Skip to main content

TLS

Frigate's integrated NGINX server supports TLS certificates. By default Frigate will generate a self signed certificate that will be used for port 8080. Frigate is designed to make it easy to use whatever tool you prefer to manage certificates.

Frigate is often running behind a reverse proxy that manages TLS certificates for multiple services. You will likely need to set your reverse proxy to allow self signed certificates or you can disable TLS in Frigate's config. However, if you are running on a dedicated device that's separate from your proxy or if you expose Frigate directly to the internet, you may want to configure TLS with valid certificates.

In many deployments, TLS will be unnecessary. It can be disabled in the config with the following yaml:

tls:
enabled: False

Certificates

TLS certificates can be mounted at /etc/letsencrypt/live/frigate using a bind mount or docker volume.

frigate:
...
volumes:
- /path/to/your/certificate_folder:/etc/letsencrypt/live/frigate:ro
...

Within the folder, the private key is expected to be named privkey.pem and the certificate is expected to be named fullchain.pem.

Note that certbot uses symlinks, and those can't be followed by the container unless it has access to the targets as well, so if using certbot you'll also have to mount the archive folder for your domain, e.g.:

frigate:
...
volumes:
- /etc/letsencrypt/live/frigate:/etc/letsencrypt/live/frigate:ro
- /etc/letsencrypt/archive/frigate:/etc/letsencrypt/archive/frigate:ro
...

Frigate automatically compares the fingerprint of the certificate at /etc/letsencrypt/live/frigate/fullchain.pem against the fingerprint of the TLS cert in NGINX every minute. If these differ, the NGINX config is reloaded to pick up the updated certificate.

If you issue Frigate valid certificates you will likely want to configure it to run on port 443 so you can access it without a port number like https://your-frigate-domain.com by mapping 8080 to 443.

frigate:
...
ports:
- "443:8080"
...

ACME Challenge

Frigate also supports hosting the acme challenge files for the HTTP challenge method if needed. The challenge files should be mounted at /etc/letsencrypt/www.