From 6d6a54c5ae4935c5519fe3a2b70968369afff5f5 Mon Sep 17 00:00:00 2001
From: Blake Blackshear
Date: Wed, 15 May 2024 06:04:14 -0500
Subject: [PATCH] implement auth via new external port
---
 docker/main/rootfs/usr/local/nginx/conf/auth_location.conf | 2 +-
 docker/main/rootfs/usr/local/nginx/conf/nginx.conf | 6 ++++--
 frigate/api/auth.py | 5 +++++
 3 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/docker/main/rootfs/usr/local/nginx/conf/auth_location.conf b/docker/main/rootfs/usr/local/nginx/conf/auth_location.conf
index f6e291de1..75cd6a620 100644
--- a/docker/main/rootfs/usr/local/nginx/conf/auth_location.conf
+++ b/docker/main/rootfs/usr/local/nginx/conf/auth_location.conf
@@ -15,7 +15,7 @@ location /auth {
     # Pass info about the request
     proxy_set_header X-Original-Method $request_method;
     proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
-    proxy_set_header X-Forwarded-For $remote_addr;
+    proxy_set_header X-Server-Port $server_port;
     proxy_set_header Content-Length "";
     # Pass along auth related info
     proxy_set_header Authorization $http_authorization;
diff --git a/docker/main/rootfs/usr/local/nginx/conf/nginx.conf b/docker/main/rootfs/usr/local/nginx/conf/nginx.conf
index e1289c458..546040fc5 100644
--- a/docker/main/rootfs/usr/local/nginx/conf/nginx.conf
+++ b/docker/main/rootfs/usr/local/nginx/conf/nginx.conf
@@ -62,6 +62,9 @@ http {
     }
     server {
+        # intended for external traffic, protected by auth
+        listen [::]:8080 ipv6only=off;
+        # intended for internal traffic, not protected by auth
         listen [::]:5000 ipv6only=off;
         # vod settings
@@ -268,8 +271,7 @@ http {
     }
     location /api/version {
-        # dont auth the healthcheck endpoint
-        auth_request off;
+        include auth_request.conf;
         access_log off;
         rewrite ^/api(/.*)$ $1 break;
         proxy_pass http://frigate_api;
diff --git a/frigate/api/auth.py b/frigate/api/auth.py
index 3635eb4d0..3f11a66b0 100644
--- a/frigate/api/auth.py
+++ b/frigate/api/auth.py
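Review bot: Replacing `proxy_set_header X-Forwarded-For $remote_addr;` with the new `X-Server-Port` line means the `/auth` subrequest no longer carries the client address to the auth handler; if `auth()` or any failed-login logging or rate limiting behind it reads that header, it now sees nothing from this location. If the address is still wanted, keep both lines: `proxy_set_header X-Forwarded-For $remote_addr;` and `proxy_set_header X-Server-Port $server_port;`. Because `proxy_set_header` overwrites any client-supplied value, `X-Server-Port` is trustworthy only on this subrequest path, which is worth stating in the comment: `# Tells the auth handler which listener the request arrived on; overwrites any client-sent value.` The `location /auth` block continues outside the hunk.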
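Review bot: The comment on the new `listen [::]:8080 ipv6only=off;` line says 8080 is protected and 5000 is not, but the only thing enforcing that split is the auth handler trusting `$server_port`, so publishing 5000 beyond the host or a trusted network silently removes authentication for every route served by this `server` block. The comment should say so: `# 5000 must never be published to untrusted networks: requests arriving here are accepted without auth`. The `/api/version` hunk in this file now includes `auth_request.conf` on both listeners, so any healthcheck or internal caller of that endpoint has to use port 5000 to keep working; if a container healthcheck targets 8080 it will start failing with 401. The `server` block continues outside the hunk.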
@@ -127,6 +127,11 @@ def set_jwt_cookie(response, cookie_name, encoded_jwt, expiration):
 def auth():
     success_response = make_response({}, 202)
+    # dont require auth if the request is on the internal port
+    # this header is set by Frigate's nginx proxy, so it cant be spoofed
+    if request.headers.get("x-server-port", 0, type=int) == 5000:
+        return success_response
+
     fail_response = make_response({}, 401)
     fail_response.headers["location"] = "/login"
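Review bot: The early return in `auth()` makes the whole authentication decision hinge on an incoming header, and the added comment `this header is set by Frigate's nginx proxy, so it cant be spoofed` only holds while `auth_location.conf` keeps overwriting `X-Server-Port` with `$server_port` and the listener behind `frigate_api` stays unreachable except through nginx; the comment should name both preconditions so a later change does not silently turn this into an unauthenticated bypass, e.g. `# nginx's /auth location overwrites X-Server-Port with $server_port on every subrequest; safe only while the API port is not reachable directly`. The literal `5000` is also duplicated from the `listen` directive in nginx.conf; a module-level constant such as `INTERNAL_PORT = 5000` with a comment tying it to that directive would keep the two in step. `auth()` continues past the hunk.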