Connection issues with Nginx proxy

Hi there, I have an HA OS instance running in my LAN and I can access it perfectly via its internal IP on the LAN. I have also set up an nginx reverse proxy on my router (gateway) that handles requests from “outside” to services in my LAN (HA, Nextcloud, …) based on the requested subdomain. Nginx has a valid SSL cert and the encrypted connection ends here (at the nginx proxy); from there it is forwarded into the LAN unencrypted.

And here is the problem:

When I access HA from outside via http: the page (frontend) loads perfectly.
But when I go via https: the frontend (even the login page) is broken. Sometimes the frontend doesn't load at all, sometimes pieces of the page are missing. The zigbee2mqtt panel never loads!

Other services like Nextcloud and Portainer work perfectly.

So nginx is working perfectly when handling connections without SSL, but with SSL I'm observing some connection losses (not all JS requests can be loaded).

I'm not an expert in nginx conf, but I have followed many guides (also here) and none of them works.

I'm attaching part of my configuration.yaml and my nginx configuration…

server {
    listen 80;
    listen 443 ssl;

    server_name hass.xxx.xxx.net;

    ssl_certificate /root/.acme.sh/xxx.xxx.net/xxx.xxx.net.cer;
    ssl_certificate_key /root/.acme.sh/xxx.xxx.net/xxx.xxx.key;

    proxy_buffering off;

    location / {
        proxy_pass http://192.168.1.233:8123/;
        proxy_set_header Host $host;
        proxy_redirect http:// https://;
        proxy_http_version 1.1;
        #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}

Note: I had commented out X-Forwarded-For because with it enabled it was throwing error 400 Bad Request.

# Loads default set of integrations. Do not remove.
default_config:

# Load frontend themes from the themes folder
frontend:
  themes: !include_dir_merge_named themes

homeassistant:
  external_url: https://hass.xxx.xxx.net
  internal_url: http://192.168.1.233:8123

python_script:

#NGINX proxy setting 

http: 
  use_x_forwarded_for: true 
  cors_allowed_origins: https://hass.xxx.xxx.net
  trusted_proxies: 
    - 191.168.1.1
  server_port: 8123

automation: !include automations.yaml
script: !include scripts.yaml
scene: !include scenes.yaml

Any suggestions are welcome.
Thanks. Andrej.

I use nginx proxy manager.

Makes everything super easy via a UI and integrates with Let's Encrypt to get your SSL certs.

OK, I solved it and enabled “proxy_set_header”. I had a typo in “trusted_proxies”: 191, it should be 192. So now I have also enabled proxy_set_header, but it didn't solve my main problem…
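
As an added example (not part of the original posts): a small Python check of a `trusted_proxies` list against the reverse proxy's LAN address, flagging the kind of one-octet typo described above. The function name `audit_trusted_proxies` and the sample inputs are constructed for illustration; the proxy address 192.168.1.1 is assumed from the correction in this thread.

```python
import ipaddress


def audit_trusted_proxies(trusted_proxies, proxy_ip):
    """Return (proxy_is_trusted, warnings) for a trusted_proxies list."""
    peer = ipaddress.ip_address(proxy_ip)
    trusted, warnings = False, []
    for entry in trusted_proxies:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            warnings.append(f"{entry}: not a valid IP address or CIDR network")
            continue
        if peer in net:
            trusted = True
        # An entry outside private address space lets a host that is not on
        # the LAN set X-Forwarded-For and so choose the client IP HA records.
        if not net.is_private:
            warnings.append(f"{entry}: not a private address, check for a typo")
        # Single-host entry one octet away from the real proxy: likely typo.
        single_host = net.prefixlen == net.max_prefixlen
        if single_host and net.version == peer.version and peer not in net:
            pairs = zip(net.network_address.packed, peer.packed)
            if sum(a != b for a, b in pairs) == 1:
                warnings.append(f"{entry}: differs from proxy {peer} in one octet")
    if not trusted:
        # Matches the symptom in this thread: 400 Bad Request once the proxy
        # sends X-Forwarded-For from an address that is not in the list.
        warnings.append(f"proxy {peer} is not covered by trusted_proxies")
    return trusted, warnings


if __name__ == "__main__":
    # Constructed inputs: the list as posted, then the corrected list.
    for proxies in (["191.168.1.1"], ["192.168.1.1"]):
        ok, notes = audit_trusted_proxies(proxies, "192.168.1.1")
        print(proxies, "trusted" if ok else "NOT trusted")
        for note in notes:
            print("  -", note)
```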

Try adding:

    location /api/websocket {
        proxy_pass http://YOUR HA IP:8123/api/websocket;
        proxy_set_header Host $host;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

    }

Hi, unfortunately it didn't make any difference…

Here’s my full, working config:

server {
    server_name  home.mydomain.com;

    location / {
        proxy_pass http://192.168.0.104:8123/;
        proxy_set_header Host $host;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location /api/websocket {
        proxy_pass http://192.168.0.104:8123/api/websocket;
        proxy_set_header Host $host;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/home.mydomain.com/fullchain.pem; # managed by Certbot

No change, still the same issue… I think there would be some SSL configuration problem, because http traffic is working as expected.

OK, I found the problem. I had the http2 module enabled (don’t know why, maybe it’s a specific configuration of the OpenWrt version of nginx) and that causes the issue with some connections being closed before they load.
Is there someone here who can explain a little bit more why HA is incompatible with the HTTP/2 protocol?

Anyway, thank you all guys for your help…