Hassio Behind an NGINX

So I'm trying to set up HassOS with my NGINX. Here's my setup:

Currently I have nginx running on a Raspberry Pi (192.168.1.102). This handles requests for other services (Sonarr, Radarr, etc.) I have running on a server (192.168.1.101).

I want to add a sub-subdomain that HA (192.168.1.103) can use for external access: https://hassio.mydomain.duckdns.org

Here’s where I currently am:

- http://hassio.mydomain.duckdns.org gets me the generic NGINX landing page.
- http://hassio.mydomain.duckdns.org:8123 gets me the unsecured version of HA.
- https://hassio.mydomain.duckdns.org gets me the "Your connection is not private" error.
- http://localip:8123 works.

In HA, my "internet" address is set to https://hassio.mydomain.duckdns.org

In NGINX, my server block is:

```nginx
server {
    server_name hassio.mydomain.duckdns.org;   # directive must end with a semicolon

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/mydomain.duckdns.org/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mydomain.duckdns.org/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    # location takes a URI prefix, not a hostname; "/" matches every request
    # for this server_name
    location / {
        proxy_pass               http://192.168.1.103:8123;
        proxy_set_header         Host                    $host;
        proxy_redirect           http://                 https://;
        proxy_http_version       1.1;
        proxy_set_header         X-Forwarded-For         $proxy_add_x_forwarded_for;
        proxy_set_header         Upgrade                 $http_upgrade;
        proxy_set_header         Connection              "Upgrade";
    }
}
```

I need help resolving that HTTPS error on the internet address, and disabling the unsecured version.

I have nginx and Home Assistant in Docker, so it might be a bit different, but I had to add trusted proxies like the below (in configuration.yaml). Which proxy values are needed you will get from the Home Assistant log.

```yaml
http:
  # Uncomment this if you are using SSL/TLS, running in Docker container, etc.
  # (base_url is deprecated in current Home Assistant releases, and a YAML
  # mapping may contain the key only once, so at most one of these two lines
  # can be active)
  # base_url: 192.168.86.103:8123
  # base_url: 192.168.86.103/ha/
  server_port: 8123
  use_x_forwarded_for: true
  trusted_proxies:
    # 172.0.0.0/8 is far broader than the default Docker bridge range
    # (172.16.0.0/12); use the narrowest range that covers your proxy
    - 172.0.0.0/8
    - 192.168.0.0/16
    - 127.0.0.1
    - ::1
```
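The reply above describes two `http:` options whose interaction decides which client IP Home Assistant records and whether a proxied request is accepted at all. The following is an added example (not part of the reply and not Home Assistant's own code) that models the documented rule: the `X-Forwarded-For` header is honoured only when `use_x_forwarded_for` is on and the connecting peer is inside `trusted_proxies`; a proxied request that carries the header while the option is off is rejected, which is the blocking behaviour other replies in this thread mention. The `HttpConfig` class, `resolve_client_ip` function, and all IP addresses are assumptions constructed for the illustration.

```python
"""Model of Home Assistant-style trusted_proxies / use_x_forwarded_for handling.

Added illustration, not Home Assistant's code: it reproduces the documented
decision rule so the effect of each setting can be checked offline.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class HttpConfig:
    """Subset of the `http:` options discussed in the thread (assumed names)."""
    use_x_forwarded_for: bool = False
    trusted_proxies: List[str] = field(default_factory=list)


def is_trusted_proxy(cfg: HttpConfig, peer_ip: str) -> bool:
    """True when the TCP peer falls inside any configured trusted_proxies entry."""
    peer = ipaddress.ip_address(peer_ip)
    # ip_network accepts bare addresses ("127.0.0.1", "::1") as /32 or /128;
    # an IPv4 address is never "in" an IPv6 network and vice versa.
    return any(peer in ipaddress.ip_network(n, strict=False) for n in cfg.trusted_proxies)


def resolve_client_ip(cfg: HttpConfig, peer_ip: str,
                      x_forwarded_for: Optional[str] = None) -> Tuple[str, str]:
    """Return (status, ip) where ip is what would be logged / used for IP bans.

    status is one of:
      "ok"       - request accepted, ip is the resolved client address
      "rejected" - header arrived but use_x_forwarded_for is off (HTTP 400)
      "ignored"  - header arrived from a peer that is not a trusted proxy;
                   the header is not honoured and the peer address is used
    """
    if x_forwarded_for is None:
        # Direct connection, or a proxy that strips X-Forwarded-For (the
        # "just remove the header" setup): the peer address is the client.
        return "ok", str(ipaddress.ip_address(peer_ip))
    if not cfg.use_x_forwarded_for:
        return "rejected", str(ipaddress.ip_address(peer_ip))
    if not is_trusted_proxy(cfg, peer_ip):
        return "ignored", str(ipaddress.ip_address(peer_ip))
    # Leftmost entry is the originating client; later entries are proxy hops
    # appended by $proxy_add_x_forwarded_for.
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    return "ok", str(ipaddress.ip_address(hops[0]))


def trusted_address_count(cfg: HttpConfig) -> int:
    """How many addresses the trusted_proxies list covers (shows over-broad ranges)."""
    return sum(ipaddress.ip_network(n, strict=False).num_addresses
               for n in cfg.trusted_proxies)


if __name__ == "__main__":
    # Constructed sample: nginx on 192.168.1.102 forwarding for an internet
    # client 203.0.113.5, as in the thread's topology.
    proxied = HttpConfig(use_x_forwarded_for=True,
                         trusted_proxies=["192.168.0.0/16", "127.0.0.1", "::1"])
    print(resolve_client_ip(HttpConfig(), "192.168.1.102", "203.0.113.5"))
    print(resolve_client_ip(proxied, "192.168.1.102", "203.0.113.5, 192.168.1.102"))
    print(resolve_client_ip(proxied, "10.0.0.66", "203.0.113.5"))
    print(trusted_address_count(HttpConfig(trusted_proxies=["172.0.0.0/8"])),
          trusted_address_count(HttpConfig(trusted_proxies=["172.16.0.0/12"])))
```

The last line of the demo shows why the `172.0.0.0/8` entry in the reply's configuration deserves a second look: it trusts sixteen times as many addresses as Docker's default bridge range, and any host inside it could assert an arbitrary client IP to Home Assistant's login-attempt logging and IP banning.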

Got all that.

I think my issue lies more with NGINX than with HA. The correct HTTPS is not being passed.

You forgot to include websockets. This is my nginx configuration:

```nginx
# make sure that your dns has a cname set for homeassistant and that your homeassistant container is not using a base url

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name home.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app homeassistant;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass http://10.0.0.66:8123;

    }

    location /api/websocket {
        resolver 127.0.0.11 valid=30s;
        set $upstream_app homeassistant;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass http://10.0.0.66:8123;

        proxy_set_header Host $host;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

```nginx
# Plain-HTTP server: the Certbot redirect belongs here. Inside the 443 block
# it would redirect every HTTPS request back to itself.
server {
    listen 80;
    server_name hassio.domain.duckdns.org;

    if ($host = hassio.domain.duckdns.org) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    return 404; # managed by Certbot
}

server {
    server_name hassio.domain.duckdns.org;

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/domain.duckdns.org/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/domain.duckdns.org/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    # location takes a URI prefix, not a hostname
    location / {
        proxy_pass               http://192.168.1.103:8123;
        proxy_set_header         Host                    $host;
        proxy_redirect           http://                 https://;
        proxy_http_version       1.1;
        proxy_set_header         X-Forwarded-For         $proxy_add_x_forwarded_for;
        proxy_set_header         Upgrade                 $http_upgrade;
        proxy_set_header         Connection              "Upgrade";
    }

    # WebSocket endpoint needs HTTP/1.1 and the Upgrade/Connection headers
    location /api/websocket {
        set $upstream_app homeassistant;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass http://192.168.1.103:8123;

        proxy_set_header Host $host;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

This is my new nginx. Still getting the error.

I take it you’re using the https:// address, but still getting the “your connection is not private” message. When this has happened to me in the past, it’s usually been a misconfigured certificate. If you click the padlock icon in the browser, it may give you more info. I’ve also found that using Firefox gives me the option to “add an exception” for the site, essentially acknowledging but ignoring the error. (Chromium browsers don’t seem to have that feature.)

You may also be able to simplify your Nginx config by removing X-Forwarded-For. It seems counterintuitive, but it works. And when you get rid of it, you don’t need trusted proxies in your Home Assistant config.

Here is my Nginx config for reference:

```nginx
# This avoids an error message 'could not build server_names_hash'.
server_names_hash_bucket_size 64;

# Serve static files
server {
    listen 80;
    listen 443 ssl;
    server_name  mypi.home;
    ssl_certificate  /etc/ssl/certs/mypi.home.crt;
    ssl_certificate_key  /etc/ssl/private/mypi.home.key;
    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }
}

# Home Assistant redirection and SSL off-loading.
server {
    server_name homeassistant.mypi.home;
    return 301 https://homeassistant.mypi.home;
}

# Do not use "proxy_set_header X-Forwarded-For $remote_addr;" or Home Assistant
# will block the request.
server {
    server_name homeassistant.mypi.home;
    listen 443 ssl;
    location / {
        proxy_pass http://mypi.home:8123;
    }
    location /api/websocket {
        proxy_pass http://mypi.home:8123;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

A couple of things that differ from your setup are that I'm running Home Assistant in a Docker container, and I'm also using Nginx as a web server in addition to a reverse proxy. Though when comparing to your config, it looks as if you're on the right track. I would just double-check the certificate. My guess is that is the source of your "untrusted" message.

The error on the cert is "NET::ERR_CERT_COMMON_NAME_INVALID".

So I double-checked my certificate and realized there was an issue with the cert on the common name line. So I removed it and reissued a new cert with the wildcard. Now there's no specific line on my server that says Common Name, but the domain is listed with a wildcard *.

```text
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: xxx.duckdns.org
    Serial Number: xxx
    Key Type: RSA
    Domains: *.xxx.duckdns.org
    Expiry Date: 2022-07-23 01:33:17+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/xxx.duckdns.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/xxx.duckdns.org/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```
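`NET::ERR_CERT_COMMON_NAME_INVALID` means the browser found no Subject Alternative Name on the certificate that matches the hostname it connected to; modern browsers ignore the Common Name entirely. The original config served a certificate issued for `mydomain.duckdns.org` under the name `hassio.mydomain.duckdns.org`, which is exactly such a mismatch. The script below is an added example (not part of this thread and not from Certbot, Home Assistant or nginx) that applies the RFC 6125 matching rule offline to constructed certificate dictionaries in the shape returned by Python's `SSLSocket.getpeercert()`, and includes a `fetch_peercert` helper for running the same check against a live server. The certificate dictionaries, the function names, and the hostnames are assumptions constructed for the illustration.

```python
"""Check whether a certificate's names cover a hostname (RFC 6125 wildcard rule).

Added example, not code from the thread. Works on the dict format that
ssl.SSLSocket.getpeercert() returns, so the same logic serves both the
offline samples below and a live check via fetch_peercert().
"""
import socket
import ssl
from typing import List, Optional

# Constructed sample certificates (not real ones).
# 1) What the opening post served: cert for the apex name only.
CERT_BEFORE = {
    "subject": ((("commonName", "mydomain.duckdns.org"),),),
    "subjectAltName": (("DNS", "mydomain.duckdns.org"),),
}
# 2) The reissued wildcard certificate from the certbot listing above.
CERT_WILDCARD = {
    "subject": ((("commonName", "*.xxx.duckdns.org"),),),
    "subjectAltName": (("DNS", "*.xxx.duckdns.org"),),
}
# 3) A legacy cert with the right name only in the CN and no SAN extension.
CERT_CN_ONLY = {
    "subject": ((("commonName", "hassio.xxx.duckdns.org"),),),
}


def sans_from_peercert(cert: dict) -> List[str]:
    """DNS names from the subjectAltName extension, as getpeercert() presents them."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def subject_cn(cert: dict) -> Optional[str]:
    """Common Name from the subject, or None when absent."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 presented-identifier match: a '*' covers exactly one leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                      # "*.xxx.duckdns.org" -> ".xxx.duckdns.org"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]       # the part the wildcard must cover
    return bool(leftmost) and "." not in leftmost


def hostname_matches(hostname: str, sans: List[str]) -> bool:
    """True when any SAN entry covers the hostname."""
    return any(name_matches(san, hostname) for san in sans)


def diagnose(hostname: str, cert: dict) -> str:
    """Classify a cert against a hostname the way a current browser would.

    "ok"       - a SAN covers the hostname
    "cn-only"  - only the CN matches; browsers reject this (CN is ignored)
    "mismatch" - neither SAN nor CN matches (NET::ERR_CERT_COMMON_NAME_INVALID)
    """
    if hostname_matches(hostname, sans_from_peercert(cert)):
        return "ok"
    cn = subject_cn(cert)
    if cn and name_matches(cn, hostname):
        return "cn-only"
    return "mismatch"


def fetch_peercert(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live helper: fetch the served certificate with the chain verified but
    hostname checking disabled, so that diagnose() can report the mismatch
    instead of the handshake aborting. Not exercised by the offline samples."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False            # keep CERT_REQUIRED so getpeercert() is populated
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    print(diagnose("hassio.mydomain.duckdns.org", CERT_BEFORE))    # mismatch
    print(diagnose("hassio.xxx.duckdns.org", CERT_WILDCARD))       # ok
    print(diagnose("xxx.duckdns.org", CERT_WILDCARD))              # mismatch: wildcard does not cover the apex
    print(diagnose("hassio.xxx.duckdns.org", CERT_CN_ONLY))        # cn-only
```

Run against a live host with `diagnose("hassio.example.duckdns.org", fetch_peercert("hassio.example.duckdns.org"))`; the browser padlock dialog mentioned earlier in the thread shows the same SAN list that `sans_from_peercert` returns. Note that a wildcard covers one label only, so `*.xxx.duckdns.org` serves `hassio.xxx.duckdns.org` but neither `xxx.duckdns.org` itself nor `a.b.xxx.duckdns.org`.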

It’s possible the wildcard certificate may be the root of your problem. I seem to remember trying this and failing. My current setup uses Subject Alternative Names (SANs) for all of the servers I’m using the certificate with. So when I view the cert, there are multiple sub-domains instead of a single wildcard. SANs