Docker SSL proxy with docker

pdwonline · November 18, 2017, 10:23pm

I use HomeAssistant on a machine that ‘lives’ behind an Nginux reverse proxy that handles SSL offloadning. see: Nginx automatic SSl ofloading proxy

My external domain points to the reverse proxy that is running on another machine than the HA docker runs on. So I have

machine 1:

is connected to my domain name
runs docker SSL offloading proxy with lets encrypt
runs a custom nginx proxy in docker to reroute traffic to machine 2:

Machine 2:

runs Home Assistant on docker

Home assist works fine if I connect directly on the local IP 10.0.0.15:8123, I have configured a password, su I have to login an that works fine.

If I try to connect from the outside world on my domain I also get the very same login screen and see that my SSL and routing works.

However, I will not be able to login…
I tried to peek what is happening and noticed that a websocket is tried and my firefox console says 'Firefox can not connect to wss://homeAssist.mydomain.com/api/websocket

So it seems nginx proxy cannot make the switch to sebsocket?

Here is how I start the proxy on server 1:

docker run --name home.dwii -p 8123:80 -d --restart=always
-v /etc/nginx/apps/homeAssistant:/etc/nginx/conf.d
-e VIRTUAL_HOST=<my home assist url .>
-e LETSENCRYPT_HOST=<my home assist url .>
-e LETSENCRYPT_EMAIL=<my domain email .>

This will then cause the docker nginx config generator to generate and start the SSL configuration.

/etc/nginx/conf.d will look like:

proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;

server {
server_name <my home assist url .>;
listen 80 ;
location / {
proxy_pass http://10.0.0.15:8123;
}
}

tmjpugh · November 19, 2017, 5:21am

Use this sample for nginx config. It works. Just add your IP and website

Make sure server not blocked. Checked banned_ip.yaml if you have this. It will cause OK local connection but NG nginx proxy if the docker IP gets blocked

pdwonline · December 4, 2017, 10:03pm

Thanks for your reply, but not exactly my situation. Found the solution anyway:

Since I was using the Letsencrypt nginx proxy generator, the generator is in charge for creating the files. So I found a solution by adding host specific configurations in vhost.d. Here is my complete solution:

# Server A (running HomeAssistant)

================================

docker run -d -p 8080:8123 --name home-assistant --net=host --restart=always --device=/dev/ttyACM0 -v /opt/homeAssistant:/config -v /etc/localtime:/etc/localtime:ro homeassistant/home-assistant

Server B (Running Proxy and SSL)

================================

Proxy

docker run --name nginx-proxy
-p 80:80 -p 443:443 -d --restart=always -v /etc/nginx/conf.d -v /etc/nginx/vhost.d -v /usr/share/nginx/html -v /etc/nginx/certs/:/etc/nginx/certs:ro --label com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy nginx

config-generator

(First create template using the following command)

curl https://raw.githubusercontent.com/jwilder/nginx-proxy/master/nginx.tmpl > /etc/nginx/templates/nginx.tmpl

(then start the configurator)

docker run --name nginx-config-gen
-d --restart=always --volumes-from nginx-proxy -v /etc/nginx/templates/:/etc/docker-gen/templates/:ro -v /var/run/docker.sock:/tmp/docker.sock:ro --label com.github.jrcs.letsencrypt_nginx_proxy_companion.docker_gen jwilder/docker-gen -notify-sighup nginx-proxy -watch -wait 5s:30s /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf

SSL companion

docker run --name nginx-letsencrypt
-d --restart=always --volumes-from nginx-proxy -v /etc/nginx/certs/:/etc/nginx/certs:rw -v /var/run/docker.sock:/var/run/docker.sock:ro jrcs/letsencrypt-nginx-proxy-companion

Create a folder for your forewarder app:

sudo mkdir /etc/nginx/apps/ (replace with the url of your server without https://)

Add a file named default.conf with the following contents:

map $http_upgrade $connection_upgrade {
  default upgrade;
  '' close;
}

gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;


#proxy_set_header X-Real-IP $remote_addr;
#proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
#proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
#proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;


server {
    server_name <yourURL>
    listen 80 ;
    proxy_buffering off;

    location / {
	    proxy_pass http://10.0.0.15:8123;
	    proxy_set_header Host $host;
	    proxy_http_version 1.1;
	    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	    proxy_set_header Upgrade $http_upgrade;
	    proxy_set_header Connection $connection_upgrade;
    }
}

And then add some config to /etc/nginx/vhost.d/ (that will be added to the template)

{ echo ‘map $http_upgrade $proxy_connection {default upgrade;’’ close;}’
} > /etc/nginx/vhost.d/

{ echo ‘proxy_set_header Host $host;’
echo ‘proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;’
echo ‘proxy_set_header Upgrade $http_upgrade;’
echo ‘proxy_set_header Connection $proxy_connection;’
} > /etc/nginx/vhost.d/_location

Finally start proxy forwarder

docker run --name homeAssistant
-p 8123:80 -d --restart=always -v /etc/nginx/apps/:/etc/nginx/conf.d -e VIRTUAL_HOST= -e LETSENCRYPT_HOST= -e LETSENCRYPT_EMAIL= nginx