Correct nginx config for remote access

I need some help getting my HA and nginx config correct.

I have my own domain, going through Cloudflare to a local install of nginx.

Home Assistant OS as a VM in Proxmox (192.168.50.14)
Nginx Proxy Manager as an LXC in Proxmox (192.168.50.17)

I have updated the HA URL to my own URL and it says “External Access Enabled”.
I set up a proxy host in nginx to point to HA.
I accessed HA from the URL (from an external source); initially I got the 400 error as expected.

This is where I’ve read a lot of conflicting info.

I added the following to configuration.yaml:

http:
    use_x_forwarded_for: true
    trusted_proxies: 192.168.50.17

In nginx I added the following config.

I also enabled “websockets support”.

The issue I now have is that, whilst the HA login page loads fine, 80% of the time when I enter a correct user/password I get bounced back to the login page saying “start over”. Using the same user/password when accessing locally has zero issues. The other 20% of the time it does accept the user/password and logs in all OK.

The logs show it as an invalid login attempt, but it’s not, as the user/password is correct:

WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 162.158.33.231 (162.158.33.231)

I’m assuming I still have a config issue in either HA or nginx.
Can anyone advise?

Can anyone help?

There’s nothing wrong with HA, if there was then you’d get an error about untrusted proxy.

What does the text of your NGINX config look like?

Well, clearly something is wrong somewhere, as it’s looping back to “start over” when using a correct user/password when connecting remotely.

Not sure what you mean by what the text looks like.
I use Nginx Proxy Manager so everything is configured via the UI.

The original post shows the config for the Home Assistant host.

And it creates a text file that NGINX uses.

That text file is more helpful than some limited screenshots.

map $scheme $hsts_header {
    https   "max-age=63072000; preload";
}

server {
  set $forward_scheme http;
  set $server         "192.168.50.14";
  set $port           8123;

  listen 80;
listen [::]:80;

listen 443 ssl http2;
listen [::]:443 ssl http2;


  server_name <redacted>;


  # Let's Encrypt SSL
  include /etc/nginx/conf.d/include/letsencrypt-acme-challenge.conf;
  include /etc/nginx/conf.d/include/ssl-ciphers.conf;
  ssl_certificate /etc/letsencrypt/live/npm-4/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/npm-4/privkey.pem;

Nothing there shows websockets are enabled.

Sorry, just realised I didn’t paste the full file.
2 seconds and I’ll get the full file.

map $scheme $hsts_header {
    https   "max-age=63072000; preload";
}

server {
  set $forward_scheme http;
  set $server         "192.168.50.14";
  set $port           8123;

  listen 80;
listen [::]:80;

listen 443 ssl http2;
listen [::]:443 ssl http2;

  server_name <redacted>;

  # Let's Encrypt SSL
  include /etc/nginx/conf.d/include/letsencrypt-acme-challenge.conf;
  include /etc/nginx/conf.d/include/ssl-ciphers.conf;
  ssl_certificate /etc/letsencrypt/live/npm-4/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/npm-4/privkey.pem;

  # Block Exploits
  include /etc/nginx/conf.d/include/block-exploits.conf;

    # Force SSL
    include /etc/nginx/conf.d/include/force-ssl.conf;

proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_http_version 1.1;

  access_log /data/logs/proxy-host-5_access.log proxy;
  error_log /data/logs/proxy-host-5_error.log warn;

  location / {
    proxy_set_header    Upgrade     $http_upgrade;
proxy_set_header    Connection  "upgrade";

    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Scheme $scheme;
    proxy_set_header X-Forwarded-Proto  $scheme;
    proxy_set_header X-Forwarded-For    $remote_addr;
    proxy_set_header X-Real-IP		$remote_addr;

    set $proxy_forward_scheme http;
    set $proxy_server         "192.168.50.14";
    set $proxy_port           8123;

    proxy_pass       $proxy_forward_scheme://$proxy_server:$proxy_port;

  # Block Exploits
  include /etc/nginx/conf.d/include/block-exploits.conf;

    # Force SSL
    include /etc/nginx/conf.d/include/force-ssl.conf;

    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_http_version 1.1;
    
  }

  # Custom
  include /data/nginx/custom/server_proxy[.]conf;
}

I have uploaded the full content of the config file; the original upload wasn’t complete.
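An added illustration for this thread (not code from Home Assistant or Nginx Proxy Manager) that ties the configuration.yaml and log line from the first post to the NPM config pasted above: it reads the `X-Forwarded-For` setting out of the `location /` block, evaluates that nginx variable for a request arriving from the edge proxy, and then walks the header the way a trusted-proxy middleware does (right to left, skipping trusted hops) to find the address a failed login gets attributed to. With `$remote_addr`, the header carries only the edge address, which is why the ban warning names 162.158.33.231 rather than the visitor. The walk is a simplified model of the usual rule, not HA’s own implementation; the visitor address 203.0.113.9 and the `162.158.0.0/15` trusted range are constructed for the example (check the edge provider’s published ranges before trusting any of them).

```python
"""Added illustration (not HA or NPM code): what client address reaches HA
through the pasted NPM config, and how a trusted-proxy walk resolves it."""
import re
from ipaddress import ip_address, ip_network

# Constructed excerpt of the NPM-generated `location /` block from the thread.
NPM_LOCATION = """
  location / {
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Proto  $scheme;
    proxy_set_header X-Forwarded-For    $remote_addr;
    proxy_set_header X-Real-IP          $remote_addr;
    proxy_pass       http://192.168.50.14:8123;
  }
"""

HEADER_RE = re.compile(r"proxy_set_header\s+(\S+)\s+(\S+)\s*;")


def forwarded_for_setting(config_text):
    """Return the nginx value assigned to X-Forwarded-For (last one wins)."""
    value = None
    for name, val in HEADER_RE.findall(config_text):
        if name.lower() == "x-forwarded-for":
            value = val
    return value


def render_forwarded_for(setting, peer, incoming_xff):
    """Evaluate the two common settings for a request from `peer` that
    carried `incoming_xff` (None when no header arrived)."""
    if setting == "$remote_addr":
        return peer                        # overwrites whatever came in
    if setting == "$proxy_add_x_forwarded_for":
        return f"{incoming_xff}, {peer}" if incoming_xff else peer
    raise ValueError(f"unsupported setting {setting!r} in this model")


def resolve_client_ip(peer, xff_header, trusted_proxies):
    """Right-to-left walk: the first hop that is not a trusted proxy is the
    client. A forwarded header from an untrusted peer is rejected, matching
    the 400 the thread mentions before trusted_proxies was set."""
    nets = [ip_network(n, strict=False) for n in trusted_proxies]
    is_trusted = lambda ip: any(ip in net for net in nets)
    if not xff_header:
        return peer
    if not is_trusted(ip_address(peer)):
        raise ValueError("X-Forwarded-For received from untrusted proxy")
    hops = [ip_address(h.strip()) for h in xff_header.split(",")]
    for hop in reversed(hops):
        if not is_trusted(hop):
            return str(hop)
    return str(hops[0])                    # every hop trusted: take left-most


BAN_RE = re.compile(r"invalid authentication from (\S+) \((\S+)\)")


def parse_ban_warning(line):
    """Pull the address HA attributed a failed login to out of a ban warning."""
    m = BAN_RE.search(line)
    return m.group(1) if m else None


def what_ha_sees(config_text, edge_peer, incoming_xff, trusted_proxies,
                 npm_addr="192.168.50.17"):
    """Config -> header NPM sends -> address HA attributes the request to."""
    header = render_forwarded_for(forwarded_for_setting(config_text),
                                  edge_peer, incoming_xff)
    return resolve_client_ip(npm_addr, header, trusted_proxies)


if __name__ == "__main__":
    # Constructed request: the edge at 162.158.33.231 (address from the log
    # line) forwards a visitor at 203.0.113.9 (documentation address).
    print(what_ha_sees(NPM_LOCATION, "162.158.33.231", "203.0.113.9",
                       ["192.168.50.17"]))
    # Same request if the header were $proxy_add_x_forwarded_for and the edge
    # range were listed as trusted (the /15 is assumed for illustration only).
    alt = re.sub(r"(X-Forwarded-For\s+)\S+;",
                 r"\1$proxy_add_x_forwarded_for;", NPM_LOCATION)
    print(what_ha_sees(alt, "162.158.33.231", "203.0.113.9",
                       ["192.168.50.17", "162.158.0.0/15"]))
```

The point for a defender is that the per-IP login-failure counter is keyed on whatever `resolve_client_ip` returns: when every remote request arrives labelled with the edge address, all visitors share one counter, so bans and log entries describe the edge rather than the visitor.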

Thanks.

The indenting is all over the place, but I don’t think that matters for NGINX’s config file. I don’t see any obvious problems.

So what is the cause of the “start over” and a log showing invalid login when I’m using a correct user/pass when attempting to connect remotely?

I just tested it again.
1st attempt resulted in the “start over”.
2nd attempt resulted in a successful login.

Both attempts used the same user/password.

The only reasons HA has to reject login are:

  1. If the IP is banned
  2. If the credentials are wrong

All I can assume is that there’s something funky going on with NGINX

Just tested it again.

1st attempt results in the “start over”.
2nd attempt resulted in a successful login.

This now seems to be reproducible, i.e. it’s not as random as first thought.
I have been able to reproduce this multiple times now, i.e. 1st attempt fails, 2nd attempt works.

Neither of those would give a “start over” prompt though? They would give the standard “wrong login details” prompt?