mirror of
https://github.com/blakeblackshear/frigate.git
synced 2025-08-31 13:48:19 +02:00
Enable Optional IPv6 Support for Nginx (#19602)
This commit is contained in:
scyto
GitHub
parent
0309090852
commit
83e9ae616a
@ -10,7 +10,7 @@ echo "[INFO] Starting certsync..."
|
|||||||
|
|
||||||
lefile="/etc/letsencrypt/live/frigate/fullchain.pem"
|
lefile="/etc/letsencrypt/live/frigate/fullchain.pem"
|
||||||
|
|
||||||
tls_enabled=`python3 /usr/local/nginx/get_tls_settings.py | jq -r .enabled`
|
tls_enabled=`python3 /usr/local/nginx/get_listen_settings.py | jq -r .enabled`
|
||||||
|
|
||||||
while true
|
while true
|
||||||
do
|
do
|
||||||
|
|||||||
@ -85,7 +85,7 @@ python3 /usr/local/nginx/get_base_path.py | \
|
|||||||
-out /usr/local/nginx/conf/base_path.conf
|
-out /usr/local/nginx/conf/base_path.conf
|
||||||
|
|
||||||
# build templates for optional TLS support
|
# build templates for optional TLS support
|
||||||
python3 /usr/local/nginx/get_tls_settings.py | \
|
python3 /usr/local/nginx/get_listen_settings.py | \
|
||||||
tempio -template /usr/local/nginx/templates/listen.gotmpl \
|
tempio -template /usr/local/nginx/templates/listen.gotmpl \
|
||||||
-out /usr/local/nginx/conf/listen.conf
|
-out /usr/local/nginx/conf/listen.conf
|
||||||
|
|
||||||
|
|||||||
@ -26,6 +26,10 @@ try:
|
|||||||
except FileNotFoundError:
|
except FileNotFoundError:
|
||||||
config: dict[str, Any] = {}
|
config: dict[str, Any] = {}
|
||||||
|
|
||||||
tls_config: dict[str, Any] = config.get("tls", {"enabled": True})
|
tls_config: dict[str, any] = config.get("tls", {"enabled": True})
|
||||||
|
networking_config = config.get("networking", {})
|
||||||
|
ipv6_config = networking_config.get("ipv6", {"enabled": False})
|
||||||
|
|
||||||
print(json.dumps(tls_config))
|
output = {"tls": tls_config, "ipv6": ipv6_config}
|
||||||
|
|
||||||
|
print(json.dumps(output))
|
||||||
@ -1,33 +1,45 @@
|
|||||||
# intended for internal traffic, not protected by auth
|
|
||||||
|
# Internal (IPv4 always; IPv6 optional)
|
||||||
listen 5000;
|
listen 5000;
|
||||||
|
{{ if .ipv6 }}{{ if .ipv6.enabled }}listen [::]:5000;{{ end }}{{ end }}
|
||||||
|
|
||||||
|
|
||||||
{{ if not .enabled }}
|
|
||||||
# intended for external traffic, protected by auth
|
# intended for external traffic, protected by auth
|
||||||
listen 8971;
|
{{ if .tls }}
|
||||||
|
{{ if .tls.enabled }}
|
||||||
|
# external HTTPS (IPv4 always; IPv6 optional)
|
||||||
|
listen 8971 ssl;
|
||||||
|
{{ if .ipv6 }}{{ if .ipv6.enabled }}listen [::]:8971 ssl;{{ end }}{{ end }}
|
||||||
|
|
||||||
|
ssl_certificate /etc/letsencrypt/live/frigate/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/frigate/privkey.pem;
|
||||||
|
|
||||||
|
# generated 2024-06-01, Mozilla Guideline v5.7, nginx 1.25.3, OpenSSL 1.1.1w, modern configuration, no OCSP
|
||||||
|
# https://ssl-config.mozilla.org/#server=nginx&version=1.25.3&config=modern&openssl=1.1.1w&ocsp=false&guideline=5.7
|
||||||
|
ssl_session_timeout 1d;
|
||||||
|
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
|
||||||
|
ssl_session_tickets off;
|
||||||
|
|
||||||
|
# modern configuration
|
||||||
|
ssl_protocols TLSv1.3;
|
||||||
|
ssl_prefer_server_ciphers off;
|
||||||
|
|
||||||
|
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
|
||||||
|
add_header Strict-Transport-Security "max-age=63072000" always;
|
||||||
|
|
||||||
|
# ACME challenge location
|
||||||
|
location /.well-known/acme-challenge/ {
|
||||||
|
default_type "text/plain";
|
||||||
|
root /etc/letsencrypt/www;
|
||||||
|
}
|
||||||
|
{{ else }}
|
||||||
|
# external HTTP (IPv4 always; IPv6 optional)
|
||||||
|
listen 8971;
|
||||||
|
{{ if .ipv6 }}{{ if .ipv6.enabled }}listen [::]:8971;{{ end }}{{ end }}
|
||||||
|
{{ end }}
|
||||||
{{ else }}
|
{{ else }}
|
||||||
# intended for external traffic, protected by auth
|
