Home Assistant Community Add-on: Nginx Proxy Manager

My router does DNS; as it can see only the docker ip, all container names have the same ip.
But I think I found the problem, it is about my ipv4 / v6 configuration.
Described here

In host mode it is passed. But host mode is only available on Linux.

A special situation is when the docker host is ipv4 and ipv6 (which is quite normal today) and the containers are ipv4 only.
Then clients connecting per ipv4 are connecting the host per ipv4 (host mode/Linux only) and the correct client source address is seen in the container.
But if the client connects with ipv6 it is routed through the docker_gwbridge per ipv4 and the container can only see the IP address of the bridge. MS would say this is a feature :smile:

For a test I disabled ipv6 on my machine connecting to ha. And voila, the logs show my external ip (the one from my provider). Enabled v6 again, and it reverted to 172.30.32.1. So nginx x_forwarded_for works, but nginx does not see the real address but only the docker ip.
Only solution at the moment seems to be to start the docker container with network_mode: host but i think this is not possible using one of the addons.
Again, thank you for helping, in the end it showed me where to look further and my original problem is solved :slightly_smiling_face:

Hi! I'm using the NGINX addon with DuckDNS + Letsencrypt to access my HA (VM in ProxMox) instance externally. Now, I'd like to access additional internal VM:s through the reverse proxy. Is this possible? If it is - is there a guide?

BR,
Niklas

Yes, this is possible.
Not sure if there is a guide somewhere, but you can even achieve that with additional duckdns subdomains from your current duckdns domain. I went through this, maybe this post and the following ones by me help:

btw ! help ! I have problems while accessing ESPHOME and VSCODE addons internally by the addon, chrome browser shows blank page. other addons work well
edge shows 401: Unauthorized



when connecting without the addon, by local ip and http, the addons load but work badly due to insecure http

Has anyone experienced getting their domains flagged as deceptive/phishing from Google after using NPM?

I moved from using NGINX Proxy SSL to NPM a few weeks ago due to needing to redirect more than 1 domain to different services, and wanted secure access. Not sure how long after, the subdomain (from DuckDNS) that I was using to access HA was flagged as dangerous.
Shortly after, the other subdomain I was using to access this other addon was also flagged.

I have seen reports of people using DuckDNS subdomains of these issues. So I went and decided to use a domain of my own.
It was instaflagged too, and not only my own subdomain, but the main domain too (which was pointing to our business website). It caused quite a big deal of trouble tbh. Since it's Google's flagging system, it doesn't allow you to use OAuth services with Google's either.

After that I went ahead and did further testing today. I retraced my steps, went back to DuckDNS (same subdomain I was using) + NGINX Proxy SSL (NPM deactivated). So far it's not being flagged, which is making me strongly suspicious NPM was indeed the culprit, and I'm not sure why.

I actually need to use NPM, as I said, since I need more than just HA to be accessible remotely. And NPM was easy enough for me (non-dev) to use, including the SSL certs.

My domain has also been flagged and as far as I can see this happens to a lot of us. (I have also seen something similar with other software)
You can read more about it at:

What do you mean by NPM? is that an option in Nginx Proxy Manager?
edit: did not know it was short for Nginx proxy manager.

I am looking for a solution for this.

but it is still interesting that NGINX Proxy SSL works but NPM not, but still implements the NGINX, this sounds like an option

I have sent report to Google and few hours later it all went back to normal

@grosilver And did it never happen again? I cannot risk my entire domain to this happening once in a while. It fucked up our emails, everything started being rejected everywhere... it was a bit of chaos. Actually I've reported it this morning and I'm still waiting for it to be fixed.

@DJJo14 Yeah, I've seen that thread but it relates to DuckDNS. It was my first thought. But as I said, I tested with a domain of my own, doing DDNS on my own, without any connection to DuckDNS. And the domain was instantly flagged as soon as it connected to my local server. Which leads me to believe it's not DuckDNS fault, but NPM...

Edit: so... today the DuckDNS subdomain shows as dangerous again, just using NGINX Proxy SSL. So NPM itself is not to blame then. I'm going to deactivate it and see if DuckDNS alone is still flagged, so I can blame reverse proxies in general.

I had to restore HomeAssistant from a backup and ever since my NGINX proxies don't work anymore.

I was able to renew the certificates, all the port forwarding is still the same as before.
When I try to test the server reachability in NGINX I get this error: Communication with the API failed, is NPM running correctly?

I was reading through this thread but couldn't find anything on how to restart/reinstall NPM in homeassistant or in the NGINX add-on.

Can anyone help me here?

EDIT: Oh just realized NPM stands for NGINX Proxy Manager haha now I am even more confused. I have reinstalled the addon already and nothing changed

SOLVED: Now I feel stupid: It was all caused by a typo in the general network gateway settings of the Pi... Thanks for coming to my TED Talk

thanks - should be sticky or in some FAQ. totally helped me out. !


same, in 2023. I haven't accessed the addon for a couple of months because I didn't need to, and now I cannot log in. Password is managed by Bitwarden and should be correct.

Same. Cannot log in.

answer to myself. fixed by adding additional configuration

location / {
    # Needed to workaround VSCode Web Socket Origin error
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_http_version 1.1;
    proxy_set_header X-Forwarded-Host $http_host;

    # Proxy!
    include conf.d/include/proxy.conf;
}

Hi, with the Nginx Proxy Manager is the ZeroSSL cert with automated renew supported, if so, how to configure it? The ZeroSSL support page says it's a partner with nginx-proxy, but there are two nginx proxies available inside the HA Add-on store, which one is it? I'm a noob when it comes to ssl certificates, until now I configured them manually (generating the cert inside ZeroSSL web and downloading the certs and uploading to HA and using the configuration.yaml to locate the cert and key)

May I ask where you added this config?
I tried adding it here, but then the proxy goes offline:


I added it here. Btw, looks like it broke esphome a little, for example you can't see logs from outside. Look at the next post for the solution.

And another fix to make esphome work, but I can't set them both

After some attempts to learn nginx I did the trick
solution

proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;

and


Custom Nginx Configuration

location / {
    location /api/hassio_ingress {
    }
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_http_version 1.1;
    proxy_set_header X-Forwarded-Host $http_host;

    # Proxy!
    include conf.d/include/proxy.conf;
}

Be careful with the structure and check it )

Hi, I'm trying to configure access lists on NPM to prevent external access to some services I am going to add, but they don't seem to be working because the IP that Nginx sees for every client is 172.30.32.1.
This is also an issue because the HA ip_ban system also detects the same IP.
If I use WireGuard, the IP which gets recorded is my home network public IP.

From what I read, adding an X-Forwarded For header should do the trick, but I don't know how to do that, especially for the VPN traffic.

Also, how do I decide if I can enable cache assets, web sockets support and http/2 support depending on the service I'm using? (In my case I'd like to configure HA, Bitwarden, UniFi app, Node-RED dashboard and Nginx itself)

HA, WG (add-on) and NPM (add-on) are all hosted on my RPi.

Thanks in advance.
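
Added example, not from any post in this thread: a sketch of how a backend that honours X-Forwarded-For only from its trusted proxy resolves the client address, showing why the situation described above (the proxy itself only seeing 172.30.32.1) still defeats IP-based access lists and bans even when the header is set. The trusted network 172.30.33.0/24, the proxy address 172.30.33.2 and the sample requests are assumptions constructed for illustration.

```python
import ipaddress

# Assumption (not from the thread): the add-on proxy lives in 172.30.33.0/24.
# 172.30.32.1 is the Docker gateway address the posters see in their logs.
TRUSTED_PROXIES = [ipaddress.ip_network("172.30.33.0/24")]
DOCKER_GATEWAY = ipaddress.ip_address("172.30.32.1")

# Constructed sample: (label, socket peer seen by backend, X-Forwarded-For)
SAMPLE = [
    ("ipv4_client", "172.30.33.2", "203.0.113.10"),
    ("ipv6_client_a", "172.30.33.2", "172.30.32.1"),
    ("ipv6_client_b", "172.30.33.2", "172.30.32.1"),
    ("not_via_proxy", "192.168.1.50", "198.51.100.7"),
]

def is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)

def resolve_client_ip(peer, xff_header):
    """Address a trusted-proxy-aware backend would apply bans/ACLs to."""
    peer_addr = ipaddress.ip_address(peer)
    # Honour the header only when the direct peer is a trusted proxy.
    if not xff_header or not is_trusted(peer_addr):
        return peer_addr
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):  # right to left: nearest proxy first
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer_addr  # malformed entry: fall back to the socket peer
        if not is_trusted(addr):
            return addr
    return peer_addr

def audit(requests):
    """Group request labels by the client address the backend resolves."""
    seen = {}
    for label, peer, xff in requests:
        seen.setdefault(str(resolve_client_ip(peer, xff)), set()).add(label)
    return seen

def masked_by_gateway(seen):
    """Labels whose real address was replaced by the Docker gateway."""
    return seen.get(str(DOCKER_GATEWAY), set())

if __name__ == "__main__":
    result = audit(SAMPLE)
    print(result)
    print("indistinguishable clients:", sorted(masked_by_gateway(result)))
```

Every client that lands in the gateway bucket shares one identity, so an allow rule or a ban on that address applies to all of them at once.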

Sorry if this is a stupid question, but will this add on conflict with dyndns & SSL certificates run/installed directly on my UDM Pro router?

I have a domain for my UDM Pro using Duck DNS and SSL certificates using GitHub - alxwolf/ubios-cert: Manage SSL / TLS certificates with acme.sh (Let's Encrypt, ZeroSSL) for Ubiquiti UbiOS firmwares.

I would like to setup https access to the Plex addon, as well as Overseerr and it looks like the Nginx Proxy Manager is designed to do this, but I'm worried that either it won't work or will conflict with the ubios-cert setup.

So can I simply install the Nginx Proxy Manager addon, or do I first need to undo the ubios-cert and dyndns setup on my UDM Pro?

i think u must use different ports and subdomains and forward port 80 to pass letsencrypt check