frigate: double-proxy auth to inject Remote-Role header
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
parent
818caf88a2
commit
ed71384885
1 changed files with 30 additions and 8 deletions
|
|
@ -2,6 +2,13 @@
|
|||
# Consumes go2rtc streams; no MQTT / Home Assistant dependency.
|
||||
# Authentication delegated to Authelia by hijacking the /auth location
|
||||
# that the upstream Frigate module bakes into every nginx location block.
|
||||
#
|
||||
# The Frigate NixOS module hardcodes `auth_request /auth` + `auth_request_set`
|
||||
# in every nginx location, reading $upstream_http_remote_role from the auth
|
||||
# subrequest response. Authelia doesn't return a Remote-Role header, so we
|
||||
# use a tiny local-only nginx wrapper (port 9092) that proxies to Authelia
|
||||
# and injects `Remote-Role: admin` into the response. The /auth location
|
||||
# then points at the wrapper instead of Authelia directly.
|
||||
{ config, lib, ... }:
|
||||
{
|
||||
config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") {
|
||||
|
|
@ -46,15 +53,34 @@
|
|||
};
|
||||
};
|
||||
|
||||
# Local-only auth wrapper: proxies to Authelia and adds Remote-Role header
|
||||
# so that auth_request_set $role $upstream_http_remote_role gets "admin".
|
||||
services.nginx.virtualHosts."frigate-auth-wrapper" = {
|
||||
listen = [{ addr = "127.0.0.1"; port = 9092; }];
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:9091/api/verify";
|
||||
extraConfig = ''
|
||||
proxy_pass_request_body off;
|
||||
proxy_set_header Content-Length "";
|
||||
proxy_set_header X-Original-URL $http_x_original_url;
|
||||
proxy_set_header X-Forwarded-Method $http_x_forwarded_method;
|
||||
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
|
||||
proxy_set_header X-Forwarded-Host $http_x_forwarded_host;
|
||||
proxy_set_header X-Forwarded-Uri $http_x_forwarded_uri;
|
||||
proxy_set_header X-Forwarded-For $http_x_forwarded_for;
|
||||
add_header Remote-Role admin always;
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."frigate.nordhammer.it" = {
|
||||
useACMEHost = "nordhammer.it";
|
||||
forceSSL = true;
|
||||
|
||||
# The Frigate module puts `auth_request /auth` on every location.
|
||||
# Override that internal /auth location to verify via Authelia
|
||||
# instead of Frigate's built-in auth, so one login covers everything.
|
||||
# Point /auth at the wrapper (9092) instead of Authelia (9091) directly.
|
||||
# The wrapper proxies to Authelia and injects Remote-Role: admin.
|
||||
locations."/auth" = lib.mkForce {
|
||||
proxyPass = "http://127.0.0.1:9091/api/verify";
|
||||
proxyPass = "http://127.0.0.1:9092/";
|
||||
extraConfig = ''
|
||||
internal;
|
||||
proxy_pass_request_body off;
|
||||
|
|
@ -65,10 +91,6 @@
|
|||
proxy_set_header X-Forwarded-Host $http_host;
|
||||
proxy_set_header X-Forwarded-Uri $request_uri;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
|
||||
# Inject admin role into auth response so Frigate's
|
||||
# auth_request_set $role $upstream_http_remote_role picks it up
|
||||
add_header Remote-Role admin;
|
||||
'';
|
||||
};
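Review bot: The wrapper's `add_header Remote-Role admin always;` hands Frigate's admin role to every identity Authelia verifies, so any account the Authelia access-control policy admits to frigate.nordhammer.it becomes a Frigate admin rather than a viewer. If that is intended, the wrapper comment should say so in one line, e.g. `# NOTE: every Authelia-verified user is mapped to Frigate admin; restrict who reaches this host via Authelia's access_control rules.`; otherwise derive the role from the groups Authelia returns, roughly a `map $upstream_http_remote_groups $frigate_role { ~(^|,)admin(,|$) admin; default viewer; }` in `services.nginx.appendHttpConfig` plus `add_header Remote-Role $frigate_role always;` (group header format and Frigate's non-admin role name should be confirmed against the upstream docs). The `always` flag also attaches the header to Authelia's 401/403 responses; harmless because auth_request then denies the request, but a short comment would stop a later reader from dropping it. The same assumption is restated in the file header comment of the first hunk and at the `locations."/auth"` comment, and the /auth location's extraConfig continues past the end of the second hunk.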
|
||||
|
||||
|
|
|
|||