Add networking options for configuring listening ports (#21779)

2026-03-07 02:18:07 +01:00 · 2026-01-28 06:27:46 -08:00
parent 0a19d95af5
commit 6f7ef2779e
18 changed files with 200 additions and 130 deletions
--- a/docker/main/rootfs/etc/s6-overlay/s6-rc.d/certsync/run
+++ b/docker/main/rootfs/etc/s6-overlay/s6-rc.d/certsync/run
@@ -10,7 +10,8 @@ echo "[INFO] Starting certsync..."

 lefile="/etc/letsencrypt/live/frigate/fullchain.pem"

-tls_enabled=`python3 /usr/local/nginx/get_listen_settings.py | jq -r .tls.enabled`
+tls_enabled=`python3 /usr/local/nginx/get_nginx_settings.py | jq -r .tls.enabled`
+listen_external_port=`python3 /usr/local/nginx/get_nginx_settings.py | jq -r .listen.external_port`

 while true
 do
@@ -34,7 +35,7 @@ do
            ;;
    esac

-    liveprint=`echo | openssl s_client -showcerts -connect 127.0.0.1:8971 2>&1 | openssl x509 -fingerprint 2>&1 | grep -i fingerprint  || echo 'failed'`
+    liveprint=`echo | openssl s_client -showcerts -connect 127.0.0.1:$listen_external_port 2>&1 | openssl x509 -fingerprint 2>&1 | grep -i fingerprint  || echo 'failed'`

    case "$liveprint" in
        *Fingerprint*)
@@ -55,4 +56,4 @@ do

 done

-exit 0
+exit 0
--- a/docker/main/rootfs/etc/s6-overlay/s6-rc.d/nginx/run
+++ b/docker/main/rootfs/etc/s6-overlay/s6-rc.d/nginx/run
@@ -80,14 +80,14 @@ if [ ! \( -f "$letsencrypt_path/privkey.pem" -a -f "$letsencrypt_path/fullchain.
 fi

 # build templates for optional FRIGATE_BASE_PATH environment variable
-python3 /usr/local/nginx/get_base_path.py | \
+python3 /usr/local/nginx/get_nginx_settings.py | \
    tempio -template /usr/local/nginx/templates/base_path.gotmpl \
-       -out /usr/local/nginx/conf/base_path.conf
+           -out /usr/local/nginx/conf/base_path.conf

-# build templates for optional TLS support
-python3 /usr/local/nginx/get_listen_settings.py | \
-    tempio  -template /usr/local/nginx/templates/listen.gotmpl \
-            -out /usr/local/nginx/conf/listen.conf
+# build templates for additional network settings
+python3 /usr/local/nginx/get_nginx_settings.py | \
+    tempio -template /usr/local/nginx/templates/listen.gotmpl \
+           -out /usr/local/nginx/conf/listen.conf

 # Replace the bash process with the NGINX process, redirecting stderr to stdout
 exec 2>&1
--- a/docker/main/rootfs/usr/local/nginx/get_base_path.py
+++ b/docker/main/rootfs/usr/local/nginx/get_base_path.py
@@ -1,11 +0,0 @@
-"""Prints the base path as json to stdout."""
-
-import json
-import os
-from typing import Any
-
-base_path = os.environ.get("FRIGATE_BASE_PATH", "")
-
-result: dict[str, Any] = {"base_path": base_path}
-
-print(json.dumps(result))
--- a/docker/main/rootfs/usr/local/nginx/get_listen_settings.py
+++ b/docker/main/rootfs/usr/local/nginx/get_listen_settings.py
@@ -1,35 +0,0 @@
-"""Prints the tls config as json to stdout."""
-
-import json
-import sys
-from typing import Any
-
-from ruamel.yaml import YAML
-
-sys.path.insert(0, "/opt/frigate")
-from frigate.util.config import find_config_file
-
-sys.path.remove("/opt/frigate")
-
-yaml = YAML()
-
-config_file = find_config_file()
-
-try:
-    with open(config_file) as f:
-        raw_config = f.read()
-
-    if config_file.endswith((".yaml", ".yml")):
-        config: dict[str, Any] = yaml.load(raw_config)
-    elif config_file.endswith(".json"):
-        config: dict[str, Any] = json.loads(raw_config)
-except FileNotFoundError:
-    config: dict[str, Any] = {}
-
-tls_config: dict[str, any] = config.get("tls", {"enabled": True})
-networking_config = config.get("networking", {})
-ipv6_config = networking_config.get("ipv6", {"enabled": False})
-
-output = {"tls": tls_config, "ipv6": ipv6_config}
-
-print(json.dumps(output))
--- a/docker/main/rootfs/usr/local/nginx/get_nginx_settings.py
+++ b/docker/main/rootfs/usr/local/nginx/get_nginx_settings.py
@@ -0,0 +1,62 @@
+"""Prints the nginx settings as json to stdout."""
+
+import json
+import os
+import sys
+from typing import Any
+
+from ruamel.yaml import YAML
+
+sys.path.insert(0, "/opt/frigate")
+from frigate.util.config import find_config_file
+
+sys.path.remove("/opt/frigate")
+
+yaml = YAML()
+
+config_file = find_config_file()
+
+try:
+    with open(config_file) as f:
+        raw_config = f.read()
+
+    if config_file.endswith((".yaml", ".yml")):
+        config: dict[str, Any] = yaml.load(raw_config)
+    elif config_file.endswith(".json"):
+        config: dict[str, Any] = json.loads(raw_config)
+except FileNotFoundError:
+    config: dict[str, Any] = {}
+
+tls_config: dict[str, Any] = config.get("tls", {})
+tls_config.setdefault("enabled", True)
+
+networking_config: dict[str, Any] = config.get("networking", {})
+ipv6_config: dict[str, Any] = networking_config.get("ipv6", {})
+ipv6_config.setdefault("enabled", False)
+
+listen_config: dict[str, Any] = networking_config.get("listen", {})
+listen_config.setdefault("internal", 5000)
+listen_config.setdefault("external", 8971)
+
+# handle case where internal port is a string with ip:port
+internal_port = listen_config["internal"]
+if type(internal_port) is str:
+    internal_port = int(internal_port.split(":")[-1])
+listen_config["internal_port"] = internal_port
+
+# handle case where external port is a string with ip:port
+external_port = listen_config["external"]
+if type(external_port) is str:
+    external_port = int(external_port.split(":")[-1])
+listen_config["external_port"] = external_port
+
+base_path = os.environ.get("FRIGATE_BASE_PATH", "")
+
+result: dict[str, Any] = {
+    "tls": tls_config,
+    "ipv6": ipv6_config,
+    "listen": listen_config,
+    "base_path": base_path,
+}
+
+print(json.dumps(result))
--- a/docker/main/rootfs/usr/local/nginx/templates/base_path.gotmpl
+++ b/docker/main/rootfs/usr/local/nginx/templates/base_path.gotmpl
@@ -7,7 +7,7 @@ location ^~ {{ .base_path }}/ {
    # remove base_url from the path before passing upstream
    rewrite ^{{ .base_path }}/(.*) /$1 break;

