Hass.io + Configurator + NGINX + Let's Encrypt = Problem

Hi there,
recently I got my Hass.io instance accessible from outside, secured with SSL using the Let’s Encrypt addon and proxied by the NGINX addon.

I have some addons installed which I also want to secure and proxy using NGINX. I’ll take the configurator addon for this example.

This is my NGINX addon configuration:

{
  "domain": "hass.example.com",
  "certfile": "fullchain.pem",
  "keyfile": "privkey.pem",
  "hsts": "max-age=31536000; includeSubDomains",
  "customize": {
    "active": true,
    "default": "nginx_proxy_default*.conf",
    "servers": "nginx_proxy/*.conf"
  }
}

And here is the Let’s Encrypt config:

{
  "email": "[email protected]",
  "domains": [
    "hass.example.com",
    "configurator.example.com"
  ],
  "certfile": "fullchain.pem",
  "keyfile": "privkey.pem"
}

Then I created a new file /share/nginx_proxy/configurator.conf which currently looks like this:

server {
    listen 443 ssl;
    listen [::]:443;
    
    server_name configurator.example.com
    
    ssl_certificate ssl/fullchain.pem
    ssl_certificate ssl/privkey.pem
    
    location /configurator {
        proxy_pass http://localhost:3218/;
    }
}

I’ve created a separate subdomain, because I don’t know how to do it otherwise. I’d like to have another location path inside hass.example.com which leads to the configurator (https://hass.example.com/e/configurator or something like that).

This configuration doesn’t work. I get a connection, but it seems as if it is not secured, and using Chrome I get the following error:

ERR_SPDY_PROTOCOL_ERROR

Does anybody have this kind of setup running? Or can anybody spot my error?

Many thanks in advance!

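The server block in the opening post has several defects that the replies below do not spell out: the server_name and ssl_certificate lines lack the terminating `;` (nginx refuses to load the whole config), the private key is given with a second ssl_certificate instead of ssl_certificate_key, the IPv6 listener is not marked ssl (so it would serve plain HTTP on 443), and proxy_pass points at localhost, which inside the NGINX container is NGINX itself. As an added example, not the original poster's file, here is the same subdomain block written so nginx will load it; it assumes the Let's Encrypt add-on writes its files under /ssl, that 172.30.32.1 (the add-on address given later in this thread) matches your install, and that the add-on's nginx.conf defines the $connection_upgrade map the working subfolder config further down also relies on.

```nginx
# Added example: corrected subdomain server block for the configurator add-on.
server {
    listen 443 ssl;
    listen [::]:443 ssl;          # the posted block served plain HTTP on IPv6

    server_name configurator.example.com;

    # Assumed mount path: /ssl is where the Let's Encrypt add-on writes the
    # files named by its certfile/keyfile options
    ssl_certificate     /ssl/fullchain.pem;
    ssl_certificate_key /ssl/privkey.pem;   # not a second ssl_certificate

    # HSTS for this server block too, same value as the NGINX add-on config
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # The whole subdomain exists for the configurator, so serve it at the root
    location / {
        # 172.30.32.1 is the add-on network address given later in this
        # thread; assumed to match your install (localhost would loop back
        # to the NGINX container itself)
        proxy_pass http://172.30.32.1:3218/;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # WebSocket upgrade; $connection_upgrade is assumed to be the map
        # defined by the add-on's nginx.conf
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
```

Run the add-on once after saving and check its log: a missing `;` or an unknown variable shows up there as a config error before any request is served.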

Hi,
I’m looking for the same solution; did you find one?

Thanks in advance!

Hi, I used the Nginx Proxy and Certbot plugins in the end. It’s as good as it gets without configuring my own NGINX, I guess.

I got this to work using standard Hass.io components - NGINX and Configurator.
I did not change the default setting for the NGINX add-on other than to add my domain.
My configurator was configured to use SSL and I added the following to /share/nginx_proxy_default.conf

location /configurator/ {
    rewrite /configurator/(.*) /$1 break;
    proxy_pass https://172.30.32.1:3218;
    proxy_redirect http:// https://;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
}

You have to remember that each docker container gets its own IP address so localhost won’t work - that will try to loop back to the NGINX docker container - not the Configurator docker container.
Docker tends to use the same virtual IP network so the IP for your configurator will be similar to mine. If it doesn’t work try 172.30.32.2 or 172.30.32.3.
Remember to restart NGINX after each change.

Don’t forget to update your hass configuration.yaml to reflect the new path in panel_iframe:

panel_iframe:
  configurator:
    title: 'HASS Configurator'
    icon: mdi:wrench
    url: https://<your domain>:443/configurator/

Good luck!

I got it working with Node-red too. You have to tell node-red what the subfolder is in its config file otherwise you get a
“Cannot GET /nodered/” error.
Confusingly node-red is on the same virtual IP address as Configurator so now I’m not quite sure how the containers are configured in hass.io.
Remember the 172.30.32.1 is a VIRTUAL IP address for the virtual network running inside hass.io. You should use this address regardless of your local IP address range (192.168.x.x) - it is separate.

I have installed Hassio on raspberry pi 3b+
Hassio on docker.
I would like to use grafana from homeassistant, without opening port on router for grafana which is 3000.
Is it possible to reach grafana in homeassistant without forwarding a port on the router, from the internet?
Please guide.

Hi Kirpat.
Yes, very probably but how you do it depends on what Grafana supports.
Some webapps can run from a subfolder (mydomain.duckdns.org/grafana/) and some can’t. If not, you would need to create a new domain so grafana can run from the root (mygrafanadomain.duckdns.org/).

Configurator runs happily for a subfolder or from the root. Node-red needs a configuration setting in its settings.js file (httpNodeRoot) to tell it it is running from a subfolder.
Some webapps seem to need weird protocol translation and/or forwarding by Nginx and I don’t understand that stuff.

I don’t know what grafana supports but, either way, you need to know the IP address of your Grafana host and whether the host is serving up HTTP or HTTPS (if it’s HTTP don’t worry - Nginx will encrypt it for you on the Internet).
Is Grafana running on a separate box or in a Hass.io docker container? What URL do you use to access Grafana on your internal network?

Nick.

Grafana is working in Hassio as an addon, and the docker IP for grafana is 172.30.33.4.
I have embedded grafana in homeassistant with my local IP.
I can directly access grafana with https://192.168.1.2:3000 which is my local IP.
But I can’t access it from the internet, i.e. with my domain.
If you guide I am ready to have trial and error.
One more thing: I have forwarded port 8123 on my router for homeassistant.
Port 443 is reserved for my orangepi.
Thanks for your reply.

TL;DR - trying to use sub folders with NGINX (my.domain/server) and NOT subdomains (server.my.domain). Always get a 502 Bad Gateway no matter what server/service I’m trying to proxy to whether it is a separate machine like my router, or another addon on the same machine. Config file below.

I’m having issues with NGINX as well. I will start with the fact that I DO NOT want to use Subdomains. I have a limited number of available domain names through my provider that will not be enough for what I need and I do not want to switch. I have had a longstanding ddns through no-ip that I have been using over the years for access to my camera system and a couple other items on my network using port forwarding rules. When I set up hassio a year or so ago I forwarded 8123 to my RasPi and called it a day.

I recently switched to a linux VM with Docker and installed hassio in the docker using the generic linux install method so that I have a little more horsepower behind my hassio to process video feeds, etc. from my cameras. Kept the port forwarding until the Google Assistant integration was broken and now requires SSL to work properly. I implemented the ssl options under the

http:

header in my config.yaml, used the Let’s Encrypt addon to obtain my certs, and all was good in my home again.

Now that the backstory is out of the way, I can move on to my current issue. I keep seeing people mention using NGINX as a reverse proxy for increased security for their hassio installs, but also to reduce the port forwarding required in one’s router for other services. I decided I liked the idea and started researching NGINX. I installed the NGINX SSL Proxy addon and input my domain in the config. I forwarded 443 to 443 on my hassio VM and it started working. Good for me, on to expanding my setup to include subfolders, so I changed my customize > “active” option to true, then set up a nginx_proxy_default.conf file in my /share folder. In that .conf file I decided to start with an easy forward that shouldn’t require too much, my router. I entered:

location /router/ {
    rewrite /router/(.*) /$1 break;
    proxy_pass http://192.168.1.1;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
}

I expect when I enter

https://my.domain/router/

that it would take me to my router login page, but no such luck. It instead takes me to a “502 Bad Gateway” page with “nginx/1.14.0” below the Bad Gateway text. The log for NGINX says something about an invalid header and I know netgear routers have an issue currently about invalid null characters in the header and no longer work in Chrome; so assuming that is the issue, I also tried using similar settings for the Configurator addon and the IDE addon, but using http://127.0.0.1 for the proxy_pass since they are hosted on the same machine. Both of which take me to the same “502 Bad Gateway” page, but with a different error (same error for all the addons, but different from the router).

[error] 21#21: *64 connect() failed (111: Connection refused) while connecting to upstream, client: ::ffff:xx.yy.zz.vv, server: my.domain, request: "GET /ide/ HTTP/2.0", upstream: "http://127.0.0.1:8321/", host: "my.domain"

^ Where xx.yy.zz.vv is the public internet IP of the computer I’m trying to access from, my.domain is the domain name of my home, and /ide/ is the subfolder name (location /ide/ in my .conf file) used in NGINX.

Also, which is coming to the last straw, I can no longer access anything on my home network that requires forwarding, such as my security cameras or my OctoPi setup. The NGINX server sucks up all incoming https traffic and prevents it from passing by.

Does your provider actually limit subdomains??? That would be incredibly unusual.

127.0.0.1 is usually the IP for localhost. If these are in Docker containers then they may not be the same localhost. Try using the IP of the actual host machine they’re running on. Unless I’m reading that nginx log wrong. I use Caddy so not entirely sure.

Thanks for the replies.

My provider limits me to 3 total subdomains, but that is probably because I am on their free tier.

I have tried using 127.0.0.1, localhost, the IP of my host (192.168.1.xxx), and the docker IP of the container for the IDE addon. Using the docker IP gets me a 404 Not Found page and no entry in the NGINX log; using 127.0.0.1, localhost, and my host IP all return the 502 Bad Gateway.
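The 502 hunting in the posts above comes down to reading the NGINX add-on's error log and matching the message to a cause: "Connection refused" on 127.0.0.1 means the proxy is talking to its own container, "No route to host" means the add-on network address is wrong, and "invalid header" means the upstream answered with something nginx cannot use. As an added example (not code from the thread), this script parses such lines and applies that triage; the sample lines are constructed, with the first being the line quoted above (xx.yy.zz.vv and my.domain are its placeholders).

```python
import re

# Constructed sample lines in nginx error-log format: the quoted line from the
# post above, plus two further upstream failures nginx reports the same way.
SAMPLE_LOG = [
    '2019/03/01 10:00:00 [error] 21#21: *64 connect() failed (111: Connection refused) '
    'while connecting to upstream, client: ::ffff:xx.yy.zz.vv, server: my.domain, '
    'request: "GET /ide/ HTTP/2.0", upstream: "http://127.0.0.1:8321/", host: "my.domain"',
    '2019/03/01 10:01:00 [error] 21#21: *70 connect() failed (113: No route to host) '
    'while connecting to upstream, client: 192.168.1.50, server: my.domain, '
    'request: "GET /configurator/ HTTP/2.0", upstream: "http://172.30.32.3:3218/", host: "my.domain"',
    '2019/03/01 10:02:00 [error] 21#21: *71 upstream sent invalid header while reading '
    'response header from upstream, client: 192.168.1.50, server: my.domain, '
    'request: "GET /router/ HTTP/2.0", upstream: "http://192.168.1.1/", host: "my.domain"',
]

_HEAD = re.compile(r'\[(?P<level>\w+)\] \d+#\d+: \*\d+ (?P<message>.*?)(?:, client:|$)')
_FIELD = re.compile(r'(?:^|, )(?P<key>client|server|request|upstream|host): "?(?P<value>[^",]*)"?')

def parse_error_line(line):
    """Split one nginx error line into level, message and its trailing key: value fields."""
    head = _HEAD.search(line)
    if head is None:
        return None
    rec = {"level": head["level"], "message": head["message"]}
    rec.update((m["key"], m["value"]) for m in _FIELD.finditer(line))
    return rec

def diagnose(rec):
    """Map a parsed upstream error to (cause, hint), using what this thread worked out."""
    msg, upstream = rec["message"], rec.get("upstream", "")
    m = re.match(r"\w+://(\[[^\]]*\]|[^:/]+)", upstream)  # host part of the upstream URL
    host = m.group(1).strip("[]") if m else upstream
    if "Connection refused" in msg:
        if host in ("localhost", "::1") or host.startswith("127."):
            return ("loopback_upstream", "inside the NGINX container, localhost is NGINX "
                    "itself: use the add-on's 172.30.32.x address or the host IP instead")
        return ("port_closed", f"nothing listens at {upstream}: check the add-on's port")
    if "No route to host" in msg or "timed out" in msg:
        return ("unreachable", f"{host} is not reachable from the NGINX container: wrong IP or network")
    if "invalid header" in msg or "no valid HTTP" in msg or "prematurely closed" in msg:
        return ("bad_upstream_reply", "upstream answered, but not with usable HTTP: malformed "
                "headers, or proxy_pass says http:// for a service that only speaks https")
    return ("unknown", msg)

def triage(lines):
    """One (request, upstream, cause) tuple per [error] line in the log."""
    recs = (parse_error_line(l) for l in lines)
    return [(r.get("request"), r.get("upstream"), diagnose(r)[0]) for r in recs if r and r["level"] == "error"]
```

A 404 with nothing in the error log (the docker-IP case above) is the opposite situation: the upstream was reached and it is the app that does not know it lives under a subfolder, which the Node-red and Grafana posts in this thread cover.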

Same happened to me, and I stopped struggling.
If you get this working please let us know so that we can make it work on our system too.

I’m pretty much at the point of scrapping NGINX and just going back to port forwarding. I know it’s not as secure, but right now I have lost access to view my cameras remotely and remote manage some other devices on my network. The only benefit NGINX is providing currently is to allow me to locally connect to my homeassistant using 192.168.1.xx as opposed to having to always use the domain like I have to when setting up the ssl in the HTTP section of my config.

So I have made a very minor amount of progress. I installed PiHole (Home Assistant Community Add-on: Pi-hole) and set it up in my nginx_proxy_default.conf file as such:

location /pihole/ {
    rewrite /pihole/(.*) /$1 break;
    proxy_pass https://localhost:4865/;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Scheme $scheme;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
}

and my pihole addon config as:

{
  "log_level": "info",
  "password": "password",
  "update_lists_on_start": false,
  "admin_port": 4865,
  "dns_port": 53,
  "ssl": true,
  "certfile": "fullchain.pem",
  "keyfile": "privkey.pem",
  "interface": "",
  "ipv6": true,
  "ipv4_address": "",
  "ipv6_address": "",
  "virtual_host": "my.domain.net",
  "hosts": []
}

When I go to my.domain.net/pihole/ it now redirects me to my pihole admin page. The biggest thing that stands out to me is the second to last line in the pihole config

"virtual_host": "my.domain.net"

where I enter my domain between the quotations. I have yet to get past the 502 Bad Gateway on any of my other servers/services.

Did you get any clue?

I messed around with the other settings, but have yet to make it work. My router will never work because of the null headers, and Netgear has brushed it off as an End-of-Life device and won’t publish an update to fix this small thing that is a major flaw.
I believe the other services need something like the virtual host option. The couple of add-ons that reference it seem to state that it’s necessary when running in a docker container. I don’t know if it’s a hidden option in other configs, or if their developers need to add it in.

I had the same issue getting the configurator to proxy correctly, below is how I solved it in the nginx config file. If you are still getting “No auth header received” errors after reloading nginx that is due to the browser not asking for new auth after the change. You can force it by including http://user@domain/configurator/ and it should pop up a new basic auth window.

location /configurator {
  return 301 https://example.tld/configurator/;
}

location ~ /configurator/(?<path>.*) {
  proxy_pass http://hassio.local:3218/$path$is_args$args;
  proxy_set_header Host $host;
  proxy_set_header X-Forwarded-Host $host;
  proxy_set_header X-Forwarded-Server $host;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_http_version 1.1;
  proxy_pass_request_headers on;
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection "upgrade";
}

Dear, here above you have mentioned a path for the location as well as a URL.
Please explain the need, and what should the path be when I am on Hassio on an RPi with Raspbian?

Hi all,

It took me a very long time to figure out how to make Grafana work in hassio as a subfolder of the main domain.

The solution was to pass environment variables to Grafana so it knows it is in a subfolder:

  "env_vars": [
    {
      "name": "GF_SERVER_DOMAIN",
      "value": "your domain"
    },
    {
      "name": "GF_SERVER_ROOT_URL",
      "value": "%(protocol)s://%(domain)s:/grafana"
    }
  ],

All details can be found in these links:
Grafana configuration with sub path

An example for the hassio addon
