As you can see from the above, there is a lot of confusion over which ports you can/should use.
Some saying it HAS to be 8123 on the local side and that you HAVE to specify an http: entry in your configuration. No, you don’t !
Edit (20200512) : ‘sometime’ since this post was written the configuration no longer likes some of the “quotes” so I have included what the ‘modern’ versions of the config are, Note: I did not set it up with these (they were changed by updates to the packages) so can not testify to their equivalency, if you have problems, get back to me and I’ll update this post again.
list : -
- Install DuckDNS
- Install NGINX (from the core add-ons)
- Portforward 443 external to YourHAInstanceIPAddr:443 internal (careful of your routers intracacies bearing in mind the above post, this was my stumbling block)
(Not sure this is necessary but … ) Portforward 80 external to YourHAInstanceIPAddr:80 internal
- Find out what your router’s WAN IP address is (make sure this is not via CGNAT (basically NAT layering) as it won’t mean anything on the www.
- Goto duckdns.org and enter your WAN IP Address and generate your token (make a note of this and your sub-domain of duckdns.org e.g. myfortressofsolitude.duckdns.org)
- Go back to your DuckDNS Add On and change to config to : -
The quotes shown are necessary (edit: recent implementaions remove the quotes, if yours does the same ‘it must be alright’ ) The following is what mine looks like now : -
- Save and start your DuckDNS
- Goto your NGINX Add On and change the config to
“hsts”: “max-age=31536000; includeSubDomains”,
Again the quotes are necessary and ports are not, nor is an https:// prefix (edit: recent implementaions remove the quotes, if yours does the same ‘it must be alright’ ) again; this is what mine looks like now : -
hsts: max-age=31536000; includeSubDomains
- Save and start your NGINX (keep refreshing the log until it generates the parms/keys and says “starting nginx …” Then wait 60 secs more.
- Goto your configuration.yaml and comment out ANYTHING under http: including the “http:” itself
- Reboot your router (to be sure, to be sure)
- Reboot your HASS instance (to be sure, to be sure, to be sure)
- Goto https://myfortressofsolitude.duckdns.org and login to your HA instance (you did set passwords etc. didn’t you )
- you can now go back and delete the portforward for port 80 and remove same from nginx (that’s if you did it. Some say that port 80 was necessary to generate the keys and do the negotiations for duckdns set up - I dunno
- you ‘should’ now be able to access your HA locally (LAN and xxx.xxx.xxx.xxx:8123 or hassio.local:8123 (whatever, I never use that)) and Remote (https://xxxx.duckdns.org (note: no port numbers on external)
- Go and have a drink to celebrate, you’ve earned it !
Note: I have observed that my certificates have ‘self renewed’ twice since the above install, this is with ONLY port 443 exposed (but encrypted) and no intervention from myself.
Edit: I’ve noticed that as of 20191114 - 7 people have clicked on https://myfortressofsolitude.duckdns.org - just letting you know, I’m not THAT stupid !
20200202 it’s upto 29 people clicking - Really, what do you think you’ll find ?