Help with HTTPS

[PrestonMcAfee]

My situation: I have Frigate running on a dedicated i5 mini-PC, 2 USB corals, 4TB SSD. It runs great, all metrics green. Frigate runs in a docker container on Ubuntu 24.04. I have HAOS running on an N100 PC. I have Nabu Casa so I can reach the N100 over HTTPS. I have a Ubiquiti cloud gateway as a router. I use port forwarding to reach Frigate but currently that only works over HTTP.

I would like to reach Frigate over HTTPS.

If I set TLS: enabled: True and restart the docker, I can't reach Frigate at all. I've only succeeded with TLS not enabled, suggested by the guide.

I spent a full day trying to reach the Frigate machine securely with cloudflare zero trust (my DNS provider, and webhost via R2) without success -- cloudflare reported it was connected but the URL wouldn't reach Frigate (error 400). I've now spent hours looking at NGINX configuration but am stymied because I just want to access Frigate securely over port 8971; I don't want to direct all incoming traffic (port 80!) to the Frigate PC because some traffic goes to the home assistant PC, and indeed I occasionally go remotely to my office PC via Remmina, and it seems like all that would be diverted to the wrong machine. I'm aware that a reverse proxy can direct traffic to these machines but I need a much easier introduction that won't immediately break what I have now. (A link might be an answer.) Caddy seems promising.

I also realize I just don't understand how this works.

So if you have a "here's a gentle explanation" or "how to get TLS enabled working in Frigate" (beyond "maybe you don't need it"), please post. After a long time on Reddit, it is clear that some others have related difficulties.

BTW, the reason I want to reach Frigate securely is so I can enable notifications and be alerted when two of my cameras detect a person. Person detection works so amazingly well -- zero of either type of error -- that I'm ready to notify, but for that I need HTTPS.

I anticipate receiving 'you should run Frigate inside HAOS.' Maybe so. I have this configuration because for over a decade I used Blue Iris, which really needs its own machine. I installed home assistant years ago so naturally they ran on separate machines. Frigate needs a more powerful machine than my HAOS installation requires and an advantage of my current arrangement is that if one goes down, the other is unaffected. But that would be a solution since then I could use HA notifications which already work.

Sorry for the long post. I understand so little about HTTPS that I don't even know how to ask.

[NickM-27]

If you want to reach Frigate securely you will likely want to setup something like cloudflare, ddns, tailscale, etc. Having TLS in Frigate won't help that, and with any of these solutions they will provide TLS and you'll want to leave Frigate's disabled

[PrestonMcAfee]

I'm going to report how I resolved my issue -- without resolving the HTTPS issue -- and close.

I had not connected Frigate with Home Assistant but this was easy to do. Indeed, the hard thing was that reading how to do it made me try to take a lot of unnecessary steps. If you have HACS already working, it is just a few clicks to install MQTT and then Mosquitto broker in HA. I thought I had to install a separate broker and then connect HA to it, but HA operates the broker. So the only remaining step is to connect Frigate to HA. Here again I tried to make this harder than necessary (a continuing theme is that there is a config for docker and a config for Frigate; only the config for Frigate is involved, not the docker-compose but I guessed wrong about which config).

Connecting Frigate to HA produced 566 entities, letting me e.g. take an action, including notifications, when a person is detected when they are unexpected, but also turning on lights. So the reason I was trying to get HTTPS is now moot, and I will return to trying cloudflare zero trust when I have the time.

Frigate is really an amazing piece of software and I am so much happier with it than I was with Blue Iris. Probably first is the ease of just editing a YAML file to change the camera settings. No .bvr files, everything in mp4. No need for Windows and its obnoxious ads. Great person and car detection.