Hi, is there any documentation anywhere on how to configure the nginx plugin for hassio?
I was searching and couldn't find anything that helps me. Where are the folders for the conf files?
My goal is to have hassio available via SSL (as I have it right now) on my xyz.duckdns.org DDNS.
But I'd like to access my other services as well, which are currently located on a different machine in the local network.
Ideally I'd want to access them via xyz.duckdns.org/OTHERSERVICES/
I was using Apache for VirtualHosts on my other machine, but am unable to load Home Assistant with it. So I thought I'll give it a try the other way around.
I was trying out your NGINX Addon…
Does the config follow the normal NGINX configuration?
How do I reuse the SSL certificate that I already have?
Where do I edit the normal ssl.conf & proxy.conf?
I'd like to combine this with the new hassio "duckdns & letsencrypt" addon.
As for the ProxyPass, do I just add this in the section where you currently have the Virtual Host?
i.e.:
```nginx
    # ...end of the existing location block...
    }
    location /hassio {
        include /etc/nginx/conf.d/proxy.conf;
        proxy_pass http://localhost:8123;
    }
```
The nginx configuration is generated from the add-on config section. It doesn’t support “raw” nginx configuration. There is a template which is filled with the values from the configuration. I will post a working example with the resulting nginx config tomorrow.
```nginx
# Plain-HTTP server: serves the ACME http-01 challenge files and redirects
# everything else to HTTPS.
server {
    server_name sub1.redacted.tld;
    listen 80 default_server;
    listen [::]:80 default_server;

    location ~ /.well-known {
        allow all;
        root /ssl/wk/;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}

# HTTPS server: terminates TLS and proxies to Home Assistant.
server {
    server_name sub1.redacted.tld;
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;

    ssl_session_timeout 1d;
    #ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_prefer_server_ciphers on;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /data/dhparam.pem;

    # intermediate configuration. tweak to your needs.
    # (TLSv1 and TLSv1.1 are only there for old clients; TLSv1.2 alone is the safer choice.)
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';

    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /ssl/letsencrypt/live/rpi/chain.pem;
    ssl_certificate /ssl/letsencrypt/live/rpi/fullchain.pem;
    ssl_certificate_key /ssl/letsencrypt/live/rpi/privkey.pem;

    location ~ /.well-known {
        allow all;
        root /ssl/wk/;
    }
    # 172.17.0.1 is the Docker bridge gateway, i.e. the host where Home Assistant listens.
    location / {
        proxy_pass http://172.17.0.1:8123;
    }
}
```
You cannot directly edit it. So you will have to create a link between the certificates generated by the "duckdns & letsencrypt" add-on and the right folder (/ssl/letsencrypt/live/rpi/ in my case).
What are the advantages of the duckdns & letsencrypt addon over my certbot addon?
If you need a simpler way, you can also use my caddy addon, which will create and renew the certificates as needed.
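Since the add-on only renders its own template, the path-based routing asked for at the top of the thread has to be done in a hand-written nginx config. The block below is an added example, not the add-on's generated output or any poster's configuration. It keeps the certificate paths from the config above and the xyz.duckdns.org name from the question; the Home Assistant address 192.168.1.12:8123 is taken from a later post, and the second service at 192.168.1.20:3000 under /otherservice/ is an assumed placeholder.

```nginx
# Added example, not the add-on's generated config. Assumed values:
# xyz.duckdns.org (from the question), Home Assistant at 192.168.1.12:8123,
# and a second LAN service at 192.168.1.20:3000 published under /otherservice/.

# Plain HTTP: answer ACME http-01 challenges, redirect everything else.
server {
    listen 80;
    listen [::]:80;
    server_name xyz.duckdns.org;

    location ^~ /.well-known/acme-challenge/ {
        root /ssl/wk;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name xyz.duckdns.org;

    ssl_certificate         /ssl/letsencrypt/live/rpi/fullchain.pem;
    ssl_certificate_key     /ssl/letsencrypt/live/rpi/privkey.pem;
    ssl_trusted_certificate /ssl/letsencrypt/live/rpi/chain.pem;
    ssl_protocols TLSv1.2;   # TLSv1/TLSv1.1 left out; add them back only for a client that needs them
    ssl_prefer_server_ciphers on;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security "max-age=15768000" always;

    # Home Assistant: the frontend uses WebSockets, so the Upgrade/Connection
    # headers must be forwarded or the UI never finishes loading.
    location / {
        proxy_pass http://192.168.1.12:8123;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    # A second service on another LAN host, reachable as /otherservice/.
    # The trailing slash on both the location and the proxy_pass URL makes
    # nginx strip the prefix; the backend must be happy to live under a sub-path
    # (absolute links it emits will otherwise escape the prefix).
    location /otherservice/ {
        proxy_pass http://192.168.1.20:3000/;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Two things to check after dropping this in: `nginx -t` before reloading, and Home Assistant's `http:` section configured to trust the proxy's X-Forwarded-For header, otherwise every request appears to come from the proxy's address and login throttling or IP bans act on the wrong client.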
I am a newb, especially on certificates, proxy, SSL, and all that.
So far I am using letsencrypt+duckdns and forwarding port 443 to 8123 of HASSIO. All is working fine, but, as many suggested, I would like to use http://192.168.1.12:8123 in all inside configuration and do this "proxy thing".
Since I can't install it on the NUC, I tried it on my pi3 with HASSIO.
I get this error
```
2018/01/03 08:26:21 [xxx.duckdns.org] failed to get certificate: acme: Error 403 - urn:acme:error:unauthorized - Incorrect validation certificate for tls-sni-01 challenge. Requested f6064ac08xxxxxx.1f575d03eb266afcbe94xxxxx.acme.invalid from 87.10.xxx.xxx:443. Received 2 certificate(s), first certificate had names "xxx.duckdns.org"
Error Detail:
Validation for xxx.duckdns.org:443
Resolved to:
87.10.xxx.xxx
Used: 87.10.xxx.xxx
Activating privacy features…
```
You need to have ports 80 and 443 forwarded to your hassio installation. When DNS resolution works and port forwarding is on, it should be straightforward.
and I receive this in your log. What am I doing wrong?
```
starting version 3.2.2
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for xxx2.duckdns.org
http-01 challenge for xxx1.duckdns.org
http-01 challenge for xxx.duckdns.org
Using the webroot path /ssl/wk for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. xxx1.duckdns.org (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://xxx1.duckdns.org/.well-known/acme-challenge/p-bWEWynBWBCZ7yIEz5M_cL5zC5uTcWtFa9wYXc1gjE: Connection refused, xxx2.duckdns.org (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://xxx2.duckdns.org/.well-known/acme-challenge/LgDaD5K4QoTdJ_84wLNqo5_dKeCuuVCR6AgOCoaMybM: Connection refused, xxx.duckdns.org (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://xxx.duckdns.org/.well-known/acme-challenge/ORxezIJsgxQDMSW-7UFJCXxcVwF3PxOXhRBLjCe5FgM: Connection refused

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: xxx1.duckdns.org
   Type:   connection
   Detail: Fetching
   http://xxx1.duckdns.org/.well-known/acme-challenge/p-bWEWynBWBCZ7yIEz5M_cL5zC5uTcWtFa9wYXc1gjE:
   Connection refused
```