lpupi #1
Hi,
First, I'm a new HA user and I'm French (with poor English…)
Greetings,
I have installed HA on a VM (ESXi).
Everything is going well with local access.
I would also like to have access to HA from the outside by taking advantage of my domain…
Basically I have a public IP address and have pointed all my subdomains at it in DNS.
At the router level, I forward all 443 traffic (HTTPS) to a Red Hat server (with nginx).
In my nginx.conf, I send each subdomain to the right server and the right port.
For the HA part, I therefore tried the following config:
```nginx
server {
    listen 443 ssl;
    server_name domo.sorsdetacoquille.fr;
    ssl_certificate /etc/pki/tls/certs/sdtc.crt;
    ssl_certificate_key /etc/pki/tls/private/sdtc.key;
    client_max_body_size 10M;
    location / {
        proxy_pass http://192.168.1.69:8123/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $ http_upgrade;
        proxy_set_header Connection keep-alive;
        proxy_set_header Host $ host;
        proxy_cache_bypass $ http_upgrade;
    }
}
```
If I test my config, I end up on an HA data loading page…
Any ideas? (I'm no nginx pro, it's a bit of copy-paste.)
Thank you in advance for your help.
koying (Chris B) #2
Are the blanks between “$” and the various “http” copy-paste issues?
If not, remove them.
lpupi #3
Hi,
thanks for the reply.
Yes, it's a copy/paste issue: there are no blanks.
```nginx
server {
    listen 433 ssl;
    server_name domo.sorsdetacoquille.fr;
    ssl_certificate /etc/pki/tls/certs/sdtc.crt;
    ssl_certificate_key /etc/pki/tls/private/sdtc.key;
    client_max_body_size 10M;
    location / {
        proxy_pass http://192.168.1.69:8123/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection keep-alive;
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
```
I had missed the ";" after server_name.
Retried after an nginx restart: but now I get a Bad Gateway…
My test:
PC-17 is my Red Hat server.
koying (Chris B) #4
Here is my working configuration.
Looks like your problem is the websocket.
I suspect `proxy_set_header Connection $connection_upgrade;` might solve it.
```nginx
location / {
    include global/proxy_params.conf;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_ssl_name $host;
    proxy_ssl_server_name on;
    proxy_pass http://backend_ha;
}
```
lpupi #5
I tried changing `proxy_set_header Connection keep-alive;` to `proxy_set_header Connection $connection_upgrade;`,
but nginx doesn't restart (unknown "connection_upgrade" variable).
Is it initialized in your global/proxy_params.conf?
I tried to define it in my conf:
```nginx
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}
```
but still "Bad Gateway".
koying (Chris B) #6
Ah, yeah. I have the same map that you tried in my config.
No clue.
My actual full config, if it can help:
```nginx
log_format halog '$remote_addr - $remote_user [$time_local] '
                 '"$request" $status $bytes_sent '
                 '"$http_referer" "$http_x_forwarded_for" "$request_body"';

map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

upstream backend_ha {
    server 192.168.3.244:8123;
}

server {
    listen 8143;
    listen [::]:8143;
    access_log /var/log/nginx/ha.access.log halog;
    include global/ssl_be.conf;
    server_name <my_fqdn>;
    proxy_buffering off;
    location / {
        include global/proxy_params.conf;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_pass http://backend_ha;
    }
}
```
proxy_params.conf:
```nginx
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_ssl_name $host;
proxy_ssl_server_name on;
```
ssl_be.conf:
```nginx
ssl on;
ssl_certificate /usr/local/etc/dehydrated/certs/<my_domain>/fullchain.pem;
ssl_certificate_key /usr/local/etc/dehydrated/certs/<my_domain>/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dh2048.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains";
```
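Added example, not code from any of the posts above nor from nginx or Home Assistant: a small Python linter that parses the kind of nginx fragment exchanged in this thread and reports the failure modes it ran into: `Connection keep-alive` sent alongside `Upgrade` (post 1, the page stuck on loading, because the WebSocket handshake never reaches Home Assistant as an upgrade), `$connection_upgrade` referenced without its `map` (post 5, nginx refuses to start), a missing `proxy_http_version 1.1`, a TLS listener on a port other than 443 (the 433 typo), plus the `ssl on;` and `TLSv1`/`TLSv1.1` settings from post 6's `ssl_be.conf` (`ssl on` was deprecated in nginx 1.15.0 in favour of `listen ... ssl`; TLS 1.0 and 1.1 were deprecated by RFC 8996). The three sample configs are constructed for this example (`ha.example.test`, `backend_ha` and the posts' 192.168.1.69:8123 address are placeholders); the parser handles only the directive/block subset used in this thread and does not resolve `include` files.

```python
"""Lint an nginx reverse-proxy config for the Home Assistant WebSocket pitfalls
discussed in this thread.  Added example, not code from the posts, from nginx or
from Home Assistant; the parser handles only the directive/block subset used
above and does not resolve `include` files."""
import re

# Constructed sample configs modelled on the posts (hostnames and IPs made up).
KEEP_ALIVE_CFG = """
server {
    listen 433 ssl;  server_name ha.example.test;       # port typo as in the posts
    location / {
        proxy_pass http://192.168.1.69:8123/;  proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection keep-alive;          # breaks the WebSocket handshake
        proxy_set_header Host $host;
    }
}"""
UPGRADE_MAP_CFG = """
map $http_upgrade $connection_upgrade { default upgrade; '' close; }
server {
    listen 443 ssl;  server_name ha.example.test;  ssl_protocols TLSv1.2 TLSv1.3;
    location / {
        proxy_pass http://192.168.1.69:8123/;  proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}"""
LEGACY_TLS_CFG = """
server { listen 8143; ssl on; ssl_protocols TLSv1 TLSv1.1 TLSv1.2;     # post 6 style
  location / { proxy_pass http://backend_ha; proxy_http_version 1.1;
               proxy_set_header Upgrade $http_upgrade;
               proxy_set_header Connection $connection_upgrade; } }    # map not in this file
"""
TOKEN_RE = re.compile(r"""'[^']*'|"[^"]*"|[{};]|[^\s{};'"]+""")


def parse(text):
    """Return (tree, braces_balanced); tree is a list of (name, args, children),
    where children is None for a simple directive and a list for a block."""
    tokens = TOKEN_RE.findall(re.sub(r"#[^\n]*", "", text))   # strip comments
    pos = 0

    def block():
        nonlocal pos
        items = []
        while pos < len(tokens) and tokens[pos] != "}":
            args = []
            while pos < len(tokens) and tokens[pos] not in ("{", ";"):
                args.append(tokens[pos])
                pos += 1
            if pos >= len(tokens) or not args:   # truncated input or stray ';'
                pos += 1
                continue
            if tokens[pos] == ";":
                items.append((args[0], args[1:], None))
                pos += 1
            else:
                pos += 1                         # consume "{"
                items.append((args[0], args[1:], block()))
                pos += 1                         # consume "}"
        return items

    tree = block()
    return tree, tokens.count("{") == tokens.count("}")


def walk(items):
    """Yield every directive at any depth, in file order."""
    for name, args, children in items:
        yield name, args, children
        if children:
            yield from walk(children)


def lint(text):
    """Return (code, message) findings; an empty list means the fragment is clean."""
    tree, balanced = parse(text)
    issues = [] if balanced else [("UNBALANCED_BRACES", "'{' and '}' counts differ")]
    # nginx only accepts `map` at http level, i.e. the top level of this fragment.
    has_map = any(n == "map" and a[:2] == ["$http_upgrade", "$connection_upgrade"] for n, a, _ in tree)
    for name, args, children in walk(tree):
        if name == "location" and children and any(n == "proxy_pass" for n, _, _ in children):
            hdrs = {a[0]: a[1] for n, a, _ in children if n == "proxy_set_header" and len(a) == 2}
            if not any(n == "proxy_http_version" and a == ["1.1"] for n, a, _ in children):
                issues.append(("NO_HTTP11", "WebSocket upgrade needs proxy_http_version 1.1"))
            if hdrs.get("Upgrade") == "$http_upgrade" and hdrs.get("Connection") != "$connection_upgrade":
                issues.append(("CONNECTION_NOT_UPGRADE", f"Connection is {hdrs.get('Connection')!r}"))
            elif hdrs.get("Connection") == "$connection_upgrade" and not has_map:
                issues.append(("MISSING_MAP", "define 'map $http_upgrade $connection_upgrade' at http level"))
        elif name == "listen" and "ssl" in args and args[0].rsplit(":", 1)[-1] != "443":
            issues.append(("ODD_PORT", f"TLS listener on {args[0]}, not 443"))
        elif name == "ssl_protocols" and any(p in ("SSLv3", "TLSv1", "TLSv1.1") for p in args):
            issues.append(("LEGACY_TLS", "drop SSLv3/TLSv1/TLSv1.1; keep TLSv1.2 TLSv1.3"))
        elif name == "ssl" and args == ["on"]:
            issues.append(("SSL_ON_DEPRECATED", "use 'listen ... ssl;' instead of 'ssl on;'"))
    return issues


if __name__ == "__main__":
    for label, cfg in (("keep-alive", KEEP_ALIVE_CFG), ("map", UPGRADE_MAP_CFG), ("legacy", LEGACY_TLS_CFG)):
        print(f"{label}: {lint(cfg) or 'clean'}")
```

Run as a script it prints the findings for the three samples; `lint()` returns them as data, so it can also be pointed at the output of `nginx -T`, which expands `include` files and lets the `map` check see the whole configuration. Two things the linter cannot see: the 502 Bad Gateway from post 3 means nginx itself could not reach the upstream, which is a connectivity question answered from the proxy host (for example `curl -v http://192.168.1.69:8123/`), not a header question; and whether the router really forwards 443 to the port nginx listens on.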