Home Assistant Community Add-on: Nginx Proxy Manager

Hi, I need help.
I am installing Nginx and creating the hosts. I created the HTTP host and it succeeded, but when I edit it to create the SSL, saving it generates an Internal Error and in the Nginx log I see the message below.
The ports are already opened on the router.

[5/5/2020] [7:03:13 PM] [Nginx ] › :information_source: info Reloading Nginx
[5/5/2020] [7:03:13 PM] [SSL ] › :information_source: info Requesting Let’sEncrypt certificates for Cert #5: xxxx.duckdns.org
[5/5/2020] [7:03:32 PM] [Nginx ] › :information_source: info Reloading Nginx
[5/5/2020] [7:03:32 PM] [Express ] › :warning: warning Command failed: /usr/bin/certbot certonly --non-interactive --config “/etc/letsencrypt.ini” --cert-name “npm-5” --agree-tos --email “[email protected]” --preferred-challenges “dns,http” --webroot --domains “xxxx.duckdns.org
Saving debug log to /data/logs/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for xxxx.duckdns.org
Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.
Waiting for verification…
Challenge failed for domain xxxxx.duckdns.org
http-01 challenge for xxxx.duckdns.org
Cleaning up challenges
Some challenges have failed.

Has anyone used this addon to also make use of NGINX’s load balancer functions? I think it might be possible if I edit some of the config files manually…?

Is it possible to add the homeassistant directory to the image on boot?
I would like to write the logs of one instance to one of this directory to track my weather station :smiley:

br
manzn

Hi, and thank you for this add-on, among many others!

In regards to the mandatory prerequisite for mariadb, can somebody clarify if the add-on supports connection to an external mariadb instance? And how to configure it?

Many Thanks,
-a

can I only use port 443 for this? I don’t want to open port 443 to the outside world

I think you meant “I don’t want to open port 80 to the outside world”.

Port 443 is needed for accessing the services from outside the network. Port 80 needs to be accessible for renewing the certificate (thus is not required to be forwarded all the time).

Here’s an idea if you have a router capable of fiddling with firewall rules through command line (ie. DD-WRT, Tomato, OpenWrt, Asus Merlin):

  • set a sensor to measure remaining time until certificate is up for renewal;
  • create an automation running a script that adds port 80 to the FORWARDING chain on the router;
  • have the above automation set to trigger when the certificate is up for renewal;
  • automate monitoring of the certificate renewal;
  • create another automation to delete the rule for the port 80 forwarding after the certificate has been successfully renewed.

However, things get complicated when you have multiple certificates to be renewed at different moments in time, as you need to follow multiple sensors (and set the automations to rerun in case the renewal process failed). In the end, it might be easier to just leave port 80 forwarded all the time.

1 Like
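The open-only-for-renewal idea from the post above, as an added example that is not part of the original thread: rather than one timer per certificate, a single state-based rule keeps the port 80 forward open exactly while any certificate is still due, which also covers failed renewals. The 30-day threshold, the dates and the name `npm-6` are assumptions made for the illustration; the router command itself is left out.

```python
from datetime import datetime, timedelta

# Assumption: a renewal is attempted once fewer than 30 days of validity remain.
RENEW_BEFORE = timedelta(days=30)

def due_certs(now, expiries, renew_before=RENEW_BEFORE):
    """Names of certificates whose remaining lifetime is inside the threshold."""
    return sorted(name for name, not_after in expiries.items()
                  if not_after - now <= renew_before)

def port80_action(now, expiries, forward_open):
    """Decide what the automation should do with the port 80 forward right now.

    A failed renewal leaves the expiry date unchanged, so the certificate stays
    due, the forward stays open and the next run retries.
    """
    due = due_certs(now, expiries)
    if due and not forward_open:
        return "open", due
    if not due and forward_open:
        return "close", due
    return "keep", due

def simulate(start, days, expiries, renewals):
    """Replay one check per day and return the open/close transitions.

    `renewals` maps (day, name) -> new expiry for renewals that succeed that day.
    """
    expiries, forward_open, log = dict(expiries), False, []
    for day in range(days):
        now = start + timedelta(days=day)
        action, due = port80_action(now, expiries, forward_open)
        if action != "keep":
            forward_open = action == "open"
            log.append((day, action, due))
        for name in due:  # renewals are only attempted for due certificates
            if (day, name) in renewals:
                expiries[name] = renewals[(day, name)]
    return log

# Constructed sample data: two certificates expiring ten days apart.
START = datetime(2020, 5, 1)
CERTS = {"npm-5": START + timedelta(days=35), "npm-6": START + timedelta(days=45)}
RENEWALS = {
    (5, "npm-5"): START + timedelta(days=95),    # renewed on the first attempt
    (17, "npm-6"): START + timedelta(days=107),  # attempts on days 15 and 16 failed
}
TRANSITIONS = simulate(START, 60, CERTS, RENEWALS)
```

In this run port 80 is forwarded for one day for the first certificate and three days for the second, instead of all 60.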

So far as I know there’s no requirement to use port 443 in nginx, and also I believe nginx will use a dns challenge for certificates instead of http on port 80. I don’t use nginx myself; I use caddy, and it certainly facilitates both those features.

Hi @oriolism @frenck , is there a solution to this issue?

I transitioned from the core addon of nginx proxy to the community addon for nginx proxy manager.
Now ipban captures and bans the docker ip of this addon, instead of real ip.

Not sure what else should be changed on the HA side and I’m confused on some aspects, for example:

  • Let’s encrypt container still required on the Home assistant side?
    Actually, I’m almost sure it’s not required, since port 80 should be now used only by the nginx proxy manager container - but if I remove this container, how to regenerate the /ssl files on HA, without let’s encrypt?

  • base_url - should I continue to set it to the xyz.duckdns.org?

thanks,
-a

Thank you. I managed it.
I just need to forward the port that I want in my router to 443 on my raspberry and everything works fine

I had the same problem; the resolution was enabling websockets support in NPM.

addon-nginx-proxy-manager/images/screenshot.gif at b3e7ab67f237d75fa26e60b1de1c6e1efe321e70 · hassio-addons/addon-nginx-proxy-manager · GitHub

Thanks @antimage, but I already have websockets enabled.

To answer your second question,
I have the base url set like this.

http:
  base_url: https://sub1.mydomain.duckdns.org

I don’t have an ssl folder anymore, so I don’t think you would require it.
Hope it helps.

Thanks @antimage

I upgraded HA to 0.110.1, removed the base_url (now it’s deprecated) and commented out the ssl cert/key in the configuration.yaml.
I filled the internal url and left empty the external url (these are new configuration features since this version).

Also I modified the duckdns addon config, to not accept the let’s encrypt T&C.

lets_encrypt:
  accept_terms: false
  certfile: fullchain.pem
  keyfile: privkey.pem

I did this because I removed the let’s encrypt addon (now certs are handled in the NPM addon), and I don’t know what else can be done to avoid duckdns addon calling let’s encrypt (I cannot remove these config options from duckdns addon).

I also renamed the ssl files under /ssl dir, so they are not used anymore.

Now my instance seems it’s http only.

So I also updated the HA host in NGINX Proxy Manager, to work with http scheme (was previously https).

Also the HA Companion android app works now with the internal url, whenever I am connected to my defined home network, which is good…

Is this the correct way? Any further recommendations or words of advice?

Thanks a lot!
-a

What’s the proper way of re-using certs generated by Nginx Proxy Manager addon in other addons?
Right now I declare:

certfile: /nginxproxymanager/live/npm-17/fullchain.pem
keyfile: /nginxproxymanager/live/npm-17/privkey.pem

but, every time cert is regenerated, I have to change to new value (i.e. npm-18).
I would rather like to set certfile: fullchain.pem (so leave it as default).

Anyone who managed to use the accesslist with IP-addresses?
When I set an IP-range or IP-address as allow it stops working for any IP, even when not in the same subnet.

Thanks for this add-on, clean and easy set-up and replaced my duckdns lets encrypt with no issues!

I was hoping to achieve two items:

  1. Replace DuckDNS for managing my certs to a proper reverse proxy
  2. Use a reverse proxy to enable me to access other features (e.g. Sickchill, Heimdall, TasmoAdmin) via an iFrame within Home Assistant front-end

I’ve read this thread top-to-bottom and was able to set-up unique subdomains e.g. mydomain1.duckdns.org, mydomain2.duckdns.org etc. to access my services above - they work perfectly

My preference was to have mydomain.duckdns.org/sickchill act as a redirect using “Custom Locations”.

I added the following:

Location: /heimdall
scheme: http
Forward Hostname: 1928.168.X.X/
Port: XXXX
Advanced:  rewrite /heimdall/(.*) /$1 break;

The page loads but it is the text only (e.g. no files seem to be accessible), it seems like it can’t access the source files for the page to load correctly.

I’d assumed the rewrite would be all that is required to update the links. I looked at the PiHole examples and am unsure why the custom locations aren’t working as expected.

Any help would be awesome

Did you get this figured out? I’m having the same problem, I want to access my NAS, transmission etc.

Still hoping someone can assist here, I’ve not used a reverse proxy before but I’ve done a lot with redirects in the past and am stumped as to why the rewrite isn’t working.

So I’m just having a play around and can access my NAS!!! I can’t access anything over http though

Screenshot from 2020-06-16 16-39-15

I had to add the slash at the end of nas

Did you ever get an answer to your question about Access Lists? I know this is an old post but I am having this problem and I can’t find any answers anywhere.