Alright got remote IP logging and Alexa AWS token authentication working. This is my final advanced config if it helps anyone else:
location / {
    proxy_pass http://192.168.0.x:8123; #local IP of my HA server
    proxy_set_header Host $host;
    proxy_pass_header Authorization; #needed to pass HA token from AWS Alexa to HA
    proxy_set_header Upgrade $http_upgrade; #needed for HA user login
    proxy_set_header Connection "upgrade"; #needed for HA user login
    proxy_set_header X-Forwarded-For $remote_addr; #needed so that HA sees the remote IP making a connection rather than the IP for NGINX
}
HA configuration yaml
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1 #may not be required?
    - 172.30.33.10 #just the IP of NginX Manager, different from HA IP
  ip_ban_enabled: true
  login_attempts_threshold: 5
You don’t need to add an entire block of IPs to trusted proxies. NginX Manager automatically selects one static IP for each proxy host (each URL source you add in the NginX add-on).
Mine’s stayed static for the last 3 weeks since I started using NginX Manager. I’ve probably reset my HA 20 times in that period playing with other things. Router a few times too.
I did notice that if you delete/add a new URL for NginX Manager to redirect, a new IP is used.
Covering the entire block of IPs (172.30.33.0/24) will of course work too, but it is also less secure.
If you are paranoid like me, try restricting it to just the one IP. Maybe NginX Manager changed IPs on a previous version.
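Why the single address is the tighter setting, as an added example that is not part of the original posts and not Home Assistant's own code: a simplified model in which X-Forwarded-For is honoured only when the connecting peer is in trusted_proxies, with a ban counter using the threshold of 5 from the config above. The neighbouring container address 172.30.33.5 and all request data are constructed for illustration.

```python
import ipaddress
from collections import Counter

THRESHOLD = 5  # login_attempts_threshold from the config above


def client_ip(peer, xff, trusted_proxies):
    """Return the address a ban counter would key on (simplified model)."""
    nets = [ipaddress.ip_network(p) for p in trusted_proxies]

    def trusted(addr):
        return any(ipaddress.ip_address(addr) in n for n in nets)

    # The header is only honoured when the direct peer is a trusted proxy.
    if not xff or not trusted(peer):
        return peer
    hops = [h.strip() for h in xff.split(",")]
    # Walk right to left; the first hop that is not a trusted proxy is the client.
    for hop in reversed(hops):
        if not trusted(hop):
            return hop
    return hops[0]


def banned(requests, trusted_proxies):
    """Count failed logins per resolved address; return those at the threshold."""
    fails = Counter(client_ip(peer, xff, trusted_proxies) for peer, xff in requests)
    return {ip for ip, n in fails.items() if n >= THRESHOLD}


# Constructed sample: six failed logins sent directly by another container on
# the add-on network (hypothetical 172.30.33.5), each with its own header value.
NEIGHBOUR = [("172.30.33.5", f"203.0.113.{i}") for i in range(6)]
# Constructed sample: six failed logins from one remote host via the proxy.
VIA_PROXY = [("172.30.33.10", "198.51.100.20")] * 6

SINGLE = ["127.0.0.1", "172.30.33.10"]       # only the proxy itself
WHOLE_NET = ["127.0.0.1", "172.30.33.0/24"]  # every host on that network

if __name__ == "__main__":
    for name, tp in (("single IP", SINGLE), ("/24", WHOLE_NET)):
        print(name, "| neighbour banned:", banned(NEIGHBOUR, tp),
              "| via proxy banned:", banned(VIA_PROXY, tp))
```

With the single address, the neighbour's header is ignored and its real address reaches the threshold; with the /24, each request is attributed to whatever address the header claims, so no counter ever reaches 5.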
Alongside /data and /etc/letsencrypt you also need the DB (which depends on your current installation as it might not use MariaDB) to be able to access the interface.
I haven’t looked at the official one in a long time…
The community one is easier as far as I recall. You only need the manager, no duckdns or let’s encrypt add-ons required, as let’s encrypt is rolled into the manager.
There is still a bit of yaml needed for the trusted proxies part.
You also still need a domain from duckdns or similar.
It was mostly just an easier all in one GUI interface.
The official one is dead simple and only for you to connect to your HA.
The community one (this one) has GUI, can config more things, can let you connect to multiple services in your network from outside, and thus more complex and powerful.
Hey, I have some issues. The plugin was working fine. But then it just stopped working and the only error I can see is that when I try to access HA I get the information that it can’t connect.
No other error in any logs I could find. Checked my settings but they seem fine and I didn’t change anything. I know that’s not much, but I don’t have more. I removed the proxy and added a new one with a new cert, then it worked again for a few minutes till I couldn’t connect anymore…
Are there (advanced) settings for NPM that could make it equivalent to the setup created by the official addon (NGINX Home Assistant SSL proxy)? Would the Websockets + Force SSL be enough to be identical to the other option?
Would love to see this up w/my Google wifi router.
My home assistant instance is using a VM on my unRAID server. I utilize port 8123.
When I go to port management on my router setting internal port 80 to external port 80, doesn’t open the port. But when I set internal 8123 to external 80, the port is open. Same can be said for port 443.
I contacted my ISP (FiOS) and they do not block opening ports.
When I follow the nginx add-on instructions and click on my duckdns subdomain I’m trying to link, I get a bad request error.
What am I doing wrong? Any and all help is much appreciated.
Don’t have any experience with either Google wifi or Unraid but probably port 80 is not reaching the VM that hosts NPM addon since you mentioned you managed to forward the port 443 directly and port 80 from router gets to 8123 of HA.
A couple of ideas: have you set up the VM in NAT (in which case port 80 is probably going to the web interface of Unraid) or Bridge mode? Also, are you using HAOS?
My ISP in Australia blocks ports 80 and 443 along with some other common ports for domestic customers.
From what I can tell many ISPs do this.
It was frustrating until I finally figured it out, they also had some info buried on their website. It didn’t impact me in the long run as I use a cloudflare tunnel and certificate and then use a port that isn’t on the block list.
NAT mode marks all network activity as if coming from Unraid, even if the VM can access external resources.
Bridge mode attaches a node to the physical network and the VM gets its own IP (if DHCP server is enabled).
You have forwarded port 80 in your router to a host in your lan (probably 192.168.x.y or something similar). When trying to access both http://192.168.x.y and https://192.168.x.y what do you get? Do both of them reach NPM?
Also, what port are you using now to access the router since you forwarded port 80? Is it still 80 (meaning http://192.168.x.1, which shows that port forwarding didn’t work) or is it something else (like http://192.168.x.1:8080)?
Go to your Unraid, and then to the HA VM, and right click and open the “VNC Remote” session to see the local console of this VM. After booting up you should be able to see an IP address in that console.
What is the IP of your HA VM?
Is the IP different from the IP of your unraid server, but under the same subnet?
Did you use that IP to connect to your HA from another PC on your LAN, under the same subnet?
Did you use that same IP on Google wifi port management?