Home Assistant Community Add-on: Nginx Proxy Manager

Yes, you can also see the subnet in your initial post. Since the nginx container might have a different IP the ip range is added as trusted proxy.

Oh didnt notice, my bad sorry.
Thank you, solved!
SoL

I apologize, I am relatively new to this. Is there a way to add the required config changes in the WebUI of Nginx Proxy Manager?

no they are added to your configuration.yaml file in home assistant.

1 Like

What I should change after the upgrade to 2021.7 if I am using ha and Nginx proxy manger in docker? Now I am seeing only text “400: Bad Request” when accessing the HTTPS webpage. Adding the:

http:
use_x_forwarded_for: true
trusted_proxies:
- 172.30.33.0/24
- 192.168.0.0/24

to the configuration file is also not helping…

Please review my docker-compose files.


version: “3.7”
services:
home-assistant:
image: homeassistant/home-assistant
network_mode: host
container_name: home-assistant
environment:
- USER_ID=1001
- GROUP_ID=100
- TZ=Europe/Warsaw
volumes:
- /hass/home-assistant:/config
- /var/run/docker.sock:/var/run/docker.sock
restart: always


version: ‘3’
services:

ngnix:
image: ‘jc21/nginx-proxy-manager:latest’
container_name: nginx
restart: unless-stopped
ports:
- ‘83:81’ #Dashboard Port
- ‘447:443’ #HTTPS Traffic
- ‘89:80’ #HTTP Traffic
volumes:
- /nginx/config.json:/app/config/production.json
- /nginx/data:/data
- /nginx/letsencrypt:/etc/letsencrypt

db:
image: ‘jc21/mariadb-aria:10.4’
container_name: nginx_db
restart: unless-stopped
environment:
MYSQL_ROOT_PASSWORD:’ XXX’
MYSQL_DATABASE: ‘XXX’
MYSQL_USER: ‘docker’
MYSQL_PASSWORD: XXX’
volumes:
- /nginx/db/data/mysql:/var/lib/mysql

See the config notes in the linked post from @cmille34 who got it working Nginx Reverse Proxy Set Up Guide – Docker - #298 by cmille34

When I restart NPM I see this error:

[Client 192.168.100.1] [Length 947] [Gzip -] [Sent-to 192.168.100.25] "python-requests/2.25.1" "-"
`QueryBuilder#allowEager` method is deprecated. You should use `allowGraph` instead. `allowEager` method will be removed in 3.0
`QueryBuilder#eager` method is deprecated. You should use the `withGraphFetched` method instead. `eager` method will be removed in 3.0
QueryBuilder#omit is deprecated. This method will be removed in version 3.0

What can I do to solve this?

Has anyone got Vaultwarden running with this and cloudflare?

I have my subdomain setup, I have my host ip and port set in NPM , if i use http i get the error “The plain HTTP request was sent to HTTPS port” and if i set to https i get a bad gateway error message from cloudflare

i also saw this error “2021/08/08 06:56:23 [error] 705#705: *201 SSL_do_handshake() failed (SSL: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:SSL alert number 40) while SSL handshaking to upstream”

I have bought a secondary router to improve the Wi-Fi connection at home and not use the company router.
I have it connected to the WAN of the main router, the problem is that I cannot access my home assistant from the outside through the duckdns link, I have all the ports open on both the main and secondary router. It only affects the links that I have with the NGINX proxy.

How should I configure the router to be able to access from the outside with the reverse proxy?

In Nginx Proxy:
Resource is “XXXXXXX.duckdns.org
Destination is “http://IP_HOME_ASSISTANT_ON_SECUNDARY_ROUTER:8123”

In both routers I have open ports 443 and 80 directed to the raspberry pi and the secondary router

You don’t need to forward port 8123 (theoretically only port 443 should be forwarded; however, if you don’t want to manually renew Let’s encrypt certificate or you don’t have the DNS challenge option set, then you also need port 80 forwarded).

Destination should be the address of HA (not your secondary router).

I think you meant a LAN port; anyway, if you only need to improve coverage of your wifi signal you don’t need to set it as a router but as an AP (with NAT functions disabled) because routing would be a nightmare between the two subnets. Or, are you trying to say that you want to completely replace wifi from the ISP’s provided router (thus have all devices connected to your personal router)?

Yes, I wanna replace completely wifi from the ISP’s provided router. I bought a TP-Link Router Mesh.

I don’t have forwarded port 8123, just port 433 and 80 on both routers.
The destination is already the ip of Home Assistant.

For example.

  • In Secundary router wich ip is 192.168.0.1:
    IP of HA: 192.168.0.55 → I forward ports 433 and 80

  • In Main router wich ip is 192.168.1.1:
    IP of Secondary router: 192.168.1.120 → I forward ports 433 and 80

First you can use something like https://canyouseeme.org/ to check if the ports 443 and 80 are correctly forwarded between the two routers.

