Home Assistant Community Add-on: Nginx Proxy Manager

arink · October 18, 2021, 6:15am

Hi,

i use the add-on for the ssl Integration. My config:
HA Core 2021.10.5 on IntelNuc. Installed DNSMasq as an internal DNS Server.
I have a internal DNS Record pointing to the local IP of HA. This DNS record is also configured external(i have my own Domain).

Setting up a Proxy Host worked Fine means http Access was successful with the fqdn.

Now i wanted to set up SSL. Issuing an certificate with Lets Encrypt run smoothly (Opening ports on the firewall etc).

But Accessing HA with https showed me a 502/Bad Gateway(nginx). I set the config for the http in configuration.yaml as described but on Chance.
Looking the logs i got the error that there was a ssl version missmatch.

I checked the DNS records and the DNS record was resolving to the internal ip of HA.

Is there anything else to consider?

RuSpray · October 21, 2021, 5:46pm

it repeats
after host reboot
no access from outside
I see in the line mydomen duckdns org / lovelace
and constantly revolving logo “Loading data”

henrikrox · October 22, 2021, 10:27am

can’t get this to work, just get internal error when trying ssl

First I thought port 80 was used forsomethingo else, like the warning here says. But firewall is not disabled and port 80 seems not to be in use.

Performing the following challenges:
http-01 challenge for requests.henriktv.com
Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.
Waiting for verification...
Challenge failed for domain mydomain.com
http-01 challenge for mydomain.com
Cleaning up challenges
Some challenges have failed.

    at ChildProcess.exithandler (child_process.js:308:12)
    at ChildProcess.emit (events.js:315:20)
    at maybeClose (internal/child_process.js:1048:16)
    at Process.ChildProcess._handle.onexit (internal/child_process.js:288:5)

Screenshot 2021-10-22 at 12.26.48

Petrica · October 22, 2021, 3:40pm

Do you have anything connecting to internet in front of your Asus router (xdsl/ont/3g)?
What OS are you using (since you also have qbittorrent running on the same machine to which you forwarded ports 443 and 80 I assume you do not have HAOS)?
Have you updated router’s firmware? There is a slight difference in the menu compared to yours.

image833×343 12.1 KB

pergola.fabio · October 29, 2021, 7:24am

guys, i’m tryng to understand this nginx add-on, why do you use it? whats different with lets encrypt?
i want to buy a google domain, to easy access my HA instance with valid ssl, i also need the ssl for other things

can i also use nginx? do i also need to port forwarding? do i need to buy a domain? any more info is welcome

i had a look at this site : The easiest way to secure Home Assistant with HTTPS | dummylabs.com
seems forwarding on router 8123 is also needed? so why do you guys use this addon? what benefit does it have againts a normal lets encrypt addon?

thnx

carsten_h · October 29, 2021, 9:47am

With the let’s encrypt addon you will only have https access to Home Assistant. So when you contact it from outside everything is fine. But when you try to access it locally Home Assistant doesn’t react anymore on http, so you have to use https together with the IP-address which is not really possibly as many browsers don’t let you do it. The ssl-certificate is only for the name and can not be for the IP-address which is clear.

If you use Nginx you can have the outside traffic via https and the inside traffic with http. This was the main reason for me to use it.
Also you only have one port forwarded via your browser and Nginx handles the names to forward them to the different devices in you local network. And you only need to remember the names and not any port from outside.
So you can have:
ha.bla.blubb.wherever for your Home Assistant
nas.bla.blubb.wherever for your NAS.
mac.bla.blubb.wherever for your Mac.
pc.bla.blubb.whereever for your PC.
lms.bla.blubb.wherever for your Logitech Media Server
etc.

pergola.fabio · October 29, 2021, 9:51am

ok, that makes more sense, but why do you want http for local, why not just https for both external and internal?

carsten_h · October 29, 2021, 10:05am

Because it can not work correctly as I wrote above!
A SSL certificate is only for the full qualified name of the device, not for the IP-address.

If you eg. use the Home Assistant Companion app for iOS/iPadOS/macOS you can’t get the internal https with the IP-address to work.
Every browser will tell you that it is insecure as the ssl certificate is not valid.

pergola.fabio · October 29, 2021, 10:21am

yeah , i get that, but why do you still want to use the IP address for local access, why not just use the https with fqdn for internal access? isnt the router aware that its actually a local device?

edit: and btw, thnx for feedback, appreciated

carsten_h · October 29, 2021, 10:44am

I don’t know if this works.

DavidFW1960 · October 29, 2021, 10:46am

You can use the domain for both internal and external as long as your router supports NAT loopback

pergola.fabio · October 29, 2021, 10:53am

Ok, then just let’s encrypt is fine for me, then I don’t need nginx

DavidFW1960 · October 29, 2021, 9:43pm

It also provides an additional level of security with the reverse proxy and you only need 1 port for everything opened. (you also don’t need port 80 for certificate renewal) Personally I use Caddy as I actually understand what it does and how it works whereas NGINX is like voodoo and I don’t understand it and would rather not blindly follow guides.

EDIT: If you are exposing your HA to the internet this would be the minimum level of security you should consider.

pergola.fabio · October 30, 2021, 6:16am

Perfect, thnx for all feedback, gonna buy a Google domain and use let’s encrypt based on DNS… No port 80 needed then for renewal

Devqon · November 2, 2021, 2:47pm

Is it possible to expose the configured proxies in NPM through switches in Home Assistant? So I can automate for example the exposure of some of my services when I’m leaving/coming home?
Concrete use-case: a password manager that is only needed to expose when I’m outside my home, not when I am home.

Petrica · November 3, 2021, 7:42pm

I don’t think it is possible to control individual hosts however you can set a command line switch in HA to reload nginx with a different config.

poudenes · November 11, 2021, 6:54pm

Hi All,

Can someone tell me if it is possible to connect NPM to a external MariaDB server?
I want make use of a external server and connect NPM to it.

In the documentation it says: You need install mariadb add-on…

Petrica · November 16, 2021, 2:12pm

Probably not what you wanted but you can have NPM installed on a regular Docker and with manual DB connection instead of HA addon.

bphillips921 · November 23, 2021, 6:04am

I’m trying to use Nginx Proxy Manager to create a connection to my Blue Iris server. I have followed this tutorial to a “T” but am still having issues that I think are caused by Nginx Proxy Manager.

I have NGINX Proxy Manager installed and have both certificates in there and proxys

When creating the certificates, the guide told me to create a custom certificate and use my certificate key files from HA. I got those from the folder MyHA internal IP Address\ssl

If I go to https://myha.duckdns.org everything works and I see the login page for Home Assistant as I would expect. But, if I go to https://mycams.duckdns.org I’m also redirected to the Home Assistant login page and not the Blue Iris login. That seems to tell me that the Nginx proxy manager isn’t doing it’s job. Is that correct? I can get to my Blue Iris server using http://myha.duckdns.org:8081

I have these ports forwarded (192.168.1.100 is my HA, 192.168.1.99 is Blue Iris)

Any ideas how to fix this?

Petrica · November 23, 2021, 6:23am

Ports 443 and 80 should be forwarded to 443 and 80 of the 192.168.1.100 host (the one that runs NPM; it also runs HA, but that’s beside the point). Port 81 does not need to be forwarded.