Home Assistant Community Add-on: Nginx Proxy Manager

NAT mode marks all network activity as if coming from Unraid, even if the VM can access external resources.
Bridge mode attaches a node to the physical network and the VM gets its own IP (if DHCP server is enabled).

You have forwarded port 80 in your router to a host in your lan (probably 192.168.x.y or something similar). When trying to access both http://192.168.x.y and https://192.168.x.y what do you get? Do both of them reach NPM?

Also, what port are you using now to access the router since you forwarded port 80? Is it still 80 (meaning http://192.168.x.1, which shows that port forwarding didn’t work) or is it something else (like http://192.168.x.1:8080)?

Go to your unraid, and then to the HA VM, and right click and open the “VNC Remote” session to see the local console of this VM. After booting up you should be able to see an IP address in that console.

  • What is the IP of your HA VM?
  • Is the IP different from the IP of your unraid server, but under the same subnet?
  • Did you use that IP to connect to your HA from another PC on your LAN, under the same subnet?
  • Did you use that same IP on Google wifi port management?

so when i go into HA VM

My IPV4 address is 192.XXX.XX.73/24
My IPV6 address is fe80::aXXX:6XXX:aXXX:37XX/64

my home assistant url is http://homeassistant.local:8123
my observer URL: is http://homeassistant.local:4357

My unraid server is the same IP as my home assistant IPV address except for the last 2 digits: 192.XXX.XX.43

I connect to my ha instance from my primary pc which has the same local IP but ends in 92. Also use my phones.

On Google Wifi’s port management page, I use the home assistant 73 local IP seen here:

The imgur image above didn’t say much… is there supposed to be a 2nd and 3rd page?

Also going back to your comments a couple days ago:

What does it mean “doesn’t open the port”? How do you check open / no open exactly? What was the error message?

This likely means your HA is working, and your google wifi is working. Which likely means your NPM is not configured properly. But again, How exactly did you check this?

So the logical next step of troubleshooting being, what does your NPM config look like? Also what does the http block of your HA configuration yaml look like?

Also… I should ask this first: what is the thing you are trying to achieve with this NPM add-on?

sorry, that’s just what google wifi’s port management page looks like, has me choose a port, tcp/udp, internal and external port.

I’m checking my ports via Port Scanners / WhatsMyIP.org

When i forward internal port 8123 to external 80, it shows that 80 is open via this site. same for 8123–>443. If i do 80 to 80 or 443 to 443, it won’t open.

here is my npm settings after installing mariadb:

domain name is my duckdns url without http or https
scheme: http
forward host is my ha ip 192.XXX.XX.73
forward port is 8123
websockets support enabled
publicly accessible

Under the SSL tab:
request new ssl certificate
Force ssl enabled

When i try doing this w/my ports 80 and 443 open, I get an internal error when i try to save it.

edit: just realized i forgot to put the /24 at the end of my local ha ip which is on the supervisor tab.

When I did this (w/8123–>80, and 8123–>443), I was able to save it and avoid the internal error, but when I clicked the remote access duckdns website, I would get a 500 internal server error. If I switched the scheme to https in nginx, I could access my instance, but it did not have a secure certificate.

my config yaml http block is:
http:
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem
  ip_ban_enabled: true
  login_attempts_threshold: 5

The reason i want to setup nginx proxy manager is because i want remote access and google home integration for home assistant, and would like to do it w/o paying for nabu casa.

Do you have the setting for proxies (use_x_forward, trusted_proxies etc) setup in your home assistant config?

HA Http

That would be in the html part of my config.yaml, right?

I listed that part of my config in the prior post.

I originally set up remote access w/the duckdns addon. I’ve since uninstalled it bc I’ve heard a reverse proxy is more secure.

Wondering if some of my issues stem from the prior add-on…

Yes. Without it home assistant will be rejecting any connections from the reverse proxy.

I have two reverse proxies in my config. One using the HA nginx and the other using NPM.

You will need the line enabling it and the line with the acceptable IP address.

Also your SSL certificates should be managed by NPM now. You need to make sure your HA instance is accepting http.

I would challenge this perception. Reverse proxies can open up a whole lot more attack surface if you get them wrong. Given they are more complex to set up, there are far more opportunities to get it wrong.
The managed duckdns addon is simple and works. If there was an issue someone would likely find it and patch it. There is little room for screwing it up and opening up your network for attack.

Keeping it simple with any form of https to HA is likely to give you a more secure solution.
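
The http block that the advice above points to ("the line enabling it", "the line with the acceptable IP address", and HA accepting plain http), as an added example that is not from any poster in this thread. The 172.30.33.0/24 range is an assumption (the usual Supervisor add-on network); confirm it against the proxy address Home Assistant logs when it rejects a request.

```yaml
# configuration.yaml -- Home Assistant behind Nginx Proxy Manager (added example)
#
# Before (the block posted earlier in this thread): HA terminates TLS itself
# on 8123, so an NPM proxy host with scheme "http" cannot talk to it, and
# requests arriving from the proxy are not accepted.
#
# http:
#   ssl_certificate: /ssl/fullchain.pem
#   ssl_key: /ssl/privkey.pem
#   ip_ban_enabled: true
#   login_attempts_threshold: 5

# After: NPM holds the certificate; HA serves plain HTTP on 8123 to the proxy.
http:
  use_x_forwarded_for: true      # read the client address from X-Forwarded-For
  trusted_proxies:
    - 172.30.33.0/24             # ASSUMPTION: add-on network NPM connects from
  ip_ban_enabled: true           # bans now apply to the forwarded client address
  login_attempts_threshold: 5

# Keep trusted_proxies as narrow as the proxy's real source address allows.
# A catch-all such as 0.0.0.0/0 means any host that can reach port 8123
# directly is believed when it supplies its own X-Forwarded-For value, so
# ip_ban would act on a claimed address instead of the real one.
```

With this in place the NPM proxy host keeps scheme http, forward port 8123, and the certificate is requested on NPM's SSL tab only.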

So when I was installing the duckdns add-on and configuring it, I added the above http section to my configuration.yaml file.

If I delete it, follow the 1st post for npm, and my config is valid, I should be good, right?

When I initially started w/remote access, I was trying to do ports 80 to 80, and 443 to 443.

Npm method didn’t work, so I followed the duckdns add-on method of opening 8123 to 8123 and had some success.

Do you think the duckdns method w/8123 to 8123 is more or less secure than opening 8123 to 80+443 w/nginx?

Follow the suggested config. I no longer use NPM as an addon so don’t have the config to share.

This recent post in this topic shows someone else’s config.

It is less about the ports and more to do with https and if you trust the applications in the process. As we are using HA here I assume we trust that.
nginx is trusted but very flexible to configure. NPM is newer but is just a config layer to nginx so should be ok.
I think they are all as safe but reverse proxy gives more flexibility but also more opportunities to do it wrong.

I am not a networking expert but this is my understanding after using this stuff for many years.

Not sure where you get the idea from. If you don’t config things correctly, your setup could be (a lot) less secure.

Now,

If this is all what you are after, then there is no need for this NPM add-on. Uninstall this one, and use the combo of Duck DNS addon and the NGINX Home Assistant SSL proxy addon instead.


so cleared out duckdns, and tried to re-add npm. can access it as http but no ssl cert issued. every time i tried to save w/force ssl, i get an internal error.

still getting internal errors and getting this in the log file.

Some challenges have failed.
[2/27/2022] [2:26:04 PM] [Nginx ] › :information_source: info Reloading Nginx
[2/27/2022] [2:26:40 PM] [Nginx ] › :information_source: info Reloading Nginx
[2/27/2022] [2:26:40 PM] [SSL ] › :information_source: info Requesting Let’sEncrypt certificates for Cert #6: example.duckdns.org
[2/27/2022] [2:26:41 PM] [Nginx ] › :information_source: info Reloading Nginx
[2/27/2022] [2:26:41 PM] [Express ] › :warning: warning Command failed: /usr/bin/certbot certonly --non-interactive --config “/etc/letsencrypt.ini” --cert-name “npm-6” --agree-tos --email “[email protected]” --preferred-challenges “dns,http” --domains exampler.duckdns.org"
Saving debug log to /data/logs/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see Rate Limits - Let's Encrypt
Please see the logfiles in /data/logs/letsencrypt for more details.
[2/27/2022] [2:27:42 PM] [Nginx ] › :information_source: info Reloading Nginx
[2/27/2022] [2:27:42 PM] [SSL ] › :information_source: info Requesting Let’sEncrypt certificates for Cert #7: example.duckdns.org
[2/27/2022] [2:27:43 PM] [Nginx ] › :information_source: info Reloading Nginx
[2/27/2022] [2:27:43 PM] [Express ] › :warning: warning Command failed: /usr/bin/certbot certonly --non-interactive --config “/etc/letsencrypt.ini” --cert-name “npm-7” --agree-tos --email “[email protected]” --preferred-challenges “dns,http” --domains “example.duckdns.org
Saving debug log to /data/logs/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see Rate Limits - Let's Encrypt
Please see the logfiles in /data/logs/letsencrypt for more details.
[2/27/2022] [2:28:05 PM] [Nginx ] › :information_source: info Reloading Nginx
[2/27/2022] [2:28:05 PM] [SSL ] › :information_source: info Requesting Let’sEncrypt certificates for Cert #8: example.duckdns.org
[2/27/2022] [2:28:06 PM] [Nginx ] › :information_source: info Reloading Nginx
[2/27/2022] [2:28:06 PM] [Express ] › :warning: warning Command failed: /usr/bin/certbot certonly --non-interactive --config “/etc/letsencrypt.ini” --cert-name “npm-8” --agree-tos --email “[email protected]” --preferred-challenges “dns,http” --domains “example.duckdns.org
Saving debug log to /data/logs/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see Rate Limits - Let's Encrypt
Please see the logfiles in /data/logs/letsencrypt for more details.

I had the same problem yesterday. I resolved it by removing the MariaDB and then reinstalling. Not sure why that worked, but it did.

For my problem?

Yes, for getting internal errors when trying to get a certificate.

Does this happen on initial setup only or have you had to reinstall mariadb on other occasions?

I just started trying to get NPM running in the last couple days. After several failures (Internal Errors) I believe I corrected some things after doing further research. I still got Internal errors until I deleted and then reinstalled MariaDB.

Yeah. Still getting internal errors w/ reinstall. I’m putting a user and pass in the config section of mariadb. Does the password have to be the same for nginx?