Enable Optional IPv6 Support for Nginx (#19602)

2025-08-31 13:48:19 +02:00 · 2025-08-18 16:39:12 -07:00 · 2025-08-18 16:39:12 -07:00 · 83e9ae616a
commit 83e9ae616a
parent 0309090852
7 changed files with 70 additions and 31 deletions
--- a/docker/main/rootfs/etc/s6-overlay/s6-rc.d/certsync/run
+++ b/docker/main/rootfs/etc/s6-overlay/s6-rc.d/certsync/run
@ -10,7 +10,7 @@ echo "[INFO] Starting certsync..."

 lefile="/etc/letsencrypt/live/frigate/fullchain.pem"

-tls_enabled=`python3 /usr/local/nginx/get_tls_settings.py | jq -r .enabled`
+tls_enabled=`python3 /usr/local/nginx/get_listen_settings.py | jq -r .enabled`

 while true
 do
--- a/docker/main/rootfs/etc/s6-overlay/s6-rc.d/nginx/run
+++ b/docker/main/rootfs/etc/s6-overlay/s6-rc.d/nginx/run
@ -85,7 +85,7 @@ python3 /usr/local/nginx/get_base_path.py | \
       -out /usr/local/nginx/conf/base_path.conf

 # build templates for optional TLS support
-python3 /usr/local/nginx/get_tls_settings.py | \
+python3 /usr/local/nginx/get_listen_settings.py | \
    tempio  -template /usr/local/nginx/templates/listen.gotmpl \
            -out /usr/local/nginx/conf/listen.conf

--- a/docker/main/rootfs/usr/local/nginx/get_listen_settings.py
+++ b/docker/main/rootfs/usr/local/nginx/get_listen_settings.py
@ -26,6 +26,10 @@ try:
 except FileNotFoundError:
    config: dict[str, Any] = {}

-tls_config: dict[str, Any] = config.get("tls", {"enabled": True})
+tls_config: dict[str, any] = config.get("tls", {"enabled": True})
+networking_config = config.get("networking", {})
+ipv6_config = networking_config.get("ipv6", {"enabled": False})

-print(json.dumps(tls_config))
+output = {"tls": tls_config, "ipv6": ipv6_config}
+
+print(json.dumps(output))
--- a/docker/main/rootfs/usr/local/nginx/templates/listen.gotmpl
+++ b/docker/main/rootfs/usr/local/nginx/templates/listen.gotmpl
@ -1,12 +1,15 @@
-# intended for internal traffic, not protected by auth
-listen 5000;

-{{ if not .enabled }}
-# intended for external traffic, protected by auth
-listen 8971;
-{{ else }}
+# Internal (IPv4 always; IPv6 optional)
+listen 5000;
+{{ if .ipv6 }}{{ if .ipv6.enabled }}listen [::]:5000;{{ end }}{{ end }}
+
+
 # intended for external traffic, protected by auth
+{{ if .tls }}
+    {{ if .tls.enabled }}
+        # external HTTPS (IPv4 always; IPv6 optional)
        listen 8971 ssl;
+        {{ if .ipv6 }}{{ if .ipv6.enabled }}listen [::]:8971 ssl;{{ end }}{{ end }}

        ssl_certificate /etc/letsencrypt/live/frigate/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/frigate/privkey.pem;
@ -29,5 +32,14 @@ location /.well-known/acme-challenge/ {
                default_type "text/plain";
                root /etc/letsencrypt/www;
        }
+    {{ else }}
+        # external HTTP (IPv4 always; IPv6 optional)
+        listen 8971;
+        {{ if .ipv6 }}{{ if .ipv6.enabled }}listen [::]:8971;{{ end }}{{ end }}
+    {{ end }}
+{{ else }}
+    # (No tls section) default to HTTP (IPv4 always; IPv6 optional)
+    listen 8971;
+    {{ if .ipv6 }}{{ if .ipv6.enabled }}listen [::]:8971;{{ end }}{{ end }}
 {{ end }}

--- a/docs/docs/configuration/reference.md
+++ b/docs/docs/configuration/reference.md
@ -73,6 +73,12 @@ tls:
  # Optional: Enable TLS for port 8971 (default: shown below)
  enabled: True

+# Optional: IPv6 configuration
+networking:
+  # Optional: Enable IPv6 on 5000, and 8971 if tls is configured (default: shown below)
+  ipv6:
+    enabled: False
+
 # Optional: Proxy configuration
 proxy:
  # Optional: Mapping for headers from upstream proxies. Only used if Frigate's auth
--- a/frigate/config/config.py
+++ b/frigate/config/config.py
@ -64,6 +64,7 @@ from .database import DatabaseConfig
 from .env import EnvVars
 from .logger import LoggerConfig
 from .mqtt import MqttConfig
+from .network import NetworkingConfig
 from .proxy import ProxyConfig
 from .telemetry import TelemetryConfig
 from .tls import TlsConfig
@ -334,6 +335,9 @@ class FrigateConfig(FrigateBaseModel):
    notifications: NotificationConfig = Field(
        default_factory=NotificationConfig, title="Global notification configuration."
    )
+    networking: NetworkingConfig = Field(
+        default_factory=NetworkingConfig, title="Networking configuration"
+    )
    proxy: ProxyConfig = Field(
        default_factory=ProxyConfig, title="Proxy configuration."
    )
--- a/frigate/config/network.py
+++ b/frigate/config/network.py
@ -0,0 +1,13 @@
+from pydantic import Field
+
+from .base import FrigateBaseModel
+
+__all__ = ["IPv6Config", "NetworkingConfig"]
+
+
+class IPv6Config(FrigateBaseModel):
+    enabled: bool = Field(default=False, title="Enable IPv6 for port 5000 and/or 8971")
+
+
+class NetworkingConfig(FrigateBaseModel):
+    ipv6: IPv6Config = Field(default_factory=IPv6Config, title="Network configuration")