Home Assistant Community Add-on: Nginx Proxy Manager

You can ssh into the addon from Portainer, but you might break things.

Have you tried uninstalling and reinstalling NPM?

My ideal goal was to utilise the auth system of Home Assistant with the power of a reverse proxy to let me access my files via HASS iFrames.

Thanks to you, I've got my iFrames fully functional within HASS (and working a treat), I know what I need in my .htaccess:

order deny,allow
deny from all
allow from 192.168.86.0/24

But I don't know how to do this on a location by location example (I still want x.duckdns.org to point to my home assistant instance externally which this blocks).

How do I apply htaccess rules on a location by location basis?
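The nginx counterpart of the .htaccess rules above, applied to one location only. This is an added example, not part of the original posts; the upstream addresses, ports and certificate paths are assumed placeholders, and only x.duckdns.org and 192.168.86.0/24 come from the thread.

```nginx
# Constructed example: upstream IPs/ports and certificate paths are placeholders.
server {
    listen 443 ssl;
    server_name x.duckdns.org;                          # hostname from the thread
    ssl_certificate     /etc/ssl/example/fullchain.pem; # placeholder path
    ssl_certificate_key /etc/ssl/example/privkey.pem;   # placeholder path

    # Home Assistant: no IP restriction, reachable externally,
    # protected by its own login.
    location / {
        proxy_pass http://192.168.86.10:8123;           # assumed HA address
        proxy_set_header Host $host;
        proxy_http_version 1.1;                         # HA uses WebSockets
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    # LAN-only location. allow/deny are evaluated in order and the first
    # match wins, so this is "allow the subnet, deny everyone else" (403).
    location /sonarr/ {
        allow 192.168.86.0/24;                          # subnet from the .htaccess above
        deny  all;
        proxy_pass http://192.168.86.20:8989;           # assumed Sonarr address
        proxy_set_header Host $host;
    }
}
# Caveat: allow/deny match the source address nginx sees on the connection.
# A LAN client that reaches x.duckdns.org through the router's NAT loopback
# can arrive with a different source address and receive 403.
```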

Sorry, I don't have a full understanding of the .htaccess and might lead you to an inappropriate solution :slight_smile:

You can, however, point HA iframes to the external addresses of the services both on lan and wan (for example https://x.duckdns.org/sonarr/ ; https://x.duckdns.org/radarr/ ; https://x.duckdns.org/transmission/werb/ from either lan or wan would show the NGINX authentication screen, but this would be a minor annoyance since the browser can save the login details and it would only show once per session).

I'm not a big fan of iframes since the real estate in HA is quite limited and I want the links to open in a different tab.

I tried setting up a bookmarks page in AppDaemon (would be perfect but it is not opening links in new tab), Muximux, then Organizr and I ended up setting a home page with Heimdall and pointing to both internet sites (email, Youtube, Netflix, Reddit, news sites, etc) and internal lan resources. Some of the internal sites (Transmission, Tautulli, the rr suite) also have api integration and you can see, at a glance, a lot of information without accessing them.

Thanks Petrica, and appreciate you keeping me safe!

I might run with your path and re-add auth to my nginx to be safe. I'm also using Heimdall but was disappointed it only supports subdomains (e.g. heimdall.duckdns.org/) and not a sub-folder (e.g. x.duckdns.org/heimdall), unless I misunderstood when I was reading the git for my container: https://github.com/linuxserver/Heimdall

However, since you're using NPM for reverse proxying and/or authentication, I don't think it is such a big problem (anyway, HA, as a starting page for iframes, cannot be reverse proxied as a subfolder either). In order to use Heimdall as a subdomain (https://heimdall.x.duckdns.org) add APP_URL=https://heimdall.x.duckdns.org to /www/.env config file (location might depend on your installation type).

Then, Heimdall can be used to point to any address for which reverse proxying is used (be it subdomain or subfolder) and it would work both from lan and from wan.

OK, thanks.
I never used Portainer before. I'll check it out.

Won't uninstalling and reinstalling delete all my proxy hosts?

I think so (my understanding was that none of the proxy hosts works, anyway).

No, that's true. I just hoped I could save my configuration somehow.
I'll try Portainer and if that doesn't work I'll reinstall.

I tried out Portainer and renamed the file 34.conf to 34.old. NPM is now starting again.

Thank you for your help!

You're welcome!

So I have NPM running fine, but just wondering how can I set it up to run side by side with emulated hue (amazon echo) on port 80.

The issue here is when the port 80 is occupied (by echo), the cert renewal via NPM keeps failing.
NPM has open port of 443 only.

Is there a trick to make this work?

I'm suddenly getting the error:

[7/6/2020] [9:32:49 PM] [SSL      ] › ℹ  info      Renewing Let'sEncrypt certificates for Cert #69: ysf.rei.moe
[7/6/2020] [9:32:50 PM] [Express  ] › ⚠  warning   Command failed: /usr/bin/certbot renew --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-69" --preferred-challenges "dns,http" --disable-hook-validation
Another instance of Certbot is already running.

All the time… I have tried connecting into the container and running:

find / -type f -name ".certbot.lock"

which did indeed find some lock files, and so I tried removing them with:

find / -type f -name ".certbot.lock" -exec rm {} \;

I am at a loss on what else to try :frowning: I am unable to renew or request any new certs

Edit: Nevermind! Running those two above commands a second time and giving it a few minutes and it works !

Would be great with an update on this addon, the access list is not working and is fixed in the latest version of the container.

Looking for some help… (let me preface this by stating my Ubuntu proficiency/understanding is shaky, hence the post)

I switched from the official NGINX add-on to this add-on a few months ago. Ever since HA will not restart after a reboot. I would go into Portainer and try to START NGINX Proxy Manager and I get a "port 80 already in use" error. From some research I figured out how to find out what was running on port 80 by running:

sudo netstat -tulpn | grep :80

and in part get back:

tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1460/nginx: master

Then, in this case, I kill the PID 1460, open Portainer, the NGINX proxy manager container status will be "Created", I open the process link and click START. HA will now start.
So, after doing this for a couple of months it's getting old. Hoping someone can tell me how to remedy this problem.
Thanks in advance!!

@bg1000
Bob, I greatly appreciate your article. Would you please elaborate on setting up DNSMasq? I am trying to recreate your 'tasmobackup.home' proxy host example and it is not working for me. I set the DNSMasq machine's LAN IP as the #1 DNS server on my router.
DNSMasq includes lines:

forwards:
  - domain: ui.home
    server: 192.168.0.100

I included a forward of ui.home with a server with IP of the NGINX Proxy Manager LAN IP. And I set up the NGINX Proxy Host precisely how your photo shows it. It simply is not working though.

I tried doing a nslookup and the server default is openDNS ipv6 instead of DNSMasq. I tried nslookup specifying the IP of DNSMasq as the server but that just timed out.

Any help is greatly appreciated!

I run DNSMasq on my router so once I enable it DNS traffic gets automatically routed there without any extra setup as long as I have the adapter set to use DHCP. I'm not sure what your setup is like. In terms of basic troubleshooting I might start with:

  1. Is the network adapter set up to use DHCP to get its configuration and is it getting its ip address from your router? If the adapter has a local setup your router settings wouldn't get used.
  2. If you are running a linux distro that uses systemd you can use the command "systemd-resolve --status". At the bottom of the listing you should see the current DNS server as well as the list of configured DNS servers. If 192.168.0.100 isn't there that points to a possible configuration problem.
  3. Is DNSMasq actually up and running on the address you specified? You should be able to verify this using the dig command with something like "dig @192.168.0.10 google.com". This tells dig to query the DNS server at 192.168.0.10.

Hope this helps.

Thanks this is a useful start. The ethernet adapter was on manual for some reason. I changed it to DHCP. But the problem seems to be in the DNSMasq setup. I tried to dig (didn't have Linux but installed ubuntu within my win 10 machine). It timed out.

Is there a way to query the DNSMasq DNS server to show me all of its registered IP/Name combinations?

I have Nextcloud running on another RPi server. Everything works except when I go to the address, I get the log in screen but when you press the log in button nothing happens. I can wait for a minute and press refresh and the proper screen comes up. For some reason it's not moving past the log in screen. I'm pretty sure it's something to do with the way this Proxy Manager handles the log in because if I go to the server through my internal network everything works correctly.

I have tried all the extra setting and Custom Locations people have talked about in this topic and none of them seem to help. Any suggestions?

  1. I set the network adapter to use DHCP
  2. I'm running "Home Assistant" inside HyperV in windows 10.
  3. I think you can do the same thing with NSLookup right?
    --> If I set up the server and domain in Forwards, I get timed out.
    --> If I set up a host and IP under Hosts, I can get the correct IP, but it still won't work in a browser window after IPConfig /release, /flushdns, /renew.

I guess I am having trouble visualizing what is happening behind the curtains.

  1. DNSMasq sees your request to go to ui.home and spits out 192.168.0.100 as the IP.
  2. Your browser then tries to go to 192.168.0.100 instead of ui.home.
    --> How does NGINX know what to do or even to get involved then?
    --> Is it a problem that the DNS and NGINX are on the same IP address??

DNSMasq should be configured to redirect ui.home to the ip address of the proxy server not the address where the actual service runs (unless they happen to be the same).

If you type "ping ui.home" the reply should come from the ip address where nginx is running. If it doesn't you need to fix that as a first step. DNSMasq needs to be up and running, configured, and the network adapter needs to be configured to use it as a DNS server.

I'm happy to try to help with this but I don't really understand your environment. It would help if you explained what host OS you're using, what you're doing with VMs, how are you running Home Assistant, etc.

I'm not sure what is running at 192.168.0.100 on your network.

Let's just say (as an example) your proxy server is running at 192.168.1.2 and the service you are interested in is listening on port 8080 at 192.168.1.3

When you type "http://ui.home" in your browser this gets translated to http://192.168.1.2:80. The ip address comes from DNSMasq. Port 80 is the default http port and will get used unless you specify a different one in the browser. Nginx is configured to listen on port 80. It sees the request for ui.home and redirects it to 192.168.1.3:8080.

Does that help?
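The name-based routing described in the reply above, written as plain nginx configuration. This is an added example, not part of the original posts: the addresses and the name ui.home are the reply's own example values, and the catch-all server block and forwarded headers are additions.

```nginx
# Runs on the proxy host at 192.168.1.2 (example address from the reply).
# DNS only gets the browser to this machine; nginx then picks a server block
# by comparing the request's Host header against server_name.

server {
    listen 80;
    server_name ui.home;                    # matches "Host: ui.home"

    location / {
        # Forward the request to the real service (example address/port
        # from the reply). The browser keeps showing http://ui.home.
        proxy_pass http://192.168.1.3:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# Catch-all for any other Host value, including requests made straight to
# http://192.168.1.2/. Without a default server, nginx would answer these
# with the first server block defined for the port, exposing that service
# under names it was never meant to serve.
server {
    listen 80 default_server;
    server_name _;
    return 444;                             # close the connection, no response
}

# Check from any LAN machine, independent of DNS:
#   curl -H 'Host: ui.home' http://192.168.1.2/     -> proxied to 192.168.1.3:8080
#   curl http://192.168.1.2/                        -> connection closed (444)
```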