It should be mentioned that the secondary router should have a wan static address otherwise the primary router might lease a new IP and the port forwarding will then fail (basically in the above you need to ensure that (1) the wan IP of the secondary router (you didn’t mentioned this) and (2) the IP to which the two ports are forwarded (192.168.1.120) coincide).

Case the above test is passed then you might need to check the DNS record of the “XXXXXXX.duckdns.org” if you don’t have a static IP from your ISP. I also use DuckDNS addon with xxx.duckdns.org and defined aaa.xxx.duckdns.org, bbb.xxx.duckdns.org, etc. for the hosts I needed so I would not need too many records updated when the public IP changes.

Just had to recreate my HA due to an issue on another server (hypervm). All works fine but cannot get nginx proxy to set up the ssl for my duckdns.
internal error when I try to renew the certificate through the nginx proxy manager.

Any suggestions? Router has 80/443 pointing to my IP address of homeassistant fine.

Was working fine on the other server before it broke. What could I be missing? Possibly a hyperv vm setting blocking it?

You were trying to renew a certificate that was previously issued to another machine, right?

Can you try issuing a certificate for a domain that was not used before?

Managed to get my old server back up and running on the same ip.
renewed the duckdns cert and added that to the addon.
Still no luck.

internal error when trying to add a new host in the nginx proxy manager gui.

hmmm

I wonder if this has anything to do with it:

Another instance of Certbot is already running.

UPDATE: Finally. Removed the old nginx folder created from the snapshot restore. Reinstalled the addon and then came back to life. Some conflict with the old configs even though I unsintalled it before it held onto the repo.

1 Like

Thanks @bg1000
I followed your instructions. Now I hope that you can help me (proxy noob):

What I’ve had so far:
External access with the addons let’s encrypt and duckdns including port forwarding 8123, 80 443.

What have I done:

  1. let’s encript addon uninstalled
  2. uninstalled duckdns addon
  3. http: section disabled in yaml
  4. disable portforwarding 8123
  5. reboot HA
  6. duckdns addon installed and configured like that:
lets_encrypt:
  accept_terms: false
  certfile: fullchain.pem
  keyfile: privkey.pem
token: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
domains:
  - xxxxxxx.duckdns.org
aliases: []
seconds: 300
  1. Now the error message KO comes in the duckdns addon logs
  2. Couldn’t fix that, so I installed and configured the Nginx Proxy Manager addon. There the state shows in green.

Problem:
If I now try my url (xxx.duckdns.org without port 8123) the following appears: ERR_EMPTY_RESPONSE :see_no_evil:

what did I do wrong? Thank you for your support

.


Edit:

In reason of the change (reverse proxy breaking change in 2021.7) I also tried this:

http:
#   ssl_certificate: /ssl/fullchain.pem
#   ssl_key: /ssl/privkey.pem
  use_x_forwarded_for: true
  trusted_proxies:
    - xxx.xxx.xxx.0/24

Unfortunately also without success (and the same error message)

I haven’t actually used that addon in a couple of years but I’m happy to try to help. Here are couple of things you might try:

  1. If homeassistant is blocking the traffic there will be a message in the log about an untrusted proxy. So I would start by looking for that.
  2. Try picking another add on with a web interface and setting up a proxy host for that. This will allow you to confirm that the addon is working properly and that you know how to configure it.

It seems I am having problems to update my SSL certificates:

