Auth! (#11347)

* reload the window on 401 * backend apis for auth * add login page * re-enable web linter * fix login page routing * bypass csrf for internal auth endpoint * disable healthcheck in devcontainer target * include login page in vite build * redirect to login page on 401 * implement config for users and settings * implement JWT actual secret * add brute force protection on login * add support for redirecting from auth failures on api calls * return location for redirect * default cookie name should pass regex test * set hash iterations to current OWASP recommendation * move users to database instead of config * config option to reset admin password on startup * user management UI * check for deleted user on refresh * validate username and fixes * remove password constraint * cleanup * fix user check on refresh * web fixes * implement auth via new external port * use x-forwarded-for to rate limit login attempts by ip * implement logout and profile * fixes * lint fixes * add support for user passthru from upstream proxies * add support for specifying a logout url * add documentation * Update docs/docs/configuration/authentication.md Co-authored-by: Nicolas Mowen <nickmowen213@gmail.com> * Update docs/docs/configuration/authentication.md Co-authored-by: Nicolas Mowen <nickmowen213@gmail.com> --------- Co-authored-by: Nicolas Mowen <nickmowen213@gmail.com>
2025-09-26 19:41:29 +08:00 · 2024-05-18 11:36:13 -05:00
parent a70dd02788
commit 1133202cbd
48 changed files with 2541 additions and 833 deletions
--- a/docker/main/Dockerfile
+++ b/docker/main/Dockerfile
@@ -233,6 +233,8 @@ RUN apt-get update \
 RUN --mount=type=bind,source=./docker/main/requirements-dev.txt,target=/workspace/frigate/requirements-dev.txt \
    pip3 install -r requirements-dev.txt

+HEALTHCHECK NONE
+
 CMD ["sleep", "infinity"]


--- a/docker/main/build_nginx.sh
+++ b/docker/main/build_nginx.sh
@@ -5,6 +5,8 @@ set -euxo pipefail
 NGINX_VERSION="1.25.3"
 VOD_MODULE_VERSION="1.31"
 SECURE_TOKEN_MODULE_VERSION="1.5"
+SET_MISC_MODULE_VERSION="v0.33"
+NGX_DEVEL_KIT_VERSION="v0.3.3"

 cp /etc/apt/sources.list /etc/apt/sources.list.d/sources-src.list
 sed -i 's|deb http|deb-src http|g' /etc/apt/sources.list.d/sources-src.list
@@ -49,13 +51,27 @@ wget https://github.com/kaltura/nginx-secure-token-module/archive/refs/tags/${SE
 tar -zxf ${SECURE_TOKEN_MODULE_VERSION}.tar.gz -C /tmp/nginx-secure-token-module --strip-components=1
 rm ${SECURE_TOKEN_MODULE_VERSION}.tar.gz

+mkdir /tmp/ngx_devel_kit
+wget https://github.com/vision5/ngx_devel_kit/archive/refs/tags/${NGX_DEVEL_KIT_VERSION}.tar.gz
+tar -zxf ${NGX_DEVEL_KIT_VERSION}.tar.gz -C /tmp/ngx_devel_kit --strip-components=1
+rm ${NGX_DEVEL_KIT_VERSION}.tar.gz
+
+mkdir /tmp/nginx-set-misc-module
+wget https://github.com/openresty/set-misc-nginx-module/archive/refs/tags/${SET_MISC_MODULE_VERSION}.tar.gz
+tar -zxf ${SET_MISC_MODULE_VERSION}.tar.gz -C /tmp/nginx-set-misc-module --strip-components=1
+rm ${SET_MISC_MODULE_VERSION}.tar.gz
+
 cd /tmp/nginx

