I know this subject as been widely debated, but i am having some trouble making my setup to work since i updated the NGINX Home Assistant SSL proxy addon.
Here is my setup:
Domain registered with CloudFlare DNS with a subdomanin proxied to my home IP address
Kemp LoadMaster to forward traffic from each subdomanin to the correct local ip address
traffic from ha.mydomain.com is being redirected to my Home Assistant instance through port 443
http:
use_x_forwarded_for: true
trusted_proxies:
- 172.16.0.0/12 #some tests
- 10.10.50.0/24 #ip range of my home network
- 172.30.33.0/24 #from NGINX Home Assistant SSL proxy documentation
- 127.0.0.1 #more tests
ip_ban_enabled: true
login_attempts_threshold: 5
I am surely missing something here because this setup was working fine before i updated the NGINX Home Assistant SSL proxy addon. Also i don’t have any kind of errors when accessing Home Assistant from the external address which is making this hard to debug…
So cloudflare is the first reverse proxy in your chain of reverse proxies. Given that shouldn’t you have cloudflare: true in your Nginx SSL proxy config? That’s the intended use case of that option.
Ok another reverse proxy. It looks like this is a device you have in your house so I assume you control its config. Why do you have the NGinx SSL addon? Seems very unnecessary to add a third reverse proxy in the chain of reverse proxies here. Why not just set the upstream for ha.mydomain.com in the loadmaster to <homeassistant lan address>:8123 and drop the addon?
Also out of curiousity why are you using Let’s Encrypt for the certificate? Cloudflare gives you a wildcard certificate for your domain in this setup. It’ll also give you an origin certificate to put on your local server to ensure all external traffic has first gone through your web application firewall (Cloudflare).
I thought it could be something related to delivering https traffic to http. Kemp receives the requests through port 443 and delivering it to 8123 through http could be the cause of the error.
Then i saw some post online with the Let’s Encrypt + Nginx SSL addon with a similar setup (also using Kemp), and everything worked as expected…
Also tried this with no luck…probably i failed something in the config, i don’t know.
I actually have that origin certificate installed on my Kemp. I have a couple of other services being proxied from cloudflare to my home ip address (HTTPS to HTTP).
By the way, i have little to zero experience with webservers and such, so sorry if am saying some kind of blaspheme
Unlikely. That’s one of the primary use cases of reverse proxies, ensuring external traffic is encrypted when talking with services that don’t have those features. There might be something wrong with your particular config but this has to be a supported use case for a reverse proxy. And besides as you said later you do go from HTTPS to HTTP with other services on your network.
So this is pretty weird although I didn’t think about it at first. Certificates are valid for a particular hostname only, whatever name you requested them on. If you have a let’s encrypt certificate its for a public domain. But if Kemp LoadMaster is running in your network then its not talking to the nginx ssl proxy with that name, its talking to it by IP address I assume? Which means the certificate isn’t valid for those requests.
Do you have ssl verification turned off in Kemp LoadMaster in the config for HA? If so then that furthers my point that Let’s Encrypt is adding nothing in this setup (except I assume causing Cloudflare to send you a “certificate transparency” email once every couple months). You could just generate any self-signed certificate with an expiration date of 2100 or whatever and forget about it if it’s not going to be verified anyway.
I searched for that error and found this post:
I don’t know Kemp Loadmaster at all so I’m not sure how it is configured but does it think its supposed to use HTTPS for the upstream? If it’s text based you could probably share it and maybe me or someone on here could spot something. Lot of the terms on reverse proxies are pretty standard.
Now i am still wondering how this setup worked previously…I have some backups for my test Home Assistant from a year ago when i first installed it, so i am going to restore a few to a point where all was working with the re-encrypt option active in Kemp. Then see which update “breaks” it (Home Assistant or the Addon) and review the changelog to see if i can find something relevant that changed.
