Hi,
I have a clean instance of HASS which I want to make available through the internet and an already running instance of NGINX with configured SSL via Let’s Encrypt.
When I try to access it via the subdomain, I am getting 400 Bad Request
and the logs from the HASS Docker container prints:
2021-12-31 15:17:06 ERROR (MainThread) [homeassistant.components.http.forwarded] A request from a reverse proxy was received from 172.19.0.3, but your HTTP integration is not set-up for reverse proxies
Other subdomains from the same NGINX instance I can access without an issue.
I added the IP address and multiple other things (including 0.0.0.0/0) into the HASS configuration.yml as trusted_proxies
, but it does not seem to change anything. I also verified that the IP adress is the correct one via docker network inspect
and it seems to be the case (output below).
Also when I log into the bash of the HASS docker container, I can ping the nginx instance without a problem using its IP address or hostname.
I posted all the relevant configurations below.
Thanks in advance for any hints, since I’m fairly new to HASS.
BR,
Patrick
docker-compose.yml
version: '3'
services:
nginx:
image: nginx
restart: unless-stopped
ports:
- "80:80"
- "443:443"
volumes:
- /home/pi/docker/nginx/etc/nginx/conf.d:/etc/nginx/conf.d
- /home/pi/docker/nginx/etc/nginx/nginx.conf:/etc/nginx/nginx.conf
- /home/pi/docker/nginx/www/data:/www/data
- /home/pi/docker/certbot/conf:/etc/letsencrypt
- /home/pi/docker/certbot/www:/var/www/certbot
command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
certbot:
image: certbot/certbot:arm32v6-latest
restart: unless-stopped
volumes:
- /home/pi/docker/certbot/conf:/etc/letsencrypt
- /home/pi/docker/certbot/www:/var/www/certbot
entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
homeassistant:
image: "ghcr.io/home-assistant/home-assistant:stable"
volumes:
- /home/pi/docker/home-assistant:/config
- /etc/localtime:/etc/localtime:ro
ports:
- 8123:8123
devices:
- /dev/ttyACM0:/dev/ttyACM0
restart: unless-stopped
privileged: true
hass.conf (nginx config)
upstream homeassistant {
server nginx_homeassistant_1:8123;
}
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
# Update this line to be your domain
server_name hass.my.domain;
# These shouldn't need to be changed
listen 80;
location / {
return 301 https://$host$request_uri;
}
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
}
server {
# Update this line to be your domain
server_name hass.my.domain;
# Ensure these lines point to your SSL certificate and key
ssl_certificate /etc/letsencrypt/live/my.domain/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/my.domain/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
# Ensure this line points to your dhparams file
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
# These shouldn't need to be changed
listen 443 ssl;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
# ssl on; # Uncomment if you are using nginx < 1.15.0
ssl_session_cache shared:SSL:10m;
proxy_buffering off;
location / {
proxy_pass http://homeassistant;
proxy_set_header Host $host;
proxy_redirect http:// https://;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
}
configuration.yaml
# Configure a default setup of Home Assistant (frontend, api, etc)
default_config:
# Nginx Proxy stuff
http:
base_url: https://hass.my.domain
server_port: 8123
# For extra security set this to only accept connections on localhost if NGINX is on the same machine
# Uncommenting this will mean that you can only reach Home Assistant using the proxy, not directly via IP from other clients.
#server_host: 127.0.0.1
use_x_forwarded_for: true
# You must set the trusted proxy IP address so that Home Assistant will properly accept connections
# Set this to your NGINX machine IP, or localhost if hosted on the same machine.
trusted_proxies:
- 0.0.0.0/0
# Other things I tried
# - 127.0.0.1
# - 172.19.0.0/16
# - 172.19.0.0/24
# - 172.19.0.3/16
# - 172.19.0.3/24
# - 192.168.0.0/24
# - 192.168.1.0/24
# - nginx_nginx_1
ip_ban_enabled: true
login_attempts_threshold: 5
# Text to speech
tts:
- platform: google_translate
group: !include groups.yaml
automation: !include automations.yaml
script: !include scripts.yaml
scene: !include scenes.yaml
docker network inspect nginx_default
[
{
"Name": "nginx_default",
"Id": "5b1ead5cbd4acce47b13e2a26ea4afa755754923d52a4c2ec836e9ca96672760",
"Created": "2021-12-31T14:05:12.356005105+01:00",
"Scope": "local",
"Driver": "bridge",
"EnableIPv6": false,
"IPAM": {
"Driver": "default",
"Options": null,
"Config": [
{
"Subnet": "172.19.0.0/16",
"Gateway": "172.19.0.1"
}
]
},
"Internal": false,
"Attachable": false,
"Ingress": false,
"ConfigFrom": {
"Network": ""
},
"ConfigOnly": false,
"Containers": {
"3e661d1ec5f5a9cae39bfad97ca0181a69702b5c61dc044598309582727c4aea": {
"Name": "nginx_homeassistant_1",
...
"IPv4Address": "172.19.0.4/16"
},
"ad70140d7b3c5d99503c1c2757f5e8a66cc6acc8dc87fa2681e8157031127f56": {
"Name": "nginx_certbot_1",
...
"IPv4Address": "172.19.0.2/16"
},
"c6f219b5437bcaa21ba06de2dca3f6d295ed5944a07e42184722e976566a6ed4": {
"Name": "nginx_nginx_1",
...
"IPv4Address": "172.19.0.3/16"
}
},
"Options": {},
"Labels": {
"com.docker.compose.network": "default",
"com.docker.compose.project": "nginx",
"com.docker.compose.version": "2.0.0"
}
}
]