Help with docker Nginx proxy manager, invalid auth. inner vlan routing

I’m trying to connect to HA using a nginx server. The server is a fork (nginx proxy manager) and is running on a separate Vlan from ha. I have managed to get the port forwarding setup, and can load a home assistant login page. I am not able to login and am stuck with the HA logo and a “retry” button. Logging into HA (via its network) I can see in the logs a request coming from the external address and though nginx, but HA is giving a “request with invalid auth” error.

Here are the http and auth_providers sections of my config file.

#  server_port: 8123
  use_x_forwarded_for: true
    - 192.XXX.X.X/24  #lan where nginx is running

    - type: trusted_networks
         - 192.XXX.X.X/24  #lan where nginx is running
    - type: homeassistant  

I would post my nginx config but nginx proxy manager uses a GUI so there is no code to post. nginx is using a domain with a certificate from lets encrypt. This is managed on nginx and HA has no way to know about it.

Any thoughts on things to try? I’m out of ideas.

Try the nginx config at link

I recommend Trusted proxy be the specific nginx host ip. If both HA and nginx share host then the ip depends on how you routing traffic.

Anything on can login without password? Doesn’t seem right but maybe it is.

They are on the same hardware, but each connecting to separate interfaces and Vlans. So my understanding is they are treaded as separate hosts.

I think you are right that the trusted _networks should be removed. Those queries would be coming from nginx, so they should require a password.

If I follow the guide you listed, I’m probably setting up the Nginx config wrong. I’m using nginx proxy manager, which uses a gui to generate the config file. My guess is something is missing from that configuration but I’m not sure how to add it.

I have no idea what I did. But it is working now. The server used to be running lets encrypt locally. So I guess it was possible something had a certificate stashed somewhere. Thank you for your help.

I use docker internal network between containers and nginx

Honestly if you don’t do that ip_bans doesn’t work because HA see traffic as coming from localhost or the host ip for everything


How your phone probably connect now
mobile device>>WAN>>LAN>>host>docker LAN>> nginx>>docker LAN>>host>>docker LAN>>HA
In this scenario the nginx IP is dropped due to trusted proxy but since your host would be last device in connection it connection is seen as coming from there. You can add host as trusted proxy but then anything could send traffic to your host for HA and although not a big deal it is not the best setup in my opinion.

How a phone connect if you docker network between HA/Nginx
mobile device>>WAN>>LAN>>host>docker LAN>> nginx>>docker LAN>>HA

In this scenario nginx is sending ip and mobile device ip is clearly identified(purpose of x_forward_for)

Anyway I may have gotten some thing wrong but this works well and I think best nginx out to services from docker. I’m actually curious how other handle this and results.