected by auth
|
||||||
|
listen [::]:8971 ipv6only=off ssl;
|
||||||
|
|
||||||
|
# intended for internal traffic, not protected by auth
|
||||||
|
listen [::]:5000 ipv6only=off;
|
||||||
|
```
|
||||||
|
|
||||||
|
## Custom Dependencies
|
||||||
|
|
||||||
|
### Custom ffmpeg build
|
||||||
|
|
||||||
Included with Frigate is a build of ffmpeg that works for the vast majority of users. However, there exists some hardware setups which have incompatibilities with the included build. In this case, a docker volume mapping can be used to overwrite the included ffmpeg build with an ffmpeg build that works for your specific hardware setup.
|
Included with Frigate is a build of ffmpeg that works for the vast majority of users. However, there exists some hardware setups which have incompatibilities with the included build. In this case, a docker volume mapping can be used to overwrite the included ffmpeg build with an ffmpeg build that works for your specific hardware setup.
|
||||||
|
|
||||||
@ -118,7 +164,7 @@ To do this:
|
|||||||
|
|
||||||
NOTE: The folder that is mapped from the host needs to be the folder that contains `/bin`. So if the full structure is `/home/appdata/frigate/custom-ffmpeg/bin/ffmpeg` then `/home/appdata/frigate/custom-ffmpeg` needs to be mapped to `/usr/lib/btbn-ffmpeg`.
|
NOTE: The folder that is mapped from the host needs to be the folder that contains `/bin`. So if the full structure is `/home/appdata/frigate/custom-ffmpeg/bin/ffmpeg` then `/home/appdata/frigate/custom-ffmpeg` needs to be mapped to `/usr/lib/btbn-ffmpeg`.
|
||||||
|
|
||||||
## Custom go2rtc version
|
### Custom go2rtc version
|
||||||
|
|
||||||
Frigate currently includes go2rtc v1.9.4, there may be certain cases where you want to run a different version of go2rtc.
|
Frigate currently includes go2rtc v1.9.4, there may be certain cases where you want to run a different version of go2rtc.
|
||||||
|
|
||||||
|
@ -13,7 +13,7 @@ The following ports are available to access the Frigate web UI.
|
|||||||
|
|
||||||
| Port | Description |
|
| Port | Description |
|
||||||
| ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
|
| ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
|
||||||
| `8080` | Authenticated UI and API. Reverse proxies should use this port. |
|
| `8971` | Authenticated UI and API. Reverse proxies should use this port. |
|
||||||
| `5000` | Internal unauthenticated UI and API access. Access to this port should be limited. Intended to be used within the docker network for services that integrate with Frigate and do not support authentication. |
|
| `5000` | Internal unauthenticated UI and API access. Access to this port should be limited. Intended to be used within the docker network for services that integrate with Frigate and do not support authentication. |
|
||||||
|
|
||||||
## Onboarding
|
## Onboarding
|
||||||
|
@ -65,7 +65,7 @@ database:
|
|||||||
|
|
||||||
# Optional: TLS configuration
|
# Optional: TLS configuration
|
||||||
tls:
|
tls:
|
||||||
# Optional: Enable TLS for port 8080 (default: shown below)
|
# Optional: Enable TLS for port 8971 (default: shown below)
|
||||||
enabled: True
|
enabled: True
|
||||||
|
|
||||||
# Optional: Proxy configuration
|
# Optional: Proxy configuration
|
||||||
|
@ -5,7 +5,7 @@ title: TLS
|
|||||||
|
|
||||||
# TLS
|
# TLS
|
||||||
|
|
||||||
Frigate's integrated NGINX server supports TLS certificates. By default Frigate will generate a self signed certificate that will be used for port 8080. Frigate is designed to make it easy to use whatever tool you prefer to manage certificates.
|
Frigate's integrated NGINX server supports TLS certificates. By default Frigate will generate a self signed certificate that will be used for port 8971. Frigate is designed to make it easy to use whatever tool you prefer to manage certificates.
|
||||||
|
|
||||||
Frigate is often running behind a reverse proxy that manages TLS certificates for multiple services. You will likely need to set your reverse proxy to allow self signed certificates or you can disable TLS in Frigate's config. However, if you are running on a dedicated device that's separate from your proxy or if you expose Frigate directly to the internet, you may want to configure TLS with valid certificates.
|
Frigate is often running behind a reverse proxy that manages TLS certificates for multiple services. You will likely need to set your reverse proxy to allow self signed certificates or you can disable TLS in Frigate's config. However, if you are running on a dedicated device that's separate from your proxy or if you expose Frigate directly to the internet, you may want to configure TLS with valid certificates.
|
||||||
|
|
||||||
@ -44,13 +44,13 @@ frigate:
|
|||||||
|
|
||||||
Frigate automatically compares the fingerprint of the certificate at `/etc/letsencrypt/live/frigate/fullchain.pem` against the fingerprint of the TLS cert in NGINX every minute. If these differ, the NGINX config is reloaded to pick up the updated certificate.
