http-auth port (8971) returns "400 Bad Request" when accessed via Kubernetes ingress

[masantiago]

Environment

• Frigate version: 0.15.2
• Frigate Helm chart: blakeblackshear/frigate 7.8.0
• Ingress controller: Traefik
• Platform: Kubernetes

Problem Description

When configuring Kubernetes ingress to use the http-auth port (8971) instead of the standard http port (5000), requests fail with a 400 Bad
Request error:

400 Bad Request
The plain HTTP request was sent to HTTPS port
nginx/1.25.3

Expected Behavior

The http-auth port (8971) should work correctly when accessed through HTTPS ingress configurations, providing authenticated access to Frigate.

Actual Behavior

• ✅ Port 5000 (http) works perfectly with ingress
• ❌ Port 8971 (http-auth) fails with 400 Bad Request
• Both ports are properly exposed in the Kubernetes service
• Both ports are accessible when connecting directly to pods

Configuration

Helm Values (Working - Port 5000):

ingress:
  enabled: true
  ingressClassName: traefik
  hosts:
    - host: frigate.example.com
      paths:
        - path: /
          pathType: ImplementationSpecific
          portName: http  # This works ✅
  tls:
    - secretName: tls-wildcard-cert
      hosts:
        - frigate.example.com

Helm Values (Failing - Port 8971):

ingress:
  enabled: true
  ingressClassName: traefik
  hosts:
    - host: frigate.example.com
      paths:
        - path: /
          pathType: ImplementationSpecific
          portName: http-auth  # This fails ❌
  tls:
    - secretName: tls-wildcard-cert
      hosts:
        - frigate.example.com

Service Configuration (Generated by Helm):

ports:
- name: http
  port: 5000
  protocol: TCP
  targetPort: http
- name: http-auth
  port: 8971
  protocol: TCP
  targetPort: http-auth
# ... other ports (rtsp, webrtc, etc.)

Investigation Results

1. Direct pod access: Both ports work when accessing pods directly
2. Service access: Both ports respond correctly when accessing the service from within cluster
3. Ingress issue: Only port 8971 fails when accessed through ingress with TLS termination
4. Error pattern: The error suggests a protocol mismatch (HTTP vs HTTPS)

Questions

1. Is port 8971 (http-auth) designed to work with reverse proxies/ingress controllers?
2. Does this port expect specific headers or configuration when used behind HTTPS terminators?
3. Is there additional configuration required for the authenticated port to work with ingress?

Impact

This issue prevents users from:
- Using the authenticated endpoint through Kubernetes ingress
- Securing Frigate access when exposing it externally
- Leveraging the intended security benefits of the http-auth port

Workaround

Currently using port 5000 (http) which works but doesn't provide the authentication layer that port 8971 should offer.

[Dkhil]

you juste need to add annotation on the service so it will reach for the service on https/8971 instead oh http/5000

annotations: { traefik.ingress.kubernetes.io/service.serversscheme: "https" }

and add insecure-skip-verify for your ingress controller
exmple traefik

--serversTransport.insecureSkipVerify=true