frigate/docs/docs/configuration/tls.md
Josh Hawkins 5a5d23b503
Docs refactor (#22703)
* add generation script

a script to read yaml code blocks from docs markdown files and generate corresponding "Frigate UI" tab instructions based on the json schema, i18n, section configs (hidden fields), and nav mappings

* first pass

* components

* add to gitignore

* second pass

* fix broken anchors

* fixes

* clean up tabs

* version bump

* tweaks

* remove role mapping config from ui
2026-03-30 10:36:45 -06:00


id: tls
title: TLS

import ConfigTabs from "@site/src/components/ConfigTabs";
import TabItem from "@theme/TabItem";
import NavPath from "@site/src/components/NavPath";

TLS

Frigate's integrated NGINX server supports TLS certificates. By default, Frigate generates a self-signed certificate that is used for port 8971. Frigate is designed to make it easy to use whatever tool you prefer to manage certificates.

Frigate is often run behind a reverse proxy that manages TLS certificates for multiple services. In that case, you will likely need to either set your reverse proxy to allow self-signed certificates or disable TLS in Frigate's config. However, if you are running on a dedicated device that's separate from your proxy, or if you expose Frigate directly to the internet, you may want to configure TLS with valid certificates.

In many deployments, TLS will be unnecessary. Disable it as follows:

Navigate to .

  • Set Enable TLS to off if running behind a reverse proxy that handles TLS (default: on)

tls:
  enabled: False

Certificates

TLS certificates can be mounted at /etc/letsencrypt/live/frigate using a bind mount or docker volume.

frigate:
  ...
  volumes:
    - /path/to/your/certificate_folder:/etc/letsencrypt/live/frigate:ro
  ...

Within the folder, the private key is expected to be named privkey.pem and the certificate is expected to be named fullchain.pem.

Note that certbot uses symlinks, and those can't be followed by the container unless it has access to the targets as well, so if using certbot you'll also have to mount the archive folder for your domain, e.g.:

frigate:
  ...
  volumes:
    - /etc/letsencrypt/live/your.fqdn.net:/etc/letsencrypt/live/frigate:ro
    - /etc/letsencrypt/archive/your.fqdn.net:/etc/letsencrypt/archive/your.fqdn.net:ro
  ...
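A pre-flight check for the symlink problem described above, added here as an example and not part of Frigate: given the bind mounts as (host path, container path) pairs, it follows each expected file the way the container will and reports any link target that falls outside every mount. The function names are hypothetical, the sample tree is constructed, and it assumes the certbot layout in which only the .pem files (not their directories) are symlinks.

```python
import os
import tempfile
from posixpath import dirname, join, normpath  # container paths are always POSIX

CONTAINER_LIVE = "/etc/letsencrypt/live/frigate"  # mount point named in the docs
EXPECTED = ("privkey.pem", "fullchain.pem")       # file names Frigate expects

def to_host(container_path, mounts):
    """Map a container path to a host path through the bind mounts, else None."""
    for host, cont in sorted(mounts, key=lambda m: -len(m[1])):
        cont = cont.rstrip("/")
        if container_path == cont or container_path.startswith(cont + "/"):
            return host.rstrip("/") + container_path[len(cont):]
    return None

def check_mounts(mounts, max_hops=8):
    """Return a list of problems; an empty list means both files resolve."""
    problems = []
    for name in EXPECTED:
        path = join(CONTAINER_LIVE, name)
        for _ in range(max_hops):
            host = to_host(path, mounts)
            if host is None:
                problems.append(f"{name}: {path} is not inside any mount")
            elif os.path.islink(host):
                # Resolve relative to the link's directory inside the container.
                path = normpath(join(dirname(path), os.readlink(host)))
                continue
            elif not os.path.isfile(host):
                problems.append(f"{name}: {host} does not exist on the host")
            break
        else:
            problems.append(f"{name}: more than {max_hops} symlink hops")
    return problems

def build_sample_tree(root, domain="your.fqdn.net"):
    """Constructed sample: certbot-style live/ and archive/ dirs; returns mounts."""
    live, archive = (os.path.join(root, d, domain) for d in ("live", "archive"))
    os.makedirs(live)
    os.makedirs(archive)
    for name in EXPECTED:
        versioned = name.replace(".pem", "1.pem")
        open(os.path.join(archive, versioned), "w").close()
        os.symlink(f"../../archive/{domain}/{versioned}", os.path.join(live, name))
    return [(live, CONTAINER_LIVE), (archive, f"/etc/letsencrypt/archive/{domain}")]

if __name__ == "__main__":
    mounts = build_sample_tree(tempfile.mkdtemp())
    print(check_mounts(mounts[:1]))  # only live/ mounted
    print(check_mounts(mounts))      # live/ and archive/ mounted
```

With only the live folder mounted, both files are reported because their targets resolve to /etc/letsencrypt/archive/your.fqdn.net inside the container, which is why the archive mount must use that exact container path.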

Frigate automatically compares the fingerprint of the certificate at /etc/letsencrypt/live/frigate/fullchain.pem against the fingerprint of the TLS cert in NGINX every minute. If these differ, the NGINX config is reloaded to pick up the updated certificate.

If you issue Frigate valid certificates, you will likely want to run it on port 443 so that you can access it without a port number, like https://your-frigate-domain.com. Do this by mapping 8971 to 443.

frigate:
  ...
  ports:
    - "443:8971"
  ...

ACME Challenge

Frigate also supports hosting the ACME challenge files for the HTTP challenge method if needed. The challenge files should be mounted at /etc/letsencrypt/www.