Help with moving reverse proxy to separate server - no more nginx and ddns

I have had a trouble-free system for ages now; but recently had to introduce another service to my home network that requires port 443. So it seems inevitable that to go forward I am going to rely on a separate server to handle directing traffic to my Home assistant installation and other services.
I am using Caddy Web Server for this and am confident I have my configuration sorted for this job. But I am having trouble refining my Hass configuration. It’s been a looong time since I have had to tinker with my configuration.yaml as everything has been rock solid for so long.
I was guessing the steps would be:

  • Disable NGINX Home Assistant SSL Proxy
  • Disable Duck DNS
  • Edit my base_url to point to my new HTTPS url

Configuration.yaml as it was:

  ip_ban_enabled: True
  login_attempts_threshold: 3
#  ssl_certificate: /ssl/fullchain.pem  #Certs disabled a while back when NGINX was deployed
#  ssl_key: /ssl/privkey.pem

My efforts to nail this…
My reverse proxy is pointing to the IP of my HA,
I changed my configuration.yaml to

# I've stuck with no certificate references, because they
# are located on another server - outside of HA's ecosystem

If I navigate to, I get my login screen and enter credentials. But then rather than getting to the front end - I am returned to a blank page with the HA logo and error, saying retry. Retry just takes me back to the login screen.

So, I have I missed a step? Is this an authentication problem with settings I need to fix?
Or should I have tried something like:


Hope somebody can set me straight.

What do Nginx logs show?

Did you change domain?
If not you may be looking at cached pages.

Hi. Not using nginx, using Caddy Web Server (excellent product)

Yes, I have changed the domain name.

It just occurred to me that, I think, HA requires a websocket connection. That’s something I’ll have to add to my reverse proxy config.

In any case, in this scenario, should base_url be my new domain name? Or the local IP address?

You can use any external port you want and have your router fwd it to 8123. It just means that you need to include your port on your URL, e.g.

This also works for the iOS and presumably Android apps.

But I am running HTTPS, and want to use 443. Thanks for your input.

I just added the websocket protocol to my reverse proxy server.
Also, seems I didn’t need a base_url reference at all now. I’ve commented it out.

Bingo - I’m up and running again

Not an expert by any stretch of the imagination, but I would suggest commenting out the

# http:
#  base_url:

from the configuration yaml in the first instance as it’s unnecessary.

Caddy is managing the redirect at the certificates, so you shouldn’t need to do the redirect. You would need to have Caddy redirect websockets as well.

Thank you. Yes, I believe that is correct as you can see from my previous post.
However I kept http: so that I can still enforce IP Bans

No worries, you must have posted that while I was drafting my reply which is why I didn’t see it. I got distracted by work half way through :wink:

1 Like

Hi again. Adding an extra tip… Whilst base_url might not be a deal breaker to login in to HA; unless it exists you may run into problems setting up certain integrations. I had to return the value to my config, because installing the Spotify integration was failing as per these instructions…

“If you are using an externally accessible address, you will likely also need to set the base_url attribute of the HTTP Integration.”