So when setting up Frigate I realized that it is not secure and does not support any type of authentication. Therefore, it allowed anyone in without any security checks. Well, I shut that down right away. So, then I wondered about Authentication with HAProxy. I have used it in the past to authenticate the HAProxy Stats page. Finally, I found this post that outlined it perfectly for use in pfSense.
Step 1 – Create Custom Password Encryption
First, create the special password with and example hash. I used debian to create this hash.
Install whois
It may be needed to install whois package. Like below
sudo apt install whoisCreate Password Hash
Once installed then use mkpasswd to create the password hash.
printf "TheSuperSecretPasswordHere" | mkpasswd --stdin --method=sha-512This will generate the following
apauna@MSI:~$ printf “TheSuperSecretPasswordHere” | mkpasswd –stdin –method=sha-512
$6$uQz8XOERPi$ylyDGyzAhXIT3k.PwqhJoIULW21UvhjyHX2zoR.wsLBDLnBvEo3TlYNrClXNh/58w5j/F4DZxfXGPbykTHTDR/
Use the last line and store this in Custom Options.
Step 2 – Modify Settings Custom Options
In order to use Authentication it is critical to setup special users group like the one below.
userlist UserGroup
user admin password <Password hash from step 1 above>
Once saved then it is time to modify the backend to use the custom authentications.
You can add as many users as needed for access as you see fit for your application. For Figate I only needed the one user called admin.
Step 3 – Add ACL to backend.
For simplicity, I chose to add acl to the backend in HAProxy. Here is the steps that I did to perform these updates.
Open Backend in Question
Yes click the pencil to the very right of the backend that you wish to modify.
Dropdown Access control lists and actions item in backend editor.
Note the name and Custom acl: dropdown item selected and the associated http_auth(UserGroup) Note: usergroup shown here is set in step 2 above so use the same name here as what was set in step 2. In my case it is called “UserGroup”
Conclusion
So far, this is working well for creating some level of authentication around Frigate. Now, I can finally expose it to the wild and see what happens. I will update this post with any new findings related to HAProxy and Frigate. Hope you the best!