-    proxy_pass $scheme://127.0.0.1:8971;
+    proxy_pass $scheme://127.0.0.1:{{ .listen.external_port }};
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
--- a/docker/main/rootfs/usr/local/nginx/templates/listen.gotmpl
+++ b/docker/main/rootfs/usr/local/nginx/templates/listen.gotmpl
@@ -1,45 +1,36 @@
-
 # Internal (IPv4 always; IPv6 optional)
-listen 5000;
-{{ if .ipv6 }}{{ if .ipv6.enabled }}listen [::]:5000;{{ end }}{{ end }}
-
+listen {{ .listen.internal }};
+{{ if .ipv6.enabled }}listen [::]:{{ .listen.internal_port }};{{ end }}

 # intended for external traffic, protected by auth
-{{ if .tls }}
-    {{ if .tls.enabled }}
-        # external HTTPS (IPv4 always; IPv6 optional)
-        listen 8971 ssl;
-        {{ if .ipv6 }}{{ if .ipv6.enabled }}listen [::]:8971 ssl;{{ end }}{{ end }}
+{{ if .tls.enabled }}
+    # external HTTPS (IPv4 always; IPv6 optional)
+    listen {{ .listen.external }} ssl;
+    {{ if .ipv6.enabled }}listen [::]:{{ .listen.external_port }} ssl;{{ end }}

-        ssl_certificate /etc/letsencrypt/live/frigate/fullchain.pem;
-        ssl_certificate_key /etc/letsencrypt/live/frigate/privkey.pem;
+    ssl_certificate /etc/letsencrypt/live/frigate/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/frigate/privkey.pem;

-        # generated 2024-06-01, Mozilla Guideline v5.7, nginx 1.25.3, OpenSSL 1.1.1w, modern configuration, no OCSP
-        # https://ssl-config.mozilla.org/#server=nginx&version=1.25.3&config=modern&openssl=1.1.1w&ocsp=false&guideline=5.7
-        ssl_session_timeout 1d;
-        ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
-        ssl_session_tickets off;
+    # generated 2024-06-01, Mozilla Guideline v5.7, nginx 1.25.3, OpenSSL 1.1.1w, modern configuration, no OCSP
+    # https://ssl-config.mozilla.org/#server=nginx&version=1.25.3&config=modern&openssl=1.1.1w&ocsp=false&guideline=5.7
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
+    ssl_session_tickets off;

-        # modern configuration
-        ssl_protocols TLSv1.3;
-        ssl_prefer_server_ciphers off;
+    # modern configuration
+    ssl_protocols TLSv1.3;
+    ssl_prefer_server_ciphers off;

-        # HSTS (ngx_http_headers_module is required) (63072000 seconds)
-        add_header Strict-Transport-Security "max-age=63072000" always;
+    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+    add_header Strict-Transport-Security "max-age=63072000" always;

-        # ACME challenge location
-        location /.well-known/acme-challenge/ {
-                default_type "text/plain";
-                root /etc/letsencrypt/www;
-        }
-    {{ else }}
-        # external HTTP (IPv4 always; IPv6 optional)
-        listen 8971;
-        {{ if .ipv6 }}{{ if .ipv6.enabled }}listen [::]:8971;{{ end }}{{ end }}
-    {{ end }}
+    # ACME challenge location
+    location /.well-known/acme-challenge/ {
+            default_type "text/plain";
+            root /etc/letsencrypt/www;
+    }
 {{ else }}
-    # (No tls section) default to HTTP (IPv4 always; IPv6 optional)
-    listen 8971;
-    {{ if .ipv6 }}{{ if .ipv6.enabled }}listen [::]:8971;{{ end }}{{ end }}
+    # (No tls) default to HTTP (IPv4 always; IPv6 optional)
+    listen {{ .listen.external }};
+    {{ if .ipv6.enabled }}listen [::]:{{ .listen.external_port }};{{ end }}
 {{ end }}
-