Home Assistant Community Add-on: Nginx Proxy Manager

The entire location block is included in the advanced tab (see below an example for Booksonic)
No, I don’t use Alexa

Thank you, I have been trying to insert different lines under advanced, but I’m not sure what the proper formatting is.

How would I format this exactly?

proxy_set_header Authorization $http_authorization;
proxy_pass_header Authorization;

In your example you have “/booksonic” following location. For Home Assistant, how do I determine what I place after “location”?

If there isn’t any special requirement for api then “/”

location / {
        proxy_pass              http://192.168.0.x:8123;
        proxy_set_header        Host            $host;
        proxy_redirect          http://         https://;
        proxy_set_header        Authorization   $http_authorization;
        proxy_pass_header       Authorization;
        }

That’s it, thank you!! I’ve been trying to figure this out the whole last day.

Placing that code in the advanced box got AWS communicating with HA, I can now see and control my entities from Alexa.

You’re welcome!

I didn’t realize that after I added the location code, I couldn’t actually log in after entering my username/password. I had to add two more lines to get that working, so these are my final settings for the advanced tab:

location / {
        proxy_pass              http://192.168.0.x:8123;
        proxy_set_header        Host            $host;
        proxy_redirect          http://         https://;
        proxy_set_header        Authorization   $http_authorization;
        proxy_pass_header       Authorization;
        proxy_set_header        Upgrade         $http_upgrade;
        proxy_set_header        Connection      "upgrade";
        }

One consequence of passing the authorization header seems to be that incorrect logins are shown and logged in Home Assistant as the IP of Nginx Proxy Manager, rather than the origin IP address. This makes the banlist useless. Is there a way to get Home Assistant to keep reporting the origin IP and pass the authorization header?

3 Likes

Alright got remote IP logging and Alexa AWS token authentication working. This is my final advanced config if it helps anyone else:

location / {
        proxy_pass              http://192.168.0.x:8123;                  #local IP of my HA server
        proxy_set_header        Host                   $host;               
        proxy_pass_header       Authorization;                            #needed to pass HA token from AWS Alexa to HA 
        proxy_set_header        Upgrade                $http_upgrade;     #needed for HA user login
        proxy_set_header        Connection             "upgrade";         #needed for HA user login
        proxy_set_header        X-Forwarded-For        $remote_addr;      #needed so that HA sees the remote IP making a connection rather than the IP for NGINX
        }

HA configuration yaml

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1                          #may not be required?
    - 172.30.33.10                     #just the IP of NginX Manager, different from HA IP
  ip_ban_enabled: true
  login_attempts_threshold: 5

You don’t need to add an entire block of IPs to trusted proxies. NginX Manager automatically selects one static IP for each proxy host (each URL source you add in the NginX add-on).

7 Likes

@JasonLee Worked like a charm. Thank you!

1 Like

I think when I did this NGINX moved around IP, so I just did 172.30.33.0/24

Mine’s stayed static for the last 3 weeks since I started using NginX Manager. I’ve probably reset my HA 20 times in that period playing with other things. Router a few times too.

I did notice that if you delete/add a new URL for NginX Manager to redirect, a new IP is used.

Covering the entire block of IPs (172.30.33.0/24) will of course work too, but it is also less secure.

If you are paranoid like me, try restricting it to just the one IP. Maybe NginX Manager changed IPs on a previous version.
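
Why the single address is the tighter setting, as an added example (not code from this thread or from Home Assistant): a simplified model of the usual trusted-proxy rule, in which X-Forwarded-For is believed only when the connection itself comes from a listed proxy. 172.30.33.10 is the proxy address from the post above; the other addresses, `resolve_client_ip` and `demo` are constructed for illustration.

```python
import ipaddress

NPM_IP = "172.30.33.10"      # proxy address from the post above
CLIENT = "203.0.113.7"       # constructed remote client (documentation range)
NEIGHBOUR = "172.30.33.50"   # constructed: another host inside 172.30.33.0/24
CLAIMED = "198.51.100.99"    # constructed: address that host writes in the header


def resolve_client_ip(peer_ip, x_forwarded_for, trusted_proxies):
    """Return the address a backend would log and ban for one request.

    Simplified model of the common trusted-proxy rule (an assumption, not
    Home Assistant's code): the header counts only if the TCP peer is trusted.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]

    def trusted(ip):
        return any(ip in net for net in nets)

    peer = ipaddress.ip_address(peer_ip)
    if not trusted(peer) or not x_forwarded_for:
        return str(peer)
    # Walk right to left: the rightmost entries were added by the proxies
    # nearest the backend; the first untrusted entry is taken as the client.
    for hop in reversed([h.strip() for h in x_forwarded_for.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # malformed header: fall back to the peer
        if not trusted(addr):
            return str(addr)
    return str(peer)  # every hop was itself a trusted proxy


def demo():
    """The same kind of request under three trusted_proxies settings."""
    subnet = ["172.30.33.0/24"]
    return {
        "no trusted proxy": resolve_client_ip(NPM_IP, CLIENT, []),
        "single IP, via NPM": resolve_client_ip(NPM_IP, CLIENT, [NPM_IP]),
        "single IP, neighbour": resolve_client_ip(NEIGHBOUR, CLAIMED, [NPM_IP]),
        "/24, neighbour": resolve_client_ip(NEIGHBOUR, CLAIMED, subnet),
    }


if __name__ == "__main__":
    for case, ip in demo().items():
        print(f"{case:22} -> logged/banned as {ip}")
```

With only the proxy's address trusted, a request from any other host in the add-on subnet is logged under that host's own address; with the whole /24 trusted, the ban list records whatever address the header carries.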

Is there any documented way to migrate an existing NPM config (that’s running on a separate Docker server), to the NPM add-on?

Alongside /data and /etc/letsencrypt you also need the DB (which depends on your current installation as it might not use MariaDB) to be able to access the interface.

Guys, gonna start with nginx too
but what’s the difference between the official add-on and the community add-on?

I haven’t looked at the official one in a long time…
The community one is easier as far as I recall. You only need the manager, no duckdns or let’s encrypt add-ons required, as let’s encrypt is rolled into the manager.

There is still a bit of yaml needed for the trusted proxies part.

You also still need a domain from duckdns or similar.

It was mostly just an easier all in one GUI interface.

1 Like

The official one is dead simple and only for you to connect to your HA.
The community one (this one) has a GUI, can config more things, can let you connect to multiple services in your network from outside, and is thus more complex and powerful.

Edit: Fixing typos and minor edits

I used the simple one, it was indeed simple and more than enough for my setup :slight_smile:

Hey, I have some issues. The plugin was working fine. But then it just stopped working and the only error I can see is that when I try to access HA I get the information that it can’t connect.

No other error in any logs I could find. Checked my settings but this seems fine and I didn’t change anything. I know that’s not much. But don’t have more :wink: I removed the proxy and added a new one with new cert, then it worked again for a few minutes till I couldn’t connect anymore…

Those are my settings:

The only other strange observation was: if I hit CTRL+F5 to reload the site without cache I get the following:

and this, for whatever reason: my unifi gateway presenting the cert, and I get a 302 redirect to my unifi controller…

I’m out of ideas. Anyone? :wink:
Thanks

Are there (advanced) settings for NPM that could make it equivalent to the setup created by the official addon (NGINX Home Assistant SSL proxy)? Would the Websockets + Force SSL be enough to be identical to the other option?

Have you checked the requirements for adding trusted proxies in HA?

The default settings for the two create a similar setup from HA’s point of view.

You might also want to enable “Block Common Exploits” in NPM