HA behind nginx reverse proxy with certificate-based auth?

Now that I’m getting going with HA, I’m looking to make it accessible over my WAN. I know HA has an available password option, but I’d prefer a passwordless authentication.

Has anyone put HA behind a Nginx reverse proxy with success? Furthermore, has anyone implemented certificate based auth on nginx?

The only access I want on my WAN would be from my phone and tablet (Android based), but I’d leave HA wide open on my LAN.

Thoughts?


Unfortunately, I haven’t been able to figure out how to accomplish this. While not exactly the same, I’d like to have multiple subdomains hass.mydomain.com, sabnzbd.mydomain.com, etc point to the various servers that I’ve got running on my home network. I would like it all to be encrypted and use nginx for reverse proxy. I wouldn’t mind entering passwords as I will likely want to access certain aspects via browser. I’d gladly pay someone if they were able to help me pull this off.

Thanks for the response @jthacker48. What you described is exactly what I do on my home network with Sab, couchpotato, sonarr, subsonic, Plex, guacamole, and more. I will definitely do the same with hass. It would take me 10 seconds to add hass if I wanted to use the built-in hass password option. I have a Comodo wildcard cert that I use with Nginx, so that reverse proxy terminates SSL for me. All my services, or at least most, just run http, and it is http to my reverse proxy over my LAN (which I’m fine with).

Here is a link to a post on my blog, that may help you get the same setup.

https://deviantengineer.com/2015/05/nginx-reverseproxy-centos7/

Feel free to email me or leave a comment on that post if you run into trouble.

I’m going to try setting up cert based auth tomorrow, but thought I’d reach out to see if anyone else currently does this. I’ll likely make a post on my blog about it if I can get it working, and I’ll be sure to share here!


Yes, it’s not hard, and it’s fast if you already have worked with nginx. Since you later say you’ve worked with nginx a lot, I am not sure what the difficulty is? I use basic auth on nginx and no auth on HASS.

I’d like to have multiple subdomains hass.mydomain.com, sabnzbd.mydomain.com, etc point to the various servers that I’ve got running on my home network. I would like it all to be encrypted and use nginx for reverse proxy.

Also simple, though perhaps not easy for you. Have your various domains in DNS all pointing to the same IP (where nginx is running). Then in each server{} block in nginx set server_name to the DNS domain and a different proxy_pass setting each. nginx will terminate SSL (so you need a certificate or SAN for each DNS name), then encryption between nginx and LAN is up to you and the LAN services.
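An added example of the layout described above (not config from anyone in this thread): two subdomains, both resolving to the nginx host, each with its own server{} block that terminates TLS with the wildcard cert and proxies to a different LAN backend. The hostnames, certificate paths and backend addresses are assumptions; substitute your own.

```nginx
# Assumed: this file is included from the http{} context (e.g. /etc/nginx/conf.d/).
# Send plain-HTTP requests for every published name to HTTPS.
server {
    listen 80;
    server_name hass.mydomain.com sabnzbd.mydomain.com;
    return 301 https://$host$request_uri;
}

# hass.mydomain.com -> Home Assistant on the LAN (port 8123 is HA's default)
server {
    listen 443 ssl;
    server_name hass.mydomain.com;

    # One wildcard cert covers every *.mydomain.com server block (paths assumed)
    ssl_certificate     /etc/nginx/ssl/wildcard.mydomain.com.crt;
    ssl_certificate_key /etc/nginx/ssl/wildcard.mydomain.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;   # TLSv1.3 needs nginx >= 1.13

    location / {
        proxy_pass http://192.168.1.10:8123;          # backend address assumed
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;   # tells the app it was HTTPS
    }
}

# sabnzbd.mydomain.com -> SABnzbd on another LAN host, same cert, different proxy_pass
server {
    listen 443 ssl;
    server_name sabnzbd.mydomain.com;

    ssl_certificate     /etc/nginx/ssl/wildcard.mydomain.com.crt;
    ssl_certificate_key /etc/nginx/ssl/wildcard.mydomain.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://192.168.1.11:8080;          # backend address assumed
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Because the backends only speak plain HTTP, the hop from nginx to each LAN host is unencrypted; that is the trade-off the post above refers to.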

@AlucardZero, thanks for your response. I’m more than confident that I can set up hass behind Nginx; however, hearing from others who have already done it before I have a chance to try could save me time and help others as well. I was primarily seeking if there were any gotchas with proxy headers, etc., that I should be aware of. Sounds like probably not.

Beyond that, I imagine cert based auth is straightforward for nginx. Shouldn’t be any gotchas caused by hass. I’ll have a chance to try it out tomorrow sometime and will share my findings.

This is AWESOME! Thanks for the reply. I’m going to read through the blog article and try to get an understanding of things. I’ll reach out once I get a chance to look at it thoroughly.

Just following up to say that using Nginx as a reverse proxy for HASS is super straightforward. Setting up certificate-based authentication was also straightforward, and only took me about 15 minutes to get going. The gist is generating a certificate authority (I used openssl under CentOS 7), generating your CRL, and issuing certificates. It only required 3 values to be added to my Nginx config and it just worked as expected.

I will be writing up something for my blog (https://deviantengineer.com) in the near future, in case anyone else is interested.

Now that the HASS frontend uses websockets, it seems using certificate-based authentication in NGINX breaks streaming updates in the frontend: it keeps showing me “Connection lost. Reconnecting…” in a pop-up in the lower left corner, and I have to refresh the page to see state changes. If I remove the authentication from my NGINX configuration, then everything is fine.

Anyone seeing the same behaviour? And more importantly: how can this be fixed without giving up the certificate-based authentication?

Same issue on my side, happening with both basic (user&password) and certificate-based authentication.
Looking forward to a solution as well.

@fanaticDavid After further investigation it seems to me this is an issue related to Safari (iOS/Mac).
Chrome is working fine with certificate-based authentication on my side, both on Mac and PC.

Having the same issue using basic auth with nginx. Connection lost issues on Safari only.

I was having the “Connection Lost…” error in Chrome and on my Android. I added these two lines into the nginx conf file and it now seems to be working okay:

proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";

I’m using client certificate authentication… adjusted the file /etc/nginx/sites-enabled/default

location / {
    proxy_pass http://127.0.0.1:8123/;   # The server you want to redirect to
    proxy_set_header Host $host;
    # Pass the WebSocket handshake through so /api/websocket can upgrade
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
}

Everything now seems to be working fine for me

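An added example (not config posted by anyone in this thread) that puts the two pieces of this thread together: the client-certificate directives that the earlier post says were all it needed, and the Upgrade/Connection headers from the post above that keep the HASS websocket alive. The CA and CRL paths, the wildcard cert paths and the hostname are assumptions; the map{} block is the upgrade pattern from the nginx documentation.

```nginx
# Assumed: included from the http{} context. map and log_format are http-level.

# Only set "Connection: upgrade" when the client actually asked for an Upgrade;
# plain requests keep a normal connection (nginx docs pattern).
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Record which client certificate (subject DN) made each request, and whether
# verification succeeded, so revoked or unexpected certs show up in the log.
log_format clientcert '$remote_addr "$ssl_client_s_dn" $ssl_client_verify '
                      '"$request" $status';

server {
    listen 443 ssl;
    server_name hass.mydomain.com;               # assumed hostname
    access_log /var/log/nginx/hass-access.log clientcert;

    ssl_certificate     /etc/nginx/ssl/wildcard.mydomain.com.crt;   # assumed paths
    ssl_certificate_key /etc/nginx/ssl/wildcard.mydomain.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Client-certificate authentication (assumed to be the three values the
    # earlier post added): the private CA that issued the phone/tablet certs,
    # its CRL so a lost device can be revoked, and mandatory verification.
    ssl_client_certificate /etc/nginx/ssl/client-ca.crt;
    ssl_crl                /etc/nginx/ssl/client-ca.crl;
    ssl_verify_client      on;      # handshake fails without a cert from that CA
    ssl_verify_depth       1;       # certs must be issued directly by the CA

    location / {
        proxy_pass http://127.0.0.1:8123;
        proxy_http_version 1.1;     # WebSocket upgrade requires HTTP/1.1
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Forward the handshake so /api/websocket is upgraded rather than answered 400
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        # HA's websocket sits idle between state changes; the default 60s read
        # timeout would drop it and trigger "Connection lost. Reconnecting..."
        proxy_read_timeout 3600s;
    }
}
```

Run `nginx -t` after editing and check the access log for `FAILED` or `NONE` in the verify column to confirm that clients without a valid certificate are being refused.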

Have you upgraded to .38?

My client certificate authentication stopped working in Safari after .38 upgrade.

I am still running 0.35.2. It’s working, and I haven’t seen any new features yet that have me wanting to upgrade.

Just gave a try with HAProxy instead of nginx…

Same result… as soon as I require client certificates I lose access via Safari on iOS…

:frowning:

Thank you so much. You made my day easy

I’m also having trouble with client certificates and Safari (both on mobile and desktop).

WebSocket connection to ‘wss://myhainstall/api/websocket’ failed: Unexpected response code: 400

I’m getting an “SSL Handshake failed” error. “unknown protocol”. Connecting to other services behind my nginx reverse proxy works fine. Do I need to make changes on the HA side?

For what it’s worth, I think I figured out how to hack around client certs not working with Safari/iOS:

http://blog.christophermullins.com/2017/04/30/securing-homeassistant-with-client-certificates/


Can you give an example?