# (No tls section) default to HTTP (IPv4 always; IPv6 optional)
|
||||||
listen 8971 ssl;
|
listen 8971;
|
||||||
|
{{ if .ipv6 }}{{ if .ipv6.enabled }}listen [::]:8971;{{ end }}{{ end }}
|
||||||
ssl_certificate /etc/letsencrypt/live/frigate/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/letsencrypt/live/frigate/privkey.pem;
|
|
||||||
|
|
||||||
# generated 2024-06-01, Mozilla Guideline v5.7, nginx 1.25.3, OpenSSL 1.1.1w, modern configuration, no OCSP
|
|
||||||
# https://ssl-config.mozilla.org/#server=nginx&version=1.25.3&config=modern&openssl=1.1.1w&ocsp=false&guideline=5.7
|
|
||||||
ssl_session_timeout 1d;
|
|
||||||
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
|
|
||||||
ssl_session_tickets off;
|
|
||||||
|
|
||||||
# modern configuration
|
|
||||||
ssl_protocols TLSv1.3;
|
|
||||||
ssl_prefer_server_ciphers off;
|
|
||||||
|
|
||||||
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
|
|
||||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
|
||||||
|
|
||||||
# ACME challenge location
|
|
||||||
location /.well-known/acme-challenge/ {
|
|
||||||
default_type "text/plain";
|
|
||||||
root /etc/letsencrypt/www;
|
|
||||||
}
|
|
||||||
{{ end }}
|
{{ end }}
|
||||||
|
|
||||||
|
|||||||
@ -73,6 +73,12 @@ tls:
|
|||||||
# Optional: Enable TLS for port 8971 (default: shown below)
|
# Optional: Enable TLS for port 8971 (default: shown below)
|
||||||
enabled: True
|
enabled: True
|
||||||
|
|
||||||
|
# Optional: IPv6 configuration
|
||||||
|
networking:
|
||||||
|
# Optional: Enable IPv6 on 5000, and 8971 if tls is configured (default: shown below)
|
||||||
|
ipv6:
|
||||||
|
enabled: False
|
||||||
|
|
||||||
# Optional: Proxy configuration
|
# Optional: Proxy configuration
|
||||||
proxy:
|
proxy:
|
||||||
# Optional: Mapping for headers from upstream proxies. Only used if Frigate's auth
|
# Optional: Mapping for headers from upstream proxies. Only used if Frigate's auth
|
||||||
|
|||||||
@ -64,6 +64,7 @@ from .database import DatabaseConfig
|
|||||||
from .env import EnvVars
|
from .env import EnvVars
|
||||||
from .logger import LoggerConfig
|
from .logger import LoggerConfig
|
||||||
from .mqtt import MqttConfig
|
from .mqtt import MqttConfig
|
||||||
|
from .network import NetworkingConfig
|
||||||
from .proxy import ProxyConfig
|
from .proxy import ProxyConfig
|
||||||
from .telemetry import TelemetryConfig
|
from .telemetry import TelemetryConfig
|
||||||
from .tls import TlsConfig
|
from .tls import TlsConfig
|
||||||
@ -334,6 +335,9 @@ class FrigateConfig(FrigateBaseModel):
|
|||||||
notifications: NotificationConfig = Field(
|
notifications: NotificationConfig = Field(
|
||||||
default_factory=NotificationConfig, title="Global notification configuration."
|
default_factory=NotificationConfig, title="Global notification configuration."
|
||||||
)
|
)
|
||||||
|
networking: NetworkingConfig = Field(
|
||||||
|
default_factory=NetworkingConfig, title="Networking configuration"
|
||||||
|
)
|
||||||
proxy: ProxyConfig = Field(
|
proxy: ProxyConfig = Field(
|
||||||
default_factory=ProxyConfig, title="Proxy configuration."
|
default_factory=ProxyConfig, title="Proxy configuration."
|
||||||
)
|
)
|
||||||
|
|||||||
13
frigate/config/network.py
Normal file
13
frigate/config/network.py
Normal file
@ -0,0 +1,13 @@
|
|||||||
|
from pydantic import Field
|
||||||
|
|
||||||
|
from .base import FrigateBaseModel
|
||||||
|
|
||||||
|
__all__ = ["IPv6Config", "NetworkingConfig"]
|
||||||
|
|
||||||
|
|
||||||
|
class IPv6Config(FrigateBaseModel):
|
||||||
|
enabled: bool = Field(default=False, title="Enable IPv6 for port 5000 and/or 8971")
|
||||||
|
|
||||||
|
|
||||||
|
class NetworkingConfig(FrigateBaseModel):
|
||||||
|
ipv6: IPv6Config = Field(default_factory=IPv6Config, title="Network configuration")
|
||||||
Loading…
Reference in New Issue
Block a user