[07/Sep/2021:13:12:19 +0200] - 200 200 - POST https abcdef.qwertz.duckdns.org "/api/webhook/a0a69523ad0240975cf1960414a68d7140e35c4f0fce97333e5e2146b2bc2e7f" [Client 83.135.88.74] [Length 433] [Gzip -] [Sent-to 192.168.178.108] "Home Assistant/2021.8 (io.robbie.HomeAssistant; build:2021.216; iOS 14.7.1)" "-"
[07/Sep/2021:13:12:20 +0200] - 200 200 - POST https abcdef.qwertz.duckdns.org "/auth/token" [Client 83.135.88.74] [Length 220] [Gzip -] [Sent-to 192.168.178.108] "Home Assistant/2021.8 (io.robbie.HomeAssistant; build:2021.216; iOS 14.7.1) Alamofire/5.4.3" "-"
[07/Sep/2021:13:12:27 +0200] - 101 101 - GET https abcdef.qwertz.duckdns.org "/api/websocket" [Client 83.135.88.74] [Length 189843] [Gzip -] [Sent-to 192.168.178.108] "Home Assistant/2021.8 (io.robbie.HomeAssistant; build:2021.216; iOS 14.7.1)" "-"
[07/Sep/2021:13:22:05 +0200] - 200 200 - POST https abcdef.qwertz.duckdns.org "/api/webhook/a0a69523ad0240975cf1960414a68d7140e35c4f0fce97333e5e2146b2bc2e7f" [Client 83.135.88.74] [Length 245] [Gzip -] [Sent-to 192.168.178.108] "Home Assistant/2021.8 (io.robbie.HomeAssistant; build:2021.216; iOS 14.7.1)" "-"
[07/Sep/2021:13:22:05 +0200] - 101 101 - GET https abcdef.qwertz.duckdns.org "/api/websocket" [Client 83.135.88.74] [Length 163] [Gzip -] [Sent-to 192.168.178.108] "Home Assistant/2021.8 (io.robbie.HomeAssistant; build:2021.216; iOS 14.7.1)" "-"
[9/7/2021] [1:28:32 PM] [SSL      ] › ℹ  info      Renewing SSL certs close to expiry...
[07/Sep/2021:13:30:43 +0200] - 200 200 - POST https abcdef.qwertz.duckdns.org "/api/webhook/77da5ad6e8ce8e93aa59b796f8c0d0714d7e420a0e704d86ad93b0e3544120aa" [Client 83.135.88.74] [Length 42] [Gzip -] [Sent-to 192.168.178.108] "okhttp/4.9.1" "-"
[9/7/2021] [1:36:09 PM] [SSL      ] › ✖  error     Error: Command failed: /usr/bin/certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation  
Challenge failed for domain ghijkl.qwertz.duckdns.org
Failed to renew certificate npm-2 with error: Some challenges have failed.
Challenge failed for domain mnopqrs.qwertz.duckdns.org
Failed to renew certificate npm-4 with error: Some challenges have failed.
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/npm-2/fullchain.pem (failure)
  /etc/letsencrypt/live/npm-4/fullchain.pem (failure)
2 renew failure(s), 0 parse failure(s)
    at ChildProcess.exithandler (child_process.js:308:12)
    at ChildProcess.emit (events.js:315:20)
    at maybeClose (internal/child_process.js:1048:16)
    at Process.ChildProcess._handle.onexit (internal/child_process.js:288:5)
[07/Sep/2021:13:45:46 +0200] - 200 200 - POST https abcdef.qwertz.duckdns.org "/api/webhook/77da5ad6e8ce8e93aa59b796f8c0d0714d7e420a0e704d86ad93b0e3544120aa" [Client 83.135.88.74] [Length 42] [Gzip -] [Sent-to 192.168.178.108] "okhttp/4.9.1" "-"
[07/Sep/2021:13:45:46 +0200] - 200 200 - POST https abcdef.qwertz.duckdns.org "/api/webhook/77da5ad6e8ce8e93aa59b796f8c0d0714d7e420a0e704d86ad93b0e3544120aa" [Client 83.135.88.74] [Length 42] [Gzip -] [Sent-to 192.168.178.108] "okhttp/4.9.1" "-"
Connection Error: Error: read ECONNRESET
`QueryBuilder#allowEager` method is deprecated. You should use `allowGraph` instead. `allowEager` method will be removed in 3.0
`QueryBuilder#eager` method is deprecated. You should use the `withGraphFetched` method instead. `eager` method will be removed in 3.0
QueryBuilder#omit is deprecated. This method will be removed in version 3.0

Both certificates (ghijkl.qwertz.duckdns.org, mnopqrs.qwertz.duckdns.org) have been deleted months ago. Why is nginx still trying to update them?
The problem is that because of this my still active certificates are also not updated!

Can someone help me here?

Hi,

These forums have generally been super helpful for me, but so far I haven’t seen anyone describing the exact issue I’m having.

I have Nginx Proxy Manager installed on my homeassistant instance on my raspberry pi. I’ve got it all set up so I can access homeassistant.mydomain.com and it takes me to my homeassistant instance. Excellent!

Now I want to expose other things on my local network using additional subdomains. I go through the same steps to add additional proxy hosts for these new subdomains (which I’ve pointed to my public IP address via my DNS) but when I visit any of the subdomains it takes me to my homeassistant login page instead of the destination IP address I’ve set.

The login page displays:
You’re about to give http://subdomain.mydomain.com/ access to your Home Assistant instance.

I’ve tried doing this to access my synology server, plex server, and even tried to access the Nginx Proxy Manager this way and they all had the same behavior of just routing me to my Home Assistant instance. I’ve played with http vs https, web sockets support enabeld vs not, and am running out of ideas.

I don’t have much background managing networks so a lot of this is new for me, and I’d appreciate any suggestions about what I may be missing!

Thanks,
Dylan