|
Frigate automatically compares the fingerprint of the certificate at `/etc/letsencrypt/live/frigate/fullchain.pem` against the fingerprint of the TLS cert in NGINX every minute. If these differ, the NGINX config is reloaded to pick up the updated certificate.
|
||||||
|
|
||||||
If you issue Frigate valid certificates you will likely want to configure it to run on port 443 so you can access it without a port number like `https://your-frigate-domain.com` by mapping 8080 to 443.
|
If you issue Frigate valid certificates you will likely want to configure it to run on port 443 so you can access it without a port number like `https://your-frigate-domain.com` by mapping 8971 to 443.
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
frigate:
|
frigate:
|
||||||
...
|
...
|
||||||
ports:
|
ports:
|
||||||
- "443:8080"
|
- "443:8971"
|
||||||
...
|
...
|
||||||
```
|
```
|
||||||
|
|
||||||
|
@ -34,7 +34,7 @@ The following ports are used by Frigate and can be mapped via docker as required
|
|||||||
|
|
||||||
| Port | Description |
|
| Port | Description |
|
||||||
| ------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|
| ------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|
||||||
| `8080` | Authenticated UI and API access without TLS. Reverse proxies should use this port. |
|
| `8971` | Authenticated UI and API access without TLS. Reverse proxies should use this port. |
|
||||||
| `5000` | Internal unauthenticated UI and API access. Access to this port should be limited. Intended to be used within the docker network for services that integrate with Frigate. |
|
| `5000` | Internal unauthenticated UI and API access. Access to this port should be limited. Intended to be used within the docker network for services that integrate with Frigate. |
|
||||||
| `8554` | RTSP restreaming. By default, these streams are unauthenticated. Authentication can be configured in go2rtc section of config. |
|
| `8554` | RTSP restreaming. By default, these streams are unauthenticated. Authentication can be configured in go2rtc section of config. |
|
||||||
| `8555` | WebRTC connections for low latency live views. |
|
| `8555` | WebRTC connections for low latency live views. |
|
||||||
@ -171,7 +171,7 @@ services:
|
|||||||
tmpfs:
|
tmpfs:
|
||||||
size: 1000000000
|
size: 1000000000
|
||||||
ports:
|
ports:
|
||||||
- "8080:8080"
|
- "8971:8971"
|
||||||
# - "5000:5000" # Internal unauthenticated access. Expose carefully.
|
# - "5000:5000" # Internal unauthenticated access. Expose carefully.
|
||||||
- "8554:8554" # RTSP feeds
|
- "8554:8554" # RTSP feeds
|
||||||
- "8555:8555/tcp" # WebRTC over tcp
|
- "8555:8555/tcp" # WebRTC over tcp
|
||||||
@ -194,7 +194,7 @@ docker run -d \
|
|||||||
-v /path/to/your/config:/config \
|
-v /path/to/your/config:/config \
|
||||||
-v /etc/localtime:/etc/localtime:ro \
|
-v /etc/localtime:/etc/localtime:ro \
|
||||||
-e FRIGATE_RTSP_PASSWORD='password' \
|
-e FRIGATE_RTSP_PASSWORD='password' \
|
||||||
-p 8080:8080 \
|
-p 8971:8971 \
|
||||||
-p 8554:8554 \
|
-p 8554:8554 \
|
||||||
-p 8555:8555/tcp \
|
-p 8555:8555/tcp \
|
||||||
-p 8555:8555/udp \
|
-p 8555:8555/udp \
|
||||||
@ -370,7 +370,7 @@ docker run \
|
|||||||
--network=bridge \
|
--network=bridge \
|
||||||
--privileged \
|
--privileged \
|
||||||
--workdir=/opt/frigate \
|
--workdir=/opt/frigate \
|
||||||
-p 8080:8080 \
|
-p 8971:8971 \
|
||||||
-p 8554:8554 \
|
-p 8554:8554 \
|
||||||
-p 8555:8555 \
|
-p 8555:8555 \
|
||||||
-p 8555:8555/udp \
|
-p 8555:8555/udp \
|
||||||
|
@ -117,7 +117,7 @@ services:
|
|||||||
tmpfs:
|
tmpfs:
|
||||||
size: 1000000000
|
size: 1000000000
|
||||||
ports:
|
ports:
|
||||||
- "8080:8080"
|
- "8971:8971"
|
||||||
- "8554:8554" # RTSP feeds
|
- "8554:8554" # RTSP feeds
|
||||||
```
|
```
|
||||||
|
|
||||||
@ -137,7 +137,7 @@ cameras:
|
|||||||
- detect
|
- detect
|
||||||
```
|
```
|
||||||
|
|
||||||
Now you should be able to start Frigate by running `docker compose up -d` from within the folder containing `docker-compose.yml`. On startup, an admin user and password will be created and outputted in the logs. You can see this by running `docker logs frigate`. Frigate should now be accessible at `https://server_ip:8080` where you can login with the `admin` user and finish the configuration using the built-in configuration editor.
