clarifications for proxy auth mode (#11947)
blakeblackshear committed Jun 13, 2024
1 parent 9514a3d commit 1a0d9e1
Showing 2 changed files with 18 additions and 5 deletions.
16 changes: 11 additions & 5 deletions docs/docs/configuration/authentication.md
Expand Up @@ -9,16 +9,16 @@ title: Authentication

Frigate supports two modes for authentication

| Mode | Description |
| -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `native` | (default) Use this mode if you don't implement authentication with a proxy in front of Frigate. |
| `proxy` | Use this mode if you have an existing proxy for authentication. Supports passing authenticated user downstream to Frigate for role-based authorization (future implementation). |
| Mode | Description |
| -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `native` | (default) Use this mode if you don't implement authentication with a proxy in front of Frigate. |
| `proxy` | Turns off Frigate's authentication. Use this mode if you have an existing proxy for authentication. Supports passing authenticated user downstream via common headers to Frigate for role-based authorization (future implementation). |

The following ports are used to access the Frigate webUI

| Port | Description |
| ------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `8080` | Authenticated UI and API access without TLS. Reverse proxies should use this port. |
| `8080` | Authenticated UI and API. Reverse proxies should use this port. |
| `5000` | Internal unauthenticated UI and API access. Access to this port should be limited. Intended to be used within the docker network for services that integrate with Frigate. |

### Native mode
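
Review bot: The new `8080` row still reads "Authenticated UI and API", while the new `proxy` row in the same hunk says that mode "Turns off Frigate's authentication", so in proxy mode port `8080` is only authenticated if the upstream proxy enforces it. Suggest qualifying the row, for example "Authenticated UI and API in `native` mode; in `proxy` mode authentication is the proxy's responsibility", so readers do not expose `8080` directly on the assumption that Frigate checks credentials there. The `proxy` row could also make clear whether "(future implementation)" applies to the header passing or only to role-based authorization.
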
Expand Down Expand Up @@ -84,6 +84,12 @@ Changing the secret will invalidate current tokens.

Proxy mode is designed to complement common upstream authentication proxies such as Authelia, Authentik, oauth2_proxy, or traefik-forward-auth.

:::danger

Note that using proxy mode disables authentication checks in Frigate. This mode will pass headers so Frigate can be aware of the logged in user from the upstream proxy, but it does not validate that the request came from your proxy. If the proxy resides on a different device, you should consider using firewall rules or a VPN between Frigate and the proxy if the network is insecure.

:::

#### Header mapping

If your proxy supports passing a header with the authenticated username, you can use the `header_map` config to specify the header name so it is passed to Frigate. For example, the following will map the `X-Forwarded-User` value. Header names are not case sensitive.
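
Review bot: The mitigation in the `:::danger` block is conditional ("If the proxy resides on a different device ... if the network is insecure"), yet the sentence before it says Frigate "does not validate that the request came from your proxy", which holds wherever the proxy runs. Suggest stating unconditionally that in proxy mode the Frigate port should be reachable only from the proxy, and keeping the firewall or VPN advice as the way to achieve that across devices. Since the next section maps a request header such as `X-Forwarded-User` to the user, it is also worth a sentence telling operators to have the proxy set that header itself and discard any copy sent by the client.
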
7 changes: 7 additions & 0 deletions docs/docs/configuration/tls.md
Expand Up @@ -9,6 +9,13 @@ Frigate's integrated NGINX server supports TLS certificates. By default Frigate

Frigate is often running behind a reverse proxy that manages TLS certificates for multiple services. You will likely need to set your reverse proxy to allow self signed certificates or you can disable TLS in Frigate's config. However, if you are running on a dedicated device that's separate from your proxy or if you expose Frigate directly to the internet, you may want to configure TLS with valid certificates.

In many deployments, TLS will be unnecessary. It can be disabled in the config with the following yaml:

```yaml
tls:
enabled: False
```

## Certificates

TLS certificates can be mounted at `/etc/letsencrypt/live/frigate` using a bind mount or docker volume.
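
Review bot: "In many deployments, TLS will be unnecessary" does not say which deployments, and it follows a paragraph that recommends valid certificates when Frigate runs on a device separate from the proxy or is exposed directly to the internet. Suggest tying the statement to the case the previous paragraph describes, a reverse proxy that manages TLS in front of Frigate, and noting that with `enabled: False` the hop between proxy and Frigate is unencrypted, including any user headers forwarded in proxy mode. Minor: as rendered here `enabled` is not indented under `tls:`, so check that the source keeps it nested, and lowercase `false` is the more common YAML spelling.
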