DuckDNS - It's not just me - it's you!

Steve,
Thanks for responding, do you mean the “Nginx Proxy Manager” community add on ?
I searched for Dr Zz and got https://www.youtube.com/watch?v=fqi_p15eI8A
watching it now …
Well it’s an hour and a half long chat which touches upon nginx but only in passing and they didn’t get it up and running. Also nginx has moved on from that point (in the video) and it doesn’t give you sample config. I typed the whole of the sample (from the video) into the config, saved it, and the config disappeared. I noticed that there was now an “Open WEB UI” link on the Add On, I clicked it and it demanded an email address and a password. Assuming that this was ‘entry for new user’ I filled it in and it told me no such user could be found. I can’t find any information on a default user (presumably so I can log in and then change it to my details) but can’t get any further. A shame because nginx sounds perfect. Support also seems a bit lacking.
Any further information you can give on this would be brilliant.
Thanks in advance

Tom,
I went through the guides in the order I listed them.
I followed each to the letter and then permutations thereof, it didn’t work.
Okay I precised this in my text and essentially there is little difference unless I have missed the point … dunno !
I was not using my router, I was using my phone, with wifi turned off
Blocking ports - no, see where it connected to the HA instance but refused entry ?
CGNAT, - dunno, don’t think so as see above.
Nabu Casa - No, and I don’t take it the wrong way. I simply want to make work a component that ‘should work’ and instead seems broken at a fundamental level.
I thank you for your time in responding, but if they don’t want DuckDNS to work - why list it as a standard Add On ? They could just incorporate the necessary bits into whatever other components need it.
Ditto on the no offense thing.
Again any errors I make please point out so I (and others) can learn from this
Cheers

2 Likes

Crhass,
Very, Very, Very Interesting.
As I said in my response to Steve nginx looks to be the panacea to connection issues
I’ve looked for guides or configuration information but have failed abysmally
If you would be so kind as to write up how to set up and use nginx in a similar level of detail as I did above, I (and I’m sure, many others) would be forever in your debt
Thanks in Advance

Bryan,
Sorry for not responding in order of posting.
Again, very interesting - I’ll play with this over the next couple of days.
Even though I’m repeating myself I love the idea of nginx, we just need someone to write it up
You deserve more words than this but it is summarised by “Thanks”
Cheers

It’s the ‘NGINX Home Assistant SSL Proxy’ in the official addons. This has a simple config page and no Web UI. My configuration is:

{
  "domain": "xxx.duckdns.org",
  "certfile": "fullchain.pem",
  "keyfile": "privkey.pem",
  "hsts": "max-age=31536000; includeSubDomains",
  "customize": {
    "active": false,
    "default": "nginx_proxy_default*.conf",
    "servers": "nginx_proxy/*.conf"
  }
}

My DuckDNS config:

{
  "lets_encrypt": {
    "accept_terms": true,
    "certfile": "fullchain.pem",
    "keyfile": "privkey.pem"
  },
  "token": "private token",
  "domains": [
    "xxx.duckdns.org"
  ],
  "seconds": 300
}

Just those 2 addons handle the SSL just fine.

Edit to add: That was the video, the relevant parts are between 34 - 38 minutes.

Steve,
Sorry got confused with the community add on.
Thanks for this, I will play with this tomorrow, if it’s as simple as you say, ten minutes, but if necessary… 4 hours : - )))
Cheers
Mutt

Jason, any and all thoughts/contributions welcome.
Some threads have hidden gems and yours might have been one such
Mutt

I used this guide to setup the proxy.

3 Likes

Just setup mine not 5 minutes ago with JeanMtech videos on YouTube guide and works 100%

http:
  base_url: https://my-domain.duckdns.org:8123
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

should be instead:

http:
  base_url: https://my-domain.duckdns.org
  server_port: 8123
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

Keith,
Not sure I like or want that, as there is no way to access your HA instance if your internet (or duckdns) is down
i.e. you always need to come in from duckdns.org
OR just keep changing your config : - \\\

There are some incorrect assumptions here. I’ll try to clarify.

  1. DuckDns simply provides a DNS alias (or “A”) record that can be dynamically updated via a small script that you run on some machine behind your non-static IP. This DNS alias will be reasonably up-to-date with your current IP. There is a DNS lookup involved, but there is no traffic that DuckDns relays to your local HA instance.

  2. Let’s Encrypt provides a certificate so that you can use HTTPS. If you configure HomeAssistant to use a certificate you created with your DuckDns domain name, then that is now the only way you can connect to that HomeAssistant instance – no longer by IP address, since there is no longer an HTTP way to get to it.

  3. The public/private key stuff is all handled by negotiation between the web server and your browser. We don’t really need to get into this level of detail.

  4. Port 443 is the default HTTPS port, like 80 is the default HTTP port. You don’t need to use the default port, it’s just the simplest thing to do. You mentioned exactly this.

  5. Regarding point 2. The reason some people (myself included) have configured the NGINX reverse proxy to use their let’s encrypt certificate rather than HA itself is so we can have the best of both worlds – From the internet side of things, I get an HTTPS-exposed service (NGINX) that does the decryption of the HTTPS data, and forwards it onto my internal HA instance on (unencrypted) port 8123. There’s lots of documentation on how to set up NGINX to do this. Everything inside my house is HTTP, but everything exposed to the internet is HTTPS. DuckDNS and Let’sEncrypt are completely de-coupled from Home Assistant.

2 Likes

Renier, Thanks but I watched Juan’s video and it just showed the DuckDNS part, nothing about nginx
As I said earlier, I don’t want to switch off local access and I don’t want to have to keep changing my config.
Sorry but it didn’t help
Thanks anyway
Mutt

Did you try the guide I posted the link to?

Crhass,
Thanks I did, I’m just about to reply to SteveDinn as he gave me the hint I needed.
But I have to say that your link gave me the meat and two veg of the required solution.
I owe you (and the others above, who mentioned nginx (SteveM, Tom, Brian)) a huge debt
Thanks All
Mutt

SteveDinn,
You gave me the clue I needed.
Admittedly, the nginx crew did most of the heavy lifting but your clue tipped me over the edge.
I have DuckDNS set up and running, logs look clean
I have NGINX up and running, logs look clean and parms/key generation thang went okay (a couple of times it didn’t, so I had no option but to step back a level and start again) it finally completed and I breathed a sigh of relief (must have been the way I was holding my tongue !)
I have NOTHING in my configuration file regarding http: or alike ; - )))))
Anyway I STILL was not getting any joy.
I was reading your post and the bit " there is no traffic that DuckDns relays to your local HA instance " hit me.
I have a DrayTek Vigor 2762ac Modem Router (my old router 1. needed rebooting every 3 to 6 weeks 2. could only keep fixed IP addresses for 32 items. 3. wasn’t ac)
All routers port forwarding options are a little different but I read up and went through the options, anyway one of the options was to configure the portforwarding from where it originated, so I did a DNS lookup on duckdns.org and filled their IP address (and later even all AWS server range) into the origin for the forward.
This is what stopped me as the data was not coming from there but from whatever NAT I was connecting through outside my LAN
Ta Da !!!
MANY, MANY, MANY, MANY, MANY, Thanks
Mutt

I’ll write up what I did for others as I DEFINITELY think nginx is the way to go and maintain your standard 8123 clear for local

1 Like

Okay,
As you can see from the above, there is a lot of confusion over which ports you can/should use.
Some saying it HAS to be 8123 on the local side and that you HAVE to specify an http: entry in your configuration. No, you don’t ! :smiley:

Edit (20200512) : ‘sometime’ since this post was written the configuration no longer likes some of the “quotes” so I have included what the ‘modern’ versions of the config are, Note: I did not set it up with these (they were changed by updates to the packages) so can not testify to their equivalency, if you have problems, get back to me and I’ll update this post again.

list : -

  1. Install DuckDNS
  2. Install NGINX (from the core add-ons)
  3. Portforward 443 external to YourHAInstanceIPAddr:443 internal (careful of your router’s intricacies bearing in mind the above post, this was my stumbling block)
  4. (Not sure this is necessary but … ) Portforward 80 external to YourHAInstanceIPAddr:80 internal
  5. Find out what your router’s WAN IP address is (make sure this is not via CGNAT (basically NAT layering) as it won’t mean anything on the www).
  6. Goto duckdns.org and enter your WAN IP Address and generate your token (make a note of this and your sub-domain of duckdns.org e.g. myfortressofsolitude.duckdns.org)
  7. Go back to your DuckDNS Add On and change the config to : -
{
  "lets_encrypt": {
    "accept_terms": true,
    "certfile": "fullchain.pem",
    "keyfile": "privkey.pem"
  },
  "token": "123456wouldntyouliketoknow123456",
  "domains": [
    "myfortressofsolitude.duckdns.org"
  ],
  "seconds": 300
}

The quotes shown are necessary (edit: recent implementations remove the quotes, if yours does the same ‘it must be alright’ ) - (edit2 (Mar 2021): It appears that syntax checking has become slightly more onerous, requiring that the empty key “aliases: []” be present, as shown below). The following is what mine looks like now : -

lets_encrypt:
  accept_terms: true
  certfile: fullchain.pem
  keyfile: privkey.pem
token: 123456wouldntyouliketoknow123456
domains:
  - myfortressofsolitude.duckdns.org
aliases: []
seconds: 300

  1. Save and start your DuckDNS
  2. Goto your NGINX Add On and change the config to

{
  "domain": "myfortressofsolitude.duckdns.org",
  "certfile": "fullchain.pem",
  "keyfile": "privkey.pem",
  "hsts": "max-age=31536000; includeSubDomains",
  "customize": {
    "active": false,
    "default": "nginx_proxy_default*.conf",
    "servers": "nginx_proxy/*.conf"
  }
}

Again the quotes are necessary and ports are not, nor is an https:// prefix (edit: recent implementations remove the quotes, if yours does the same ‘it must be alright’ ) again; this is what mine looks like now : -

domain: myfortressofsolitude.duckdns.org
certfile: fullchain.pem
keyfile: privkey.pem
hsts: max-age=31536000; includeSubDomains
cloudflare: false
customize:
  active: false
  default: nginx_proxy_default*.conf
  servers: nginx_proxy/*.conf

  1. Save and start your NGINX (keep refreshing the log until it generates the parms/keys and says “starting nginx …” Then wait 60 secs more.)
  2. Goto your configuration.yaml and comment out ANYTHING under http: including the “http:” itself
  3. Reboot your router (to be sure, to be sure)
  4. Reboot your HASS instance (to be sure, to be sure, to be sure)
  5. Goto https://myfortressofsolitude.duckdns.org and login to your HA instance (you did set passwords etc. didn’t you :wink: :crazy_face: )
  6. you can now go back and delete the portforward for port 80 and remove same from nginx (that’s if you did it. Some say that port 80 was necessary to generate the keys and do the negotiations for duckdns set up - I dunno)
  7. you ‘should’ now be able to access your HA locally (LAN and xxx.xxx.xxx.xxx:8123 or hassio.local:8123 (whatever, I never use that)) and Remote (https://xxxx.duckdns.org (note: no port numbers on external))
  8. Go and have a drink to celebrate, you’ve earned it ! :partying_face:

Note: I have observed that my certificates have ‘self renewed’ twice since the above install, this is with ONLY port 443 exposed (but encrypted) and no intervention from myself.

Edit: I’ve noticed that as of 20191114 - 7 people have clicked on https://myfortressofsolitude.duckdns.org - just letting you know, I’m not THAT stupid ! :crazy_face:
20200202 it’s up to 29 people clicking - Really, what do you think you’ll find ?

36 Likes
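
A preflight check for the write-up above, added here as an example (it is not part of the original post or of either add-on). It flags a router WAN address that sits behind CGNAT or private NAT (step 5), a DuckDNS record that disagrees with the router, and mismatches between the two add-on configs. The function names and sample addresses are assumptions; `wan_ip` and `resolved_ip` are values you read from the router status page and from a DNS lookup of your sub-domain.

```python
import ipaddress

# Address ranges that are never reachable from the internet.
NON_ROUTABLE = {
    "cgnat": ["100.64.0.0/10"],                                    # RFC 6598
    "private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],  # RFC 1918
}


def classify_wan_ip(addr):
    """Return 'cgnat', 'private' or 'public' for the router's WAN address."""
    ip = ipaddress.ip_address(addr)
    for kind, nets in NON_ROUTABLE.items():
        if any(ip in ipaddress.ip_network(n) for n in nets):
            return kind
    return "public"


def preflight(duckdns_cfg, nginx_cfg, wan_ip, resolved_ip):
    """Return a list of problems; an empty list means the inputs agree."""
    problems = []
    kind = classify_wan_ip(wan_ip)
    if kind != "public":
        problems.append(f"WAN address {wan_ip} is {kind}; a port forward on it is not reachable from outside")
    if resolved_ip != wan_ip:
        problems.append(f"DNS answers {resolved_ip} but the router reports {wan_ip}")
    domain = nginx_cfg["domain"]
    if ":" in domain or "/" in domain:
        problems.append("nginx domain must be a bare host name (no https:// prefix, no port)")
    if domain not in duckdns_cfg["domains"]:
        problems.append("nginx domain is not in the DuckDNS domains list")
    for key in ("certfile", "keyfile"):
        if nginx_cfg[key] != duckdns_cfg["lets_encrypt"][key]:
            problems.append(f"{key} differs between the two add-ons")
    return problems


# Constructed sample input: placeholder names from the write-up and
# documentation-range addresses, not real values.
DUCKDNS = {
    "lets_encrypt": {"accept_terms": True, "certfile": "fullchain.pem", "keyfile": "privkey.pem"},
    "token": "PLACEHOLDER",
    "domains": ["myfortressofsolitude.duckdns.org"],
    "seconds": 300,
}
NGINX = {"domain": "myfortressofsolitude.duckdns.org", "certfile": "fullchain.pem", "keyfile": "privkey.pem"}

if __name__ == "__main__":
    # WAN address inside the CGNAT range while DNS holds a different address.
    for problem in preflight(DUCKDNS, NGINX, "100.72.14.3", "203.0.113.10"):
        print("PROBLEM:", problem)
```
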

I REALLY recommend enabling Multi-factor Authentication Modules
This is under your profile settings (bottom right)
it will lead you through what you have to do from there

Np :slight_smile: he still has some Excellent and well documented videos enjoy. Will keep you posted if I find anything relevant to your issues

Number 12 surprised me. I thought it was necessary to leave just the http: in to enable the http interface but it would appear it is only needed if you don’t want to use default settings.