Home Assistant Community Add-on: Nginx Proxy Manager

Hi,

I use the add-on for the SSL integration. My config:
HA Core 2021.10.5 on Intel NUC. Installed DNSMasq as an internal DNS server.
I have an internal DNS record pointing to the local IP of HA. This DNS record is also configured externally (I have my own domain).

Setting up a proxy host worked fine, meaning HTTP access was successful with the FQDN.

Now I wanted to set up SSL. Issuing a certificate with Let's Encrypt ran smoothly (opening ports on the firewall, etc.).

But accessing HA with HTTPS showed me a 502 Bad Gateway (nginx). I set the config for http in configuration.yaml as described, but no chance.
Looking at the logs, I got the error that there was an SSL version mismatch.

I checked the DNS records and the DNS record was resolving to the internal IP of HA.

Is there anything else to consider?
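
A proxy that speaks TLS to a backend port serving plain HTTP (or the reverse) fails at the handshake, so it helps to check which protocol the backend port actually speaks before choosing the proxy host's forwarding scheme. The following is an added example, not code from the original posts or from the add-on; `probe_scheme` and `start_plain_listener` are hypothetical names, and the loopback listener is a constructed stand-in for a backend.

```python
import socket
import ssl
import threading

def probe_scheme(host, port, timeout=3.0):
    """Return 'https', 'http', 'unknown' or 'unreachable' for host:port."""
    # Verification is off on purpose: the only question here is which protocol
    # the backend speaks, not whether its certificate is trusted.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            try:
                with ctx.wrap_socket(raw, server_hostname=host):
                    return "https"  # handshake completed: backend speaks TLS
            except OSError:
                pass  # ssl.SSLError or timeout: the answer was not TLS
    except OSError:
        return "unreachable"  # TCP connect itself failed
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            return "http" if s.recv(16).startswith(b"HTTP/") else "unknown"
    except OSError:
        return "unknown"

def start_plain_listener():
    """Constructed stand-in for a plain-HTTP backend on a free loopback port."""
    srv = socket.create_server(("127.0.0.1", 0))
    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                with conn:
                    conn.recv(4096)  # ignore whatever the client sent
                    conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n")
            except OSError:
                continue
    threading.Thread(target=serve, daemon=True).start()
    return srv

if __name__ == "__main__":
    srv = start_plain_listener()
    print(probe_scheme("127.0.0.1", srv.getsockname()[1]))
```

A result of `http` for the backend port means the proxy host should forward with the http scheme; `https` means the backend terminates TLS itself.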

it repeats
after host reboot
no access from outside
I see in the line mydomen duckdns org / lovelace
and constantly revolving logo “Loading data”

Can’t get this to work, just get internal error when trying SSL.

First I thought port 80 was used for something else, like the warning here says. But firewall is not disabled and port 80 seems not to be in use.



Performing the following challenges:
http-01 challenge for requests.henriktv.com
Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.
Waiting for verification...
Challenge failed for domain mydomain.com
http-01 challenge for mydomain.com
Cleaning up challenges
Some challenges have failed.

    at ChildProcess.exithandler (child_process.js:308:12)
    at ChildProcess.emit (events.js:315:20)
    at maybeClose (internal/child_process.js:1048:16)
    at Process.ChildProcess._handle.onexit (internal/child_process.js:288:5)


  1. Do you have anything connecting to internet in front of your Asus router (xdsl/ont/3g)?
  2. What OS are you using (since you also have qbittorrent running on the same machine to which you forwarded ports 443 and 80 I assume you do not have HAOS)?
  3. Have you updated router’s firmware? There is a slight difference in the menu compared to yours.

Guys, I’m trying to understand this nginx add-on. Why do you use it? What’s different with Let’s Encrypt?
I want to buy a Google domain to easily access my HA instance with valid SSL; I also need the SSL for other things.

Can I also use nginx? Do I also need port forwarding? Do I need to buy a domain? Any more info is welcome.

I had a look at this site: The easiest way to secure Home Assistant with HTTPS | dummylabs.com
Seems forwarding 8123 on the router is also needed? So why do you guys use this add-on? What benefit does it have against a normal Let’s Encrypt add-on?

thnx

With the Let’s Encrypt add-on you will only have HTTPS access to Home Assistant. So when you contact it from outside everything is fine. But when you try to access it locally, Home Assistant doesn’t react anymore on HTTP, so you have to use HTTPS together with the IP address, which is not really possible as many browsers don’t let you do it. The SSL certificate is only for the name and cannot be for the IP address, which is clear.

If you use Nginx you can have the outside traffic via HTTPS and the inside traffic with HTTP. This was the main reason for me to use it.
Also you only have one port forwarded via your browser, and Nginx handles the names to forward them to the different devices in your local network. And you only need to remember the names and not any port from outside.
So you can have:
ha.bla.blubb.wherever for your Home Assistant
nas.bla.blubb.wherever for your NAS.
mac.bla.blubb.wherever for your Mac.
pc.bla.blubb.wherever for your PC.
lms.bla.blubb.wherever for your Logitech Media Server
etc.

OK, that makes more sense, but why do you want HTTP for local? Why not just HTTPS for both external and internal?

Because it cannot work correctly, as I wrote above!
An SSL certificate is only for the fully qualified name of the device, not for the IP address.

If you e.g. use the Home Assistant Companion app for iOS/iPadOS/macOS, you can’t get the internal HTTPS with the IP address to work.
Every browser will tell you that it is insecure as the SSL certificate is not valid.
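
The name-versus-IP point in this exchange can be checked against a certificate's subjectAltName list. The following is an added example, not code from the original posts; `cert_covers` and the sample SAN lists are hypothetical and constructed, using the shape that Python's `getpeercert()["subjectAltName"]` returns.

```python
import ipaddress

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def _dns_match(pattern, host):
    """Match one DNS entry; '*' may only stand for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse over-broad wildcards such as '*.org'
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_covers(target, subject_alt_name):
    """True if target (the name or IP typed in the URL) is covered by the SANs.

    subject_alt_name is a sequence of (type, value) pairs,
    e.g. (("DNS", "ha.example.org"), ("IP Address", "192.0.2.10")).
    """
    if _is_ip(target):
        # An IP in the URL is compared only with IP entries, never DNS ones.
        want = ipaddress.ip_address(target)
        return any(kind == "IP Address" and _is_ip(v)
                   and ipaddress.ip_address(v) == want
                   for kind, v in subject_alt_name)
    return any(kind == "DNS" and _dns_match(v, target)
               for kind, v in subject_alt_name)

# Constructed SAN lists (example.org is a placeholder domain)
SAN_NAME_ONLY = (("DNS", "ha.example.org"),)
SAN_WILDCARD = (("DNS", "*.example.org"),)

if __name__ == "__main__":
    for url_host in ("ha.example.org", "192.168.1.100", "nas.example.org"):
        print(url_host, cert_covers(url_host, SAN_NAME_ONLY))
```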

Yeah, I get that, but why do you still want to use the IP address for local access? Why not just use HTTPS with the FQDN for internal access? Isn’t the router aware that it’s actually a local device?

Edit: and btw, thnx for feedback, appreciated 🙂

I don’t know if this works.

You can use the domain for both internal and external as long as your router supports NAT loopback

OK, then just Let’s Encrypt is fine for me, then I don’t need nginx.

It also provides an additional level of security with the reverse proxy and you only need 1 port for everything opened. (you also don’t need port 80 for certificate renewal) Personally I use Caddy as I actually understand what it does and how it works whereas NGINX is like voodoo and I don’t understand it and would rather not blindly follow guides.

EDIT: If you are exposing your HA to the internet this would be the minimum level of security you should consider.

Perfect, thnx for all feedback, gonna buy a Google domain and use Let’s Encrypt based on DNS… No port 80 needed then for renewal.


Is it possible to expose the configured proxies in NPM through switches in Home Assistant? So I can automate for example the exposure of some of my services when I’m leaving/coming home?
Concrete use-case: a password manager that is only needed to expose when I’m outside my home, not when I am home.

I don’t think it is possible to control individual hosts however you can set a command line switch in HA to reload nginx with a different config.

Hi All,

Can someone tell me if it is possible to connect NPM to an external MariaDB server?
I want to make use of an external server and connect NPM to it.

In the documentation it says: You need install mariadb add-on…

Probably not what you wanted but you can have NPM installed on a regular Docker and with manual DB connection instead of HA addon.

I’m trying to use Nginx Proxy Manager to create a connection to my Blue Iris server. I have followed this tutorial to a “T” but am still having issues that I think are caused by Nginx Proxy Manager.

I have NGINX Proxy Manager installed and have both certificates in there and proxies.

When creating the certificates, the guide told me to create a custom certificate and use my certificate key files from HA. I got those from the folder MyHA internal IP Address\ssl

If I go to https://myha.duckdns.org everything works and I see the login page for Home Assistant as I would expect. But if I go to https://mycams.duckdns.org I’m also redirected to the Home Assistant login page and not the Blue Iris login. That seems to tell me that the Nginx Proxy Manager isn’t doing its job. Is that correct? I can get to my Blue Iris server using http://myha.duckdns.org:8081

I have these ports forwarded (192.168.1.100 is my HA, 192.168.1.99 is Blue Iris)

Any ideas how to fix this?

Ports 443 and 80 should be forwarded to 443 and 80 of the 192.168.1.100 host (the one that runs NPM; it also runs HA, but that’s beside the point). Port 81 does not need to be forwarded.