Home Assistant Community Add-on: Nginx Proxy Manager

This add-on is provided by the Home Assistant Community Add-ons project.


Supported architectures: armhf, armv7, aarch64, amd64, i386.

Manage Nginx proxy hosts with a simple, powerful interface.

About


This add-on enables you to easily forward incoming connections to anywhere, including free SSL, without having to know too much about Nginx or Let’s Encrypt.

Forward your domain to your Home Assistant, add-ons, or websites running at home or anywhere else, straight from a simple, powerful interface.

Want to protect the website with a username/password? Well, it can do that too! Enable authentication and create a list of usernames/passwords that can access that specific application.

For the power users, you can customize the behavior of each host in the Nginx proxy manager by providing additional Nginx directives.

Installation


The installation of this add-on is pretty straightforward and not different in comparison to installing any other add-on.

  1. Ensure you are running the MariaDB add-on. This add-on is required to use the Nginx Proxy Manager add-on as it uses the database services provided.
  2. Search for the “Nginx Proxy Manager” add-on in the add-on store and install it.
  3. Start the “Nginx Proxy Manager” add-on.
  4. Check the logs of the “Nginx Proxy Manager” add-on to see if everything went well.
  5. Click the “OPEN WEB UI” button and log in using:
    [email protected] / changeme
  6. Forward port 80 and 443 from your router to your Hass.io machine.
  7. Enjoy the add-on!

:books: Please read the documentation for more information about the use and configuration of this add-on.

Support


You can always try to get support from the community here at the Home Assistant community forums, join the conversation!

Questions? You have several options to get them answered:

You could also open an issue on GitHub, in case you ran into a bug, or maybe you have an idea on improving the addon:

:information_source: At this moment our Home Assistant Community Add-ons Discord chat server and GitHub are our only official support channels. All others rely on community effort.

Repository on GitHub


Looking for more add-ons?


The primary goal of our add-ons project is to provide you (as a Home Assistant user) with additional, high quality, add-ons that allow you to take your automated home to the next level.

Check out some of our other add-ons in our Home Assistant Community Add-ons project.

18 Likes

About the author of this add-on

Hi there!

I am Franck Nijhof, and I have 30 years of programming experience, in many languages. I am using this experience to work on the Home Assistant project by giving back my knowledge and time to the open source community.

The add-on you are currently looking at right now was developed/packaged by me. It is not the only add-on I have created; there are many many more :wink:

However, I have a problem… I am an addict. A :coffee: addict that is. Lucky for you, I turn that C8H10N4O2 (caffeine molecule) into code (and add-ons)!

If you want to show your appreciation, consider supporting me for buying a cup of high octane wakey juice via one of the platforms below! :heart:

Sponsor Frenck via GitHub Sponsors

Support Frenck on Patreon

Enjoy your add-on, while I enjoy the brain juice. :coffee:

Thanks for all the :two_hearts:

…/Frenck


P.S.: In case you want to ask me a question: AMA (Ask Me Anything). Most of the time I am online at the Discord chat. (I go by @Frenck in there as well).

Oh man… this is fantastic!

I LOVE you :smiley: :heart: :heart: :heart: :heart: :heart:

I saw the project here:

I have been battling to get the NGINX official addon or Caddy working and it has been nothing but nightmares!

This solves it all, even a baby could do reverse proxy + SSL now! :heart_eyes:

If I could I would give you an espresso machine! :cupid:

I am getting this error:
[08:49:22] INFO: Starting MySQL database server…
Warning: World-writable config file ‘/etc/my.cnf’ is ignored
2019-04-19 8:49:22 0 [Note] /usr/bin/mysqld (mysqld 10.3.13-MariaDB) starting as process 2279 …
2019-04-19 8:49:23 0 [Note] InnoDB: Using Linux native AIO
2019-04-19 8:49:23 0 [Note] InnoDB: Mutexes and rw_locks use GCC atomic builtins
2019-04-19 8:49:23 0 [Note] InnoDB: Uses event mutexes
2019-04-19 8:49:23 0 [Note] InnoDB: Compressed tables use zlib 1.2.11
2019-04-19 8:49:23 0 [Note] InnoDB: Number of pools: 1
2019-04-19 8:49:23 0 [Note] InnoDB: Using generic crc32 instructions
2019-04-19 8:49:23 0 [Note] InnoDB: Initializing buffer pool, total size = 128M, instances = 1, chunk size = 128M
2019-04-19 8:49:23 0 [Note] InnoDB: Completed initialization of buffer pool
2019-04-19 8:49:23 0 [Note] InnoDB: If the mysqld execution user is authorized, page cleaner thread priority can be changed. See the man page of setpriority().
2019-04-19 8:49:23 0 [Note] InnoDB: Starting crash recovery from checkpoint LSN=1614509
2019-04-19 8:49:23 0 [Note] InnoDB: Starting final batch to recover 15 pages from redo log.
2019-04-19 8:49:23 0 [Note] InnoDB: 128 out of 128 rollback segments are active.
2019-04-19 8:49:23 0 [Note] InnoDB: Removed temporary tablespace data file: “ibtmp1”
2019-04-19 8:49:23 0 [Note] InnoDB: Creating shared tablespace for temporary tables
2019-04-19 8:49:23 0 [Note] InnoDB: Setting file ‘./ibtmp1’ size to 12 MB. Physically writing the file full; Please wait …
2019-04-19 8:49:23 0 [Note] InnoDB: File ‘./ibtmp1’ size is now 12 MB.
2019-04-19 8:49:23 0 [Note] InnoDB: Waiting for purge to start
2019-04-19 8:49:23 0 [Note] InnoDB: 10.3.13 started; log sequence number 1632083; transaction id 15
2019-04-19 8:49:23 0 [Note] InnoDB: Loading buffer pool(s) from /data/mysql/ib_buffer_pool
2019-04-19 8:49:23 0 [Note] InnoDB: Cannot open ‘/data/mysql/ib_buffer_pool’ for reading: No such file or directory
2019-04-19 8:49:24 0 [Note] Plugin ‘FEEDBACK’ is disabled.
2019-04-19 8:49:24 0 [Note] Recovering after a crash using tc.log
2019-04-19 8:49:24 0 [Note] Starting crash recovery…
2019-04-19 8:49:24 0 [Note] Crash recovery finished.
2019-04-19 8:49:24 0 [Note] Server socket created on IP: ‘::’.
2019-04-19 8:49:24 0 [ERROR] Fatal error: Can’t open and lock privilege tables: Can’t find file: ‘./mysql/proxies_priv.MYI’ (errno: 2 “No such file or directory”)

This looks pretty choice! I use Caddy but this is great!

1 Like

Is there any documentation on the options within the GUI @frenck?

2 Likes

I would really love to have some more documentation as well on how to use locations or Access Lists with common add-ons or in common scenarios in Home Assistant. At least with an example or two just like most add-ons. :slight_smile:

I can see it’s still a piece of work in progress (as per below :face_with_hand_over_mouth:), but I am so happy it has been released already. It is completely functional!

I’ve had a play around with some, here’s one I use for pihole:


And another for directing to a location on a separate host, including advanced settings which were required in this instance:


1 Like

I believe that’s a “todo” note from the base image, and isn’t something that Frenck can add or change, though I could be wrong.

Is there something specific you want to know more about, or are having trouble with?

I just installed it today (never used Nginx before) and got it working nicely with subdomains for all sorts of things (grafana, glances, tautulli, etc), with SSL certs for each subdomain.

There are still some questions I have myself, mainly concerning getting the original IPs forwarded, but I think I got it working by adding the below code to the “Custom Nginx Configuration” box in the “Advanced” tab. Though I don’t fully understand what it does, so any additional pointers would be nice. :smiley:


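```nginx
# Pass the connecting client's address to the proxied application
proxy_set_header  X-Real-IP $remote_addr;
proxy_set_header  X-Forwarded-For $remote_addr;
# Pass the host name the client requested
proxy_set_header  X-Forwarded-Host $host;
# Read the client address from X-Real-IP on requests from trusted proxies
real_ip_header X-Real-IP;
real_ip_recursive on;
```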

1 Like
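What `real_ip_header` and `real_ip_recursive` in the snippet above do, as an added example that is not part of the original post or of the add-on: a small Python model of nginx's documented real-IP resolution. It assumes a trusted proxy range, which nginx takes from `set_real_ip_from` (not present in the snippet; without it no peer is trusted and the two `real_ip_*` lines have no effect). The function name and all addresses other than 192.168.0.10 are constructed for illustration.

```python
import ipaddress

# Constructed sample values: the proxy's LAN range (192.168.0.10 is the
# Hass.io machine in this thread) and documentation-range client addresses.
TRUSTED_PROXIES = ["192.168.0.0/24"]


def resolve_client_ip(remote_addr, header_value, trusted=TRUSTED_PROXIES,
                      recursive=True):
    """Return the address a realip-style resolver would log for a request."""
    nets = [ipaddress.ip_network(n) for n in trusted]

    def is_trusted(addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in nets)

    # The header is honoured only when the TCP peer is a trusted proxy;
    # otherwise anyone could claim any address by sending the header.
    if not is_trusted(remote_addr):
        return remote_addr

    hops = [h.strip() for h in (header_value or "").split(",") if h.strip()]
    client = remote_addr
    # Walk the list right to left: the rightmost entries were appended by
    # the proxies closest to us, the leftmost ones are client-controlled.
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # unparsable entry: keep the last good address
        client = hop
        if not recursive or not is_trusted(hop):
            break  # non-recursive: last entry; recursive: last untrusted
    return client


def demo():
    return {
        "via_proxy": resolve_client_ip("192.168.0.10", "203.0.113.7"),
        "spoofed_direct": resolve_client_ip("198.51.100.9", "192.168.0.99"),
        "spoofed_prefix": resolve_client_ip(
            "192.168.0.10", "10.9.9.9, 203.0.113.7, 192.168.0.5"),
        "non_recursive": resolve_client_ip(
            "192.168.0.10", "203.0.113.7, 192.168.0.5", recursive=False),
    }


if __name__ == "__main__":
    for case, ip in demo().items():
        print(f"{case}: {ip}")
```

The same trust decision applies to any application behind the proxy: it should accept forwarded-address headers only from the proxy's own address.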

I am having issues displaying Pi-Hole in the iFrame. So I have a subdomain for HA as follows

home.mydomain.com

This works perfectly (Forwarded IP is 192.168.0.10 Port 8321 which is my Hassio).

So for PiHole I added a subdomain named pihole.mydomain.com and added the proxy host as follows

Domain name:
pihole.mydomain.com
Forward: 192.168.0.20 (PiHole on different host running Raspbian), port 80

On iFrame I added:

```yaml
panel_iframe:
  plexserver:
    title: PiHole
    icon: mdi:server
    url: 'https://pihole.mydomain.com/admin'
```

It works if I go directly to https://pihole.mydomain.com/admin but when embedded into the iframe I get a Connection Refused.

All the proxy hosts have the proper SSL certificate, show as online and work correctly. I was able to add iframe to Plex server (a different host), for Transmission, Cloud9 and a Nextcloud instance. They all work fine except PiHole Admin Interface. If I use location as you did I have a different issue:

Location: /pihole
But when I click on it it rewrites the URL from:
https://home.mydomain.com/pihole
To:
https://home.mydomain.com/admin

I believe this is because Pi-Hole interface sits on /admin location. I tried the rewrite but it still rewrites the URL when I click on it.

What’s the scheme for both of those hosts? HTTP or HTTPS? I encountered some weird things when I had one HTTPS domain (with the server running SSL, with its own cert) trying to display another host (also running SSL, with its own cert) in an iframe.

My final solution for that was to disable SSL on all the internal devices, set the scheme in Nginx to HTTP, and then in the SSL tab of proxy manager set it to get a new cert for each specific domain, and force SSL.

That seemed to fix things, where pages won’t load as iframes inside each other when they had separate certs and were running SSL themselves.

I’m not sure if that’s what’s causing your issues, but those are my 2-cents.

I edited my post and added some extra info. Everything inside my LAN is HTTP as I also had issues with HTTPS. So Pi-Hole uses standard HTTP (internal LAN), no problem with this as I can access it on http://192.168.0.20/admin.

I did also do the same thing with SSL and Force SSL options for everything under my NGINX. My domain and DNS are in Cloudflare and I have set it to enforce HTTPS to my domain and also Strict Encryption.

Hmmmm,

Well, I can say that in my setup, I have tautulli set as HTTP, and home assistant as HTTP. Both of them have their own subdomain in this proxy manager (home.xxxx.com and plex.xxxx.com)

Inside home assistant, I have the base url set to home.xxxx.com. I also have a panel_iframe set to:

```yaml
  tautulli:
    title: Tautulli
    icon: mdi:filmstrip
    url: https://plex.xxxx.com
```

And that works just fine as an iframe. Tautulli’s setup in proxy manager is just an ip and port, no subdirectory.

Maybe instead of using just “192.168.0.20” as your host, with the port, can you set the forward host to “192.168.0.20/admin” and the port?

Tried that, this is what I get now, kinda progress:

And I removed the /admin from the URL in the iframe config, I also tried with it but same issue:

```yaml
panel_iframe:
  pihole:
    title: Pi-Hole
    icon: mdi:security-network
    url: 'https://pihole.mydomain.com/'
```

Even directly accessing https://pihole.mydomain.com/admin (or even without /admin) breaks with the same broken page above.
Once I remove the /admin from Forward Host then it works fine but then I have to use https://pihole.mydomain.com/admin

I did remove the Base URL in my config when setting NGINX… I will try that.

Also is there any way we can bypass the password for the embedded iFrames like for cloud9, Tautulli, Transmission, etc? I get the standard authentication popups for these:

Is there a way to pass the authentication based on the iFrame URL? I.e.:

https://user:[email protected]/
https://cloud9.mydomain.com/?username=user&password=password

This would be quite neat as we still don’t have Ingress yet for all addons and the current ones cannot be added to iFrame (or you get two HomeAssistant sidebars).

Dear,
I don’t know much about implementing it without authentication,
but in 0.92 most probably
the ingress addon means whatever addons are available under ingress will be available under iframe.
So better wait for 0.92.

I suspect this is not the case. I have a feeling that the ingress addition as an iframe is much the same as the custom panel “hack” we’re using now, which means that it will still be protected by the standard HA auth, so if you are accessing it outside of HA, you will still need to log in.

I was thinking on removing the password from my addons and using the NGINX access list.

##### What is an Access List?
Access Lists provide authentication for the Proxy Hosts via Basic HTTP Authentication.
You can configure multiple usernames and passwords for a single Access List and then apply that to a Proxy Host.
This is most useful for forwarded web services that do not have authentication mechanisms built in.

So it does work, I can do the authentication on NGINX when accessing externally and leave the door open for the addons on my LAN. Now I am still trying to figure out how to pass the username and password in the URL as per my last post. Any ideas on how to achieve this? Apparently this can be added in the options of web server used for NGINX but I have no idea where to start.

Dear,
That’s true: if you want to access it outside of HA then authentication must be required.
Else, according to Frenck, the maker of the Hass.io addons, these are going to be implemented as iframe.
Let’s see what comes next.