Can't access HA on WAN using DuckDNS and NGINX!

Hi!

I recently noticed I can’t access Home Assistant outside my LAN. I’ve been accessing using DuckDNS without NGINX but reinstalled everything including the NGINX Home Assistant SSL proxy add-on.

In my configuration.yaml I have:

http:
  # ssl_certificate: /ssl/fullchain.pem
  # ssl_key: /ssl/privkey.pem
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24
    - 172.30.33.7
    - 172.30.32.0/24
    - 127.0.0.1

The NGINX configuration (options in the add-on):

certfile: fullchain.pem
cloudflare: false
customize:
  active: false
  default: nginx_proxy_default*.conf
  servers: nginx_proxy/*.conf
domain: XXX.duckdns.org
hsts: max-age=31536000; includeSubDomains
keyfile: privkey.pem

The configuration for the Duck DNS add-on:

lets_encrypt:
  accept_terms: true
  certfile: fullchain.pem
  keyfile: privkey.pem
  algo: secp384r1
token: XXX-XXX-XXX
domains:
  - XXX.duckdns.org
aliases: []
seconds: 300

In the NGINX log I get this error:

2022/04/17 23:51:03 [error] 253#253: *406 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.1.1, server: XXX.duckdns.org, request: "GET /api/websocket HTTP/1.1", upstream: "http://172.30.32.1:8123/api/websocket", host: "XXX.duckdns.org

I assume I need to add some IP to the trusted_proxies but what? I don’t seem to have any errors in the home-assistant.log relating to this.

Please advise!

I had the same issue… Mine was TOO simple, but I decided to risk it and see if by chance you missed the same step I did initially. In your router port forwarding… did you update your NAT (Port Forwarding)?
Before NGINX, I bet it was External Port 443 to Internal (HA Address) Port 8123?
After NGINX it needs to be External Port 443 to Internal (HA Address) Port 443.


For comparison (mine is working)…
In the configuration.yaml file (Important headers Included for syntax):

homeassistant:
# NGINX
  auth_providers:
  - type: homeassistant
  - type: trusted_networks
    trusted_networks:
      - 192.168.1.0/24
      - 127.0.0.1
      - ::1
default_config:
## DuckDNS.org Encryption & NGINX
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 170.30.32.0/24
    - 172.30.33.0/24
  ip_ban_enabled: true
  login_attempts_threshold: 2

Your NGINX configuration (options in the add-on) were spot-on.
Did this help?


Thank you for your suggestion!

I had changed the port to 443 but your reply made me check the network and it seems one of my recently installed IP cameras (an old D-Link DCS-930L I had found and thought I should re-use for Home Assistant) also used port 443 for some reason. This meant the port didn’t forward to the Home Assistant IP properly. Really weird error but now everything seems to work EXCEPT I still get a lot of errors in the log for the NGINX Home Assistant SSL proxy add-on:

2022/04/20 14:00:05 [error] 258#258: *35 connect() failed (111: Connection refused) while connecting to upstream, client: 83.187.164.223, server: XXX.duckdns.org, request: "POST /api/webhook/5e6270903387596eb3c1523c8c4f404c9b1a963e9331ecdb9d9d64a69f4dbfe6 HTTP/2.0", upstream: "http://172.30.32.1:8123/api/webhook/5e6270903387596eb3c1523c8c4f404c9b1a963e9331ecdb9d9d64a69f4dbfe6", host: "XXX.duckdns.org
2022/04/20 14:08:24 [error] 258#258: *338 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.1.1, server: XXX.duckdns.org, request: "POST /api/webhook/bd77c3c1b039e3e0e9325664bf383a6d05aa2778c67a9ea71639196f8108e045 HTTP/2.0", upstream: "http://172.30.32.1:8123/api/webhook/bd77c3c1b039e3e0e9325664bf383a6d05aa2778c67a9ea71639196f8108e045", host: "XXX.duckdns.org

The errors do not seem to affect the ability to access Home Assistant on the LAN or WAN but they make me nervous. :S

I’ve tried to add the IPs shown in the log (both the one after “client:” and the one after “upstream:”) in configuration.yaml under trusted_proxies but it doesn’t seem to do anything:

http:
  # ssl_certificate: /ssl/fullchain.pem
  # ssl_key: /ssl/privkey.pem
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.32.1
    - 83.187.164.223
    - 192.168.1.1
  ip_ban_enabled: true
  login_attempts_threshold: 5

Should I just ignore the errors in the log?

EDIT: Tried to add:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 0.0.0.0/0

to allow everything and I still got the errors in the log. I assume it’s something trying to ping something?
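Two things from the posts above, as an added example that is not part of the thread: parsing the add-on's "connect() failed" lines to show what they actually report (NGINX failing to reach HA on port 8123, which trusted_proxies cannot influence because HA never saw the request), and auditing a trusted_proxies list from a defender's stance, since any address listed there may set X-Forwarded-For freely and ip_ban_enabled keys on that header. The sample log lines are constructed (webhook ids replaced by placeholders) and the add-on network ranges are an assumption taken from the configs quoted above.

```python
import ipaddress
import re

# Constructed sample lines modelled on the add-on's error format quoted in the thread
# (webhook ids replaced with placeholders).
SAMPLE_LOG = """\
2022/04/20 14:00:05 [error] 258#258: *35 connect() failed (111: Connection refused) while connecting to upstream, client: 83.187.164.223, server: XXX.duckdns.org, request: "POST /api/webhook/HOOKID1 HTTP/2.0", upstream: "http://172.30.32.1:8123/api/webhook/HOOKID1", host: "XXX.duckdns.org"
2022/04/20 14:08:24 [error] 258#258: *338 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.1.1, server: XXX.duckdns.org, request: "POST /api/webhook/HOOKID2 HTTP/2.0", upstream: "http://172.30.32.1:8123/api/webhook/HOOKID2", host: "XXX.duckdns.org"
"""

# Accepts a straight or curly opening quote, since forum copies often carry the latter.
LINE_RE = re.compile(r'client: (?P<client>[0-9a-fA-F.:]+), .*?upstream: ["\u201c]https?://(?P<upstream>[0-9.]+):(?P<port>\d+)')


def parse_upstream_errors(log):
    """Return (client, upstream_host, upstream_port) for each 'connect() failed' line.

    NGINX could not open a TCP connection to the upstream (HA on 8123), so HA never
    saw the request; trusted_proxies plays no part in these errors.
    """
    hits = []
    for line in log.splitlines():
        m = LINE_RE.search(line) if "connect() failed" in line else None
        if m:
            hits.append((m["client"], m["upstream"], int(m["port"])))
    return hits


def audit_trusted_proxies(trusted, client_ips, proxy_nets=("172.30.32.0/24", "172.30.33.0/24")):
    """Return findings for a trusted_proxies list.

    Any listed address may set X-Forwarded-For freely, and ip_ban_enabled keys on
    that header, so the list should cover only the reverse proxy. proxy_nets
    defaults to the add-on ranges named in the thread (an assumption).
    """
    findings = []
    nets = [ipaddress.ip_network(n) for n in proxy_nets]
    clients = [ipaddress.ip_address(c) for c in client_ips]
    for entry in trusted:
        net = ipaddress.ip_network(entry, strict=False)
        if net.prefixlen == 0:
            findings.append(f"{entry}: trusts every source, so any client can spoof X-Forwarded-For")
            continue
        if net.is_global:
            findings.append(f"{entry}: public address trusted as a proxy")
        for c in clients:
            if c in net:
                findings.append(f"{entry}: covers end client {c} from the log, not the proxy")
        if not net.is_loopback and not any(
            p.version == net.version and net.subnet_of(p) for p in nets
        ):
            findings.append(f"{entry}: outside the add-on network(s) {', '.join(proxy_nets)}")
    return findings
```

Run against the third config quoted above (`172.30.32.1`, `83.187.164.223`, `192.168.1.1`), only the first entry passes; the two client addresses are flagged, and the refused-connection lines are reported as an upstream reachability problem rather than a proxy-trust one.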

I think I may know what is happening… I had something like it with a few of the cloud type integrations.

As you can tell, I am going completely by assumptions… But those integrations were initially set up using port 8123… What worked for me was removing the integration and adding it again…