add TLS docs

2026-02-11 13:45:25 +03:00 · 2024-06-01 10:17:52 -05:00 · 2024-06-01 10:17:52 -05:00 · bc708efa35
commit bc708efa35
parent ed743fb0e8
5 changed files with 447 additions and 267 deletions
--- a/docs/docs/configuration/tls.md
+++ b/docs/docs/configuration/tls.md
@ -0,0 +1,34 @@
+---
+id: tls
+title: TLS
+---
+
+# TLS
+
+Frigate's integrated NGINX server supports TLS certificates. By default Frigate will generate a self signed certificate that will be used for port 443. Frigate is designed to make it easy to use whatever tool you prefer to manage certificates.
+
+Frigate is often running behind a reverse proxy that manages TLS certificates for multiple services. However, if you are running on a device that's separate from your proxy or if you expose Frigate directly to the internet, you may want to configure TLS.
+
+## Certificates
+
+TLS certificates can be mounted at `/etc/letsencrypt/live/frigate` using a bind mount or docker volume.
+
+```yaml
+frigate:
+  ...
+  volumes:
+    - /path/to/your/certificate_folder:/etc/letsencrypt/live/frigate
+  ...
+```
+
+Within the folder, the private key is expected to be named `privkey.pem` and the certificate is expected to be named `fullchain.pem`.
+
+Frigate automatically compares the fingerprint of the certificate at `/etc/letsencrypt/live/frigate/fullchain.pem` against the fingerprint of the TLS cert in NGINX every minute. If these differ, the NGINX config is reloaded to pick up the updated certificate.
+
+## ACME Challenge
+
+Frigate also supports hosting the acme challenge files for the HTTP challenge method if needed. The challenge files should be mounted at `/etc/letsencrypt/www`.
+
+## Advanced customization
+
+If you would like to customize the TLS configuration, you can do so by using a bind mount to override `/usr/local/nginx/conf/tls.conf`. Check the source code for the default configuration and modify from there.
--- a/docs/docs/frigate/installation.md
+++ b/docs/docs/frigate/installation.md
@ -34,7 +34,8 @@ The following ports are used by Frigate and can be mapped via docker as required

 | Port   | Description                                                                                                                                                                |
 | ------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `8080` | Authenticated UI and API access. Reverse proxies should use this port.                                                                                                     |
+| `8080` | Authenticated UI and API access without TLS. Reverse proxies should use this port.                                                                                         |
+| `443`  | Authenticated UI and API access with TLS. See the [TLS configuration](/configuration/tls) for more details.                                                                |
 | `5000` | Internal unauthenticated UI and API access. Access to this port should be limited. Intended to be used within the docker network for services that integrate with Frigate. |
 | `8554` | RTSP restreaming. By default, these streams are unauthenticated. Authentication can be configured in go2rtc section of config.                                             |
 | `8555` | WebRTC connections for low latency live views.                                                                                                                             |
@ -44,7 +45,6 @@ The following ports are used by Frigate and can be mapped via docker as required
 Writing to a local disk or external USB drive:

 ```yaml
-version: "3.9"
 services:
  frigate:
    ...
--- a/docs/package-lock.json
+++ b/docs/package-lock.json
--- a/docs/package.json
+++ b/docs/package.json
@ -14,9 +14,9 @@
    "write-heading-ids": "docusaurus write-heading-ids"
  },
  "dependencies": {
-    "@docusaurus/core": "^3.3.2",
-    "@docusaurus/preset-classic": "^3.3.2",
-    "@docusaurus/theme-mermaid": "^3.3.2",
+    "@docusaurus/core": "^3.4.0",
+    "@docusaurus/preset-classic": "^3.4.0",
+    "@docusaurus/theme-mermaid": "^3.4.0",
    "@mdx-js/react": "^3.0.0",
    "clsx": "^2.0.0",
    "prism-react-renderer": "^2.1.0",
@ -37,8 +37,8 @@
    ]
  },
  "devDependencies": {
-    "@docusaurus/module-type-aliases": "^3.3.2",
-    "@docusaurus/types": "^3.3.2",
+    "@docusaurus/module-type-aliases": "^3.4.0",
+    "@docusaurus/types": "^3.4.0",
    "@types/react": "^18.2.79"
  },
  "engines": {
--- a/docs/sidebars.js
+++ b/docs/sidebars.js
@ -52,6 +52,7 @@ module.exports = {
        "configuration/authentication",
        "configuration/hardware_acceleration",
        "configuration/ffmpeg_presets",
+        "configuration/tls",
        "configuration/advanced",
      ],
    },