[Support]: How to restrict access to site directories ie /config

[chrislawso]

Describe the problem you are having

I want to block some users from accessing some parts of frigate, for example, https://frigate.address.com/config , and for security purposes to prevent wan access to the config page so that ip addresses, api keys, passwords, etc are not easily accessible. While submitting this post I found another similar post at #10953

I am running caddy in front of frigate and I added the following into the caddy config and this does not help perform the function of blocking access

@blocked {
    path /config
}
respond @blocked 403

When accessing frigate over the authenticated port :8971 through the caddy proxy a user is always directed to https://frigate.address.com/login and after they successfully login then the main live page is loaded https://frigate.address.com/

The frigate web ui is performing some additional javascript functions ie front end routing and page loading on behalf of the browser without performing an actual page load and this circumvents the caddy proxy block.
const ConfigEditor = lazy(() => import("@/pages/ConfigEditor"));
<Route path="/config" element={<ConfigEditor />} />

When a user is logged in and uses the frigate webgui and clicks the settings menu button and then the "Configuration editor" frigate opens the /config page for the user effectively bypassing the above caddy proxy block on /config.

The caddy proxy config posted above only blocks access to /config when a user manually has typed in or pasted in the https://frigate.address.com/config address into the browser url box field and hits enter or when they refresh/reload the page when on this address. In other words, the user can click "Configuration editor" button menu in frigate and the config page will open and then if they press the browser refresh/reload button they will see a 403 error block page.

Are there any methods to restrict certain users from certain page access or is there anything else that can be attempted with the caddy proxy? Are there any methods of restricting access to some other pages ie the Settings>Users page allows any user to set password for any other user and to delete any user.

Version

0.15 beta

What browser(s) are you using?

chrome, firefox, edge

Frigate config file

not relevant to issue

Relevant Frigate log output

not relevant to issue

Relevant go2rtc log output

not relevant to issue

FFprobe output from your camera

not relevant to issue

Frigate stats

No response

Install method

Proxmox via Docker

docker-compose file or Docker CLI command

version: "3.9"
services:
  frigate:
    container_name: frigate
    privileged: true   # this may not be necessary for all setups
    restart: unless-stopped
    image: ghcr.io/blakeblackshear/frigate:stable-tensorrt
    shm_size: "512mb" # update for your cameras based on calculation above
    devices:
      - /dev/nvidia0:/dev/nvidia0
      - /dev/nvidiactl:/dev/nvidiactl
      - /dev/nvidia-uvm-tools:/dev/nvidia-uvm-tools
      - /dev/nvidia-uvm:/dev/nvidia-uvm
     # - /dev/bus/usb:/dev/bus/usb # Passes the USB Coral, needs to be modified for other versions
     # - /dev/apex_0:/dev/apex_0 # Passes a PCIe Coral, follow driver instructions here https://coral.ai/docs/m2/get-started/#2a-on-linux
     # - /dev/video11:/dev/video11 # For Raspberry Pi 4B
      - /dev/dri/renderD128:/dev/dri/renderD128 # For intel hwaccel, needs to be updated for your hardware
    volumes:
      #- /docker/ffmpeg:/usr/lib/btbn-ffmpeg:ro
      - /etc/localtime:/etc/localtime:ro
      - /docker/config:/config
      - /docker/media/frigate:/media/frigate
      - type: tmpfs # Optional: 1GB of memory, reduces SSD/SD Card wear
        target: /tmp/cache
        tmpfs:
          size: 1000000000
    ports:
      - "8971:8971"
      - "5000:5000" # Internal unauthenticated access. Expose carefully.
      - "8554:8554" # RTSP feeds
      - "8555:8555/tcp" # WebRTC over tcp
      - "8555:8555/udp" # WebRTC over udp
    environment:
       FRIGATE_RTSP_PASSWORD: "password"
    deploy:    # <------------- Add this section
      resources:
        reservations:
          devices:
            - driver: nvidia
              device_ids: ['0'] # this is only needed when using multiple GPUs
             # count: 1 # number of GPUs
              capabilities: [gpu]
~                                                                                                                                                                                                                                         
~

Object Detector

TensorRT

Network connection

Wired

Camera make and model

not relevant

Screenshots of the Frigate UI's System metrics pages

No response

Any other information that may be helpful

No response