So I'm trying to set up HassOS with my NGINX. Here’s my setup:
Currently I have nginx running on a Raspberry Pi (192.168.1.102). This handles requests for other services (sonarr, radar… etc.) I have running on a server (192.168.1.101).
I have nginx and homeassistant in docker, so it might be a bit different, but I had to add trusted proxies like the below (in configuration.yaml). Which proxy values are needed you will get from the homeassistant log.
Uncomment this if you are using SSL/TLS, running in Docker container, etc.
You forgot to include websockets. This is my nginx configuration:
# make sure that your dns has a cname set for homeassistant and that your homeassistant container is not using a base url
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name home.*;
    include /config/nginx/ssl.conf;
    client_max_body_size 0;
    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;
    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;
        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app homeassistant;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass http://10.0.0.66:8123;
    }
    location /api/websocket {
        resolver 127.0.0.11 valid=30s;
        set $upstream_app homeassistant;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass http://10.0.0.66:8123;
        proxy_set_header Host $host;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
I take it you’re using the https:// address, but still getting the “your connection is not private” message. When this has happened to me in the past, it’s usually been a misconfigured certificate. If you click the padlock icon in the browser, it may give you more info. I’ve also found that using Firefox gives me the option to “add an exception” for the site, essentially acknowledging but ignoring the error. (Chromium browsers don’t seem to have that feature.)
You may also be able to simplify your Nginx config by removing X-Forwarded-For. It seems counterintuitive, but it works. And when you get rid of it, you don’t need trusted proxies in your Home Assistant config.
Here is my Nginx config for reference:
# This avoids an error message 'could not build server_names_hash'.
server_names_hash_bucket_size 64;
# Serve static files
server {
    listen 80;
    listen 443 ssl;
    server_name mypi.home;
    ssl_certificate /etc/ssl/certs/mypi.home.crt;
    ssl_certificate_key /etc/ssl/private/mypi.home.key;
    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }
}
# Home Assistant redirection and SSL off-loading.
server {
    server_name homeassistant.mypi.home;
    return 301 https://homeassistant.mypi.home;
}
# Do not use "proxy_set_header X-Forwarded-For $remote_addr;" or Home Assistant
# will block the request.
server {
    server_name homeassistant.mypi.home;
    listen 443 ssl;
    location / {
        proxy_pass http://mypi.home:8123;
    }
    location /api/websocket {
        proxy_pass http://mypi.home:8123;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
A couple of things that differ from your setup are that I’m running Home Assistant in a Docker container, and I’m also using Nginx as a web server in addition to reverse proxy. Though when comparing to your config, it looks as if you’re on the right track. I would just double-check the certificate. My guess is that is the source of your “untrusted” message.
The Error on the cert is “NET::ERR_CERT_COMMON_NAME_INVALID”
So I double-checked my certificate and realized there was an issue with the cert on the common name line. So I removed it and reissued a new cert with the wildcard. Now there’s no specific line on my server that says Common name, but the domain is listed with a wildcard *
It’s possible the wildcard certificate may be the root of your problem. I seem to remember trying this and failing. My current setup uses Subject Alternative Names (SANs) for all of the servers I’m using the certificate with. So when I view the cert, there are multiple sub-domains instead of a single wildcard.
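The name check behind NET::ERR_CERT_COMMON_NAME_INVALID, as an added example that is not part of any post in this thread: Chromium-based browsers match the requested host only against the certificate's Subject Alternative Name entries, and a wildcard entry covers exactly one label. The SAN sets below are constructed, reusing hostnames and one IP address that appear in the posts above.

```python
import ipaddress

def _as_ip(value):
    """Return an ip_address object, or None if value is a DNS name."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None

def dns_name_matches(hostname, pattern):
    """'*' is honoured only as the entire leftmost label and covers exactly one label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat) or not all(host):
        return False  # a wildcard never spans dots or matches the bare parent domain
    if pat[0] == "*":
        return len(pat) > 1 and host[1:] == pat[1:]
    return host == pat  # partial wildcards such as 'home*' are compared literally

def cert_covers(name, subject_alt_name):
    """subject_alt_name: (type, value) pairs shaped like ssl's getpeercert()['subjectAltName'].
    Only SAN entries are consulted; the Common Name is deliberately not an input."""
    ip = _as_ip(name)
    if ip is not None:  # IP literals need an 'IP Address' entry; DNS entries never match
        return any(t == "IP Address" and _as_ip(v) == ip for t, v in subject_alt_name)
    return any(t == "DNS" and dns_name_matches(name, v) for t, v in subject_alt_name)

# Constructed SAN sets for illustration (not read from any certificate in this thread).
WILDCARD_ONLY = (("DNS", "*.mypi.home"),)
EXPLICIT_SANS = (("DNS", "mypi.home"), ("DNS", "homeassistant.mypi.home"))
CN_ONLY = ()  # a certificate that carries a Common Name but no SAN extension

def coverage(names, subject_alt_name):
    """Map each requested name to whether the SAN set covers it."""
    return {n: cert_covers(n, subject_alt_name) for n in names}

if __name__ == "__main__":
    names = ["homeassistant.mypi.home", "mypi.home",
             "a.homeassistant.mypi.home", "192.168.1.102"]
    for label, san in [("wildcard", WILDCARD_ONLY),
                       ("explicit", EXPLICIT_SANS),
                       ("cn-only", CN_ONLY)]:
        print(label, coverage(names, san))
```

A passing name check says nothing about trust: a self-signed or privately issued certificate still has to chain to a CA the browser trusts.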