improve tls implementation (#11690)

* improve tls implementation * update docs
2025-09-26 19:41:29 +08:00 · 2024-06-02 07:48:28 -05:00
parent beefc51361
commit e431031112
13 changed files with 92 additions and 37 deletions
--- a/docker/main/rootfs/usr/local/nginx/conf/nginx.conf
+++ b/docker/main/rootfs/usr/local/nginx/conf/nginx.conf
@@ -59,20 +59,10 @@ http {
    include go2rtc_upstream.conf;

    server {
-        listen [::]:80 ipv6only=off default_server;
-
-        location / {
-            return 301 https://$host$request_uri;
-        }
-    }
-
-    server {
-        # intended for external traffic, protected by auth
-        listen [::]:8080 ipv6only=off;
        # intended for internal traffic, not protected by auth
        listen [::]:5000 ipv6only=off;

-        include tls.conf;
+        include listen.conf;

        # vod settings
        vod_base_url '';
--- a/docker/main/rootfs/usr/local/nginx/get_tls_settings.py
+++ b/docker/main/rootfs/usr/local/nginx/get_tls_settings.py
@@ -0,0 +1,28 @@
+"""Prints the tls config as json to stdout."""
+
+import json
+import os
+
+import yaml
+
+config_file = os.environ.get("CONFIG_FILE", "/config/config.yml")
+
+# Check if we can use .yaml instead of .yml
+config_file_yaml = config_file.replace(".yml", ".yaml")
+if os.path.isfile(config_file_yaml):
+    config_file = config_file_yaml
+
+try:
+    with open(config_file) as f:
+        raw_config = f.read()
+
+    if config_file.endswith((".yaml", ".yml")):
+        config: dict[str, any] = yaml.safe_load(raw_config)
+    elif config_file.endswith(".json"):
+        config: dict[str, any] = json.loads(raw_config)
+except FileNotFoundError:
+    config: dict[str, any] = {}
+
+tls_config: dict[str, any] = config.get("tls", {})
+
+print(json.dumps(tls_config))
--- a/docker/main/rootfs/usr/local/nginx/templates/listen.gotmpl
+++ b/docker/main/rootfs/usr/local/nginx/templates/listen.gotmpl
@@ -1,5 +1,9 @@
-keepalive_timeout   70;
-listen [::]:443 ipv6only=off default_server ssl;
+{{ if not .enabled }}
+# intended for external traffic, protected by auth
+listen [::]:8080 ipv6only=off;
+{{ else }}
+# intended for external traffic, protected by auth
+listen [::]:8080 ipv6only=off ssl;

 ssl_certificate /etc/letsencrypt/live/frigate/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/frigate/privkey.pem;
@@ -22,3 +26,5 @@ location /.well-known/acme-challenge/ {
    default_type "text/plain";
    root /etc/letsencrypt/www;
 }
+{{ end }}
+