 ./configure --prefix=/usr/local/nginx \
    --with-file-aio \
    --with-http_sub_module \
    --with-http_ssl_module \
+    --with-http_auth_request_module \
+    --with-http_realip_module \
    --with-threads \
+    --add-module=../ngx_devel_kit \
+    --add-module=../nginx-set-misc-module \
    --add-module=../nginx-vod-module \
    --add-module=../nginx-secure-token-module \
    --with-cc-opt="-O3 -Wno-error=implicit-fallthrough"
--- a/docker/main/requirements-wheels.txt
+++ b/docker/main/requirements-wheels.txt
@@ -1,6 +1,8 @@
 click == 8.1.*
 Flask == 3.0.*
+Flask_Limiter == 3.6.*
 imutils == 0.5.*
+joserfc == 0.9.*
 markupsafe == 2.1.*
 matplotlib == 3.8.*
 mypy == 1.6.1
--- a/docker/main/rootfs/usr/local/nginx/conf/auth_location.conf
+++ b/docker/main/rootfs/usr/local/nginx/conf/auth_location.conf
@@ -0,0 +1,43 @@
+set $upstream_auth http://127.0.0.1:5001/auth;
+
+## Virtual endpoint created by nginx to forward auth requests.
+location /auth {
+    ## Essential Proxy Configuration
+    internal;
+    proxy_pass $upstream_auth;
+
+    ## Headers
+
+    # First strip out all the request headers
+    # Note: This is important to ensure that upgrade requests for secure
+    #       websockets dont cause the backend to fail
+    proxy_pass_request_headers off;
+    # Pass info about the request
+    proxy_set_header X-Original-Method $request_method;
+    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+    proxy_set_header X-Server-Port $server_port;
+    proxy_set_header Content-Length "";
+    # Pass along auth related info
+    proxy_set_header Authorization $http_authorization;
+    proxy_set_header Cookie $http_cookie;
+    proxy_set_header X-CSRF-TOKEN "1";
+
+    # include headers from common auth proxies
+    include proxy_trusted_headers.conf;
+
+    ## Basic Proxy Configuration
+    proxy_pass_request_body off;
+    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; # Timeout if the real server is dead
+    proxy_redirect http:// $scheme://;
+    proxy_http_version 1.1;
+    proxy_cache_bypass $cookie_session;
+    proxy_no_cache $cookie_session;
+    proxy_buffers 4 32k;
+    client_body_buffer_size 128k;
+
+    ## Advanced Proxy Configuration
+    send_timeout 5m;
+    proxy_read_timeout 240;
+    proxy_send_timeout 240;
+    proxy_connect_timeout 240;
+}
--- a/docker/main/rootfs/usr/local/nginx/conf/auth_request.conf
+++ b/docker/main/rootfs/usr/local/nginx/conf/auth_request.conf
@@ -0,0 +1,22 @@
+## Send a subrequest to verify if the user is authenticated and has permission to access the resource.
+auth_request /auth;
+
+## Save the upstream metadata response headers from Authelia to variables.
+auth_request_set $user $upstream_http_remote_user;
+auth_request_set $groups $upstream_http_remote_groups;
+auth_request_set $name $upstream_http_remote_name;
+auth_request_set $email $upstream_http_remote_email;
+
+## Inject the metadata response headers from the variables into the request made to the backend.
+proxy_set_header Remote-User $user;
+proxy_set_header Remote-Groups $groups;
+proxy_set_header Remote-Email $email;
+proxy_set_header Remote-Name $name;
+
+## Refresh the cookie as needed
+auth_request_set $auth_cookie $upstream_http_set_cookie;
+add_header Set-Cookie $auth_cookie;
+
+## Pass the location header back up if it exists
+auth_request_set $redirection_url $upstream_http_location;
+add_header Location $redirection_url;
--- a/docker/main/rootfs/usr/local/nginx/conf/nginx.conf
+++ b/docker/main/rootfs/usr/local/nginx/conf/nginx.conf
@@ -62,6 +62,9 @@ http {
    }

    server {
+        # intended for external traffic, protected by auth
+        listen [::]:8080 ipv6only=off;
+        # intended for internal traffic, not protected by auth
        listen [::]:5000 ipv6only=off;

        # vod settings
@@ -95,7 +98,10 @@ http {
        gzip on;
        gzip_types application/vnd.apple.mpegurl;

+        include auth_location.conf;
+
        location /vod/ {
+            include auth_request.conf;
            aio threads;
            vod hls;

@@ -107,6 +113,7 @@ http {
        }

        location /stream/ {
+            include auth_request.conf;
            add_header Cache-Control "no-store";
            expires off;

@@ -121,7 +128,7 @@ http {
        }

        location /clips/ {
-
+            include auth_request.conf;
            types {
                video/mp4 mp4;
                image/jpeg jpg;
@@ -137,6 +144,7 @@ http {
        }

        location /recordings/ {
+            include auth_request.conf;
            types {
                video/mp4 mp4;
            }
@@ -147,6 +155,7 @@ http {
        }

        location /exports/ {
+            include auth_request.conf;
            types {
                video/mp4 mp4;
            }
@@ -157,17 +166,20 @@ http {
        }

        location /ws {
+            include auth_request.conf;
            proxy_pass http://mqtt_ws/;
            include proxy.conf;
        }

        location /live/jsmpeg/ {
+            include auth_request.conf;
            proxy_pass http://jsmpeg/;
            include proxy.conf;
        }

        # frigate lovelace card uses this path
        location /live/mse/api/ws {
+            include auth_request.conf;
            limit_except GET {
                deny  all;
            }
@@ -176,6 +188,7 @@ http {
        }

        location /live/webrtc/api/ws {
+            include auth_request.conf;
            limit_except GET {
                deny  all;
            }
@@ -185,6 +198,7 @@ http {

