Getting Nginx Reverse Proxy to work with Libreelec and VPN

Hi. I am looking for a guide on setting up a reverse proxy for Home Assistant where the nginx proxy server is on a macvlan Docker network.

A little background:

I have LibreELEC running on a Raspberry Pi 4. LibreELEC (Kodi) uses a VPN connection. Because of this, Home Assistant cannot be accessed from outside the home network.

I have installed Home Assistant via Docker using this command:

```shell
docker run -d --name="home-assistant" -v /storage/hass-config:/config -v /etc/localtime:/etc/localtime:ro -p 8123:8123/tcp --net=host --restart=unless-stopped homeassistant/raspberrypi4-homeassistant:stable
```

Then I created a macvlan network for Docker with:

```shell
docker network create -d macvlan \
  --subnet=192.168.1.0/24 \
  --gateway=192.168.1.254 \
  -o parent=eth0 pub_net
```

I then installed the nginx reverse proxy in a separate Docker container with this command:

```shell
docker create --name=swag --cap-add=NET_ADMIN --net=pub_net --ip=192.168.1.131 -e PUID=1000 -e PGID=1000 -e TZ=Asia/Kuala_Lumpur -e URL=subdomain.duckdns.org -e SUBDOMAINS=www,ha -e VALIDATION=http -e [email protected] -p 443:443 -p 80:80 -v /storage/letsencrypt:/config --restart unless-stopped linuxserver/letsencrypt
```

nginx is technically working, as I can see the sample site. However, I am struggling to configure the default file and the homeassistant.subdomain.conf file. I keep getting a bad gateway error.

I hope someone can point me in the right direction.

My previous configuration is here: "Trying to get reverse proxy to work".

This won't work with VPN.

I don’t clearly see the link between HA, LibreELEC and the need for a macvlan here, tbh.
Is everything on the same machine? So, basically, LibreELEC + Docker, with HA as a container?

Hi.
LibreELEC with HA as a Docker container works fine. However, when I try to use the VPN, it kills off all incoming connections from outside the network.

To bypass the VPN, the Docker container needs its own network interface.

Your internet router is 192.168.1.254, right?
Do you forward port 443 to 192.168.1.131 on it?
Can you ping nginx from the router?

If so, then I guess nginx should be configured with the 192.168.1.x of the host machine, as HA is still using host networking.

Yes, correct.

Yes, I did.

I am able to access the nginx server to its default html page.

I configured the reverse proxy using the sample file for home assistant.

So if I use the www subdomain, I get to access the

# Welcome to your [SWAG](https://github.com/linuxserver/docker-swag) instance

A webserver and reverse proxy solution brought to you by [linuxserver.io](https://www.linuxserver.io/) with php support and a built-in Certbot client.

We have an article on how to use swag here: [docs.linuxserver.io](https://docs.linuxserver.io/general/swag)

For help and support, please visit: [linuxserver.io/support](https://www.linuxserver.io/support)

If I use the subdomain homeassistant.duckdns then I get bad gateway. I'm guessing that nginx cannot see Home Assistant.

The router can see nginx.

What do your nginx *.conf files contain?

homeassistant.subdomain.conf contents are as follows:

```nginx
## Version 2021/07/13
# make sure that your dns has a cname set for homeassistant and that your homeassistant container is not using a base url

# As of homeassistant 2021.7.0, it is now required to define the network range your proxy resides in, this is done in Homeassitants configuration.yaml
# https://www.home-assistant.io/integrations/http/#trusted_proxies
# Example below uses the default dockernetwork ranges, you may need to update this if you dont use defaults.
#
# http:
#   use_x_forwarded_for: true
#   trusted_proxies:
#     - 172.16.0.0/12

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name homeassistant.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /ldaplogin;

        # enable for Authelia
        #include /config/nginx/authelia-location.conf;

        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app homeassistant;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass http://192.168.1.84:8123;

    }

    location /api {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app homeassistant;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass http://192.168.1.84:8123;
    }

    location /local {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app homeassistant;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass http://192.168.1.84:8123;
    }
}
```

The default file contents are as follows:

```nginx
## Version 2021/04/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/default

error_page 502 /502.html;

# redirect all traffic to https
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}

# main server block
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;

    root /config/www;
    index index.html index.htm index.php;

    server_name _;

    # enable subfolder method reverse proxy confs
    include /config/nginx/proxy-confs/*.subfolder.conf;

    # all ssl related config moved to ssl.conf
    include /config/nginx/ssl.conf;

    # enable for ldap auth
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    # enable for geo blocking
    # See /config/nginx/geoip2.conf for more information.
    #if ($allowed_country = no) {
    #return 444;
    #}

    client_max_body_size 0;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /ldaplogin;

        # enable for Authelia
        #include /config/nginx/authelia-location.conf;

        try_files $uri $uri/ /index.html /index.php?$args =404;
    }

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include /etc/nginx/fastcgi_params;
    }

# sample reverse proxy config for password protected couchpotato running at IP 192.168.1.50 port 5050 with base url "cp"
# notice this is within the same server block as the base
# don't forget to generate the .htpasswd file as described on docker hub
#    location ^~ /cp {
#        auth_basic "Restricted";
#        auth_basic_user_file /config/nginx/.htpasswd;
#        include /config/nginx/proxy.conf;
#        proxy_pass http://192.168.1.50:5050/cp;
#    }

}

# sample reverse proxy config without url base, but as a subdomain "cp", ip and port same as above
# notice this is a new server block, you need a new server block for each subdomain
#server {
#    listen 443 ssl http2;
#    listen [::]:443 ssl http2;
#
#    root /config/www;
#    index index.html index.htm index.php;
#
#    server_name cp.*;
#
#    include /config/nginx/ssl.conf;
#
#    client_max_body_size 0;
#
#    location / {
#        auth_basic "Restricted";
#        auth_basic_user_file /config/nginx/.htpasswd;
#        include /config/nginx/proxy.conf;
#        proxy_pass http://192.168.1.50:5050;
#    }
#}

# sample reverse proxy config for "heimdall" via subdomain, with ldap authentication
# ldap-auth container has to be running and the /config/nginx/ldap.conf file should be filled with ldap info
# notice this is a new server block, you need a new server block for each subdomain
#server {
#    listen 443 ssl http2;
#    listen [::]:443 ssl http2;
#
#    root /config/www;
#    index index.html index.htm index.php;
#
#    server_name heimdall.*;
#
#    include /config/nginx/ssl.conf;
#
#    include /config/nginx/ldap.conf;
#
#    client_max_body_size 0;
#
#    location / {
#        # the next two lines will enable ldap auth along with the included ldap.conf in the server block
#        auth_request /auth;
#        error_page 401 =200 /ldaplogin;
#
#        include /config/nginx/proxy.conf;
#        resolver 127.0.0.11 valid=30s;
#        set $upstream_app heimdall;
#        set $upstream_port 443;
#        set $upstream_proto https;
#        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
#    }
#}

# sample reverse proxy config for "heimdall" via subdomain, with Authelia
# Authelia container has to be running in the same user defined bridge network, with container name "authelia", and with 'path: "authelia"' set in its configuration.yml
# notice this is a new server block, you need a new server block for each subdomain
#server {
#    listen 443 ssl http2;
#    listen [::]:443 ssl http2;
#
#    root /config/www;
#    index index.html index.htm index.php;
#
#    server_name heimdall.*;
#
#    include /config/nginx/ssl.conf;
#
#    include /config/nginx/authelia-server.conf;
#
#    client_max_body_size 0;
#
#    location / {
#        # the next line will enable Authelia along with the included authelia-server.conf in the server block
#        include /config/nginx/authelia-location.conf;
#
#        include /config/nginx/proxy.conf;
#        resolver 127.0.0.11 valid=30s;
#        set $upstream_app heimdall;
#        set $upstream_port 443;
#        set $upstream_proto https;
#        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
#    }
#}

# enable subdomain method reverse proxy confs
include /config/nginx/proxy-confs/*.subdomain.conf;
# enable proxy cache for auth
proxy_cache_path cache/ keys_zone=auth_cache:10m;
```

My Home Assistant Docker container name is “home-assistant”, if it matters.
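The comment at the top of the posted homeassistant.subdomain.conf says that, since Home Assistant 2021.7.0, the proxy's network range must be listed under `trusted_proxies`. In this thread the proxy is the SWAG container at 192.168.1.131 on the macvlan, which the sample range 172.16.0.0/12 does not cover, so that range would need replacing even once the 502 is solved. An added example of the `configuration.yaml` block (not from the thread or the SWAG defaults), with the broad LAN range shown only for contrast:

```yaml
# Home Assistant configuration.yaml (added example, not from the thread).
# Addresses taken from the thread: SWAG container at 192.168.1.131 on
# the pub_net macvlan, Home Assistant on host networking.
http:
  use_x_forwarded_for: true
  trusted_proxies:
    # Too broad: every host on the LAN could then set X-Forwarded-For
    # and appear to Home Assistant under a client address of its choosing.
    # - 192.168.1.0/24
    # Least privilege: only the SWAG container's macvlan address.
    - 192.168.1.131
```

With `use_x_forwarded_for` enabled, Home Assistant only accepts forwarded headers from addresses in this list, so the entry has to match the address the proxy actually connects from.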

Is your RPi host IP 192.168.1.84?
Does `nc -zv 192.168.1.84 8123` work from inside the nginx container?


Yes.

No.

```shell
LibreELEC2:~ # docker exec swag nc -zv 192.168.1.84 8123
nc: 192.168.1.84 (192.168.1.84:8123): Host is unreachable
```

macvlan is surely the culprit.
I don’t see why you need it though.

Just use host networking on nginx, forward from your router to the RPI4 IP, and it should work…

That was my previous setup. Unfortunately, whenever I am connected to the VPN, I can't connect to HA remotely.

I see numerous references to the inability to connect from a container to the host with a macvlan setup.
There is maybe something fishy with your VPN setup. It shouldn’t cause issues on your 192.168.1.0/24 network…

What VPN is it and what’s the RPi4 route when the VPN is connected?

I'm using the OpenVPN manager from Zomboided (Zomboided · GitHub). I have tried using CyberGhost VPN and NordVPN. Both have the same result.

Apparently that is the expected result. See "Using Nginx with VPN" (Add-on Support, LibreELEC Forum).

Did some further reading and this seems to be the case. I have to figure out a different setup to make all this play together nicely.