Home Assistant Community Add-on: Nginx Proxy Manager

The entire location block is included in the advanced tab (see below an example for Booksonic)
image

No, I don’t use Alexa

Thank you, I have been trying to insert different lines under advanced, but I’m not sure what the proper formatting is.

How would I format this exactly?

proxy_set_header Authorization $http_authorization;
proxy_pass_header Authorization;

In your example you have “/booksonic” following location. For Home Assistant, how do I determine what I place after “location”?

If there isn’t any special requirement for api then “/”

location / {
        proxy_pass              http://192.168.0.x:8123;
        proxy_set_header        Host            $host;
        proxy_redirect          http://         https://;
        proxy_set_header        Authorization   $http_authorization;
        proxy_pass_header       Authorization;
        }

That’s it, thank you!! I’ve been trying to figure this out the whole last day.

Placing that code in the advanced box got AWS communicating with HA, I can now see and control my entities from Alexa.

You’re welcome!

I didn’t realize that after I added the location code, that I couldn’t actually login after entering my my username/password. I had to add two more lines to get that working, so these are my final settings for the advanced tab:

location / {
        proxy_pass              http://192.168.0.x:8123;
        proxy_set_header        Host            $host;
        proxy_redirect          http://         https://;
        proxy_set_header        Authorization   $http_authorization;
        proxy_pass_header       Authorization;
        proxy_set_header        Upgrade         $http_upgrade;
        proxy_set_header        Connection      "upgrade";
        }

One consequence of passing the authorization header seems to be that incorrect logins are shown and logged in HomeAssistant as the IP of Nginx Proxy Manager, rather than the origin IP address. This makes the banlist useless. Is there a way to get HomeAssistant to keep reporting the orgin IP and pass the authorization header?

Alright got remote IP logging and Alexa AWS token authentication working. This is my final advanced config if it helps anyone else:

location / {
        proxy_pass              http://192.168.0.x:8123;                  #local IP of my HA server
        proxy_set_header        Host                   $host;               
        proxy_pass_header       Authorization;                            #needed to pass HA token from AWS Alexa to HA 
        proxy_set_header        Upgrade                $http_upgrade;     #needed for HA user login
        proxy_set_header        Connection             "upgrade";         #needed for HA user login
        proxy_set_header        X-Forwarded-For        $remote_addr;      #needed so that HA sees the remote IP making a connection rather that the IP for NGINX
        }

HA configuration yaml

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1                          #may not be required?
    - 172.30.33.10                     #just the IP of NginX Manager, different from HA IP
  ip_ban_enabled: true
  login_attempts_threshold: 5

You don’t need to add an entire block of IPs to trusted proxies. NginX Manager automatically selects one static IP for each proxy host (each URL source you add in the NginX add-on).

4 Likes

@JasonLee Worked like a charm. Thank you!

1 Like

I think when I did this NGINX moved around IP, so I just did 172.30.33.0/24

Mines stayed static for the last 3 weeks since I started using NginX Manager. I’ve probably reset my HA 20 times in that period playing with other things. Router a few times too.

I did notice that if you delete/add a new URL for NginX Manager to redirect, a new IP is used.

Covering the entire block of IPs (172.30.33.0/24) will of course work too, but it is also less secure.

If you are paranoid like me, try restricting it to just the one IP. Maybe NginX Manager changed IPs on a previous version.

Is there any documented way to migrate an existing NPM config (that’s running on a separate Docker server), to the NPM add-on?

Alongside /data and /etc/letsencrypt you also need the DB (which depends on your current installation as it might not use MariaDB) to be able to access the interface.

Guys, gonna start with nginx too
but whats the difference between the official add-on and the community add-on?

I haven’t looked at the official one in a long time…
The community one is easier as far as I recall. You only need the manager, no duckdns or let’s encrypt add-ons required, as let’s encrypt is rolled into the manager.

There is still abit of yaml needed for the trusted proxies part.

You also still need a domain from duckdns or similar.

It was mostly just an easier all in one GUI interface.

1 Like

The official one is dead simple and only for you to connect to your HA.
The community one (this one) has GUI, can config more things, can let you connect to multiple services in your network from outside, and thus more complex and powerful.

Edit: Fixing typos and minor edits

I used the simple one , it was indeed simple and more then enough for my setup :slight_smile:

Hey, i have some issues. The Plugin was working fine. But then it just stopped working and the only error i can see is that when i try to access HA i get the information that it can’t connect.

No other error in any logs i could find. checked my setting but this seems fine and i didn’t changed anything. I know thats not much. But don’t have more :wink: i removed the proxy and added a new one with new cert then it worked again for a few minutes till i couldn’t connect anymore…

Those are my setting:

The only other strange observation was. if i hit CTRL+F5 to reload the site without cache i get the following:

and this for what ever reason my unifi gateway presenting the cert and i get a 302 redirect to my unfi controller…

I’m out of ideas. Anyone? :wink:
Thanks

Are there (advanced) settings for NPM that could make it equivalent to the setup created by the official addon (NGINX Home Assistant SSL proxy). Would the Websockets + Force SSL be enough to be identical to other option?

Have you checked the requirements for adding trusted proxies in HA?

The default settings for the two create similar setup from HA’s point of view.

You might also want to enable “Block Common Exploits” in NPM