Home Assistant Cloud with OnPrem/local reverse proxy for SSL connection

Hi everyone :slight_smile: ,

I’m currently trying to revise my homelab infrastructure and how I access everything, internally as well as externally, in the same way.

I don’t know why, but I like to have access to all my internal stuff via SSL-encrypted traffic :smiley:. I know that normally there is no real need to secure everything inside your home environment, but I like to be consistent when connecting to each service and prevent the security warning from coming up, not just for the services facing the public internet.

So, what I did so far was create another LXC container on my Proxmox host with a Nginx Proxy Manager instance installed. I thought this would be the easiest way to obtain and manage certs centrally without configuring acme.sh on each and every host independently.

Now I know the question that comes to your mind: “Why not just configure acme.sh on every host he has, since there should not be so many changes in his home environment?”

But I don’t know why, my inner voice won’t let go of me until I simplify everything and can finally sleep well again :smiley: .

What I want to achieve:
I’ve established remote access to my HA VM via the Nabu Casa Cloud (and I want to keep this connection) and obtained an SSL cert for the local connection via the Let’s Encrypt AddOn inside of HA.

That works perfectly, but I was wondering whether it might be possible to have a reverse proxy for the local connection in place (restricting it via configuration.yaml to accept the traffic coming from the proxy) to have all certs and configurations in one place (and probably get rid of the default port in the URL… I know, just cosmetics, but I like it being pretty :upside_down_face: ).

Of course, I would then disable the internal SSL config and let the proxy forward the traffic directly to http://…:8123.

When I was reading the documentation for HA’s reverse proxy settings, I asked myself whether this breaks the built-in cloud connection to Nabu Casa, or whether these settings don’t harm the cloud connection when I tell HA to accept only the traffic coming through the proxy, to prevent anyone from connecting to it directly.

Does anyone already have a similar setup or has tested it and can confirm that it doesn’t work the way I’d like it to?

If you have any questions or assumptions, feel free to ask :)!

Thanks in advance
Penny

It should not break the Nabu Casa cloud connection as that is actually an outbound connection from your HA server to the Nabu Casa servers.

The Let’s Encrypt AddOn is basically ‘acme.sh’ on the Home Assistant Server.

One thing to note is that if you do this, you will likely be forwarding all inbound traffic on ports 80 and 443 to your Nginx Proxy Manager LXC, and hence you could be exposing apps to the external network that you do not necessarily want exposed. This can be avoided by running two instances of Nginx Proxy Manager, keeping one for internal and one for external use (you would just port forward to the external one).

Ah okay, that makes sense when I think about it and how it’s working technically.

Yes, I know, but when I set this up, I didn’t have a clue that I’d come up with this internal reverse proxy idea at some point :joy: .

Good hint! I know this kind of architecture, but I didn’t think of it, since I didn’t plan to expose the NPM LXC publicly (yet). I’m currently using Tailscale with its “VPN On Demand” option to access any internal service (such as my local Pi-Hole etc.), but now I’m considering it, because it makes things easier, since I already have a dedicated port forwarding in place for my Synology NAS.

But maybe I would then go with a split-DNS config approach! Anyway, thanks for your reply :slight_smile: .

Edit:

Maybe I won’t use the reverse proxy for my HA and just use it for every other service I’m running at home…

Or what are your experiences with reverse proxying the HA instance? Any disadvantages?

I have a local-only domain <myhome.com>.
I set up all my services in caddy using that domain, so https://homeassistant.myhome.com works.
This caddy server is set up in docker and does not work outside home.
There is no port forwarding or other connection from outside the local LAN into this proxy.

For the SSL cert, I use letsencrypt. This does not require a port forward.
caddy has modules that allow letsencrypt renewal via the domain host without a port forward.

I use nginx for external/remote connections. I added caddy locally because I have some local-only services (zwave, matter, esphome, others) that I didn’t want to memorize IPs to access or that needed SSL, but I did not feel comfortable adding them to the external proxy for fear a misconfiguration may expose them to the web. NGINX is also a bit tenacious and I wanted a simpler proxy for management. This gave me a good test of caddy. Also, I like to fiddle with stuff for fun.

I have local DNS. As I think of it, I’m pretty sure you would need local resolution of the domain.

You can do either/or
Nabu for remote
direct connection when local
One does not affect the other.

Yes that sounds exactly like what I want to achieve but just with NPM. I also checked out caddy and decided to go with NPM first.

There I can also use the certbot DNS challenge to obtain the certs from Let’s Encrypt.

Same here, I have a Pi-Hole in place for local DNS resolution which works great!

Do you have any advice on how to configure the proxy in terms of connectivity? Because I read a lot about issues when trying to create automations, or that the sessions won’t stay logged in, etc.

Thanks in advance!

Proxy is not my specialty.

I have never had an issue with connectivity in nginx.
Caddy basically auto-configures. No issues there.

Hmm, okay. Could you maybe share the configuration caddy applied? Just so I can see all the headers I need to configure manually in NPM.

You can create a manual config in caddy or just do what I have below. There is not much config to be had, and I know of no method for seeing this, although I’m sure there may be one. It’s internal, so at the moment I haven’t had a concern to check.


{
    # Global options
    admin localhost:2019
    email [email protected]
}

https://homeassistant.myhome.com {
    tls {
        # DNS-01 challenge against Cloudflare: the cert is issued and
        # renewed without any inbound port 80/443 forwarding
        dns cloudflare {
            zone_token {env.CF_ZONE_TOKEN}
            api_token {env.CF_API_TOKEN}
        }
        resolvers 1.1.1.1
    }
    # Plain HTTP to HA; Caddy passes Host through and sets
    # X-Forwarded-For / X-Forwarded-Proto itself, websockets included
    reverse_proxy http://homeassistant:8123
}


See here: Reverse proxy using NGINX - Community Guides - Home Assistant Community

Thanks for sharing both, the config & community guide. This should help to configure my NPM accordingly :slight_smile:

I’ll close this as soon as everything is working as expected :smiley: