Community Hass.io Add-on: Nginx Proxy Manager


Does this add-on support WSS websockets via a custom config? I have a program running locally that I’d like to access remotely via NPM but it would require WSS. Here’s a sample Nginx config, I’m just wondering if this would be fully supported in the add-on: https://github.com/nicokaiser/nginx-websocket-proxy/blob/911db2f242dae32aa767ea034d06a09b454f955d/simple-wss.conf

Hello, I've got my hassio working fine with SSL; now I'd like to build a personal cloud and it's listening on 443 like hassio. With this nginx, can I forward the traffic on 443 from a specified domain to a specified IP address? (my router permits port forwarding only for one IP)
Thanks in advance

Time for a new router :wink: but yeah, it should work - nginx reads the address you entered,
for example https://community.home-assistant.io, and redirects the request to 192.167.8.12:8123;
https://demo.home-assistant.io goes to 192.167.8.242:8123 and so on

Ahahahah, you're right! I need a new router but nginx is cheaper :smile:
However, thanks for the answer, I'll try.
If I install nginx I won't have problems with my current SSL configuration, right?

Stuck on the same step.
I even tried to follow this:

but still no luck. I always get a timeout.
But the strangest thing is that even inside my network, on the Nginx Proxy Manager, if I click my new host the redirection to the hassio IP doesn't work.
I'm missing something.

I shot a PM your way, Bruno. If you’re still having issues, I can tell you what I ran into with my particular setup that might have been causing the problem. Just let me know.

I get this error in the log:

[8/17/2019] [3:35:40 PM] [Global   ] › ℹ  info      PID 1435 listening on port 81 …
[8/17/2019] [3:37:24 PM] [SSL      ] › ℹ  info      Renewing Let'sEncrypt certificates for Cert #6: mysite.duckdns.org
[8/17/2019] [3:37:29 PM] [Express  ] › ⚠  warning   Command failed: /usr/bin/certbot renew -n --force-renewal --disable-hook-validation --cert-name "npm-6"
Saving debug log to /data/logs/letsencrypt/letsencrypt.log
No certificate found with name npm-6 (expected /etc/letsencrypt/renewal/npm-6.conf).

Maybe something to do with certificates?
So far the duckdns domain just forwards me to the router.

One funny thing is that I manually changed the hosts file to force mysite.duckdns.org to go to the hassio IP and, bum, ERR_connection closed. Deleting this entry, I'm always routed to the router IP address.

Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. mysite.duckdns.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: unknownHost :: No valid IP addresses found for mysite.duckdns.org

Hey guys,
I'm convinced my problem is the firewall (not sure how, because I deleted all rules and it still didn't work) or something with the router itself.
I get all the errors above using any of these add-ons (Nginx, certbot or Let's Encrypt). All fail in getting a certificate.

Did anyone get similar problems with EdgeRouter?
Would this be a solution?

Thanks!

I have a Ubiquiti USG; I only set the port redirection for HTTP (80) and HTTPS (443) to my Hassio NGINX Proxy Manager on its respective ports 80 and 443 (default ports for the add-on). Make sure you forward both ports correctly, I think both ports are used for the SSL certificate challenge.

Then on the hosts page I just set, for Home Assistant, a redirect of my domain, i.e. ha.whatever.com, to my internal IP 192.168.0.XXX on port 8123. After that I just click create, then I edit it and enable SSL, letting it create the SSL certificate.
Once it creates the certificate successfully, I click on edit again and enable the "Force SSL" option. Sometimes if I tried to do the whole thing in one step it would fail.

Also I removed the "Base URL" from my configuration.yaml, otherwise it would create conflicts when calling internally or externally, so I just commented that line out.

It might be. The hass.io core duckdns addon also does DNS challenge and doesn’t require port 80 to be open. Also, with a bit of help, I just cracked using the Caddy addon with DNS challenge as well so now on my router, only port 443 is open. (Note the LetsEncrypt addon and probably NGINX here require port 80 for the certificates)


You're spot on. I just checked: LetsEncrypt (and anything using certbot, and most ACME clients) uses port 80 by default.

There are workarounds like the DNS challenge, but you will most likely have to do it manually and play with the DNS zone records. I think in DuckDNS you will only be able to do this for one domain/subdomain as you only have one TXT record.
https://jmorahan.net/article/lets-encrypt-without-port-80


At this point I recommend you dump DuckDNS and get your own domain on Cloudflare; having your own domain with Cloudflare as DNS makes everything work effortlessly and more securely. It will probably cost you about 15-20 USD for 2 years; the longer the term, the cheaper it is. It is basically the domain cost only.

What you get from Cloudflare is security features, which you should take advantage of since you're exposing your instance to the internet. Using the FREE tier you get:

  • Cloudflare acts as a proxy, the IP resolved from your hostname does NOT point to your public IP. It will be pointing to Cloudflare servers. This is HIGHLY desirable.

  • You get DNSSEC

  • Firewall rules. Managed rules (you get protected from HTTP, UDP, SYN, ACK and QUIC floods) and firewall rules (block known bots, block based on the threat score of an IP).
    In my case I block ALL bots and just allow Google and UptimeRobot bots to reach my instance so I can use Google Assistant. I do a JavaScript challenge for low-threat-score IPs and block high-threat-score ones (IPs known for malicious activity). I have also blocked or put a challenge on high-risk countries such as Ukraine, Russia and China. You can have rate limiting, so if any IP exceeds a threshold limit it will be blocked; this is highly effective. You can also block specific user agents.

  • Cloudflare Access. This is VERY good, but you're limited to 5 users. Basically you can have an extra authentication step in Cloudflare, so anyone using your domain MUST authenticate. You can add exceptions to Cloudflare Access; in this case I added the Google API and UptimeRobot IPs as exceptions so they do NOT have to authenticate.
    You will run into this authentication page; you can authenticate via several methods as per below and more. I can either get a "magic" link to authenticate without entering any codes, get a code on my email, or use other methods like FB or Google authentication.


    You can also create page rules to disable or enable features based on the URL. So you can expose specific URLs.

Once you've done such things you can basically DROP everything in your firewall that is NOT coming from Cloudflare servers; you only allow traffic coming from their proxy servers. Everything will have to go through Cloudflare, including API calls, webhooks, etc., but you get the extra layers of security.

Or you can also disable the proxy feature in Cloudflare and let everything go straight to your instance, letting it be just a DNS resolver. Basically what DuckDNS is doing.

As an extra you get one free wildcard certificate, analytics, a FAST DNS resolver, and additional modes if you think you're getting hacked. Also they do some black magic to speed everything up. Not a pro in this, just got started, but I am more than happy with the features.

So basically anyone running into an HA instance will run into the Cloudflare firewall (dangerous IPs, bots, high-risk countries and others get blocked or challenged based on the risk), then Cloudflare Access authentication, and then you can reach your instance. Authentication can be saved so you do it once from known clients.

And anyone trying to reach you by IP address directly will be dropped by your firewall since only Cloudflare servers will be whitelisted.

I have a bunch of subdomains for several services like NextCloud, PLEX, HA, Unifi, CCTV system, etc. Definitely not a must have, but a really nice thing to have.

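
The "drop everything not from Cloudflare" step in the post above is usually done at the router, but it is worth enforcing at the proxy too, and the proxy additionally has to recover the real visitor address (otherwise Home Assistant logs every login attempt as coming from a Cloudflare edge and its login-attempt limiting is useless). Below is an added nginx fragment that is not from the post and not the add-on's generated file; the CIDRs are a short illustrative subset of Cloudflare's published ranges (https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6) and must be replaced by the full current list, and hostnames and addresses are placeholders.

```nginx
# Added example; not from the thread or the add-on. Replace the CIDRs with the full current
# Cloudflare list and keep them updated; the three below are only illustrative.

# 1. Trust CF-Connecting-IP only when the TCP peer is a Cloudflare edge. After this, $remote_addr
#    is the real visitor and $realip_remote_addr still holds the edge address.
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 2400:cb00::/32;
real_ip_header   CF-Connecting-IP;

# 2. Classify the TCP peer, NOT the rewritten $remote_addr, so a forged header cannot pass the check.
geo $realip_remote_addr $from_cloudflare {
    default          0;
    173.245.48.0/20  1;
    103.21.244.0/22  1;
    2400:cb00::/32   1;
}

server {
    listen 443 ssl http2;
    server_name ha.example.com;   # placeholder

    ssl_certificate     /etc/letsencrypt/live/ha.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ha.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # 3. Anyone who found the origin IP and connects directly has the connection closed without a reply.
    if ($from_cloudflare = 0) {
        return 444;
    }

    location / {
        proxy_pass http://192.168.0.10:8123;   # placeholder LAN address of Home Assistant
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host       $host;
        # $remote_addr is the visitor now (step 1), so that is what Home Assistant should be told
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

The `if` + `return` form is the one safe use of `if` in an nginx `server` block. Source-address checks only hold while the IP list is current, so treat refreshing it as part of the setup; a stronger option is Cloudflare's "Authenticated Origin Pulls", where the edge presents a client certificate that nginx verifies with `ssl_verify_client on` and `ssl_client_certificate`, which does not depend on the address list at all.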

I've thought about using Cloudflare but it seems too complex. Using Caddy, I currently have around 10 subdomains (working with DNS validation, not using port 80). I just don't see a reason to change.

Got the same problem, did you solve it?
My error is this:


[8/24/2019] [1:45:20 PM] [SSL      ] › ℹ  info      Revoking Let'sEncrypt certificates for Cert #8: xxx-docker.duckdns.org
[8/24/2019] [1:45:25 PM] [SSL      ] › ℹ  info      Renewing Let'sEncrypt certificates for Cert #9: xxx-docker.duckdns.org
[8/24/2019] [1:45:26 PM] [Express  ] › ⚠  warning   Command failed: /usr/bin/certbot renew -n --force-renewal --disable-hook-validation --cert-name "npm-9" 
Saving debug log to /data/logs/letsencrypt/letsencrypt.log
No certificate found with name npm-9 (expected /etc/letsencrypt/renewal/npm-9.conf).

Never got it working properly …
So removed it, lol

Having a big problem now: I can't access my xxx.duckdns.org and can't renew my certificate from the ADDON (and any other mode is not working either). Any clue?

[email protected]:/data/logs/letsencrypt$ cat letsencrypt.log
2019-09-06 08:31:41,104:DEBUG:certbot.main:certbot version: 0.30.2
2019-09-06 08:31:41,105:DEBUG:certbot.main:Arguments: ['-n', '--force-renewal', '--disable-hook-validation', '--cert-name', 'npm-4']
2019-09-06 08:31:41,106:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-09-06 08:31:41,131:DEBUG:certbot.log:Root logging level set at 20
2019-09-06 08:31:41,132:INFO:certbot.log:Saving debug log to /data/logs/letsencrypt/letsencrypt.log
2019-09-06 08:31:41,134:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.30.2', 'console_scripts', 'certbot')()
  File "/usr/lib/python3.6/site-packages/certbot/main.py", line 1364, in main
    return config.func(config, plugins)
  File "/usr/lib/python3.6/site-packages/certbot/main.py", line 1271, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python3.6/site-packages/certbot/renewal.py", line 394, in handle_renewal_request
    conf_files = [storage.renewal_file_for_certname(config, config.certname)]
  File "/usr/lib/python3.6/site-packages/certbot/storage.py", line 51, in renewal_file_for_certname
    "{1}).".format(certname, path))
certbot.errors.CertStorageError: No certificate found with name npm-4 (expected /etc/letsencrypt/renewal/npm-4.conf).
[email protected]:/data/logs/letsencrypt$ ^C
[email protected]:/data/logs/letsencrypt$

Anybody also using the Wireguard addon?

How do you configure the NGINX Proxy Manager addon to listen on port 51820 for Wireguard to function? I’m assuming it’s something to do with either ‘custom locations’ or something to add in the advanced options, but I have no idea what to change/add.

Any help would be appreciated. :slightly_smiling_face:

Thanks!

Not even sure what you are asking because the 2 things are unrelated. You need to forward UDP port 51820 just like you forwarded TCP ports 80 and 443 for Nginx Proxy Manager.

Hello. I am trying to enable external access to the Home Assistant API without external access to the UI.

Can I do it with this add-on?

I use DDNS and forwarded a port from my router to port 80 (used by the Nginx Proxy Manager add-on). How can I add a proxy host to enable access only to http://ip_address:8123/api/?

I think I figured it out.
To allow access only to http://ip_address:8123/api/

  1. I added a custom location / with forward hostname and port homeassistant 8123 and additional options:
deny all;
return 404;
  2. I added a custom location /api/ with hostname and port homeassistant/api/ 8123

Seems to work.
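
The same two custom locations written out as raw nginx, as an added example that is not the poster's configuration and not the add-on's generated file. It also closes the gap the two locations leave on their own: a `location /api/` prefix matches `/api/websocket` (the WebSocket API, which gives full control of the instance) and `/api/hassio/` (the Supervisor API) as well as the REST endpoints, so those are carved back out. `homeassistant` is the add-on network alias used in the post; the hostname and certificate paths are placeholders.

```nginx
# Added example; not from the thread or the add-on. Placeholders: ha.example.com, cert paths.
server {
    listen 443 ssl http2;
    server_name ha.example.com;

    ssl_certificate     /etc/letsencrypt/live/ha.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ha.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Default for the whole host: nothing, and no hint that anything exists behind it.
    # (A "deny all;" here would never fire: "return" runs in the rewrite phase, before access checks.)
    location / {
        return 404;
    }

    # Longest prefix wins, so /api/... comes here rather than to "location /" above.
    location /api/ {
        # No URI after the port: the client's path is forwarded unchanged (/api/states, /api/services/...).
        proxy_pass http://homeassistant:8123;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # Deliberately no Upgrade/Connection headers: a WebSocket handshake cannot complete through here.
    }

    # Exact match beats the prefix above: the WebSocket API stays unreachable even with an upgrade header.
    location = /api/websocket {
        return 404;
    }

    # Longer prefix beats /api/: keep the Supervisor API off the internet.
    location /api/hassio/ {
        return 404;
    }
}
```

What remains reachable is the REST API, which still requires a Bearer token on every request; long-lived access tokens created in the HA profile page work with this layout, but OAuth refresh flows need `/auth/token`, which this configuration (correctly, for the stated goal) does not expose.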