|
Now you should be able to start Frigate by running `docker compose up -d` from within the folder containing `docker-compose.yml`. On startup, an admin user and password will be created and outputted in the logs. You can see this by running `docker logs frigate`. Frigate should now be accessible at `https://server_ip:8971` where you can login with the `admin` user and finish the configuration using the built-in configuration editor.
|
||||||
|
|
||||||
## Configuring Frigate
|
## Configuring Frigate
|
||||||
|
|
||||||
|
@ -38,20 +38,20 @@ Here we access Frigate via https://cctv.mydomain.co.uk
|
|||||||
ServerName cctv.mydomain.co.uk
|
ServerName cctv.mydomain.co.uk
|
||||||
|
|
||||||
ProxyPreserveHost On
|
ProxyPreserveHost On
|
||||||
ProxyPass "/" "http://frigatepi.local:8080/"
|
ProxyPass "/" "http://frigatepi.local:8971/"
|
||||||
ProxyPassReverse "/" "http://frigatepi.local:8080/"
|
ProxyPassReverse "/" "http://frigatepi.local:8971/"
|
||||||
|
|
||||||
ProxyPass /ws ws://frigatepi.local:8080/ws
|
ProxyPass /ws ws://frigatepi.local:8971/ws
|
||||||
ProxyPassReverse /ws ws://frigatepi.local:8080/ws
|
ProxyPassReverse /ws ws://frigatepi.local:8971/ws
|
||||||
|
|
||||||
ProxyPass /live/ ws://frigatepi.local:8080/live/
|
ProxyPass /live/ ws://frigatepi.local:8971/live/
|
||||||
ProxyPassReverse /live/ ws://frigatepi.local:8080/live/
|
ProxyPassReverse /live/ ws://frigatepi.local:8971/live/
|
||||||
|
|
||||||
RewriteEngine on
|
RewriteEngine on
|
||||||
RewriteCond %{HTTP:Upgrade} =websocket [NC]
|
RewriteCond %{HTTP:Upgrade} =websocket [NC]
|
||||||
RewriteRule /(.*) ws://frigatepi.local:8080/$1 [P,L]
|
RewriteRule /(.*) ws://frigatepi.local:8971/$1 [P,L]
|
||||||
RewriteCond %{HTTP:Upgrade} !=websocket [NC]
|
RewriteCond %{HTTP:Upgrade} !=websocket [NC]
|
||||||
RewriteRule /(.*) http://frigatepi.local:8080/$1 [P,L]
|
RewriteRule /(.*) http://frigatepi.local:8971/$1 [P,L]
|
||||||
</VirtualHost>
|
</VirtualHost>
|
||||||
```
|
```
|
||||||
|
|
||||||
@ -101,7 +101,7 @@ This is set in `$server` and `$port` this should match your ports you have expos
|
|||||||
server {
|
server {
|
||||||
set $forward_scheme http;
|
set $forward_scheme http;
|
||||||
set $server "192.168.100.2"; # FRIGATE SERVER LOCATION
|
set $server "192.168.100.2"; # FRIGATE SERVER LOCATION
|
||||||
set $port 8080;
|
set $port 8971;
|
||||||
|
|
||||||
listen 80;
|
listen 80;
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
|
@ -637,7 +637,7 @@ def vod_event(id):
|
|||||||
# If the recordings are not found and the event started more than 5 minutes ago, set has_clip to false
|
# If the recordings are not found and the event started more than 5 minutes ago, set has_clip to false
|
||||||
if (
|
if (
|
||||||
event.start_time < datetime.now().timestamp() - 300
|
event.start_time < datetime.now().timestamp() - 300
|
||||||
and type(vod_response) == tuple
|
and type(vod_response) is tuple
|
||||||
and len(vod_response) == 2
|
and len(vod_response) == 2
|
||||||
and vod_response[1] == 404
|
and vod_response[1] == 404
|
||||||
):
|
):
|
||||||
|
@ -116,7 +116,7 @@ class UIConfig(FrigateBaseModel):
|
|||||||
|
|
||||||
|
|
||||||
class TlsConfig(FrigateBaseModel):
|
class TlsConfig(FrigateBaseModel):
|
||||||
enabled: bool = Field(default=True, title="Enable TLS for port 8080")
|
enabled: bool = Field(default=True, title="Enable TLS for port 8971")
|
||||||
|
|
||||||
|
|
||||||
class HeaderMappingConfig(FrigateBaseModel):
|
class HeaderMappingConfig(FrigateBaseModel):
|
||||||
|
Loading…
Reference in New Issue
Block a user