Can't reach Home assistant in Docker from outside

Franzi98 · January 10, 2023, 7:12pm

Hello, i’m trying to get access to my home assistant instance from outside. I create a domain with duckdns and get certificate with certbot plugin for duckdns. Inside my network i can reach ha with https://localip:8123 but not with duckdns domain name and internally i can reach my router page with https://mydomain (I don’t know but today doesn’t work, it seems is in a loopback and recharges endlessy the page).I opened ports on router and doesn’t work. So i try to ping from outside and i find out i can’t ping my router, seems it doesn’t aceept external connection. I’ve been trying for 3 days but with to no results. Can anyone help me pls?

EDIT: port 80 is busying because of pihole container

tmjpugh · January 10, 2023, 7:32pm

look at this

i think at least use_x_forwarded_for must be configured but use reverse proxy and never forward directly to HA

EDIT
since ping doesnt work maybe your server provider is blocking it
if using port 80 maybe try a different incoming port to your router. port 80 is blocked many times

M0E-lnx · January 10, 2023, 9:20pm

Your router may be blocking pings from the outside (this is a common security practice).

I run this setup on my install and implemented as follows:

Setup nginx-proxy-manager on a docker container to manage and automate the certificate creation / updates
Setup a proxy host on NPM pointing your domain to your local homeassistan instance
On your homeassistant config, add the NPM host as a trusted proxy

Port 8123 should not be open to the outside world, so if you opened that on your router, close it now.
All traffic to homeassistant should be coming through https and NPM just distributes that to the right host within your LAN

I find it more helpful to use static IP addresses for services like this within my LAN and reference them with IP addresses instead of hostnames because mDNS can fail at times and I just dont like having that extra point of failure there, but that’s a personal preference.

Franzi98 · January 10, 2023, 10:59pm

Unfrtounatelly I don’t know anything about that, i think i can’t do this.

Can pi hole be a problem? It uses port 80

tmjpugh · January 10, 2023, 11:48pm

Is HA and Pihole on same server
What port in router do you forward to HA

mwav3 · January 11, 2023, 12:07am

I run a docker home assistant install and use the SWAG container to act as a reverse proxy for secure access to home assistant. Here is a guide how to set it up.

You port forward ports 80 and 443 to the machine running swag - then the proxy will work both when you specify http:// and https://. If you specify http://, the proxy will automatically upgrade it to https:// based on the nginx config in the attached guide. There is no need to port forward 8123 to home assistant through the router, and you should not do this anyway when a reverse proxy is used.

Whatever proxy you use, if Pihole is on the same machine, ideally you will need to get its web interface off port 80 so the proxy can use it. Otherwise, you must make sure you always use https:// to access your domain as http:// won’t work. I run adguard, which pretty much does the same thing as Pihole, and does not need port 80 since you can access its webUI over port 3000 instead.

If you want to keep pihole, there appears to be a file you can edit to have its UI off port 80 and set it to something else (like 8080 or whatever)

https://www.reddit.com/r/pihole/comments/dhit3y/disabling_port_80_web_interface/

juan11perez · January 11, 2023, 4:30am

To run pihole docker on port 80, you create a mclavan network and set up pihole as such:

network:

networks:
  myvlan:  # set up for pihole
    driver: macvlan
    driver_opts:
      parent: br0 <check your docker network>
    ipam:
      config:
      - subnet: 192.168.99.0/24 #        gateway: 192.168.1.1

pihole:

  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    restart: unless-stopped
    hostname: UNRAID      
    cap_add:
    - NET_ADMIN
    dns:
    - 127.0.0.1 
    - 1.1.1.1
    volumes:
    - /mnt/cache/appdata/pihole:/etc/pihole
    - /mnt/cache/appdata/pihole/dnsmasq:/etc/dnsmasq.d
    env_file: secrets/.pihole  
    ports:
    - "53:53/tcp"
    - "53:53/udp"
    - "67:67/udp"
    - "80:80"
    - "443:443"
    networks:
      myvlan:
        ipv4_address: 192.168.99.99    # set up for pihole
    labels:
    - "com.centurylinklabs.watchtower.enable=true"

Franzi98 · January 11, 2023, 10:18am

Yes, PiHole and Home assistant running in same server with differente container.
I Forward port 80, 443 and 8123

Franzi98 · January 11, 2023, 10:24am

Hi all, I spent a lot of time to configure https and duckdns, so, if it possible i would continue with this configuration. But if I haven’t chance to work it I try your alternative methods. I will not at home since weekend, Saturday I’m going to post here my pi hole docker configuration if can help.

Franzi98 · January 11, 2023, 10:25am

Thanks for reply, I think my pi hole already uses port 80 for default. Unfortunatelly I will not at home for some days

Franzi98 · January 11, 2023, 10:34am

Thanks for reply. As sayed before, I hope to stay with mi actual configuration because i spent a lot of time to create it. However if I will not find a solution, this seems a good alternative.

This is the first time I read about adguard. I spent most of my time to setting Pi Hole on my server, if is possible I would not change

This is great, thanks!

mwav3 · January 11, 2023, 2:05pm

I realize it’s difficult when we’ve spent a lot of time on something - we really want to see it through and not start over. Based on the posts above, it looks like you can keep Pihole and get it off port 80 or run it in a macvlan, so you wouldn’t have to abandon that.

However, there really is no way your configuration will work to access home assistant securely, as https: is over port 443, and home assistant runs on port 8123. You need a reverse proxy so home assistant’s instance on port 8123 can be forwarded and served on port 443 for https securely and externally. So, I can’t see any way to make your current configuration work. It’s best to stop now and change direction before investing more time in something that won’t work, or worse, works but leaves you vulnerable to security issues and attacks because things aren’t setup properly.

If you don’t want to invest any more time or change your configuration, a simple option can be to pay a few dollars a month for the Nabu Casa service, which provides secure access without needing a proxy or port forwarding.

Franzi98 · January 11, 2023, 3:49pm

It’s very frustrating when you spent a lots of time and nothing works at the end ahahah

Seems to be a better solution mostly for my security on the internet.
I’m still in time to change way and use a proxy server, maybe it will be usefull for other project in the future, never say never. Morover I never used a proxy, this is time to learn another thing.

I already know about Nabu Casa but this is the last chance for me. I prefer do it myself, it is more rewarding and is an excellent opportunity to learn something more

Franzi98 · January 13, 2023, 3:38pm

I search in some forums and see lots of people using Caddy. I will try with it

Franzi98 · January 17, 2023, 12:29pm

I try with caddy with no success.
I think my problem is something about networking because i can’t reach my server from outside.
I try with nginx reverse proxy as well with the same result.
If someone can help me I have a zyxel router and my ISP is Wind Infostrada (Italy).
Thank you a lot