He’s telling you to remove any https/ssl config from Home Assistant, since you will be using swag instead, and ssl configured in Home Assistant will create a conflict. Then he’s providing an example of what to remove. So, if you had api password, ssl cert, etc. in your Home Assistant config.yaml, you need to remove those.
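Added example, not from the thread: what the http: section of Home Assistant's configuration.yaml looks like before and after handing TLS over to SWAG. Home Assistant also refuses requests that arrive through a reverse proxy unless the proxy's address is listed under trusted_proxies, which the reply above does not mention; the certificate paths and the docker network range below are assumptions.

```yaml
# Added example (not from the thread). BEFORE: Home Assistant terminating TLS itself.
# These are the lines the guide tells you to delete once SWAG handles HTTPS; if they
# stay, Home Assistant listens on https://host:8123 and SWAG's plain-http proxy_pass fails.
#
# http:
#   ssl_certificate: /ssl/fullchain.pem     # path is a placeholder
#   ssl_key: /ssl/privkey.pem               # path is a placeholder
#   api_password: !secret api_password      # legacy auth option; remove it
#
# AFTER: plain HTTP on 8123, reachable only through SWAG.
http:
  # Without these two settings Home Assistant answers proxied requests with
  # 400 Bad Request and logs "A request from a reverse proxy was received from ...,
  # but your HTTP integration is not set-up for reverse proxies".
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.16.0.0/12      # assumption: the docker bridge range the swag container lives in
    - 127.0.0.1
  # optional hardening that belongs with exposing the login page to the internet
  ip_ban_enabled: true
  login_attempts_threshold: 5
```

Because Home Assistant runs with host networking (see the later reply about bridge vs host mode), the source address it sees is the swag container's docker IP, so the trusted_proxies entry must cover the docker network, not the LAN.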
You need the PGID and PUID of the user in Ubuntu that runs docker commands. So, if my Ubuntu user is mwav3, I would run id mwav3 and it will give me the uid. It’s usually 1000 unless you created it later or have multiple users. You need this for the Swag compose so the config files can be edited; otherwise they belong to root or another user.
I use subdomains. I have other things besides Home Assistant behind the proxy, like Node-RED, that I want to use. Using subdomains allows me to set up multiple proxies with the same ssl cert.
Yes
This is for accessing websites built with PHP, which you’re probably not going to use anyway. NGINX doesn’t support PHP natively; PHP comes with the swag container, but it requires additional configuration to work. The swag image is almost like a mini server running within docker, and swag uses port 9000 only within the Swag container to process PHP, so you keep it at port 9000. Since you are not mapping port 9000 out of the container (you only map http port 80 and https port 443), there is no conflict with portainer or any other service running on port 9000 on the host OS.
I believe his config for PHP is wrong here anyway, as you don’t change the IP to the address of your machine; keep it 127.0.0.1 (which is a loopback address to the swag container itself), so the line should be
fastcgi_pass 127.0.0.1:9000;
I never had luck getting that to work. The site configs are meant primarily to be used to reference other commonly used docker images running on the same bridged docker network. This works great if you have multiple containers running in bridge mode (Bridge network driver | Docker Docs) on the same docker network. It fails, however, when you have a container running in host networking mode (Host network driver | Docker Docs) like Home Assistant. The reason is that on a docker bridge network you can reference other containers in the docker DNS by their container name, but you cannot reference a container by name if it is running in host networking mode. This is because containers in host networking mode, like Home Assistant, are actually separated from your docker network. Home Assistant also needs host networking mode for auto discovery of integrations to work properly, so you can’t install it on the bridge. There is a post here from someone who put together a guide that uses that subdomain file, but the last poster I was helping there has still not been able to get it working properly; you can read more about that config here if it is a route you want to try: Remote access with Docker. I get confused about using that setup because now your nginx config is spread out across different files that reference each other. I find it easier to just put the whole nginx config for everything in the default.conf file, the way Juan’s guide mentioned.
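Added example, not the thread's own compose file: a docker-compose.yml that ties together the points made in the replies above. PUID/PGID come from running id on the docker user, only ports 80 and 443 are published so the in-container PHP port 9000 never collides with Portainer, one certificate covers every subdomain, and Home Assistant runs with host networking, which is exactly why the nginx config has to target the host's LAN IP instead of a container name. Image tags, the duckdns token, and the paths are placeholders.

```yaml
# Added example (not from the thread). Placeholders: PUID/PGID, URL, DUCKDNSTOKEN, paths.
services:
  swag:
    image: lscr.io/linuxserver/swag:latest
    container_name: swag
    cap_add:
      - NET_ADMIN                   # used by the fail2ban bundled in the image
    environment:
      - PUID=1000                   # output of: id -u mwav3   (1000 is only the usual default)
      - PGID=1000                   # output of: id -g mwav3
      - TZ=Etc/UTC
      - URL=yourdomain.duckdns.org  # placeholder: your duckdns domain
      - SUBDOMAINS=wildcard         # one cert for homeassistant., red., zwave., zigbee., ...
      - VALIDATION=duckdns          # DNS-based challenge, so port 80 is not needed for issuance
      - DUCKDNSTOKEN=REPLACE_ME     # placeholder; better: an env_file kept out of version control
    volumes:
      - ./swag/config:/config       # default.conf ends up under ./swag/config/nginx/site-confs/
    ports:
      - "443:443"
      - "80:80"                     # only serves the 301 redirect to https
      # deliberately no "9000:9000": PHP-FPM listens on 127.0.0.1:9000 inside the
      # container only, so Portainer or anything else on host port 9000 is unaffected
    networks:
      - proxy
    restart: unless-stopped

  homeassistant:
    image: ghcr.io/home-assistant/home-assistant:stable
    container_name: homeassistant
    network_mode: host              # needed for discovery; also why swag cannot resolve it as "homeassistant"
    volumes:
      - ./homeassistant:/config
      - /etc/localtime:/etc/localtime:ro
    restart: unless-stopped

networks:
  proxy:
    driver: bridge                  # containers attached here (node-red, etc.) are reachable by name
```

Anything you later add to the proxy network (Node-RED, Zigbee2MQTT) can be referenced by container name in default.conf; Home Assistant, being on the host network, keeps needing the 192.x LAN address.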
When I was starting out, this reverse proxy was one of the hardest things for me to set up. The container install is definitely more complicated than the HAOS install with add-ons, but it provides the most flexibility to install and use the machine for other, non-Home Assistant software. Once you get more comfortable with docker and get this going, it will be worth it in the end. This is my nginx config below from the default.conf file, which I’m sure isn’t perfect, but everything has worked well so far with it for me. It is configured to use zwavejsui, zigbee2mqtt, nodered, and home assistant behind the proxy. You can delete or comment out the sections you don’t need. Be sure to replace “yourdomain” with your duckdns domain name, and “192.youriphere” with the IP number of the machine running docker/homeassistant on your LAN. This config should put your homeassistant instance up at https://homeassistant.yourdomain.duckdns.org. If you are still running into trouble, try posting your docker compose and any log references that come up for swag when it starts up.
## Version 2020/05/23 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/default
# redirect all traffic to https
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name yourdomain.duckdns.org;
    return 301 https://$host$request_uri;
}

# main server block
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;

    root /config/www;
    index index.html index.htm index.php;

    server_name yourdomain.duckdns.org;

    # enable subfolder method reverse proxy confs
    include /config/nginx/proxy-confs/*.subfolder.conf;

    # all ssl related config moved to ssl.conf
    include /config/nginx/ssl.conf;

    # enable for ldap auth
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    # enable for geo blocking
    # See /config/nginx/geoip2.conf for more information.
    #if ($allowed_country = no) {
    #return 444;
    #}

    client_max_body_size 0;

    location / {
        try_files $uri $uri/ /index.html /index.php?$args =404;
    }

    # PHP is handled by the php-fpm process inside the swag container; 127.0.0.1:9000
    # is the container's own loopback, not the host, so it never clashes with Portainer
    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include /etc/nginx/fastcgi_params;
    }
# sample reverse proxy config for password protected couchpotato running at IP 192.168.1.50 port 5050 with base url "cp"
# notice this is within the same server block as the base
# don't forget to generate the .htpasswd file as described on docker hub
# location ^~ /cp {
# auth_basic "Restricted";
# auth_basic_user_file /config/nginx/.htpasswd;
# include /config/nginx/proxy.conf;
# proxy_pass http://192.168.1.50:5050/cp;
# }
}
# sample reverse proxy config without url base, but as a subdomain "cp", ip and port same as above
# notice this is a new server block, you need a new server block for each subdomain
#server {
# listen 443 ssl http2;
# listen [::]:443 ssl http2;
#
# root /config/www;
# index index.html index.htm index.php;
#
# server_name cp.*;
#
# include /config/nginx/ssl.conf;
#
# client_max_body_size 0;
#
# location / {
# auth_basic "Restricted";
# auth_basic_user_file /config/nginx/.htpasswd;
# include /config/nginx/proxy.conf;
# proxy_pass http://192.168.1.50:5050;
# }
#}
# sample reverse proxy config for "heimdall" via subdomain, with ldap authentication
# ldap-auth container has to be running and the /config/nginx/ldap.conf file should be filled with ldap info
# notice this is a new server block, you need a new server block for each subdomain
#server {
# listen 443 ssl http2;
# listen [::]:443 ssl http2;
#
# root /config/www;
# index index.html index.htm index.php;
#
# server_name heimdall.*;
#
# include /config/nginx/ssl.conf;
#
# include /config/nginx/ldap.conf;
#
# client_max_body_size 0;
#
# location / {
# # the next two lines will enable ldap auth along with the included ldap.conf in the server block
# auth_request /auth;
# error_page 401 =200 /ldaplogin;
#
# include /config/nginx/proxy.conf;
# resolver 127.0.0.11 valid=30s;
# set $upstream_app heimdall;
# set $upstream_port 443;
# set $upstream_proto https;
# proxy_pass $upstream_proto://$upstream_app:$upstream_port;
# }
#}
# sample reverse proxy config for "heimdall" via subdomain, with Authelia
# Authelia container has to be running in the same user defined bridge network, with container name "authelia", and with 'path: "authelia"' set in its configuration.yml
# notice this is a new server block, you need a new server block for each subdomain
#server {
# listen 443 ssl http2;
# listen [::]:443 ssl http2;
#
# root /config/www;
# index index.html index.htm index.php;
#
# server_name heimdall.*;
#
# include /config/nginx/ssl.conf;
#
# include /config/nginx/authelia-server.conf;
#
# client_max_body_size 0;
#
# location / {
# # the next line will enable Authelia along with the included authelia-server.conf in the server block
# include /config/nginx/authelia-location.conf;
#
# include /config/nginx/proxy.conf;
# resolver 127.0.0.11 valid=30s;
# set $upstream_app heimdall;
# set $upstream_port 443;
# set $upstream_proto https;
# proxy_pass $upstream_proto://$upstream_app:$upstream_port;
# }
#}
################################################################################
### SUBDOMAIN 1a Node Red Admin#################################################
server {
    listen 443 ssl;
    root /config/www;
    index index.html index.htm index.php;
    server_name red.yourdomain.duckdns.org;
    include /config/nginx/ssl.conf;
    client_max_body_size 0;
    location / {
        # basic auth is commented out here, so the proxy adds no login of its own
        # in front of the Node-RED editor; uncomment to require .htpasswd credentials
        # auth_basic "Restricted";
        # auth_basic_user_file /config/nginx/.htpasswd;
        include /config/nginx/proxy.conf;
        # Node-RED runs on the docker host; 1880 is its default port
        proxy_pass http://192.youriphere:1880;
    }
}
################################################################################
### SUBDOMAIN 1b Node Red Endpoints##############################################
server {
    listen 443 ssl;
    root /config/www;
    index index.html index.htm index.php;
    server_name redend.yourdomain.duckdns.org;
    include /config/nginx/ssl.conf;
    client_max_body_size 0;
    location / {
        # auth_basic "Restricted";
        # auth_basic_user_file /config/nginx/.htpasswd;
        include /config/nginx/proxy.conf;
        # only the /endpoint/ path of Node-RED is exposed on this hostname, keeping
        # the editor (red.yourdomain.duckdns.org) separate from public HTTP-in nodes
        proxy_pass http://192.youriphere:1880/endpoint/;
    }
}
################################################################################
### SUBDOMAIN 2 Zwave JS########################################################
server {
    listen 443 ssl;
    root /config/www;
    index index.html index.htm index.php;
    server_name zwave.yourdomain.duckdns.org;
    include /config/nginx/ssl.conf;
    client_max_body_size 0;
    location / {
        auth_basic "Restricted";
        auth_basic_user_file /config/nginx/.htpasswd;
        include /config/nginx/proxy.conf;
        # Z-Wave JS UI here is served over https on 8091, so the upstream scheme is https
        proxy_pass https://192.youriphere:8091;
    }
}
################################################################################
### SUBDOMAIN 3 Zigbee2MQTT######################################################
server {
    listen 443 ssl;
    root /config/www;
    index index.html index.htm index.php;
    server_name zigbee.yourdomain.duckdns.org;
    include /config/nginx/ssl.conf;
    client_max_body_size 0;
    location / {
        auth_basic "Restricted";
        auth_basic_user_file /config/nginx/.htpasswd;
        include /config/nginx/proxy.conf;
        # Zigbee2MQTT frontend; 8086 is the port this install uses
        proxy_pass http://192.youriphere:8086;
    }
}
### HOMEASSISTANT ##############################################################
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name homeassistant.*;
    include /config/nginx/ssl.conf;
    client_max_body_size 0;
    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;
    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;
        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;
        include /config/nginx/proxy.conf;
        # Home Assistant runs with host networking, so it cannot be resolved by
        # container name through docker DNS; proxy to the host's LAN IP instead
        # (the unused resolver/set $upstream_* lines from the template are dropped)
        proxy_pass http://192.youriphere:8123;
    }
    # websocket endpoint: Upgrade/Connection must be forwarded or the frontend
    # loads but never receives state updates
    location /api/websocket {
        proxy_pass http://192.youriphere:8123;
        proxy_set_header Host $host;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
# enable subdomain method reverse proxy confs
include /config/nginx/proxy-confs/*.subdomain.conf;
# enable proxy cache for auth
proxy_cache_path cache/ keys_zone=auth_cache:10m;