Home Assistant Community Add-on: Nginx Proxy Manager

Sorry, I don’t understand what you mean by “as I’m running Home Assistant OS I don’t think I can”.
You mean you can’t exec to the addon container?
Why? In case you are afraid to do that or you think it is not allowed, then don’t worry. There are multiple ways how to do that and it is not prohibited.
Either use ssh access and do it from command line or use Portainer.

I mean I know how to do it with an HA install using Docker, but I’m on Home Assistant OS, so I’m using the add-on. I found a Portainer add-on, but when I run it, it doesn’t detect the other add-ons (zero containers).

Update: I thought the SSL was so limited on HAOS that I gave up on it. I’ll try this, thank you!

I’ve been happily using this with DuckDNS and several subdomains for some time, but was considering moving to Cloudflare for the extra security.

Does anyone have a guide for setting this up?

There are a few guides online (you do require a domain, though). Securing Home Assistant with Cloudflare is not too bad, but this doesn’t cover Cloudflare Access. Cloudflare Argo: Home Assistant Remote Access with Cloudflare Argo · David Noren. Other guides: Secure Home Assistant Access with Cloudflare and Ubiquiti Dream Machine | Savjee.be, and https://www.paolotagliaferri.com/home-assistant-google-assistant-cloudflare/

Hello, I have a UniFi system too and I think I’m having the same issue. How did you fix it? Any help with this will be appreciated! Thank you. :sob:

Home Assistant at Hyper-V VM, MariaDb with Nginx PM. Dyndns Service

Port Forwarding from 80 to 192.168.1.240:80, 443 to 192.168.1.240:443

Setting:

  • NPM MESSAGES

INTERNAL ERROR

Error: Command failed: /usr/bin/certbot certonly --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-30" --agree-tos --email "j**********[email protected]" --preferred-challenges "dns,http" --domains "homeassistant.h*****s.org" 
Saving debug log to /data/logs/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Performing the following challenges:
http-01 challenge for homeassistant.h*****s.org
Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.
Waiting for verification...
Challenge failed for domain homeassistant.h*****s.org
http-01 challenge for homeassistant.h*****s.org
Cleaning up challenges
Some challenges have failed.

    at ChildProcess.exithandler (child_process.js:308:12)
    at ChildProcess.emit (events.js:315:20)
    at maybeClose (internal/child_process.js:1048:16)
    at Process.ChildProcess._handle.onexit (internal/child_process.js:288:5)
  • HA NPM Reg
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] permissions: applying... 
[fix-attrs.d] permissions: exited 0.
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 00-banner.sh: executing... 
-----------------------------------------------------------
 Add-on: Nginx Proxy Manager
 Manage Nginx proxy hosts with a simple, powerful interface
-----------------------------------------------------------
 Add-on version: 0.11.0
 You are running the latest version of this add-on.
 System: Home Assistant OS 5.13  (amd64 / qemux86-64)
 Home Assistant Core: 2021.5.5
 Home Assistant Supervisor: 2021.04.3
-----------------------------------------------------------
 Please, share the above information when looking for help
 or support in, e.g., GitHub, forums or the Discord chat.
-----------------------------------------------------------
[cont-init.d] 00-banner.sh: exited 0.
[cont-init.d] 01-log-level.sh: executing... 
[cont-init.d] 01-log-level.sh: exited 0.
[cont-init.d] mysql.sh: executing... 
[cont-init.d] mysql.sh: exited 0.
[cont-init.d] nginx.sh: executing... 
[cont-init.d] nginx.sh: exited 0.
[cont-init.d] npm.sh: executing... 
[cont-init.d] npm.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
[17:53:41] INFO: Starting NGinx...
[17:53:41] INFO: Starting the Manager...
[5/21/2021] [5:53:42 PM] [Migrate  ] › ℹ  info      Current database version: 20210210154703
[5/21/2021] [5:53:42 PM] [IP Ranges] › ℹ  info      Fetching IP Ranges from online services...
[5/21/2021] [5:53:42 PM] [IP Ranges] › ℹ  info      Fetching https://ip-ranges.amazonaws.com/ip-ranges.json
[5/21/2021] [5:53:43 PM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v4
[5/21/2021] [5:53:43 PM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v6
[5/21/2021] [5:53:43 PM] [SSL      ] › ℹ  info      Let's Encrypt Renewal Timer initialized
[5/21/2021] [5:53:43 PM] [SSL      ] › ℹ  info      Renewing SSL certs close to expiry...
[5/21/2021] [5:53:43 PM] [IP Ranges] › ℹ  info      IP Ranges Renewal Timer initialized
[5/21/2021] [5:53:43 PM] [Global   ] › ℹ  info      Backend PID 537 listening on port 3000 ...
[5/21/2021] [5:53:44 PM] [Nginx    ] › ℹ  info      Reloading Nginx
[5/21/2021] [5:53:44 PM] [SSL      ] › ℹ  info      Renew Complete
`QueryBuilder#allowEager` method is deprecated. You should use `allowGraph` instead. `allowEager` method will be removed in 3.0
`QueryBuilder#eager` method is deprecated. You should use the `withGraphFetched` method instead. `eager` method will be removed in 3.0
QueryBuilder#omit is deprecated. This method will be removed in version 3.0
[5/21/2021] [5:54:50 PM] [Nginx    ] › ℹ  info      Reloading Nginx
[5/21/2021] [5:54:50 PM] [SSL      ] › ℹ  info      Requesting Let'sEncrypt certificates for Cert #31: homeassistant.h*****s.org
[5/21/2021] [5:54:56 PM] [Nginx    ] › ℹ  info      Reloading Nginx
[5/21/2021] [5:54:56 PM] [Express  ] › ⚠  warning   Command failed: /usr/bin/certbot certonly --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-31" --agree-tos --email "j**********[email protected]" --preferred-challenges "dns,http" --domains "homeassistant.h*****s.org" 
Saving debug log to /data/logs/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Performing the following challenges:
http-01 challenge for homeassistant.h*****s.org
Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.
Waiting for verification...
Challenge failed for domain homeassistant.h*****s.org
http-01 challenge for homeassistant.h*****s.org
Cleaning up challenges
Some challenges have failed.

Any idea ?? :pray:

Your settings look the same as mine. The problem I mentioned earlier was only fixed by doing a factory reset on my UDM Pro. Of course, that might not work for you. Hope that helps.

Did you figure it out? There are guides on how to configure Portainer to display all Docker containers, as by default it doesn’t, on purpose (safety).
You can also use Docker from the command line, but I use Portainer more often. I just already forgot what I did to make it show all containers :slight_smile:

For Portainer, somehow I couldn’t unhide the containers, but after uninstalling and removing the add-on a few times it was finally working.
I also managed to access a container using the SSH add-on (I was using the “wrong” SSH add-on).

Regarding the certificate itself, I will try to take some time tomorrow to do it, and to make sure I put it in the right place.

Thanks again.

Still stuck! Any help will be appreciated. Thank you.

I’ve been trying to use this add-on, but it only returns the URLs with a wrong certificate.
I’m using Cloudflare, so I generated an SSL certificate and I’m using it.
Even when I try to use a Let’s Encrypt certificate I get the same error.

[01/Jun/2021:15:21:01 -0300] 444 - GET https xxxx.xyz “/” [Client 1xx.xx.24.96] [Length 0] [Gzip -] “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36” “http://192.168.1.102:81/
It returns a “localhost” certificate. I’ve even deleted the dummy files, but they were generated again.

Try to test your settings for the router and NPM on a clean install (perhaps a VM).

Even if you remove NPM addon, you still have MariaDB related data that you need to purge and then might break other stuff with MariaDB.

I’m going to move from my HASS NGINX to one that is outside of Home Assistant. How would I do that with minimum downtime related to new SSL certificates?

Thanks, Richard

I’d like to do the same, if at all possible. Did you (or anyone) somehow manage to do something like this over the last 8 months?

I’m having the same problem, Internal error: fails at challenge. My setup is ATT U-verse router -> pfSense -> HA. Ports 80, 443, 280, 2443 all forwarded to HA IP:8123 on both routers.

Plugins selected: Authenticator webroot, Installer None
An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/
Please see the logfiles in /data/logs/letsencrypt for more details.
[7/5/2021] [2:11:25 PM] [Nginx    ] › ℹ  info      Reloading Nginx
[7/5/2021] [2:11:25 PM] [SSL      ] › ℹ  info      Requesting Let'sEncrypt certificates for Cert #10: [email protected]
[7/5/2021] [2:11:26 PM] [Nginx    ] › ℹ  info      Reloading Nginx
[7/5/2021] [2:11:26 PM] [Express  ] › ⚠  warning   Command failed: /usr/bin/certbot certonly --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-10" --agree-tos --email "[email protected]" --preferred-challenges "dns,http" --domains "[email protected]" 
Saving debug log to /data/logs/letsencrypt/letsencrypt.log

Probably an easy fix, yet I struggle to identify. I can’t even locate /data/logs/letencrypt/lets… It is not in the HA shell directories.

I’m considering an NGINX install on the hypervisor machine that runs pfSense. Has anyone used this setup with success? HA NGINX Proxy Manager not working: Internal Error. I struggle to find a solution and have locked myself out of Let’s Encrypt for a week due to request.
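The lockout described in the post above follows from repeated failed http-01 attempts. As an added example (not code from the add-on or from any poster), this script reads add-on log text in the format shown in the thread, records each failed certbot run, and reports when to stop retrying. The log lines and `ha.example.org` are constructed, and `budget` is a self-imposed cap chosen for illustration, not a Let's Encrypt figure.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of the add-on log above; ha.example.org is a placeholder.
SAMPLE_LOG = """\
[5/21/2021] [5:54:56 PM] [Express  ] › ⚠  warning   Command failed: /usr/bin/certbot certonly --cert-name "npm-31" --domains "ha.example.org"
Challenge failed for domain ha.example.org
Some challenges have failed.
[5/21/2021] [6:10:02 PM] [Express  ] › ⚠  warning   Command failed: /usr/bin/certbot certonly --cert-name "npm-32" --domains "ha.example.org"
Challenge failed for domain ha.example.org
[5/21/2021] [6:12:40 PM] [Express  ] › ⚠  warning   Command failed: /usr/bin/certbot certonly --cert-name "npm-33" --domains "ha.example.org"
There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently
"""

HEAD = re.compile(r'^\[(\d+/\d+/\d+)\] \[(\d+:\d+:\d+ [AP]M)\].*'
                  r'Command failed: /usr/bin/certbot.*--domains "([^"]+)"')

def parse_attempts(log):
    """Return one record per failed certbot run: time, domain, reason."""
    attempts = []
    for line in log.splitlines():
        m = HEAD.match(line)
        if m:
            when = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%m/%d/%Y %I:%M:%S %p")
            attempts.append({"time": when, "domain": m.group(3), "reason": "unknown"})
        elif attempts and line.startswith("Challenge failed for domain"):
            attempts[-1]["reason"] = "challenge_failed"
        elif attempts and "too many failed authorizations" in line:
            attempts[-1]["reason"] = "rate_limited"
    return attempts

def should_stop_retrying(attempts, domain, budget=3, window=timedelta(hours=1)):
    """True once the CA has rate-limited the domain, or once `budget` failures
    fall inside `window` of the latest attempt (budget is a self-imposed cap)."""
    mine = [a for a in attempts if a["domain"] == domain]
    if not mine:
        return False
    if any(a["reason"] == "rate_limited" for a in mine):
        return True
    latest = max(a["time"] for a in mine)
    recent = [a for a in mine if latest - a["time"] <= window]
    return len(recent) >= budget

if __name__ == "__main__":
    runs = parse_attempts(SAMPLE_LOG)
    for r in runs:
        print(r["time"], r["domain"], r["reason"])
    print("stop retrying:", should_stop_retrying(runs, "ha.example.org"))
```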

Thanks for this add-on.

I have noticed an issue. When I add a custom location to a proxy host with Force SSL enabled, the setting is not applied to the custom location, i.e., the custom location is accessible via http and https rather than auto redirecting to https.

I don’t see an option for applying the Force SSL setting to custom locations?

Hi everyone,
I’m a great user of this addon, thanks for it!

I’ve just upgraded HA Core to 2021.7. Unfortunately, after the update I am no longer able to access my HA remotely, while I can still reach it locally.

This is the log from the addon:

>  Add-on: Nginx Proxy Manager
>  Manage Nginx proxy hosts with a simple, powerful interface
> -----------------------------------------------------------
>  Add-on version: 0.11.0
>  You are running the latest version of this add-on.
>  System: Home Assistant OS 6.1  (amd64 / qemux86-64)
>  Home Assistant Core: 2021.7.0
>  Home Assistant Supervisor: 2021.06.8
> -----------------------------------------------------------
>  Please, share the above information when looking for help
>  or support in, e.g., GitHub, forums or the Discord chat.
> -----------------------------------------------------------
> [cont-init.d] 00-banner.sh: exited 0.
> [cont-init.d] 01-log-level.sh: executing... 
> [cont-init.d] 01-log-level.sh: exited 0.
> [cont-init.d] mysql.sh: executing... 
> [cont-init.d] mysql.sh: exited 0.
> [cont-init.d] nginx.sh: executing... 
> [cont-init.d] nginx.sh: exited 0.
> [cont-init.d] npm.sh: executing... 
> [cont-init.d] npm.sh: exited 0.
> [cont-init.d] done.
> [services.d] starting services
> [10:55:12] INFO: Starting the Manager...
> [services.d] done.
> [10:55:12] INFO: Starting NGinx...
> [7/8/2021] [10:55:13 AM] [Migrate  ] › ℹ  info      Current database version: 20210210154703
> [7/8/2021] [10:55:13 AM] [IP Ranges] › ℹ  info      Fetching IP Ranges from online services...
> [7/8/2021] [10:55:13 AM] [IP Ranges] › ℹ  info      Fetching https://ip-ranges.amazonaws.com/ip-ranges.json
> [7/8/2021] [10:55:13 AM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v4
> [7/8/2021] [10:55:13 AM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v6
> [7/8/2021] [10:55:13 AM] [SSL      ] › ℹ  info      Let's Encrypt Renewal Timer initialized
> [7/8/2021] [10:55:13 AM] [SSL      ] › ℹ  info      Renewing SSL certs close to expiry...
> [7/8/2021] [10:55:13 AM] [IP Ranges] › ℹ  info      IP Ranges Renewal Timer initialized
> [7/8/2021] [10:55:13 AM] [Global   ] › ℹ  info      Backend PID 538 listening on port 3000 ...
> [7/8/2021] [10:55:15 AM] [Nginx    ] › ℹ  info      Reloading Nginx
> [7/8/2021] [10:55:15 AM] [SSL      ] › ℹ  info      Renew Complete
> [7/8/2021] [10:55:15 AM] [SSL      ] › ✖  error     Certificate is not valid (Command failed: openssl x509 -in /etc/letsencrypt/live/npm-3/fullchain.pem -subject -noout
> Can't open /etc/letsencrypt/live/npm-3/fullchain.pem for reading, No such file or directory
> 140176080743240:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('/etc/letsencrypt/live/npm-3/fullchain.pem','r')
> 140176080743240:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:
> unable to load certificate
> )
> [08/Jul/2021:11:01:15 +0200] 400 - GET http localhost-nginx-proxy-manager "/" [Client 1.......87] [Length 150] [Gzip -] "-" "-"

I checked the admin console and the certificate is going to expire on 22nd September.

Any help please?

Thank you.
SoL

I’ve been using this add-on for some time now and it works great for me. I’m noticing the below warning in the HA logs. Is this related to this add-on? I don’t have a network in my system with a 172.30.33.3 IP address. Is this an internal container address?

Logger: homeassistant.components.http.forwarded
Source: components/http/forwarded.py:90
Integration: HTTP (documentation, issues)
First occurred: 10:03:02 (3 occurrences)
Last logged: 10:08:43

A request from a reverse proxy was received from 172.30.33.3, but your HTTP integration is not set-up for reverse proxies; This request will be blocked in Home Assistant 2021.7 unless you configure your HTTP integration to allow this header

cheers
Edd

See reverse proxy breaking change section

D’Oh I read this this morning but clearly it was too early :yawning_face:
so I just need to add

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24

to my config?
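
What a `trusted_proxies` list protects against, as an added example (a simplified model written for this page, not Home Assistant's own code): `X-Forwarded-For` is honoured only when the TCP peer is a listed proxy, and the client is taken as the rightmost hop that is not itself a trusted proxy. `172.30.33.3` and `172.30.33.0/24` come from the thread above; `resolve_client` and every other address are constructed for illustration.

```python
import ipaddress

def resolve_client(peer, xff, trusted_proxies):
    """Simplified model of an X-Forwarded-For trust check.
    Returns (allowed, client_ip)."""
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]

    def trusted(ip):
        return any(ipaddress.ip_address(ip) in n for n in nets)

    if xff is None:
        return True, peer                 # no header: the TCP peer is the client
    if not trusted(peer):
        return False, peer                # header sent by a host we do not trust
    hops = [h.strip() for h in xff.split(",")]
    try:
        # Walk right to left: the rightmost entries were appended by our own
        # proxies; the first untrusted one is the real client. Anything to
        # its left was supplied by that client and is ignored.
        for hop in reversed(hops):
            if not trusted(hop):
                return True, hop
    except ValueError:
        return False, peer                # malformed header entry
    return True, hops[0]                  # every hop is a trusted proxy

if __name__ == "__main__":
    subnet = ["172.30.33.0/24"]           # value from the thread
    cases = [                             # constructed requests
        ("172.30.33.3", "203.0.113.7", subnet),            # via the proxy add-on
        ("172.30.33.3", "10.0.0.1, 203.0.113.7", subnet),  # client spoofed a hop
        ("192.168.1.50", "127.0.0.1", subnet),             # header from a LAN host
        ("172.30.33.4", "203.0.113.7", ["172.30.33.3/32"]) # narrower trust list
    ]
    for peer, xff, nets in cases:
        print(peer, repr(xff), nets, "->", resolve_client(peer, xff, nets))
```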