[Config Support]: Frigate doesnt seem to read Auth Headers from Caddy

[longhtran91]

Describe the problem you are having

2025/10/12 14:40:38.989 DEBUG http.handlers.reverse_proxy upstream roundtrip {"upstream": "frigate:8971", "duration": 0.004182904, "request": {"remote_ip": "172.16.110.167", "remote_port": "60833", "client_ip": "172.16.110.167", "proto": "HTTP/2.0", "method": "GET", "host": "fg.domain.com", "uri": "/api/stats", "headers": {"Priority": ["u=1, i"], "Sec-Fetch-Site": ["same-origin"], "Cookie": ["REDACTED"], "X-Forwarded-For": ["172.16.110.167"], "X-Forwarded-Proto": ["https"], "X-Forwarded-Host": ["fg.domain.com"], "Accept": ["*/*"], "Referer": ["https://fg.domain.com/config"], "X-Token-User-Name": ["First Last"], "X-Token-User-Roles": ["viewer super_admin user"], "Sec-Fetch-Mode": ["cors"], "Sec-Fetch-Dest": ["empty"], "Accept-Encoding": ["gzip, deflate, br, zstd"], "Sec-Ch-Ua": ["\"Brave\";v=\"141\", \"Not?A_Brand\";v=\"8\", \"Chromium\";v=\"141\""], "X-Token-User-Email": ["[email protected]"], "X-Token-Subject": ["2a42bf29-4bd4-4a9b-9857-6b82219fadc5"], "Sec-Ch-Ua-Platform": ["\"macOS\""], "Sec-Ch-Ua-Mobile": ["?0"], "User-Agent": ["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36"], "Accept-Language": ["en-US,en;q=0.9"], "X-Cache-Bypass": ["1"], "Via": ["2.0 Caddy"], "X-Csrf-Token": ["1"], "Sec-Gpc": ["1"]}, "tls": {"resumed": false, "version": 772, "cipher_suite": 4865, "proto": "h2", "server_name": "fg.domain.com"}}, "headers": {"Content-Type": ["application/json"], "Content-Length": ["12551"], "Connection": ["keep-alive"], "Server": ["nginx/1.27.4"], "Date": ["Sun, 12 Oct 2025 14:40:38 GMT"]}, "status": 200}

Here is what I see in Caddy. It sends a long with 2 headers
"X-Token-User-Email": ["[email protected]"]
"X-Token-User-Roles": ["viewer super_admin user"]

Here is my Frigate config:

auth:
  enabled: false

proxy:
  default_role: admin
  separator: " "
  header_map:
    user: X-Token-User-Email
    role: X-Token-User-Roles

Frigate couldn't recognize the user or the role from the headers. Am I missing something here? Thank you!

Version

0.16.1

Frigate config file

auth:
  enabled: false

proxy:
  default_role: admin
  separator: " "
  header_map:
    user: X-Token-User-Email
    role: xX-Token-User-Roles

Relevant Frigate log output

NA

Relevant go2rtc log output

NA

Frigate stats

No response

Operating system

Debian

Install method

Docker Compose

docker-compose file or Docker CLI command

networks:
  main-cidr:
    name: main-cidr
    external: true
volumes:
  frigatemedia:
    driver: local
    driver_opts:
      type: nfs
      o: "addr=172.16.100.10,nfsvers=4"
      device: ":/mnt/RAIDZ1-HDD/Frigate"
services:
  frigate:
    container_name: frigate
    networks:
      - main-cidr 
    restart: unless-stopped
    image: ghcr.io/blakeblackshear/frigate:0.16.1-rocm
    cap_add:
      - SYS_ADMIN
    shm_size: "256mb" # update for your cameras based on calculation above
    devices:
      #- /dev/bus/usb:/dev/bus/usb  # Passes the USB Coral, needs to be modified for other versions
      - /dev/apex_0:/dev/apex_0
      - /dev/kfd:/dev/kfd
      - /dev/dri:/dev/dri
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /home/lhtadmin/frigate/config:/config
      - frigatemedia:/media/frigate
      - type: tmpfs # Optional: 1GB of memory, reduces SSD/SD Card wear
        target: /tmp/cache
        tmpfs:
          size: 1000000000
    ports:
      #- "5000:5000"
      - "8971:8971"
      - "8554:8554" # RTSP feeds
      - "8555:8555/tcp" # WebRTC over tcp
      - "8555:8555/udp" # WebRTC over udp
    environment:
      FRIGATE_RTSP_PASSWORD: "password"
      LIBVA_DRIVER_NAME: "radeonsi"
      HSA_OVERRIDE_GFX_VERSION: "9.0.0"

Object Detector

Coral

Screenshots of the Frigate UI's System metrics pages

No response

Any other information that may be helpful

No response

[inkeep-ai-assistant[bot]]

I can see a typo in your configuration that's preventing Frigate from reading the role header correctly.

In your Frigate config, you have:

role: xX-Token-User-Roles

But your Caddy logs show the header as:

"X-Token-User-Roles": ["viewer super_admin user"]

You have an extra "x" at the beginning - it should be:

auth:
  enabled: false

proxy:
  default_role: admin
  separator: " "
  header_map:
    user: X-Token-User-Email
    role: X-Token-User-Roles

However, there's another important consideration. The header X-Token-User-Roles is not one of the default permitted headers in Frigate (1). You may need to ensure this header is properly whitelisted.

The standard header name for roles with proxies is X-Forwarded-Groups (1). If you can configure Caddy to send the role information in the X-Forwarded-Groups header instead, that would be the most compatible approach.

Alternatively, you might need to configure Frigate to accept the custom X-Token-User-Roles header by mounting a custom proxy trusted headers configuration file (2).

📚 Sources:

1. [Support]: proxy.header_map.role isn't applied
2. [Support]: Frigate Proxy Map doesn't include X-Auth-Request-* headers

---

Have another question? Just tag @inkeep.

[longhtran91]

I just realized Frigate only support certain headers, so I have to change from Caddy

		authorization policy mypolicy {
			set auth url /caddy-security/oauth2/generic
			allow roles user
			inject header "X-Forwarded-Email" from email
			inject header "X-Forwarded-Groups" from roles
		}

auth:
  enabled: false

proxy:
  default_role: admin
  separator: ","
  header_map:
    user: X-Forwarded-Email
    role: X-Forwarded-Groups