Community Hass.io Add-on: Nginx Proxy Manager


I use this as a docker in Ubuntu and just wanted to say a big thank you for developing this!

Thanks for your writeup. I just spent several hours trying to set up the Nginx Proxy Manager add-on but could not understand why HA is not accessible while other sites work fine.

This did the trick:

In Configuration.yaml, comment out the HTTP section if not already done
#http:
# base_url: http://mydomain.com:8123
# ssl_certificate: /ssl/fullchain.pem
# ssl_key: /ssl/privkey.pem

In add-on configs, confirm: “ssl”: false,

I’m trying get my head around this.
Can I use this add-on to reverse proxy an internal web server to be shown inside HA, without giving direct access to it from the outside?
I have a PI with FlightRadar24 running, and I would like to display the map in a card.
I don’t want the FR24 exposed to the world, as it’s not secure.

So what do I do? I have an internal DNS of course (Pi-hole), so I can create whatever local DNS names are required.
The Forward Hostname I guess is the fr24 server, right? And I can make it go to a subfolder as well with the ‘location’.
I’ve set up reverse proxies before, but I don’t get what I’m supposed to enter in ‘Domain name’.

Running hassio 95.4 in an Ubuntu Docker container.
I have been using the duckdns add-on with SSL successfully, and am now trying to migrate to Nginx Proxy Manager.

As of now I am able to reach hassio using http

http://XXXX.duckdns.org

But when I go ahead and enable HTTPS, I get an error “Internal Error”

And this is what I see in the logs:

Failed authorization procedure. XXX.duckdns.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://XXX.duckdns.org/.well-known/acme-challenge/aUZkXX9e1pUwJP7XXXXXXXXqgSOl0RszR0: Timeout during connect (likely firewall problem)

Below is my configuration.yaml:

#http:
  # Secrets are defined in the file secrets.yaml
#  api_password: !secret http_password
  # Uncomment this if you are using SSL/TLS, running in Docker container, etc.
#  base_url:  !secret baseurl
#  ssl_certificate: /ssl/fullchain.pem
#  ssl_key: /ssl/privkey.pem

Port forwarded 80>80 & 443>443 to ubuntu IP

Can someone point out what I am missing here? I would really like to get the add-on working :slight_smile:

For a single proxy host, how can I use this to 1) forward all non-www to www while also 2) forward all http to https?

All of my addresses just take me to my gateway, aka my USG?

I’m in the same boat as Mr. Sharp. I feel like there are some steps missing in the installation instructions…or perhaps something I should have installed prior to this add-on to make it work? I’m a complete noob with HA, so forgive my ignorance.

Router is Unifi USG. Ports 80 and 443 inbound forwarded to hassio IP address ports 80 & 443. No other forwarded ports.

Fresh install of hassio on rpi3, installed configurator, node-red, and now Nginx Proxy Manager add-ons.

Created a duckdns domain, and pointed it at my home network’s public IP. Started proxy manager, and get the “listening on port 81” message in the log.

Open web UI, and set up new host with ha.domain.duckdns.org, scheme: https, forward address/IP: hassio IP address, forward port: 8123, block common exploits & websockets support both enabled, Access List: publicly accessible. On SSL tab: Requested new cert, force SSL enabled, agreement accepted, email address entered, Saved.

New host shows:
ha.mydomain.duckdns.org under source
https://(home assistant IP):8123 under destination
Let’s Encrypt under SSL
Public under Access
Online under Status.

Everything looks good.

Restart Nginx Proxy Manager add-on, wait for “listening on port 81”

Attempting to access https://ha.mydomain.duckdns.org from inside my network yields a page in my browser warning me that the site isn’t secure. If I allow the exception, it takes me to my router’s login page (although I very briefly see the hassio page loading for a split second before the apparent redirect).

Using http:// or nothing at all in front of the subdomain yields the same result.

Outside of my network, I get a timeout…regardless of http://, https://, etc.

Any kind soul care to tell me where I’m obviously screwing things up?

Edit: I ended up getting all of this to work. NPM is quite excellent, once it’s actually working. I’m not 100% positive on what I did that actually fixed the issue, as I eventually just reinstalled hassio (I only had a few things in my setup thus far, so this wasn’t as big a deal as it might be for most people), and started off installing the configurator add-on and NginX Proxy Manager add-on only. But…I think I may have previously had the http: component enabled inside my config.yaml file. If you had previously been using DuckDNS add-on or some other choice for handling your certs, the instructions for that add-on may have instructed you to do so. I left the http: component commented out (and never added the SSL key stuff like the DuckDNS instructions tell you to) on the fresh install, and was able to get everything working fine without it. If you’re new, like me…and getting stuck with this after previously using DuckDNS/Let’s Encrypt…comment out the http: stuff in your config.yaml before starting the NPM setup. It might be your issue.

Does this add-on support WSS websockets via a custom config? I have a program running locally that I’d like to access remotely via NPM but it would require WSS. Here’s a sample Nginx config, I’m just wondering if this would be fully supported in the add-on: https://github.com/nicokaiser/nginx-websocket-proxy/blob/911db2f242dae32aa767ea034d06a09b454f955d/simple-wss.conf

Hello, I’ve got my hassio working fine with SSL. Now I’d like to build a personal cloud, and it’s listening on 443 like hassio. With this nginx, can I forward the traffic on 443 from a specified domain to a specified IP address? (My router permits port forwarding only for one IP.)
Thanks in advance

Time for a new router :wink: but yea, it should work. nginx reads the address you entered,
for example https://community.home-assistant.io, and redirects the request to 192.167.8.12:8123;
https://demo.home-assistant.io goes to 192.167.8.242:8123, and so on.
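The hostname-based routing this reply describes, written out as a plain nginx config. This is an added illustration, not the add-on’s generated config or anything from the thread; every hostname, backend address and certificate path is a placeholder, and the webroot path is the one that appears in the certbot log earlier in this thread.

```nginx
# Added illustration, not the add-on's generated config; every hostname,
# backend address and certificate path below is a placeholder.

# Port 80: serve ACME http-01 challenges, redirect everything else to HTTPS.
server {
    listen 80;
    server_name ha.example.duckdns.org cloud.example.duckdns.org;
    # Let's Encrypt fetches this path over plain HTTP, so it must not redirect.
    location /.well-known/acme-challenge/ { root /data/letsencrypt-acme-challenge; }
    location / { return 301 https://$host$request_uri; }
}

# Home Assistant, selected by the Host header ha.example.duckdns.org.
server {
    listen 443 ssl;
    server_name ha.example.duckdns.org;
    ssl_certificate     /etc/letsencrypt/live/ha.example.duckdns.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ha.example.duckdns.org/privkey.pem;
    location / {
        proxy_pass http://192.168.0.10:8123;   # HA with its http: ssl_* lines commented out
        proxy_set_header Host $host;
        # HA's frontend uses a WebSocket; NPM's "Websockets Support" switch adds these three.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

# A second service sharing public port 443, selected purely by hostname.
server {
    listen 443 ssl;
    server_name cloud.example.duckdns.org;
    ssl_certificate     /etc/letsencrypt/live/cloud.example.duckdns.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cloud.example.duckdns.org/privkey.pem;
    location / {
        proxy_pass https://192.168.0.20:443;
        proxy_set_header Host $host;
    }
}

# An unknown or missing Host (e.g. a client connecting by raw public IP) is closed
# instead of falling through to the first server block above.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/letsencrypt/live/ha.example.duckdns.org/fullchain.pem;  # only to complete the handshake
    ssl_certificate_key /etc/letsencrypt/live/ha.example.duckdns.org/privkey.pem;
    return 444;
}
```

Only ports 80 and 443 need to be forwarded to the box running nginx; each backend stays reachable solely through its own hostname.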

Ahahahah, you’re right! I need a new router, but nginx is cheaper :smile:
However, thanks for the answer, I’ll try.
If I install nginx I won’t have problems with my current SSL configuration, right?

Stuck on the same step.
I even tried to follow this:

but still no luck. I always get a timeout.
But the strangest thing is that even inside my network, on the Nginx Proxy Manager, if I click my new host the redirection to the hassio IP doesn’t work.
I’m missing something.

I shot a PM your way, Bruno. If you’re still having issues, I can tell you what I ran into with my particular setup that might have been causing the problem. Just let me know.

I get this error in the log:

[8/17/2019] [3:35:40 PM] [Global ] › :information_source: info PID 1435 listening on port 81 …
[8/17/2019] [3:37:24 PM] [SSL ] › :information_source: info Renewing Let’sEncrypt certificates for Cert #6: mysite.duckdns.org
[8/17/2019] [3:37:29 PM] [Express ] › :warning: warning Command failed: /usr/bin/certbot renew -n --force-renewal --disable-hook-validation --cert-name “npm-6”
Saving debug log to /data/logs/letsencrypt/letsencrypt.log
No certificate found with name npm-6 (expected /etc/letsencrypt/renewal/npm-6.conf).

Maybe something to do with certificates?
So far the duckdns domain just forwards me to the router.

One funny thing is that I manually changed the hosts file to force mysite.duckdns.org to go to the hassio IP and, bum, ERR_CONNECTION_CLOSED. Deleting this entry, I’m always routed to the router IP address.

Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. mysite.duckdns.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: unknownHost :: No valid IP addresses found for mysite.duckdns.org

Hey Guys,
I’m convinced my problem is the firewall (not sure how, because I deleted all rules and it still didn’t work) or something with the router itself.
I get all the errors above using any of these add-ons (Nginx, certbot or Let’s Encrypt). All fail in getting a certificate.

Did anyone get similar problems with an EdgeRouter?
Would this be a solution?

Thanks!

I have an Ubiquiti USG. I only set the port redirection for HTTP (80) and HTTPS (443) to my Hassio NGINX Proxy Manager on its respective ports 80 and 443 (default ports for the add-on). Make sure you forward both ports correctly; I think both ports are used for the SSL certificate challenge.

Then on the hosts page I just set up a redirect for Home Assistant from my domain, i.e. ha.whatever.com, to my internal IP 192.168.0.XXX on port 8123. After that I just click create, then I edit it and enable SSL, and let it create the SSL certificate.
Once it creates the certificate successfully, I click on edit again and enable the “Force SSL” option. Sometimes, if I tried to do the whole thing in one step, it would fail.

Also I removed the “Base URL” from my configuration.yaml otherwise it would create conflicts when calling internally or externally, so I just commented that line.

It might be. The hass.io core duckdns addon also does DNS challenge and doesn’t require port 80 to be open. Also, with a bit of help, I just cracked using the Caddy addon with DNS challenge as well so now on my router, only port 443 is open. (Note the LetsEncrypt addon and probably NGINX here require port 80 for the certificates)


You’re spot on. I just checked: LetsEncrypt (and anything using certbot, and most ACME clients) uses port 80 by default.

There are workarounds like the DNS challenge, but you will most likely have to do it manually and play with the DNS zone records. I think in DuckDNS you will only be able to do this for one domain/subdomain, as you only have one TXT record.
https://jmorahan.net/article/lets-encrypt-without-port-80


At this point I recommend you dump DuckDNS and get your own domain in Cloudflare. Having your own domain and having Cloudflare as DNS makes everything work effortlessly and more securely. It will probably cost you about 15-20 USD for 2 years; the longer the term, the cheaper it is. It is basically the domain cost only.

What you get from Cloudflare is security features which you should take advantage of since you’re exposing your instance to the internet. Using the FREE tier you get:

  • Cloudflare acts as a proxy, the IP resolved from your hostname does NOT point to your public IP. It will be pointing to Cloudflare servers. This is HIGHLY desirable.

  • You get DNSSEC

  • Firewall rules. Managed rules (you get protected from HTTP, UDP, SYN, ACK and QUIC floods), firewall rules (block known bots, block based on the threat score of an IP).
    In my case I block ALL bots and just allow Google and UptimeRobot bots to reach my instance so I can use Google Assistant. I do a JavaScript challenge for low-threat-score IPs and block high threat scores (IPs known for malicious activity). I have also blocked or put a challenge on HIGH risk countries such as Ukraine, Russia, China. You can have rate limiting, so if any IP exceeds a threshold limit it will be blocked; this is highly effective. You can also block specific user agents.

  • Cloudflare access. This is VERY good, but you’re limited to 5 users. Basically you can have an extra authentication step in Cloudflare, so anyone using your domain MUST authenticate. You can add exceptions to Cloudflare access, in this case I added Google API and UptimeRobot IPs as an exception so they do NOT have to authenticate.
    You will run into this authentication page, you can authenticate via several methods as per below and more. I can either get a “magic” link to authenticate without putting any codes, getting a code on my email or use other methods like FB or Google authentication.


    You can also create page rules to disable or enable features based on the URL. So you can expose specific URLs.

Once you’ve done such things you can basically DROP everything in your firewall that is NOT coming from Cloudflare servers, you only allow stuff coming from their proxy servers. Everything will have to go through Cloudflare including API calls, webhooks, etc but you get the extra layers of security.

Or you can also disable the proxy feature in Cloudflare and let everything go straight to your instance, let it be just a DNS resolver. Basically what DuckDns is doing.

As an extra you get one free wildcard certificate, analytics, FAST DNS resolver, and additional modes if you think you’re getting hacked. Also they do some black magic to speed up everything. Not a pro in this, just got started but I am more than happy with the features.

So basically anyone running into a HA instance will run into the Cloudflare firewall (dangerous IPs, bots, high risk countries and others get blocked or challenged based on the risk), then Cloudflare Access authentication, then you can reach your instance. Authentication can be saved so you do it once from known clients.

And anyone trying to reach you by IP address directly will be dropped by your firewall since only Cloudflare servers will be whitelisted.

I have a bunch of subdomains for several services like NextCloud, PLEX, HA, Unifi, CCTV system, etc. Definitely not a must have, but a really nice thing to have.

I’ve thought about using Cloudflare but it seems too complex. Using Caddy, I currently have around 10 subdomains (working with DNS validation, not using port 80). I just don’t see a reason to change.