Home Assistant Community Add-on: Nginx Proxy Manager

At this point I’d like to re-iterate my recommendations from 2 days ago:

  1. Uninstall this NPM add-on
  2. Install Duck DNS add-on, and set it up accordingly, to get your Dynamic DNS with Let’s Encrypt certification
  3. Install the (other) NGINX Home Assistant SSL proxy add-on, and set it up accordingly
  4. Update your http block in your configuration.yaml to something like this.
http:
  ip_ban_enabled: true
  # ssl_certificate: /ssl/fullchain.pem
  # ssl_key: /ssl/privkey.pem
  login_attempts_threshold: 5
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1
    - ::1
    - 172.16.0.0/12
  5. Update your router, point your external port to the 192.xxx.xxx.73 (IP of the HAOS), and to the port per the configuration inside your NGINX Home Assistant SSL proxy add-on
  6. Use https and the DuckDNS domain name to connect to HA, for when you are outside,
  7. Use http and the .73 IP and port 8123 to connect to HA if you and HA are on the same LAN.
  8. And then follow your Google Home setup guide, which is outside of the scope of this thread.

Edit: added steps 6 - 8 above.

===
I’d recommend this, because of the intention you outlined the other day:

This NPM add-on is probably not a good fit for you / your setup.

I know what you said, but if nothing works, I would seriously recommend Nabu Casa.

1 Like
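What the http: block in the post above actually controls is which address Home Assistant attributes a request to, and therefore which address ip_ban_enabled and login_attempts_threshold act on. The following is an added example, not code from the thread or from Home Assistant: a stand-alone model of that decision. It also covers the wider 192.168.0.0/16 entry that appears in a later post in this thread, to show why trusted_proxies should list only the proxy's own network. All addresses and headers are constructed; the function and class names are this example's own.

```python
"""Added example (not from the thread or the Home Assistant code base): a
stand-alone model of trusted_proxies / use_x_forwarded_for / ip_ban.
Addresses and headers below are constructed; names are this example's own.
"""
import ipaddress

# trusted_proxies from the http: block in the post above
TRUSTED_PROXIES = ["127.0.0.1", "::1", "172.16.0.0/12"]


def resolve_client_ip(peer_ip, x_forwarded_for, trusted_proxies,
                      use_x_forwarded_for=True):
    """Return the address a request is attributed to.

    peer_ip          -- the TCP peer that connected to port 8123 (the proxy
                        container, or a direct client on the LAN)
    x_forwarded_for  -- the X-Forwarded-For header value, or None
    The header is honoured only when use_x_forwarded_for is on AND the peer
    is inside one of the trusted_proxies networks; otherwise the peer itself
    is the client, whatever the header claims.
    """
    peer = ipaddress.ip_address(peer_ip)
    trusted = any(peer in ipaddress.ip_network(n, strict=False)
                  for n in trusted_proxies)
    if not (use_x_forwarded_for and trusted and x_forwarded_for):
        return str(peer)
    # X-Forwarded-For is "client, proxy1, proxy2, ...": the leftmost entry is
    # the address the first proxy saw. Refuse anything that is not an IP
    # rather than banning (or trusting) a garbage string.
    hops = [h.strip() for h in x_forwarded_for.split(",")]
    return str(ipaddress.ip_address(hops[0]))


class LoginThrottle:
    """Simplified stand-in for ip_ban_enabled + login_attempts_threshold:
    an address is banned once it has accumulated `threshold` failures."""

    def __init__(self, threshold=5):
        self.threshold = threshold
        self.failures = {}
        self.banned = set()

    def record_failure(self, client_ip):
        self.failures[client_ip] = self.failures.get(client_ip, 0) + 1
        if self.failures[client_ip] >= self.threshold:
            self.banned.add(client_ip)
        return client_ip in self.banned


def simulate_failed_logins(peer_ip, x_forwarded_for, trusted_proxies, attempts):
    """Run `attempts` failed logins through the throttle; return (ip, banned)."""
    throttle = LoginThrottle(threshold=5)
    ip = resolve_client_ip(peer_ip, x_forwarded_for, trusted_proxies)
    banned = False
    for _ in range(attempts):
        banned = throttle.record_failure(ip)
    return ip, banned


if __name__ == "__main__":
    # Request relayed by the add-on container (172.30.x.x is inside 172.16.0.0/12):
    print(resolve_client_ip("172.30.33.4", "203.0.113.7", TRUSTED_PROXIES))
    # Same header sent directly by a LAN host: not a trusted proxy, header ignored.
    print(resolve_client_ip("192.168.1.50", "203.0.113.7", TRUSTED_PROXIES))
    # With 192.168.0.0/16 added to trusted_proxies the LAN host's forged header
    # is believed, so five bad passwords from it get 203.0.113.7 banned instead.
    print(simulate_failed_logins("192.168.1.50", "203.0.113.7",
                                 TRUSTED_PROXIES + ["192.168.0.0/16"], 5))
```

The practical point: list only the network the proxy container actually lives in (the 172.16.0.0/12 range covers the add-on network on HAOS). Adding the whole LAN to trusted_proxies lets any device on it choose the "client" address that bans and logs are keyed on.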

Will give this a go. Just wanted to see if I messed something up with the NPM initial setup.

Can I still use the DuckDNS add-on in conjunction with this? I want the DuckDNS add-on to keep my public IP up-to-date on duckdns.org. The DuckDNS add-on also generates Let’s Encrypt certs, but it appears I don’t need those with NGINX Proxy Manager?

Is it possible to point NGINX Proxy Manager to the same certs generated by the DuckDNS add-on?
Or, if not using the DuckDNS add-on certs, how do I set up NGINX Proxy Manager to auto-renew expiring certs like the DuckDNS add-on? Does it even have that capability?

I’m asking all this because I recently started getting emails that my Let’s Encrypt certs are expiring in a few days… so I checked the DuckDNS add-on and those certs indicate they are good until April… then I checked the certs for NGINX Proxy Manager and, based on the dates, all of them are expired as of a few months ago… However, I haven’t had any issues accessing the sites/services… so I’m not understanding what certs NGINX Proxy Manager is even using.

This is a great add-on.
Question - is there a reason why the “streams” host option is not available, unlike the docker version?
I am hoping to configure TCP & UDP port forwarding for a game server in NPM instead of in my router.

Screenshot of the dashboard at nginxproxymanager.com:

Hi,

Is there an explanation of how to troubleshoot the NGINX Home Assistant SSL Proxy?

I'm running HA OS 7.5 with the Let's Encrypt and NGINX add-ons installed.

I can't seem to get it to proxy incoming 80 or 443 traffic to the HA instance on 8123.

My HA works internally over 8123 (on http, no encryption); I just want to enable remote access over SSL.

My configuration.yaml includes…

http:
  ip_ban_enabled: true
  login_attempts_threshold: 5
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1
    - ::1
    - 172.16.0.0/12
    - 192.168.0.0/16

and the NGINX add-on config:

certfile: fullchain.pem
cloudflare: false
customize:
  active: false
  default: nginx_proxy_default*.conf
  servers: nginx_proxy/*.conf
domain: mydomain
hsts: max-age=31536000; includeSubDomains
keyfile: privkey.pem

I have a feeling that you are in the wrong place. This thread is about the community add-on Nginx Proxy Manager, and what you described above is about the official add-on NGINX Home Assistant SSL proxy. These two add-ons both use NGINX, but are vastly different.

Regarding your issue, I recommend you start a different thread, and check the logs of both the Let's Encrypt and NGINX Home Assistant SSL proxy add-ons.

This is because the Hass.io add-on is not up to date. It is from May 2021.

Hey guys how can I get the SSL files from NPM in order to use them for other add-ons (like MQTT, etc)?

Thanks!

Any possibility of increasing the limit on the 4 allow/deny fields in the access lists? I’ve got like 10 that I need to add.

Is there a way to set the proxy_ssl_server_name variable for a specific domain within the proxy manager?

Hello all,
there are regular security updates for Nginx. The add-on itself has not been updated for a while. Does this mean that the NGINX version in the add-on is also outdated and has security vulnerabilities? How can I manually update the nginx component?

Hey @frenck, the login data inside my MariaDB instance is corrupted, making it impossible for me to change the password (and other weird behaviour). I’ve hit the “reset” toggle for the add-on, which clears all my settings with the exception of the login details.

Are you able to extend the “reset” functionality to clear all NGINX Proxy Manager settings inside MariaDB, including the login details?

As far as I’ve progressed, I am clueless on how to fully wipe the MariaDB and start from scratch…


Ignore the above, I just found this thread and it’s given me what I need, in case it helps anyone else: Home Assistant Community Add-on: Nginx Proxy Manager - #525 by Petrica “phpMyAdmin” add-on to view and edit the MariaDB

In case anyone else has been running into problems with renewals failing with Cloudflare DNS challenge, there is an issue on GH here: https://github.com/hassio-addons/addon-nginx-proxy-manager/issues/258

I found a workaround to let the renewal process work but which only lasts until the add-on is restarted (and thus is not an actual fix). You’ll still have to do this every 3 months, but it beats having to nuke your entire SSL setup and re-do every cert and every proxy host every 3 months.

  1. Console into the addon_1234abcd_nginxproxymanager container as root, I use portainer to allow me to do this. The Home Assistant devs have bent over backwards to try and prevent you from accessing normal container controls which doesn’t seem like a great use of anyone’s time. You’ll have to sort out how to make that happen for you, and the result will likely be a hilarious “unsupported installation” message for your efforts.
  2. Kill the stuck certbot instance that ran at container start and won’t complete due to the change required below: pkill certbot
  3. Remove the offending line from letsencrypt.ini: sed -i 's/authenticator = webroot//' /etc/letsencrypt.ini

And that’s it! CF renewals will now work until you restart the container. This has been fixed in the upstream project for over a year now, hopefully we’ll see some of those fixes make their way into the Home Assistant add-on some day.

I issued a PR for the problem described above which is now in the current release of the add-on.

I’m currently using Traefik on an external VM and thinking of switching to this. The only thing stopping me is TCP routes.
In my setup Traefik handles the certs for MQTT as well (native port, not websockets); how can I replicate it with NPM as it does not support TCP :thinking:

any help or thoughts?

Well, unfortunately it looks like it still isn’t fixed in the latest release. Trying to renew gives me:

And the log only gives:

s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service fix-attrs successfully started
s6-rc: info: service legacy-cont-init: starting
cont-init: info: running /etc/cont-init.d/00-banner.sh
-----------------------------------------------------------
 Add-on: Nginx Proxy Manager
 Manage Nginx proxy hosts with a simple, powerful interface
-----------------------------------------------------------
 Add-on version: 0.12.1
 You are running the latest version of this add-on.
 System: Home Assistant OS 8.2  (aarch64 / raspberrypi4-64)
 Home Assistant Core: 2022.6.5
 Home Assistant Supervisor: 2022.07.0
-----------------------------------------------------------
 Please, share the above information when looking for help
 or support in, e.g., GitHub, forums or the Discord chat.
-----------------------------------------------------------
cont-init: info: /etc/cont-init.d/00-banner.sh exited 0
cont-init: info: running /etc/cont-init.d/01-log-level.sh
Log level is set to INFO
cont-init: info: /etc/cont-init.d/01-log-level.sh exited 0
cont-init: info: running /etc/cont-init.d/mysql.sh
cont-init: info: /etc/cont-init.d/mysql.sh exited 0
cont-init: info: running /etc/cont-init.d/nginx.sh
cont-init: info: /etc/cont-init.d/nginx.sh exited 0
cont-init: info: running /etc/cont-init.d/npm.sh
cont-init: info: /etc/cont-init.d/npm.sh exited 0
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service legacy-services: starting
services-up: info: copying legacy longrun manager (no readiness notification)
services-up: info: copying legacy longrun nginx (no readiness notification)
s6-rc: info: service legacy-services successfully started
[22:30:24] INFO: Starting the Manager...
[22:30:24] INFO: Starting NGinx...
[7/25/2022] [10:30:25 PM] [Global   ] › ℹ  info      Manual db configuration already exists, skipping config creation from environment variables
[7/25/2022] [10:30:29 PM] [Migrate  ] › ℹ  info      Current database version: 20211108145214
[7/25/2022] [10:30:43 PM] [Setup    ] › ℹ  info      Added Certbot plugins certbot-dns-cloudflare==$(certbot --version | grep -Eo '[0-9](\.[0-9]+)+') cloudflare
[7/25/2022] [10:30:43 PM] [Setup    ] › ℹ  info      Logrotate Timer initialized
[7/25/2022] [10:30:44 PM] [Setup    ] › ℹ  info      Logrotate completed.
[7/25/2022] [10:30:44 PM] [IP Ranges] › ℹ  info      Fetching IP Ranges from online services...
[7/25/2022] [10:30:44 PM] [IP Ranges] › ℹ  info      Fetching https://ip-ranges.amazonaws.com/ip-ranges.json
[7/25/2022] [10:30:44 PM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v4
[7/25/2022] [10:30:44 PM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v6
[7/25/2022] [10:30:44 PM] [SSL      ] › ℹ  info      Let's Encrypt Renewal Timer initialized
[7/25/2022] [10:30:44 PM] [SSL      ] › ℹ  info      Renewing SSL certs close to expiry...
[7/25/2022] [10:30:44 PM] [IP Ranges] › ℹ  info      IP Ranges Renewal Timer initialized
[7/25/2022] [10:30:44 PM] [Global   ] › ℹ  info      Backend PID 267 listening on port 3000 ...
`QueryBuilder#allowEager` method is deprecated. You should use `allowGraph` instead. `allowEager` method will be removed in 3.0
`QueryBuilder#eager` method is deprecated. You should use the `withGraphFetched` method instead. `eager` method will be removed in 3.0
QueryBuilder#omit is deprecated. This method will be removed in version 3.0
Model#$omit is deprected and will be removed in 3.0.
[25/Jul/2022:22:32:44 +0200] - 502 502 - GET https domain.com "/" [Client 79.104.53.14] [Length 150] [Gzip -] [Sent-to 192.168.1.2] "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" "-"
[25/Jul/2022:22:33:01 +0200] - 502 502 - POST https bitwarden.domain.com "/identity/connect/token" [Client 192.168.1.1] [Length 552] [Gzip -] [Sent-to 192.168.1.2] "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36 Edg/103.0.1264.71" "-"
[25/Jul/2022:22:33:03 +0200] - 405 405 - HEAD https home.domain.com "/" [Client 208.115.199.23] [Length 0] [Gzip -] [Sent-to 192.168.1.2] "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)" "https://home.domain.com"
[25/Jul/2022:22:33:23 +0200] - 200 200 - GET https home.domain.com "/" [Client 208.115.199.23] [Length 9551] [Gzip -] [Sent-to 192.168.1.2] "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)" "https://home.domain.com"
[7/25/2022] [10:33:29 PM] [SSL      ] › ℹ  info      Renewing Let'sEncrypt certificates via Cloudflare for Cert #2: *.domain.com, domain.com
[7/25/2022] [10:33:29 PM] [SSL      ] › ℹ  info      Command: certbot renew --config "/etc/letsencrypt.ini" --cert-name "npm-2" --disable-hook-validation --no-random-sleep-on-renew 
[7/25/2022] [10:33:33 PM] [Express  ] › ⚠  warning   Command failed: certbot renew --config "/etc/letsencrypt.ini" --cert-name "npm-2" --disable-hook-validation --no-random-sleep-on-renew 
Another instance of Certbot is already running.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/tmpqdornppd/log or re-run Certbot with -v for more details.
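Two different things are visible in the log above: the certbot renewal failing because another certbot instance holds the lock, and, unrelated to it, 502 answers for requests the proxy forwarded to 192.168.1.2. The following is an added example, not part of the add-on or of the post: a parser for the access-log line format the add-on writes, run over the lines quoted above, that separates the proxying errors from everything else the log contains. SAMPLE_LINES are the lines from the post; the watch-list of sensitive paths and the function names are this example's own choices.

```python
"""Added example (not the add-on's code): parse NPM access-log lines and
triage them. SAMPLE_LINES are the lines quoted in the post; SENSITIVE_PATHS
is an assumption made for this example.
"""
import ipaddress
import re
from collections import Counter

# Format: [time] - status status - METHOD scheme host "path" [Client ip]
#         [Length n] [Gzip x] [Sent-to upstream] "user-agent" "referer"
LOG_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] - (?P<status>\d{3}) \d{3} - '
    r'(?P<method>\S+) (?P<scheme>\S+) (?P<host>\S+) "(?P<path>[^"]*)" '
    r'\[Client (?P<client>[^\]]+)\] \[Length (?P<length>[^\]]+)\] '
    r'\[Gzip (?P<gzip>[^\]]+)\] \[Sent-to (?P<upstream>[^\]]+)\] '
    r'"(?P<ua>[^"]*)" "(?P<referer>[^"]*)"$'
)

# Login/token endpoints worth a second look when hit through the proxy
# (assumed watch-list for this example, not something NPM ships).
SENSITIVE_PATHS = ("/identity/connect/token", "/auth/login_flow", "/auth/token")

SAMPLE_LINES = [
    '[25/Jul/2022:22:32:44 +0200] - 502 502 - GET https domain.com "/" [Client 79.104.53.14] [Length 150] [Gzip -] [Sent-to 192.168.1.2] "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" "-"',
    '[25/Jul/2022:22:33:01 +0200] - 502 502 - POST https bitwarden.domain.com "/identity/connect/token" [Client 192.168.1.1] [Length 552] [Gzip -] [Sent-to 192.168.1.2] "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36 Edg/103.0.1264.71" "-"',
    '[25/Jul/2022:22:33:03 +0200] - 405 405 - HEAD https home.domain.com "/" [Client 208.115.199.23] [Length 0] [Gzip -] [Sent-to 192.168.1.2] "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)" "https://home.domain.com"',
    '[25/Jul/2022:22:33:23 +0200] - 200 200 - GET https home.domain.com "/" [Client 208.115.199.23] [Length 9551] [Gzip -] [Sent-to 192.168.1.2] "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)" "https://home.domain.com"',
]


def parse_line(line):
    """Return a dict for an NPM access-log line, or None if it is something
    else (the s6 banner, certbot output, the Node deprecation warnings)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_public(ip_text):
    """True for an Internet-routable client address, False for LAN/loopback
    or anything that is not an IP at all."""
    try:
        return ipaddress.ip_address(ip_text).is_global
    except ValueError:
        return False


def triage(lines):
    """Summarise a batch of log lines: upstream failures, who is hitting the
    proxy from outside, and requests to watch-listed paths."""
    upstream_errors = Counter()   # (host, upstream) -> number of 5xx answers
    public_clients = Counter()    # Internet-side client -> request count
    sensitive_hits = []           # (client, host, path) for watch-listed paths
    skipped = 0                   # lines that are not access-log records
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        if 500 <= rec["status"] <= 599:
            upstream_errors[(rec["host"], rec["upstream"])] += 1
        if is_public(rec["client"]):
            public_clients[rec["client"]] += 1
        if rec["path"].startswith(SENSITIVE_PATHS):
            sensitive_hits.append((rec["client"], rec["host"], rec["path"]))
    return {
        "upstream_errors": dict(upstream_errors),
        "public_clients": dict(public_clients),
        "sensitive_hits": sensitive_hits,
        "skipped": skipped,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LINES).items():
        print(key, value)
```

Feed it the whole add-on log (the s6 and certbot lines are counted as skipped) and the 502 entries group by the upstream that did not answer, which is the first thing to check on that host before touching the certificate setup.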

Hello, everyone. I installed and set up the Nginx Proxy Manager with Home Assistant.
So far everything works: if I call the xxx.duckdns.org address, the login window from the access list comes up.
After I enter the access data, I am on my Home Assistant page.

Problem 1: As soon as I make a few clicks, it immediately wants me to log in again (Access List Nginx Proxy Manager).

Problem 2:
When I switch to the Settings/Integrations page and want to set up Octoprint, for example, I get the following error:

If I remove the access list in the Nginx Proxy Manager, everything works fine. With Access List this error occurs every few minutes. It makes no difference whether I use the Homeassistant Android app or the Chrome browser on my cell phone or computer.

Does anyone have a solution for me?

Thanks

The address with https://xxxx.duckdns.org:8111 seems strange to me!

With Nginx Proxy Manager my external address for HA is https://yyy.xxx.duckdns.org
There is an additional subdomain in front and the port is not necessary!

Hello Cartsen, unfortunately exactly the same error after the changeover.

For everyone who is running into the INTERNAL ERROR issue, just choose “Use DNS Challenge” and put your DuckDNS token in; it took me several days to find out.
Hope this saves you some time :wink:

1 Like