        # pass through go2rtc player
        location /live/webrtc/webrtc.html {
+            include auth_request.conf;
            limit_except GET {
                deny  all;
            }
@@ -194,6 +208,7 @@ http {

        # frontend uses this to fetch the version
        location /api/go2rtc/api {
+            include auth_request.conf;
            limit_except GET {
                deny  all;
            }
@@ -203,6 +218,7 @@ http {

        # integration uses this to add webrtc candidate
        location /api/go2rtc/webrtc {
+            include auth_request.conf;
            limit_except POST {
                deny  all;
            }
@@ -211,12 +227,14 @@ http {
        }

        location ~* /api/.*\.(jpg|jpeg|png|webp|gif)$ {
+            include auth_request.conf;
            rewrite ^/api/(.*)$ $1 break;
            proxy_pass http://frigate_api;
            include proxy.conf;
        }

        location /api/ {
+            include auth_request.conf;
            add_header Cache-Control "no-store";
            expires off;
            proxy_pass http://frigate_api/;
@@ -231,12 +249,21 @@ http {
            add_header X-Cache-Status $upstream_cache_status;

            location /api/vod/ {
+                include auth_request.conf;
                proxy_pass http://frigate_api/vod/;
                include proxy.conf;
                proxy_cache off;
            }

+            location /api/login {
+                auth_request off;
+                rewrite ^/api(/.*)$ $1 break;
+                proxy_pass http://frigate_api;
+                include proxy.conf;
+            }
+
            location /api/stats {
+                include auth_request.conf;
                access_log off;
                rewrite ^/api(/.*)$ $1 break;
                proxy_pass http://frigate_api;
@@ -244,6 +271,7 @@ http {
            }

            location /api/version {
+                include auth_request.conf;
                access_log off;
                rewrite ^/api(/.*)$ $1 break;
                proxy_pass http://frigate_api;
@@ -252,6 +280,7 @@ http {
        }

        location / {
+            # do not require auth for static assets
            add_header Cache-Control "no-store";
            expires off;

@@ -273,7 +302,7 @@ http {
            sub_filter_once off;

            root /opt/frigate/web;
-            try_files $uri $uri/ /index.html;
+            try_files $uri $uri.html $uri/ /index.html;
        }
    }
 }
--- a/docker/main/rootfs/usr/local/nginx/conf/proxy.conf
+++ b/docker/main/rootfs/usr/local/nginx/conf/proxy.conf
@@ -1,4 +1,26 @@
-proxy_http_version 1.1;
+## Headers
+proxy_set_header Host $host;
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection "Upgrade";
-proxy_set_header Host $host;
+proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Host $http_host;
+proxy_set_header X-Forwarded-URI $request_uri;
+proxy_set_header X-Forwarded-Ssl on;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Real-IP $remote_addr;
+
+## Basic Proxy Configuration
+client_body_buffer_size 128k;
+proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; ## Timeout if the real server is dead.
+proxy_redirect  http://  $scheme://;
+proxy_http_version 1.1;
+proxy_cache_bypass $cookie_session;
+proxy_no_cache $cookie_session;
+proxy_buffers 64 256k;
+
+## Advanced Proxy Configuration
+send_timeout 5m;
+proxy_read_timeout 360;
+proxy_send_timeout 360;
+proxy_connect_timeout 360;
--- a/docker/main/rootfs/usr/local/nginx/conf/proxy_trusted_headers.conf
+++ b/docker/main/rootfs/usr/local/nginx/conf/proxy_trusted_headers.conf
@@ -0,0 +1,22 @@
+# these headers will be copied to the /auth request and are available
+# to be mapped in the config to Frigate's remote-user header
+
+# List of headers sent by common authentication proxies:
+# - Authelia
+# - Traefik forward auth
+# - oauth2_proxy
+# - Authentik
+
+proxy_set_header Remote-User $http_remote_user;
+proxy_set_header Remote-Groups $http_remote_groups;
+proxy_set_header Remote-Email $http_remote_email;
+proxy_set_header Remote-Name $http_remote_name;
+proxy_set_header X-Forwarded-User $http_x_forwarded_user;
+proxy_set_header X-Forwarded-Groups $http_x_forwarded_groups;
+proxy_set_header X-Forwarded-Email $http_x_forwarded_email;
+proxy_set_header X-Forwarded-Preferred-Username $http_x_forwarded_preferred_username;
+proxy_set_header X-authentik-username $http_x_authentik_username;
+proxy_set_header X-authentik-groups $http_x_authentik_groups;
+proxy_set_header X-authentik-email $http_x_authentik_email;
+proxy_set_header X-authentik-name $http_x_authentik_name;
+proxy_set_header X-authentik-uid $http_x_authentik_uid;