Home Assistant Community Add-on: Nginx Proxy Manager

yes, should suffice

thanks
just out of curiosity is that the container IP then from within HA’s docker network?

Yes, you can also see the subnet in your initial post. Since the nginx container might have a different IP the ip range is added as trusted proxy.

Oh, didn’t notice, my bad, sorry.
Thank you, solved!
SoL

I apologize, I am relatively new to this. Is there a way to add the required config changes in the WebUI of Nginx Proxy Manager?

No, they are added to your configuration.yaml file in Home Assistant.


What should I change after the upgrade to 2021.7 if I am using HA and Nginx Proxy Manager in Docker? Now I am seeing only the text “400: Bad Request” when accessing the HTTPS webpage. Adding the:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24
    - 192.168.0.0/24

to the configuration file is also not helping…

Please review my docker-compose files.


version: "3.7"
services:
  home-assistant:
    image: homeassistant/home-assistant
    network_mode: host
    container_name: home-assistant
    environment:
      - USER_ID=1001
      - GROUP_ID=100
      - TZ=Europe/Warsaw
    volumes:
      - /hass/home-assistant:/config
      - /var/run/docker.sock:/var/run/docker.sock
    restart: always


version: '3'
services:

  ngnix:
    image: 'jc21/nginx-proxy-manager:latest'
    container_name: nginx
    restart: unless-stopped
    ports:
      - '83:81' # Dashboard Port
      - '447:443' # HTTPS Traffic
      - '89:80' # HTTP Traffic
    volumes:
      - /nginx/config.json:/app/config/production.json
      - /nginx/data:/data
      - /nginx/letsencrypt:/etc/letsencrypt

  db:
    image: 'jc21/mariadb-aria:10.4'
    container_name: nginx_db
    restart: unless-stopped
    environment:
      MYSQL_ROOT_PASSWORD: 'XXX'
      MYSQL_DATABASE: 'XXX'
      MYSQL_USER: 'docker'
      MYSQL_PASSWORD: 'XXX'
    volumes:
      - /nginx/db/data/mysql:/var/lib/mysql

See the config notes in the linked post from @cmille34, who got it working: Nginx Reverse Proxy Set Up Guide – Docker - #298 by cmille34

When I restart NPM I see this error:

[Client 192.168.100.1] [Length 947] [Gzip -] [Sent-to 192.168.100.25] "python-requests/2.25.1" "-"
`QueryBuilder#allowEager` method is deprecated. You should use `allowGraph` instead. `allowEager` method will be removed in 3.0
`QueryBuilder#eager` method is deprecated. You should use the `withGraphFetched` method instead. `eager` method will be removed in 3.0
QueryBuilder#omit is deprecated. This method will be removed in version 3.0

What can I do to solve this?

Has anyone got Vaultwarden running with this and Cloudflare?

I have my subdomain set up and I have my host IP and port set in NPM. If I use http I get the error “The plain HTTP request was sent to HTTPS port”, and if I set it to https I get a bad gateway error message from Cloudflare.

I also saw this error: “2021/08/08 06:56:23 [error] 705#705: *201 SSL_do_handshake() failed (SSL: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:SSL alert number 40) while SSL handshaking to upstream”

I have bought a secondary router to improve the Wi-Fi connection at home and not use the company router.
I have it connected to the WAN of the main router, the problem is that I cannot access my home assistant from the outside through the duckdns link, I have all the ports open on both the main and secondary router. It only affects the links that I have with the NGINX proxy.

How should I configure the router to be able to access from the outside with the reverse proxy?

In Nginx Proxy:
Resource is “XXXXXXX.duckdns.org”
Destination is “http://IP_HOME_ASSISTANT_ON_SECUNDARY_ROUTER:8123”

In both routers I have open ports 443 and 80 directed to the raspberry pi and the secondary router

You don’t need to forward port 8123 (theoretically only port 443 should be forwarded; however, if you don’t want to manually renew Let’s encrypt certificate or you don’t have the DNS challenge option set, then you also need port 80 forwarded).

Destination should be the address of HA (not your secondary router).

I think you meant a LAN port; anyway, if you only need to improve coverage of your wifi signal you don’t need to set it as a router but as an AP (with NAT functions disabled) because routing would be a nightmare between the two subnets. Or, are you trying to say that you want to completely replace wifi from the ISP’s provided router (thus have all devices connected to your personal router)?

Yes, I wanna replace completely wifi from the ISP’s provided router. I bought a TP-Link Router Mesh.

I don’t have forwarded port 8123, just port 433 and 80 on both routers.
The destination is already the ip of Home Assistant.

For example.

  • In Secondary router, which IP is 192.168.0.1:
    IP of HA: 192.168.0.55 → I forward ports 433 and 80

  • In Main router, which IP is 192.168.1.1:
    IP of Secondary router: 192.168.1.120 → I forward ports 433 and 80

First you can use something like https://canyouseeme.org/ to check if the ports 443 and 80 are correctly forwarded between the two routers.

It should be mentioned that the secondary router should have a static WAN address, otherwise the primary router might lease a new IP and the port forwarding will then fail (basically, in the above you need to ensure that (1) the WAN IP of the secondary router (you didn’t mention this) and (2) the IP to which the two ports are forwarded (192.168.1.120) coincide).

In case the above test is passed, you might need to check the DNS record of the “XXXXXXX.duckdns.org” if you don’t have a static IP from your ISP. I also use the DuckDNS addon with xxx.duckdns.org and defined aaa.xxx.duckdns.org, bbb.xxx.duckdns.org, etc. for the hosts I needed, so I would not need too many records updated when the public IP changes.

Just had to recreate my HA due to an issue on another server (hypervm). All works fine but cannot get nginx proxy to set up the ssl for my duckdns.
Internal error when I try to renew the certificate through the Nginx Proxy Manager.

Any suggestions? Router has 80/443 pointing to my IP address of homeassistant fine.

Was working fine on the other server before it broke. What could I be missing? Possibly a hyperv vm setting blocking it?

You were trying to renew a certificate that was previously issued to another machine, right?

Can you try issuing a certificate for a domain that was not used before?

Managed to get my old server back up and running on the same ip.
renewed the duckdns cert and added that to the addon.
Still no luck.

internal error when trying to add a new host in the nginx proxy manager gui.

hmmm

I wonder if this has anything to do with it:

Another instance of Certbot is already running.

UPDATE: Finally. Removed the old nginx folder created from the snapshot restore. Reinstalled the addon and then it came back to life. Some conflict with the old configs; even though I uninstalled it before, it held onto the repo.


Thanks @bg1000
I followed your instructions. Now I hope that you can help me (proxy noob):

What I’ve had so far:
External access with the addons let’s encrypt and duckdns including port forwarding 8123, 80 443.

What have I done:

  1. let’s encrypt addon uninstalled
  2. uninstalled duckdns addon
  3. http: section disabled in yaml
  4. disable portforwarding 8123
  5. reboot HA
  6. duckdns addon installed and configured like that:
lets_encrypt:
  accept_terms: false
  certfile: fullchain.pem
  keyfile: privkey.pem
token: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
domains:
  - xxxxxxx.duckdns.org
aliases: []
seconds: 300
  7. Now the error message KO comes in the duckdns addon logs
  8. Couldn’t fix that, so I installed and configured the Nginx Proxy Manager addon. There the state shows in green.

Problem:
If I now try my url (xxx.duckdns.org without port 8123) the following appears: ERR_EMPTY_RESPONSE :see_no_evil:

what did I do wrong? Thank you for your support



Edit:

Because of the change (reverse proxy breaking change in 2021.7) I also tried this:

http:
#   ssl_certificate: /ssl/fullchain.pem
#   ssl_key: /ssl/privkey.pem
  use_x_forwarded_for: true
  trusted_proxies:
    - xxx.xxx.xxx.0/24

Unfortunately also without success (and the same error message)

I haven’t actually used that addon in a couple of years but I’m happy to try to help. Here are a couple of things you might try:

  1. If homeassistant is blocking the traffic there will be a message in the log about an untrusted proxy. So I would start by looking for that.
  2. Try picking another add on with a web interface and setting up a proxy host for that. This will allow you to confirm that the addon is working properly and that you know how to configure it.
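
The "untrusted proxy" check and the 400 response discussed in this thread, as an added example (not code from the thread or from Home Assistant): a simplified model that assumes a request carrying X-Forwarded-For is accepted only when forwarding is enabled and the connecting peer falls inside trusted_proxies. The function names and the peer and client addresses are constructed for illustration; only the two trusted ranges come from the thread.

```python
import ipaddress

# trusted_proxies ranges quoted in the thread.
TRUSTED = ["172.30.33.0/24", "192.168.0.0/24"]

def parse_networks(entries):
    """Parse trusted_proxies entries (single IPs or CIDR ranges)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def is_trusted(addr, networks):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)

def evaluate(peer, x_forwarded_for, use_x_forwarded_for, trusted_proxies):
    """Return (http_status, effective_client_ip) for one request.

    Simplified model (an assumption, not Home Assistant's source code).
    peer is the address of the TCP connection as the backend sees it.
    """
    if x_forwarded_for is None:
        return 200, peer              # direct connection, no proxy involved
    if not use_x_forwarded_for:
        return 400, None              # proxy header present, proxying not configured
    nets = parse_networks(trusted_proxies)
    if not is_trusted(peer, nets):
        return 400, None              # the "untrusted proxy" case
    # Walk the header right to left: the first hop that is not itself a
    # trusted proxy is the client. Values further left are client-supplied.
    hops = [h.strip() for h in x_forwarded_for.split(",")]
    for hop in reversed(hops):
        if not is_trusted(hop, nets):
            return 200, hop
    return 200, hops[0]

if __name__ == "__main__":
    # Constructed sample requests: (peer, X-Forwarded-For header)
    samples = [
        ("172.30.33.5", "203.0.113.7"),               # proxy inside a trusted range
        ("172.18.0.3", "203.0.113.7"),                # proxy on another Docker network
        ("172.30.33.5", "198.51.100.9, 203.0.113.7"), # extra hop supplied by the client
    ]
    for peer, xff in samples:
        print(peer, xff, "->", evaluate(peer, xff, True, TRUSTED))
```

The third sample shows why each trusted range should be as narrow as the proxy's actual address allows: every address inside a trusted range is allowed to assert the client IP.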