implement auth via new external port

docker/main/rootfs/usr/local/nginx/conf/auth_location.conf

@@ -15,7 +15,7 @@ location /auth {
     # Pass info about the request
     proxy_set_header X-Original-Method $request_method;
     proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
-    proxy_set_header X-Forwarded-For $remote_addr;
+    proxy_set_header X-Server-Port $server_port;
     proxy_set_header Content-Length "";
     # Pass along auth related info
     proxy_set_header Authorization $http_authorization;

docker/main/rootfs/usr/local/nginx/conf/nginx.conf

@@ -62,6 +62,9 @@ http {
     }
 
     server {
+        # intended for external traffic, protected by auth
+        listen [::]:8080 ipv6only=off;
+        # intended for internal traffic, not protected by auth
         listen [::]:5000 ipv6only=off;
 
         # vod settings
@@ -268,8 +271,7 @@ http {
             }
 
             location /api/version {
-                # dont auth the healthcheck endpoint
+                include auth_request.conf;
-                auth_request off;
                 access_log off;
                 rewrite ^/api(/.*)$ $1 break;
                 proxy_pass http://frigate_api;

frigate/api/auth.py

@@ -127,6 +127,11 @@ def set_jwt_cookie(response, cookie_name, encoded_jwt, expiration):
 def auth():
     success_response = make_response({}, 202)
 
+    # dont require auth if the request is on the internal port
+    # this header is set by Frigate's nginx proxy, so it cant be spoofed
+    if request.headers.get("x-server-port", 0, type=int) == 5000:
+        return success_response
+
     fail_response = make_response({}, 401)
     fail_response.headers["location"] = "/login"