[Support]: Instructions for adding a nginx reverse proxy with ssl+auth

[nbartos]

Describe the problem you are having

Since the frigate web interface does not support ssl or auth, I am trying to setup a nginx reverse proxy on a sub-url (e.g. https://server/frigate) of an nginx instance I'm already using for other things, however I can't get it to work. I just end up getting an empty page.

Home assistant has direct access to the frigate container on port 5000 and I don't intend on changing that, I just want to add a way for a web browser to access frigate using ssl+auth. Ideally I'd really like to set it up at https://server/frigate instead of having nginx listen on another port and putting it at the root (e.g. https://server:10000/).

I've been looking through all the documentation, but I can't find any reference to trying to do this.

Version

0.10.0-DB1255A

Frigate config file

database:
  path: /db/frigate.db

mqtt:
  host: mosquitto-hostname
  user: mosquitto-user
  password: mosquitto-password

birdseye:
  mode: continuous

ffmpeg:
  output_args:
    record: -f segment -segment_time 10 -segment_format mp4 -reset_timestamps 1 -strftime 1 -c copy -codec:a aac

objects:
  track:
    - person
    - cat

record:
  enabled: true
  retain:
    days: 30
  events:
    max_seconds: 1800
    pre_capture: 15
    post_capture: 15
    retain:
      default: 30

snapshots:
  enabled: true
  timestamp: true
  bounding_box: true
  retain:
    default: 30

cameras:
  Front Door:
    ffmpeg:
      inputs:
        - path: rtsp://rtsp-user:rtsp-password@front-door-camera:554/cam/realmonitor?channel=1&subtype=0
          roles:
            - record
        - path: rtsp://rtsp-user:rtsp-password@front-door-camera:554/cam/realmonitor?channel=1&subtype=2
          roles:
            - detect
            - rtmp
    detect:
      width: 1280
      height: 720
      fps: 5
    objects:
      filters:
        person:
          mask:
            - 806,0,744,370,314,380,330,0
  Garage:
    ffmpeg:
      inputs:
        - path: rtsp://rtsp-user:rtsp-password@garage-camera:554/cam/realmonitor?channel=1&subtype=0
          roles:
            - record
        - path: rtsp://rtsp-user:rtsp-password@garage-camera:554/cam/realmonitor?channel=1&subtype=2
          roles:
            - detect
            - rtmp
    detect:
      width: 1280
      height: 720
      fps: 5
    objects:
      filters:
        person:
          mask:
            - 0,0,1280,0,1176,103,1129,311,900,201,0,529
        car:
          mask:
            - 0,0,1280,0,1176,103,1129,311,900,201,0,529
      track:
        - person
        - cat
        - car

Relevant log output

N/A

FFprobe output from your camera

Metadata:
    title           : Media Server
  Duration: N/A, start: 0.015000, bitrate: N/A
    Stream #0:0: Video: h264 (High), yuv420p(progressive), 3840x2160, 20 fps, 50 tbr, 90k tbn, 40 tbc
    Stream #0:1: Audio: aac (LC), 8000 Hz, mono, fltp

Frigate stats

{"Front Door":{"camera_fps":5.1,"capture_pid":233,"detection_fps":0.0,"pid":230,"process_fps":5.1,"skipped_fps":0.0},"Garage":{"camera_fps":5.1,"capture_pid":236,"detection_fps":0.0,"pid":232,"process_fps":5.1,"skipped_fps":0.0},"detection_fps":0.0,"detectors":{"cpu":{"detection_start":0.0,"inference_speed":38.2,"pid":224}},"service":{"storage":{"/dev/shm":{"free":1070.0,"mount_type":"tmpfs","total":1073.7,"used":3.8},"/media/frigate/clips":{"free":2233567.6,"mount_type":"btrfs","total":6001156.7,"used":3757209.2},"/media/frigate/recordings":{"free":2233567.6,"mount_type":"btrfs","total":6001156.7,"used":3757209.2},"/tmp/cache":{"free":995.5,"mount_type":"tmpfs","total":1000.0,"used":4.5}},"temperatures":{},"uptime":46543,"version":"0.10.0-db1255a"}}

Operating system

Other Linux

Install method

Docker Compose

Coral version

CPU (no coral)

Network connection

Wired

Camera make and model

Amcrest IP8M-T2669EW-AI

Any other information that may be helpful

No response

[NickM-27]

I have this with my setup using Nginx Proxy Manager. Do you have frigate running as a HASS addon or separate?

[nbartos]

Separate

[NickM-27]

Alright, so you have proxy host setup to forward with an access list, when you try to access the page does it show http auth popup or blank screen without that?

