Hello, I’m trying to get access to my Home Assistant instance from outside. I created a domain with DuckDNS and got a certificate with the certbot plugin for DuckDNS. Inside my network I can reach HA with https://localip:8123 but not with the DuckDNS domain name, and internally I can reach my router page with https://mydomain (I don’t know why, but today it doesn’t work; it seems it is in a loopback and reloads the page endlessly). I opened ports on the router and it doesn’t work. So I tried to ping from outside and found out I can’t ping my router; it seems it doesn’t accept external connections. I’ve been trying for 3 days but with no results. Can anyone help me please?
EDIT: port 80 is busy because of the pihole container
I think at least use_x_forwarded_for must be configured, but use a reverse proxy and never forward directly to HA
EDIT
Since ping doesn’t work, maybe your server provider is blocking it.
If using port 80, maybe try a different incoming port to your router. Port 80 is blocked many times.
Your router may be blocking pings from the outside (this is a common security practice).
I run this setup on my install and implemented as follows:
Set up nginx-proxy-manager on a docker container to manage and automate the certificate creation / updates
Set up a proxy host on NPM pointing your domain to your local homeassistant instance
In your homeassistant config, add the NPM host as a trusted proxy
Port 8123 should not be open to the outside world, so if you opened that on your router, close it now.
All traffic to homeassistant should be coming through https and NPM just distributes that to the right host within your LAN
I find it more helpful to use static IP addresses for services like this within my LAN and reference them with IP addresses instead of hostnames because mDNS can fail at times and I just don’t like having that extra point of failure there, but that’s a personal preference.
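Added example (not from any poster in this thread, and not Home Assistant's or nginx-proxy-manager's own code): a sketch of the generic trusted-proxy rule behind the "add the NPM host as a trusted proxy" step, which in Home Assistant corresponds to `use_x_forwarded_for` and `trusted_proxies` under `http:`. The function name and all addresses are hypothetical and constructed for illustration.

```python
import ipaddress

def resolve_client_ip(peer, x_forwarded_for, trusted_proxies):
    """Pick the address a proxied backend should log and rate-limit on.

    peer            -- source IP of the TCP connection reaching the backend
    x_forwarded_for -- raw X-Forwarded-For header value, or None
    trusted_proxies -- IPs/CIDRs allowed to vouch for a client address
    """
    nets = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def trusted(addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in nets)

    # Header absent, or sent by a host that is not our proxy: anyone can
    # type a header, so only the socket peer is believable.
    if not x_forwarded_for or not trusted(peer):
        return peer

    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    # Proxies append on the right, so walk right to left and stop at the
    # first hop that is not one of ours. Entries left of it are client-supplied.
    for hop in reversed(hops):
        try:
            if not trusted(hop):
                return hop
        except ValueError:
            return peer  # malformed entry: fall back to the socket peer
    return peer  # every listed hop was one of our own proxies


# Constructed sample addresses (not from the thread).
NPM_HOST = "192.168.1.10"      # reverse proxy on the LAN
LAN_DEVICE = "192.168.1.77"    # some other device on the same LAN
VISITOR = "203.0.113.7"        # real external client

def demo():
    return {
        "via_proxy": resolve_client_ip(NPM_HOST, VISITOR, [NPM_HOST]),
        "forged_left_entry": resolve_client_ip(
            NPM_HOST, "10.0.0.1, " + VISITOR, [NPM_HOST]),
        "bypassing_proxy": resolve_client_ip(
            LAN_DEVICE, "198.51.100.200", [NPM_HOST]),
        "whole_lan_trusted": resolve_client_ip(
            LAN_DEVICE, "198.51.100.200", ["192.168.1.0/24"]),
    }

if __name__ == "__main__":
    for case, ip in demo().items():
        print(f"{case:18} -> {ip}")
```

The last case shows why the trusted list should name only the proxy host: with the whole LAN trusted, the header value from any LAN device is believed as the client address.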
I run a docker home assistant install and use the SWAG container to act as a reverse proxy for secure access to home assistant. Here is a guide how to set it up.
You port forward ports 80 and 443 to the machine running swag - then the proxy will work both when you specify http:// and https://. If you specify http://, the proxy will automatically upgrade it to https:// based on the nginx config in the attached guide. There is no need to port forward 8123 to home assistant through the router, and you should not do this anyway when a reverse proxy is used.
Whatever proxy you use, if Pihole is on the same machine, ideally you will need to get its web interface off port 80 so the proxy can use it. Otherwise, you must make sure you always use https:// to access your domain as http:// won’t work. I run adguard, which pretty much does the same thing as Pihole, and does not need port 80 since you can access its webUI over port 3000 instead.
If you want to keep pihole, there appears to be a file you can edit to have its UI off port 80 and set it to something else (like 8080 or whatever)
Hi all, I spent a lot of time configuring https and duckdns, so, if it is possible I would continue with this configuration. But if I have no chance of making it work, I will try your alternative methods. I will not be at home until the weekend; on Saturday I’m going to post my Pi-hole docker configuration here if it can help.
Thanks for the reply. As said before, I hope to stay with my current configuration because I spent a lot of time creating it. However, if I do not find a solution, this seems a good alternative.
This is the first time I have read about adguard. I spent most of my time setting up Pi Hole on my server; if possible I would rather not change.
I realize it’s difficult when we’ve spent a lot of time on something - we really want to see it through and not start over. Based on the posts above, it looks like you can keep Pihole and get it off port 80 or run it in a macvlan, so you wouldn’t have to abandon that.
However, there really is no way your configuration will work to access home assistant securely, as https: is over port 443, and home assistant runs on port 8123. You need a reverse proxy so home assistant’s instance on port 8123 can be forwarded and served on port 443 for https securely and externally. So, I can’t see any way to make your current configuration work. It’s best to stop now and change direction before investing more time in something that won’t work, or worse, works but leaves you vulnerable to security issues and attacks because things aren’t setup properly.
If you don’t want to invest any more time or change your configuration, a simple option can be to pay a few dollars a month for the Nabu Casa service, which provides secure access without needing a proxy or port forwarding.
It’s very frustrating when you spend a lot of time and nothing works in the end ahahah
Seems to be a better solution mostly for my security on the internet.
I’m still in time to change direction and use a proxy server; maybe it will be useful for other projects in the future, never say never. Moreover, I have never used a proxy; this is the time to learn another thing.
I already know about Nabu Casa but this is the last chance for me. I prefer to do it myself; it is more rewarding and is an excellent opportunity to learn something more.
I tried with caddy with no success.
I think my problem is something about networking because I can’t reach my server from outside.
I tried with an nginx reverse proxy as well, with the same result.
If someone can help me, I have a Zyxel router and my ISP is Wind Infostrada (Italy).
Thank you a lot