Docker SSL proxy with docker

I use HomeAssistant on a machine that ‘lives’ behind an Nginx reverse proxy that handles SSL offloading. See: Nginx automatic SSL offloading proxy

My external domain points to the reverse proxy that is running on another machine than the HA docker runs on. So I have

Machine 1:

  • is connected to my domain name
  • runs docker SSL offloading proxy with lets encrypt
  • runs a custom nginx proxy in docker to reroute traffic to machine 2:

Machine 2:

  • runs Home Assistant on docker

Home assist works fine if I connect directly on the local IP 10.0.0.15:8123. I have configured a password, so I have to log in, and that works fine.

If I try to connect from the outside world on my domain I also get the very same login screen and see that my SSL and routing works.

However, I will not be able to login…
I tried to peek at what is happening and noticed that a websocket is tried, and my Firefox console says 'Firefox can not connect to wss://homeAssist.mydomain.com/api/websocket'.

So it seems the nginx proxy cannot make the switch to websocket?

Here is how I start the proxy on server 1:

docker run --name home.dwii -p 8123:80 -d --restart=always \
  -v /etc/nginx/apps/homeAssistant:/etc/nginx/conf.d \
  -e VIRTUAL_HOST=<my home assist url .> \
  -e LETSENCRYPT_HOST=<my home assist url .> \
  -e LETSENCRYPT_EMAIL=<my domain email .>

This will then cause the docker nginx config generator to generate and start the SSL configuration.

/etc/nginx/conf.d will look like:

proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;

server {
    server_name <my home assist url .>;
    listen 80 ;
    location / {
        proxy_pass http://10.0.0.15:8123;
    }
}

Use this sample for nginx config. It works. Just add your IP and website

Make sure the server is not blocked. Check banned_ip.yaml if you have this. It will cause OK local connection but NG nginx proxy if the docker IP gets blocked.

Thanks for your reply, but not exactly my situation. Found the solution anyway:

Since I was using the Letsencrypt nginx proxy generator, the generator is in charge of creating the files. So I found a solution by adding host-specific configurations in vhost.d. Here is my complete solution:

Server A (running HomeAssistant)

================================

docker run -d -p 8080:8123 --name home-assistant --net=host --restart=always --device=/dev/ttyACM0 -v /opt/homeAssistant:/config -v /etc/localtime:/etc/localtime:ro homeassistant/home-assistant

Server B (Running Proxy and SSL)

================================

Proxy

docker run --name nginx-proxy \
  -p 80:80 -p 443:443 -d --restart=always \
  -v /etc/nginx/conf.d -v /etc/nginx/vhost.d -v /usr/share/nginx/html \
  -v /etc/nginx/certs/:/etc/nginx/certs:ro \
  --label com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy nginx

config-generator

(First create template using the following command)

curl https://raw.githubusercontent.com/jwilder/nginx-proxy/master/nginx.tmpl > /etc/nginx/templates/nginx.tmpl

(then start the configurator)

docker run --name nginx-config-gen \
  -d --restart=always --volumes-from nginx-proxy \
  -v /etc/nginx/templates/:/etc/docker-gen/templates/:ro \
  -v /var/run/docker.sock:/tmp/docker.sock:ro \
  --label com.github.jrcs.letsencrypt_nginx_proxy_companion.docker_gen \
  jwilder/docker-gen -notify-sighup nginx-proxy -watch -wait 5s:30s \
  /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf

SSL companion

docker run --name nginx-letsencrypt \
  -d --restart=always --volumes-from nginx-proxy \
  -v /etc/nginx/certs/:/etc/nginx/certs:rw \
  -v /var/run/docker.sock:/var/run/docker.sock:ro \
  jrcs/letsencrypt-nginx-proxy-companion

Create a folder for your forwarder app:

sudo mkdir /etc/nginx/apps/ (replace with the url of your server without https://)

Add a file named default.conf with the following contents:

map $http_upgrade $connection_upgrade {
  default upgrade;
  '' close;
}

gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;


#proxy_set_header X-Real-IP $remote_addr;
#proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
#proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
#proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;


server {
    server_name <yourURL>;
    listen 80 ;
    proxy_buffering off;

    location / {
        proxy_pass http://10.0.0.15:8123;
        proxy_set_header Host $host;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}

And then add some config to /etc/nginx/vhost.d/ (that will be added to the template)

{ echo 'map $http_upgrade $proxy_connection {default upgrade; "" close;}'
} > /etc/nginx/vhost.d/

{ echo 'proxy_set_header Host $host;'
echo 'proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;'
echo 'proxy_set_header Upgrade $http_upgrade;'
echo 'proxy_set_header Connection $proxy_connection;'
} > /etc/nginx/vhost.d/_location

Finally start proxy forwarder

docker run --name homeAssistant \
  -p 8123:80 -d --restart=always \
  -v /etc/nginx/apps/:/etc/nginx/conf.d \
  -e VIRTUAL_HOST= -e LETSENCRYPT_HOST= -e LETSENCRYPT_EMAIL= nginx

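The difference between the first config in this thread and the final one can be checked mechanically. The following is an added example, not code from the thread or from the nginx-proxy project; it also models nginx's rule that a block defining any `proxy_set_header` of its own inherits none from the enclosing level. The function name `websocket_findings` and the sample strings are constructed here, and the check assumes well-formed input in which outer-level directives appear before the nested blocks.

```python
import re

# Constructed from the two configs posted in the thread (server_name/listen omitted).
BEFORE = """
proxy_http_version 1.1;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
server { location / { proxy_pass http://10.0.0.15:8123; } }
"""
AFTER = """
map $http_upgrade $connection_upgrade { default upgrade; '' close; }
server { location / {
    proxy_pass http://10.0.0.15:8123;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
} }
"""

def websocket_findings(conf):
    """Return [(proxy_pass target, [problems])] for every block that proxies."""
    tokens = re.findall(r"[{};]|'[^']*'|\"[^\"]*\"|[^\s{};]+", re.sub(r"#.*", "", conf))
    # scope = [proxy_http_version, headers sent upstream, set at this level?, target]
    stack, words, out = [[None, {}, False, None]], [], []
    for tok in tokens:
        if tok not in ("{", "}", ";"):
            words.append(tok)
            continue
        scope = stack[-1]
        if tok == "{":  # nested block starts with the enclosing level's settings
            stack.append([scope[0], scope[1], False, None])
        elif tok == "}":
            version, headers, _, target = stack.pop()
            if target:
                probs = [] if version == "1.1" else ["proxy_http_version is not 1.1"]
                probs += [f"{h} header not forwarded"
                          for h in ("Upgrade", "Connection") if h.lower() not in headers]
                out.append((target, probs))
        elif words and words[0] == "proxy_http_version":
            scope[0] = words[1]
        elif words and words[0] == "proxy_pass":
            scope[3] = words[1]
        elif words and words[0] == "proxy_set_header":
            if not scope[2]:  # first header here discards all inherited headers
                scope[1], scope[2] = {}, True
            scope[1][words[1].lower()] = words[2]
        words = []
    return out
```

Running it over `BEFORE` reports both missing headers for `http://10.0.0.15:8123`, while `AFTER` comes back clean.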