Frigate: User Authentication with HAProxy on pfSense

May 18, 2023

So when setting up Frigate I realized that it is not secure and does not support any type of authentication. Therefore, it allowed anyone in without any security checks. Well, I shut that down right away. So, then I wondered about Authentication with HAProxy. I have used it in the past to authenticate the HAProxy Stats page. Finally, I found this post that outlined it perfectly for use in pfSense.

Step 1 – Create Custom Password Encryption

First, create the special password with and example hash. I used debian to create this hash.

Install whois

It may be needed to install whois package. Like below

sudo apt install whois

Create Password Hash

Once installed then use mkpasswd to create the password hash.

printf "TheSuperSecretPasswordHere" | mkpasswd --stdin --method=sha-512

This will generate the following

apauna@MSI:~$ printf “TheSuperSecretPasswordHere” | mkpasswd –stdin –method=sha-512
$6$uQz8XOERPi$ylyDGyzAhXIT3k.PwqhJoIULW21UvhjyHX2zoR.wsLBDLnBvEo3TlYNrClXNh/58w5j/F4DZxfXGPbykTHTDR/

Use the last line and store this in Custom Options.

Step 2 – Modify Settings Custom Options

Add Custom Option on Settings page in pfSense.

In order to use Authentication it is critical to setup special users group like the one below.

userlist UserGroup
user admin password <Password hash from step 1 above>
These two lines have to be the last items in custom options list!!!

Once saved then it is time to modify the backend to use the custom authentications.

Sample of custom options I have setup

You can add as many users as needed for access as you see fit for your application. For Figate I only needed the one user called admin.

Step 3 – Add ACL to backend.

For simplicity, I chose to add acl to the backend in HAProxy. Here is the steps that I did to perform these updates.

Open Backend in Question

Backend to be modified for ACL.

Yes click the pencil to the very right of the backend that you wish to modify.

Dropdown Access control lists and actions item in backend editor.

Example of ACL for Access Control Lists and associated actions

Note the name and Custom acl: dropdown item selected and the associated http_auth(UserGroup) Note: usergroup shown here is set in step 2 above so use the same name here as what was set in step 2. In my case it is called “UserGroup”

Example of Access control table itself from above image.
Example of ACL Action that associates acl to “UserGroup” realm unless it is BackendAccess authenticated. Again this should match the user group name setup in step 2 above.

Conclusion

So far, this is working well for creating some level of authentication around Frigate. Now, I can finally expose it to the wild and see what happens. I will update this post with any new findings related to HAProxy and Frigate. Hope you the best!

apauna

🌐

Leave a Reply

Your email address will not be published. Required fields are marked *