Frequent, seemingly random disconnects when using NGINX Home Assistant SSL proxy add-on

I’m using the NGINX Home Assistant SSL proxy add-on. It seems to be configured more-or-less correctly. I can visit my Home Assistant box by going to https://subdomain.duckdns.org and it works with no SSL errors. Wonderful.

The problem is that the connection never stays working for very long. After some indeterminate period of time the entities in the front end will stop updating and my browser will say something about losing connection. I can manually refresh the page and things start working again.

All I see in the add-on’s logs are messages like this:

2024/09/09 15:58:42 [error] 128#128: *20047 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.1.1, server: butanal.duckdns.org, request: "GET /api/websocket HTTP/1.1", upstream: "http://172.30.32.1:8123/api/websocket", host: "subdomain.duckdns.org"

I don’t see any obvious options to increase the logging level.

The add-on’s config looks like this:

domain: subdomain.duckdns.org 
hsts: max-age=31536000; includeSubDomains 
certfile: fullchain.pem 
keyfile: privkey.pem 
cloudflare: false 
customize:
  active: false
  default: nginx_proxy_default*.conf
  servers: nginx_proxy/*.conf
real_ip_from: []

And I have this bit in my configuration.yaml:

http: 
  use_x_forwarded_for: true 
  trusted_proxies: 
    172.30.33.0/24

I can access Home Assistant via my duckdns subdomain, but if I try to access https://homeassistant.local I get errors about SSL_ERROR_UNRECOGNIZED_NAME_ALERT. I don’t think that has anything to do with my problem, but there it is.

I don’t know if it matters or not, but I do not have the “NGINX Proxy Manager” add-on installed.

A couple of things.

I use uptime kuma to monitor my HA install and it’s shown me that duckdns is really unstable. I might consider using something like https://freedns.afraid.org/ for your DNS instead. Super easy to set up.

Also, IIRC, the duckdns addon forces SSL, even when accessed locally. Before I moved off using the duckdns addon, I had these in my configuration.yaml file:

http:
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

This also means any wifi devices will now have the SSL overhead even when talking back to HA locally.

My solution, which has been rock solid, was to use Nginx Proxy Manager on a VM or container and afraid.org for DNS.

I might not understand things properly, but wouldn’t DuckDNS stability issues manifest as problems establishing a connection? I can always connect to my server, but the continued connection is what fails after a while.

I’m not sure it’s your underlying issue.
The short answer is yes, a failure of DNS resolution would cause connection issues, but when I say it was unstable, uptime kuma would lose its connection (say) once every few days or weeks. Your description sounds like it’s more frequent than that?

Yes, it is constant. I can open a browser window and immediately connect to Home Assistant. If I walk off for a little while it is just about guaranteed that the connection will be lost when I get back.

So has this issue only started happening since you started using the duckdns addon?

If I connect to http://homeassistant.local:8123 I do not experience the issue.

If I connect to https://subdomain.duckdns.org (port 443) I get these consistent connection problems.

I don’t know if this is related at all, but when I try to go to the web UI of any of my add-ons (Node-Red as an example), I go to the address:

http://homeassistant.local:8123/a0d7b954_nodered/ingress

but nothing ever happens. I can see the Home Assistant side bar, but no “content”.

If I go to:

https://subdomain.duckdns.org/a0d7b954_nodered/ingress

I see Node-Red like I expect. The same thing happens for Studio Code Server and other add-ons with their own web UIs.

Your problem looks suspiciously similar to this one:

Have you considered moving off the Nginx addon and using something like nginx proxy manager standalone to handle your SSL?

There definitely seems to be an SSL issue at play here.

I am running NPM standalone, separate server.