[nbartos]

I haven't even added in the auth component yet. I was just trying to get an instance of the reverse proxy working. Really just an example nginx config is what I'm looking for.

[NickM-27]

Okay, perhaps I am confused. You shouldn't have to do anything within frigate itself to get this working. Just setup a proxy host that points to the IP & port that frigate is running on, request an SSL cert, and you are on your way.

[nbartos]

Yes no change should be needed in frigate, however, just doing the basics in nginx doesn't work like it does for all the other unrelated services I am doing reverse proxy for.

  location /frigate {
    include proxy_params;
    proxy_pass http://192.168.1.3:5000;
}

[nbartos]

If you have it working, can you share the relevant sections of your nginx config file?

[NickM-27]

Interesting, I have been doing things via the GUI of Nginx Proxy Manager docker. I will try to parse out my config file and see what I can find.

One thing I can say off the bat is that instead of doing /frigate, I use separate subdomains for HASS and Frigate

frigate.maindomain.abc so that might be part of it as well.

[nbartos]

Ah yea, doing it at / actually ends up working. Trying to get it working under the same domain but /frigate is the problem. Making that work likely would require a frigate change so the embedded html will start at /frigate instead of /, although at this time it seems like frigate doesn't support that. Or at least I can't find anything that seems to be related in the frigate config docs.

[blakeblackshear]

It supports it. You have to insert a header to tell it to rewrite paths. Example

[nbartos]

I cannot get it to work using the example:

location /frigate/ {
  proxy_set_header Host $host;
  proxy_set_header X-Ingress-Path "/frigate";
  proxy_set_header X-Forwarded-Scheme $scheme;
  proxy_set_header X-Forwarded-Proto $scheme;
  proxy_set_header X-Forwarded-For $remote_addr;
  proxy_pass http://192.168.1.3:5000/;
  proxy_http_version 1.1;
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection "upgrade";
}

I tried using curl to test. This returns the content:

curl http://192.168.1.3:5000/dist/index.BcZG-b2319Xx.js

This returns a 404:

curl -H 'X-Ingress-Path: /frigate' http://192.168.1.3:5000/frigate/dist/index.BcZG-b2319Xx.js

This also returns the content:

curl -H 'X-Ingress-Path: /frigate' http://192.168.1.3:5000/dist/index.BcZG-b2319Xx.js

So it seams that header isn't actually doing anything. Am I missing something, or could there perhaps be a regression in 0.10.0-beta6-amd64?

[blakeblackshear]

It's definitely working. That's how the ingress works for the homeassistant addon. If it wasn't working, there would be dozens of issues about it.

[blakeblackshear]

Am I missing something

You are thinking about it wrong. That header tells nginx in frigate to rewrite the contents in the file returned, not change the path that works. Try hitting the main html page with that header and looking at the returned file. You will see the references to js, css, etc are all now under the path you passed in the header.

[nbartos]

Ah so somehow I was missing the trailing slash on the proxy_pass line. I'm sure I had it there at some point, I guess I was changing too many things. Anyway, it does work now. Thanks!

[nbartos]

I did find one small issue. When this is done, clicking around in the frigate UI results in the URL in the URL bar being changed to something that doesn't actually work, as it doesn't add in the /frigate prefix. There is only a problem if the browser refresh button is hit, which will of course result in a 404 since the URL is wrong. I'm guessing there is some javascript changing that URL that isn't respecting the header.

[kevkid]

I did find one small issue. When this is done, clicking around in the frigate UI results in the URL in the URL bar being changed to something that doesn't actually work, as it doesn't add in the /frigate prefix. There is only a problem if the browser refresh button is hit, which will of course result in a 404 since the URL is wrong. I'm guessing there is some javascript changing that URL that isn't respecting the header.

Could it be due it not rewriting? I know I had a very similar issue with jellyfin, but the solution was to change the base url. I suspect a rewrite may help, but I am no expert an nginx

[rici44]

It's definitely working. That's how the ingress works for the homeassistant addon. If it wasn't working, there would be dozens of issues about it.

Hi @blakeblackshear the code for nginx proxy posted by @nbartos (shown bellow) is working but this will expose internal frigate url to outside world even without logging into Home Assistant. Is there any workaround to this problem? I use your great software inside docker compose container and would like to use it in HA on public address.

location /frigate/ {
  proxy_set_header Host $host;
  proxy_set_header X-Ingress-Path "/frigate";
  proxy_set_header X-Forwarded-Scheme $scheme;
  proxy_set_header X-Forwarded-Proto $scheme;
  proxy_set_header X-Forwarded-For $remote_addr;
  proxy_pass http://192.168.1.3:5000/;
  proxy_http_version 1.1;
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection "upgrade";
}

[blakeblackshear]

You can setup basic auth in nginx: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/