Introduction to a Self Managed Life: a 13 hour & 28 minute presentation by FUTO software
== Step 6: Making Frigate Secure ==

<blockquote>'''NOTE:''' (if the complexities of docker networking confuse you, skip ahead to “steps”)</blockquote>

Newer frigate has username/password authentication, but it is so useless you will not want to ever log into it. That isn’t helpful. Older frigate has no authentication, so anyone who goes to <code>http://192.168.5.2:5000</code> on your local network has admin access to everything. They can stop recording, delete recordings, have your setup record [https://en.wikipedia.org/wiki/Goatse.cx goatse], etc. '''VERY BAD'''.

Further complicating things, our Frigate plugin on Home Assistant, at <code>192.168.5.4</code>, needs to communicate with <code>192.168.5.2</code> on port 5000 in order to grab Frigate’s camera setup – WITHOUT authentication. The communication to grab the camera setup is separate from the mqtt traffic. :( This makes it difficult to secure versions of Frigate that have a functioning UI.

We can set up <code>nginx</code> as a reverse proxy: it receives all traffic on ports 80 & 443, redirects plain <code>http://</code> requests to <code>https://</code>, and forwards the traffic on to Frigate on port 5000. We can add username/password authentication using <code>nginx</code> here, so that people need a password to view it. Then, we can block port 5000 by binding Frigate to only work on localhost. But this means that Home Assistant won’t be able to connect to it – since it’s running on another machine. '''F&^!'''

* Plan to set up username/password authentication for Frigate:
** Use <code>iptables</code> to allow all traffic to port 5000 from <code>127.0.0.1</code> (localhost, the computer running Frigate), so that <code>nginx</code> can connect to Frigate.
** Allow all traffic from <code>192.168.5.4</code>, our Home Assistant virtual machine, to connect to Frigate on port 5000.
** Block EVERYTHING ELSE on port 5000.
** Set up <code>nginx</code> as a webserver on port 443 with https & ssl.
** Tell <code>nginx</code> that anyone accessing the <code>nginx</code> webserver needs to submit a username & password to get in.
** Tell <code>nginx</code> to show Frigate (port 5000) to anyone who enters that user/pass on port 443.

'''TL;DR'''

* We’re telling everyone who wants to view the cameras they have to enter a username & password.
* This allows you to view your cameras just fine.
* This tells anyone who tries to get into your system without a password to gargle your balls.
* This allows homeassistant to connect without being blocked.

We have to do this on the machine itself: people on our LAN are on the same network as Frigate, so their traffic never passes through the router and rules on the router would not stop them. These rules will be added on <code>192.168.5.2</code>, aka <code>happycloud.home.arpa</code>, our machine that is running Frigate.

<span id="making-iptables-rules"></span>
==== 6.1 Making iptables rules ====

Order matters here: <code>iptables</code> evaluates the INPUT chain top to bottom, so run these commands in the order shown (the two ACCEPT rules must come before the DROP).

Allow established connections (makes https more stable, [https://www.reddit.com/r/radiohead/comments/ovvkrg/understanding_ok_computers_fitter_happier/ fitter, happier, more productive]. Not eating too much):
<pre>sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT</pre>

Allow localhost access to port 5000:
<pre>sudo iptables -A INPUT -i lo -p tcp --dport 5000 -j ACCEPT</pre>

Allow Home Assistant access to port 5000:
<pre>sudo iptables -A INPUT -s 192.168.5.4 -p tcp --dport 5000 -j ACCEPT</pre>

Block all other access to port 5000:
<pre>sudo iptables -A INPUT -p tcp --dport 5000 -j DROP</pre>

Make sure Docker respects these rules:
<pre>sudo iptables -I DOCKER-USER -j RETURN</pre>

Install the <code>iptables-persistent</code> package:
<pre>sudo apt install iptables-persistent</pre>

# During installation, you’ll be asked if you want to save the current iptables rules. Choose Yes.
# If you’re not prompted, you can manually save the rules by running: <code>sudo netfilter-persistent save</code>
# YOU NEED TO INSTALL <code>IPTABLES-PERSISTENT</code> AND TELL IT TO SAVE YOUR RULES OR ELSE YOU HAVE TO RUN THIS EVERY TIME YOU BOOT!

<span id="installing-nginx"></span>
==== 6.2 Installing nginx ====

Next up, it’s time to install nginx & everything necessary for us to have it ask for a username and a password to log in.

<ol style="list-style-type: decimal;">
<li><p>'''Install Nginx:'''</p>
<pre>sudo apt install nginx</pre></li>
<li><p>'''Run the following commands:'''</p>
<pre>sudo apt update
sudo apt install nginx -y</pre></li>
<li><p>'''Create a Self-Signed SSL Certificate.''' Generate the certificate:</p>
<pre>sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt</pre></li></ol>

<blockquote>'''Note:''' For the Common Name (CN), use your local domain (e.g., happycloud.home.arpa).</blockquote>

<ol start="4" style="list-style-type: decimal;">
<li><p>'''Create Strong Diffie-Hellman Group''', makes security and https better, because we totally need more security on a LAN connection nobody else will be able to connect to besides your kid who’s trying to troll you with</p>
<pre>sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048</pre></li>
<li><p>'''Create Password File for Basic Auth.''' Install apache2-utils and create the password file (replace your_username with your desired username):</p>
<pre>sudo apt install apache2-utils
sudo htpasswd -c /etc/nginx/.htpasswd your_username</pre></li></ol>

<span id="configure-nginx"></span>
==== 6.3 Configure Nginx ====

Create a new Nginx configuration file:
<pre>sudo nano /etc/nginx/sites-available/frigate</pre>

If this directory does not exist, you might be using a newer version of nginx, which places configuration files in <code>/etc/nginx/conf.d</code> instead.
Running <code>nginx -v</code> will tell you whether you are using an older version that defaults to [https://www.reddit.com/r/nginx/comments/re8ksm/why_is_sitesenabled_and_sitesavailable_deprecated/ <code>/etc/nginx/sites-available</code> and <code>/etc/nginx/sites-enabled</code>] or a newer version that uses <code>/etc/nginx/conf.d/</code>. In that case, create the file there instead (files in <code>conf.d</code> are only loaded if they end in <code>.conf</code>):
<pre>sudo nano /etc/nginx/conf.d/frigate.conf</pre>

Add the following configuration: remember to replace '''“happycloud.home.arpa”''' as well as '''“192.168.5.2”''' with the hostname & IP address of YOUR server!

<pre>server {
    listen 80;
    server_name happycloud.home.arpa 192.168.5.2;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name happycloud.home.arpa 192.168.5.2;

    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_session_timeout 10m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    auth_basic "Restricted Access";
    auth_basic_user_file /etc/nginx/.htpasswd;

    location / {
        proxy_pass http://127.0.0.1:5000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /ws {
        proxy_pass http://127.0.0.1:5000;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
    }
}</pre>

<blockquote>'''NOTE''': Many open source projects suggest using nginx as a reverse proxy. They are kind & cordial enough to provide their own configuration files for you so you don’t have to write everything above & configure it yourself. While well meaning, many of them set the cipher list (security thingie) manually, a throwback to the days when nginx used to default to insecure ciphers. So you may see old docs by developers that MEANT WELL to provide you a helping hand with stuff like this in their nginx configuration files:</blockquote>

<pre>ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384;</pre>

<blockquote>This is bad. Remove things like this as long as you are using a modern version of nginx. Recommended cipher lists change often, and a list you hard-coded by hand does not get updated when nginx’s defaults do. Also consider politely ''(POLITELY)'' mentioning to the devs who had that in there that this isn’t necessary anymore since nginx no longer defaults to insecure ciphers.</blockquote>

<span id="enable-the-nginx-configuration"></span>
==== 6.4 Enable the Nginx Configuration ====

Enable the configuration and reload Nginx. The commands below do the following:

* <code>sudo ln -s /etc/nginx/sites-available/frigate /etc/nginx/sites-enabled/</code> takes our configuration file out of the “chamber” (sites-available) and puts it into the breech (sites-enabled). A configuration file you place in sites-available will not work unless it is also in sites-enabled. <code>ln -s</code> creates a symlink, similar to how a shortcut works in Windows.
* <code>nginx -t</code> checks our configuration file for errors.
* <code>sudo systemctl reload nginx</code> allows nginx to load a new configuration file ''without'' shutting down.

<pre>sudo ln -s /etc/nginx/sites-available/frigate /etc/nginx/sites-enabled/
sudo nginx -t # This checks if config is bad & tells us what we did wrong
sudo systemctl reload nginx</pre>

<span id="test-frigate-does-it-require-userpass"></span>
==== 6.5 Test Frigate; does it require user/pass? ====

* Log into <code>http://192.168.5.2:5000</code> from other computers on your LAN. If it doesn’t work, you did good.
* Your nephew can no longer replace your cameras with goatse.
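If other computers on your LAN can still reach port 5000 after this, the usual cause is rule order: the DROP from 6.1 ended up above one of the ACCEPTs, or is missing altogether. The script below is an added example (not part of the original guide) that reads the output of <code>iptables -S INPUT</code> and checks that order; it assumes Home Assistant is at 192.168.5.4 as in the guide, and ships with constructed samples so you can see what a good and a bad chain look like.

```shell
#!/bin/sh
# Check that the port-5000 rules from step 6.1 are in the right order.
# Added example, not from the original guide. iptables walks INPUT top to
# bottom: a DROP above an ACCEPT (e.g. added with -I instead of -A) locks out
# nginx or Home Assistant; a missing DROP leaves port 5000 open to the LAN.
HA_IP="${HA_IP:-192.168.5.4}"   # Home Assistant VM, as in the guide

# check_port5000_order: reads `iptables -S INPUT` output on stdin and
# returns 0 only when both ACCEPTs for port 5000 precede the bare DROP.
check_port5000_order() {
    awk -v ha="$HA_IP" '
        /--dport 5000/ {
            n++                                   # position among port-5000 rules
            if ($0 ~ /-j ACCEPT/ && $0 ~ /-i lo/)             lo = n
            if ($0 ~ /-j ACCEPT/ && index($0, "-s " ha))      ha_ok = n
            if ($0 ~ /-j DROP/ && $0 !~ /-s / && $0 !~ /-i /) drop = n
        }
        END {
            if (!lo || !ha_ok || !drop) { print "FAIL: a port-5000 rule is missing"; exit 1 }
            if (lo < drop && ha_ok < drop) { print "OK: both ACCEPTs precede the DROP"; exit 0 }
            print "FAIL: the DROP is listed before an ACCEPT"; exit 1
        }'
}

# Constructed sample of what `sudo iptables -S INPUT` prints after 6.1
# (iptables normalises -s 192.168.5.4 to /32 and adds "-m tcp").
SAMPLE_GOOD='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -p tcp -m tcp --dport 5000 -j ACCEPT
-A INPUT -s 192.168.5.4/32 -p tcp -m tcp --dport 5000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5000 -j DROP'

# Constructed sample of the mistake: the DROP was inserted at the top with -I.
SAMPLE_BAD='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 5000 -j DROP
-A INPUT -i lo -p tcp -m tcp --dport 5000 -j ACCEPT
-A INPUT -s 192.168.5.4/32 -p tcp -m tcp --dport 5000 -j ACCEPT'

# Run with --live on the Frigate host to check the real chain; otherwise demo.
if [ "${1:-}" = "--live" ]; then
    sudo iptables -S INPUT | check_port5000_order
else
    printf '%s\n' "$SAMPLE_GOOD" | check_port5000_order
    printf '%s\n' "$SAMPLE_BAD" | check_port5000_order || true   # expected to fail
fi
```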
<span id="make-sure-home-assistant-still-connects-to-frigate."></span>
==== 6.6 Make sure Home Assistant still connects to Frigate. ====

# Go over to Home Assistant at <code>http://192.168.5.4:8123</code> or <code>http://homeassistant.home.arpa</code>
# Go to '''Settings → Devices & Integrations → Frigate'''
# Click the '''“ADD DEVICE”''' blue button on the bottom right
# Enter the IP or hostname, along with the port, of the machine running Frigate on port 5000, like so: <code>http://192.168.5.2:5000</code> or <code>http://happycloud.home.arpa:5000</code>
# Click '''SUBMIT'''.
# If Home Assistant’s Frigate plugin can find your cameras by connecting to Frigate on port 5000, but no other computer on your LAN can, YOU DID GOOD.
# Go to http://192.168.5.2 – it should auto-redirect you to SSL https://192.168.5.2 & then ask for username & password.
# Enter your username & password.
# If you are now in Frigate, you done good.

<span id="replacing-google-drive-photos-docs-sheets-keep"></span>
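The checks in 6.5 and the last three steps of 6.6 can be run from the command line of another machine on the LAN. The script below is an added example (not part of the original guide): it assumes the guide’s hostname and IP (<code>happycloud.home.arpa</code> / <code>192.168.5.2</code>) and a placeholder <code>your_username:your_password</code> for the htpasswd account, all overridable through environment variables, and keeps the PASS/FAIL decision in <code>judge</code> so it can be exercised without touching the network.

```shell
#!/bin/sh
# Probe the hardened Frigate host from ANOTHER machine on the LAN and judge
# whether port 5000 is blocked, port 80 redirects, and nginx demands a password.
# Added example, not from the original guide; names below are the guide's.
HOST="${FRIGATE_HOST:-happycloud.home.arpa}"
IP="${FRIGATE_IP:-192.168.5.2}"
USERPASS="${FRIGATE_USERPASS:-your_username:your_password}"   # placeholder creds

# http_status URL [extra curl options]: prints the HTTP status code, or
# "conn-fail" when no connection could be made (refused, or timed out because
# iptables silently DROPs the packets). -k accepts the self-signed certificate.
http_status() {
    url=$1; shift
    code=$(curl -sk -o /dev/null -w '%{http_code}' --max-time 5 "$@" "$url") \
        || { printf 'conn-fail\n'; return 0; }
    printf '%s\n' "$code"
}

# judge PORT5000 HTTP80 HTTPS_NOAUTH HTTPS_AUTH: returns 0 only when all four
# probe results match the expected post-hardening state; prints what is off.
judge() {
    ok=0
    [ "$1" = conn-fail ] || { echo "FAIL: port 5000 answers the LAN ($1); iptables rules not in effect"; ok=1; }
    [ "$2" = 301 ]       || { echo "FAIL: port 80 gave $2, expected a 301 redirect to https"; ok=1; }
    [ "$3" = 401 ]       || { echo "FAIL: https without credentials gave $3, expected 401"; ok=1; }
    [ "$4" = 200 ]       || { echo "FAIL: https with credentials gave $4, expected 200"; ok=1; }
    [ "$ok" -eq 0 ] && echo "PASS: Frigate is only reachable through nginx with a password"
    return "$ok"
}

# run_probes: performs the four probes against the real host and judges them.
run_probes() {
    judge "$(http_status "http://$IP:5000/")" \
          "$(http_status "http://$HOST/")" \
          "$(http_status "https://$HOST/")" \
          "$(http_status "https://$HOST/" -u "$USERPASS")"
}

# Only touch the network when asked:  sh check-frigate.sh --run
if [ "${1:-}" = "--run" ]; then
    run_probes
fi
```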