Home Assistant Community Add-on: Nginx Proxy Manager

You’re spot on. I just checked: Let’s Encrypt (and anything using certbot, and most ACME clients) uses port 80 by default.

There’s a workaround, the DNS challenge, but you will most likely have to do it manually and play with the DNS zone records. I think in DuckDNS you will only be able to do this for one domain/subdomain as you only have one TXT record.
https://jmorahan.net/article/lets-encrypt-without-port-80
https://github.com/certbot/certbot/issues/6496

At this point I recommend you dump DuckDNS and get your own domain in Cloudflare; having your own domain and having Cloudflare as DNS makes everything work effortlessly and more securely. It will probably cost you about 15-20 USD for 2 years; the longer the term, the cheaper it is. It is basically the domain cost only.

What you get from Cloudflare are security features which you should take advantage of since you’re exposing your instance to the internet. Using the FREE tier you get:

  • Cloudflare acts as a proxy, the IP resolved from your hostname does NOT point to your public IP. It will be pointing to Cloudflare servers. This is HIGHLY desirable.

  • You get DNSSEC

  • Firewall rules. Managed rules (you get protected from HTTP, UDP, SYN, ACK and QUIC floods), and firewall rules (block known bots, block based on the threat score of an IP).
    In my case I block ALL bots and just allow Google and UptimeRobot bots to reach my instance so I can use Google Assistant. I do a JavaScript Challenge for low threat score IPs and block high threat score ones (IPs known for malicious activity). I have also blocked or put a challenge on HIGH risk countries such as Ukraine, Russia, China. You can have rate limiting so if any IP exceeds a threshold it will be blocked; this is highly effective. You can also block specific user agents.

  • Cloudflare Access. This is VERY good, but you’re limited to 5 users. Basically you can have an extra authentication step in Cloudflare, so anyone using your domain MUST authenticate. You can add exceptions to Cloudflare Access; in this case I added the Google API and UptimeRobot IPs as exceptions so they do NOT have to authenticate.
    You will run into this authentication page, and you can authenticate via several methods as per below and more. I can either get a “magic” link to authenticate without entering any codes, get a code by email, or use other methods like FB or Google authentication.


    You can also create page rules to disable or enable features based on the URL. So you can expose specific URLs.

Once you’ve done such things you can basically DROP everything in your firewall that is NOT coming from Cloudflare servers; you only allow traffic coming from their proxy servers. Everything will have to go through Cloudflare, including API calls, webhooks, etc., but you get the extra layers of security.

Or you can also disable the proxy feature in Cloudflare and let everything go straight to your instance, letting it be just a DNS resolver. Basically what DuckDNS is doing.

As an extra you get one free wildcard certificate, analytics, FAST DNS resolver, and additional modes if you think you’re getting hacked. Also they do some black magic to speed up everything. Not a pro in this, just got started but I am more than happy with the features.

So basically anyone running into a HA instance will run into the Cloudflare firewall (dangerous IPs, bots, high risk countries and others get blocked or challenged based on the risk), then Cloudflare Access authentication, then you can reach your instance. Authentication can be saved so you do it once from known clients.

And anyone trying to reach you by IP address directly will be dropped by your firewall since only Cloudflare servers will be whitelisted.

I have a bunch of subdomains for several services like NextCloud, PLEX, HA, Unifi, CCTV system, etc. Definitely not a must have, but a really nice thing to have.

4 Likes
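The “drop everything not coming from Cloudflare” step in the post above is easy to get wrong if the allow-list is loaded blindly: a fetch that returns garbage or an over-broad prefix would silently open the ports to everyone. The following is an added example, not code from the post or from the Nginx Proxy Manager add-on. It parses Cloudflare’s published range lists with fail-closed validation and renders an nftables table that accepts TCP 80/443 only from those ranges (plus any LAN ranges you pass) and drops the rest. The embedded range snapshots are illustrative samples so the script runs offline; the real lists are at the two URLs in the code and must be fetched and refreshed on a schedule. The `cf_only.py` file name and the `192.168.1.0/24` LAN range in the usage line are assumptions.

```python
"""Cloudflare-only ingress on the origin host.

Added example, not code from the forum post or the add-on. It turns Cloudflare's
published proxy ranges into an nftables ruleset that accepts TCP 80/443 only
from those ranges (plus any LAN ranges you pass) and drops the rest, which is
the "drop everything not coming from Cloudflare" step described above.
"""
from ipaddress import ip_address, ip_network

# Authoritative lists (fetch on a schedule; they change). The snapshots below are
# illustrative samples embedded so the example runs offline; do not use them as-is.
CLOUDFLARE_IPV4_URL = "https://www.cloudflare.com/ips-v4"
CLOUDFLARE_IPV6_URL = "https://www.cloudflare.com/ips-v6"

SAMPLE_IPV4 = "173.245.48.0/20\n103.21.244.0/22\n141.101.64.0/18\n104.16.0.0/13\n"
SAMPLE_IPV6 = "2400:cb00::/32\n2606:4700::/32\n"

# Refuse prefixes this broad: a corrupted or tampered list must fail closed,
# not silently turn the allow-list into "accept from anywhere".
MIN_PREFIX_V4 = 8
MIN_PREFIX_V6 = 16


def parse_ranges(text, version):
    """Parse one-CIDR-per-line text into ip_network objects of the given version (4 or 6).

    Raises ValueError on anything that is not a clean, sufficiently specific
    network of the expected family, so the caller never installs a bad rule.
    """
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        net = ip_network(line)  # strict=True: host bits set -> ValueError
        if net.version != version:
            raise ValueError(f"{net} is not IPv{version}")
        min_prefix = MIN_PREFIX_V4 if version == 4 else MIN_PREFIX_V6
        if net.prefixlen < min_prefix:
            raise ValueError(f"{net} is too broad to be a Cloudflare range")
        nets.append(net)
    if not nets:
        raise ValueError("empty range list; refusing to build an open firewall")
    return nets


def is_cloudflare(addr, v4_ranges, v6_ranges):
    """True if addr falls inside one of the given Cloudflare ranges."""
    ip = ip_address(addr)
    ranges = v4_ranges if ip.version == 4 else v6_ranges
    return any(ip in net for net in ranges)


def render_nftables(v4_ranges, v6_ranges, ports=(80, 443), lan_ranges=()):
    """Render an nftables table: accept the ports from the sets, drop other sources.

    lan_ranges are extra IPv4/IPv6 networks (e.g. your LAN) that may still reach
    the proxy directly; everything else on those ports is dropped.
    """
    lan = [ip_network(n) for n in lan_ranges]
    v4 = list(v4_ranges) + [n for n in lan if n.version == 4]
    v6 = list(v6_ranges) + [n for n in lan if n.version == 6]
    port_set = "{ " + ", ".join(str(p) for p in ports) + " }"
    lines = [
        "table inet cloudflare_only {",
        "    set cf_v4 { type ipv4_addr; flags interval; elements = { "
        + ", ".join(map(str, v4)) + " } }",
        "    set cf_v6 { type ipv6_addr; flags interval; elements = { "
        + ", ".join(map(str, v6)) + " } }",
        "    chain input {",
        "        # policy accept: only the proxy ports are touched by this table",
        "        type filter hook input priority 0; policy accept;",
        f"        tcp dport {port_set} ip saddr @cf_v4 accept",
        f"        tcp dport {port_set} ip6 saddr @cf_v6 accept",
        f"        tcp dport {port_set} drop",
        "    }",
        "}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    v4 = parse_ranges(SAMPLE_IPV4, 4)
    v6 = parse_ranges(SAMPLE_IPV6, 6)
    # Load with:  python3 cf_only.py > cf_only.nft && nft -f cf_only.nft
    print(render_nftables(v4, v6, lan_ranges=["192.168.1.0/24"]), end="")
```

The table uses `policy accept` and only matches the proxy ports, so it does not disturb SSH, WireGuard or anything else on the box; only the two web ports become Cloudflare-only. Because Cloudflare’s ranges change, run the fetch-and-render step from a timer and reload the ruleset atomically; the validation in `parse_ranges` is what makes that automation safe.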

I’ve thought about using Cloudflare but it seems too complex. Using Caddy, I currently have around 10 subdomains (working with DNS validation, so not using port 80). I just don’t see a reason to change.

Got the same problem, did you solve it?
My error is this:


[8/24/2019] [1:45:20 PM] [SSL      ] › ℹ  info      Revoking Let'sEncrypt certificates for Cert #8: xxx-docker.duckdns.org
[8/24/2019] [1:45:25 PM] [SSL      ] › ℹ  info      Renewing Let'sEncrypt certificates for Cert #9: xxx-docker.duckdns.org
[8/24/2019] [1:45:26 PM] [Express  ] › ⚠  warning   Command failed: /usr/bin/certbot renew -n --force-renewal --disable-hook-validation --cert-name "npm-9" 
Saving debug log to /data/logs/letsencrypt/letsencrypt.log
No certificate found with name npm-9 (expected /etc/letsencrypt/renewal/npm-9.conf).

Never got it working properly …
So removed it, lol

Having a big problem now, can’t access my xxx.duckdns.org, can’t renew my certificate from the ADDON (and also any other mode is not working), any clue?

$ cat letsencrypt.log
2019-09-06 08:31:41,104:DEBUG:certbot.main:certbot version: 0.30.2
2019-09-06 08:31:41,105:DEBUG:certbot.main:Arguments: ['-n', '--force-renewal', '--disable-hook-validation', '--cert-name', 'npm-4']
2019-09-06 08:31:41,106:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-09-06 08:31:41,131:DEBUG:certbot.log:Root logging level set at 20
2019-09-06 08:31:41,132:INFO:certbot.log:Saving debug log to /data/logs/letsencrypt/letsencrypt.log
2019-09-06 08:31:41,134:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.30.2', 'console_scripts', 'certbot')()
  File "/usr/lib/python3.6/site-packages/certbot/main.py", line 1364, in main
    return config.func(config, plugins)
  File "/usr/lib/python3.6/site-packages/certbot/main.py", line 1271, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python3.6/site-packages/certbot/renewal.py", line 394, in handle_renewal_request
    conf_files = [storage.renewal_file_for_certname(config, config.certname)]
  File "/usr/lib/python3.6/site-packages/certbot/storage.py", line 51, in renewal_file_for_certname
    "{1}).".format(certname, path))
certbot.errors.CertStorageError: No certificate found with name npm-4 (expected /etc/letsencrypt/renewal/npm-4.conf).

Anybody also using the Wireguard addon?

How do you configure the NGINX Proxy Manager addon to listen on port 51820 for Wireguard to function? I’m assuming it’s something to do with either ‘custom locations’ or something to add in the advanced options, but I have no idea what to change/add.

Any help would be appreciated.

Thanks!

Not even sure what you are asking because the 2 things are unrelated. You need to forward UDP port 51820 just like you forwarded TCP ports 80 and 443 for Nginx Proxy Manager.

Hello. I am trying to enable external access to Home Assistant API without external access to UI.

Can I do it with this add-on?

I use DDNS and forwarded a port from my router to port 80 (used by the Nginx Proxy Manager add-on). How can I add a proxy host to enable access only to http://ip_address:8123/api/?

I think I figured it out.
To allow access only to http://ip_address:8123/api/:

  1. I added a custom location / with forward hostname and port homeassistant 8123 and these additional options:

         deny all;
         return 404;

  2. I added a custom location /api/ with hostname and port homeassistant/api/ 8123.

Seems to work.

Thanks for the reply, I really appreciate it!

OK, I’ll keep looking for the problem then. I asked this question because when I install the NGINX Proxy Manager addon, Wireguard stops working. I assumed that was because I still needed to allow something that I hadn’t. Yes, I’ve forwarded those ports. The addons work separately for me, but not together.

hi there
has anyone worked out how to password protect the custom locations?

Or I wonder if I am setting this up correctly (I prefer not to use subdomains).
So I set up 1 host and add custom locations, but it only protects the host, not the custom locations. See the screenshot below. Is this the right way, or is it much better to use subdomains?

Thanks!


Anyone know if there’s a way to specify a URL to a certificate? E.g. Running the duckdns addon it already generates certificates. Can we point the certfile location to /ssl/privkey.pem?

Hi to all, I’m having problems getting SSL certificates; it keeps giving me a timeout. Here’s my log:

[9/22/2019] [10:03:04 AM] [Nginx    ] › ℹ  info      Reloading Nginx
[9/22/2019] [10:03:04 AM] [SSL      ] › ℹ  info      Requesting Let'sEncrypt certificates for Cert #14: mydomain.duckdns.org:8989
[9/22/2019] [10:03:23 AM] [Nginx    ] › ℹ  info      Reloading Nginx
[9/22/2019] [10:03:23 AM] [Express  ] › ⚠  warning   Command failed: /usr/bin/certbot certonly --cert-name "npm-14" --agree-tos --email "[email protected]" --preferred-challenges "dns,http" -n -a webroot -d "maydomain.duckdns.org:8989" 
Saving debug log to /data/logs/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mydomain.duckdns.org
Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. mydomain.duckdns.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://mydomain.duckdns.org/.well-known/acme-challenge/06PKZIapaNhDmqYgGCCNiwonGgWuqPAN9mvn88xFoH4: Timeout during connect (likely firewall problem)

Would appreciate any help.
Rgds

Looks like you are using the http challenge so Port 80 needs to be forwarded to port 80 for that to work.

Hi thanks for the reply,
It is already forwarded: RPi IP 80 to 80, and also 443 to 443. Anything else that could be going wrong?

Rgds

I have set up the add-on and it is working. However, how do I limit access to Home Assistant only from the nginx proxy? I want to avoid people bypassing it. Anyone know what I need to add in the HA config for this?

Thomas

You would have to add a whitelist and use_x_forwarded_for in http:

With whitelist, do you mean “trusted_proxies”? And would this disable direct access without passing through a browser?

Tnx,

Thomas

It would unless you whitelisted your internal IP as well!
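The exchange above names the two `http:` options involved, `use_x_forwarded_for` and `trusted_proxies`, but not what a trusted-proxy list actually decides. Below is an added example, not Home Assistant’s own code: the usual rightmost-untrusted rule for `X-Forwarded-For`, written out so you can see which requests a trusted-proxy list rejects, which address later per-IP logic (login banning, logging) ends up acting on, and what happens when the list is too broad. The `172.30.33.0/24` range is assumed here to be the add-on network the proxy connects from; check what your installation uses. All other addresses are constructed for illustration.

```python
"""What a trusted_proxies list does (and does not) protect.

Added example, not Home Assistant's code: the usual rightmost-untrusted rule for
X-Forwarded-For, so you can see which requests a trusted-proxy list rejects
and which it lets through. Addresses below are constructed for illustration.
"""
from ipaddress import ip_address, ip_network

# Assumed proxy range: the add-on network the reverse proxy connects from.
# Check your own installation before using this value.
TRUSTED_PROXIES = ["172.30.33.0/24"]


class UntrustedForwardedFor(Exception):
    """Raised when a peer that is not a trusted proxy tries to set X-Forwarded-For."""


def client_ip(peer_ip, xff_header, trusted_proxies=TRUSTED_PROXIES):
    """Return the address a request should be attributed to.

    peer_ip:    the TCP peer, i.e. the proxy or a direct client.
    xff_header: the X-Forwarded-For value, or None if absent.

    Rules:
      * No header -> the peer itself. A direct connection is NOT rejected by
        this rule; keeping port 8123 off the internet is the firewall's job.
      * Header from a peer outside trusted_proxies -> reject (spoof attempt).
      * Otherwise walk the chain from the right and return the first hop that
        is not itself a trusted proxy; that is the real client.
    """
    peer = ip_address(peer_ip)
    trusted = [ip_network(n) for n in trusted_proxies]

    def is_trusted(ip):
        return any(ip in net for net in trusted)

    if xff_header is None:
        return peer
    if not is_trusted(peer):
        raise UntrustedForwardedFor(f"{peer} is not a trusted proxy")
    try:
        hops = [ip_address(h.strip()) for h in xff_header.split(",")]
    except ValueError as exc:
        raise UntrustedForwardedFor(f"malformed X-Forwarded-For: {exc}") from exc
    for hop in reversed(hops):
        if not is_trusted(hop):
            return hop
    # Every hop is a trusted proxy: the leftmost is the farthest we can see.
    return hops[0]


def spoof_possible(trusted_proxies):
    """True if the configuration lets any internet peer set the header.

    A catch-all range (0.0.0.0/0 or ::/0) means banning and other per-IP
    logic act on attacker-chosen addresses instead of the real peer.
    """
    return any(ip_network(n).prefixlen == 0 for n in trusted_proxies)


if __name__ == "__main__":
    # Via the proxy: attributed to the real client behind it.
    print(client_ip("172.30.33.5", "203.0.113.7"))
    # Direct hit on :8123 with a forged header: rejected.
    try:
        client_ip("198.51.100.9", "127.0.0.1")
    except UntrustedForwardedFor as e:
        print("rejected:", e)
    # Direct hit without the header: attributed to itself, so firewall it.
    print(client_ip("198.51.100.9", None))
```

Two things the example makes visible: a forged header from a peer outside the trusted range is rejected, but a plain direct connection with no header is simply attributed to its own address, so “only from the proxy” still has to be enforced by not exposing port 8123 at all (port forwarding only 80/443 to the proxy, plus a host firewall). And `spoof_possible` flags the shortcut of trusting `0.0.0.0/0`, which lets any internet peer pick the address your IP-based banning sees.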

I’ve been trying to set up the Nginx Proxy Manager, but unfortunately, it is not working. It starts up without error and successfully creates a Let’s Encrypt SSL certificate. However, if I try to access HA through my DuckDNS URL, I get to the login screen and can input my login credentials. But as soon as I hit “Next”, it verifies the credentials and then says “Unable to connect to Home Assistant”. If I use the official Nginx add-on, then everything works fine. Any help would be highly appreciated. Thanks!