Home Assistant (http) behind HTTPS nginx reverse proxy guide?

Hello!

I am wondering what is the current way of adding https to Home Assistant by nginx reverse proxy, and if such a config is even supposed to work…

Because recently I brought online a Home Assistant VM, that I run on a VMware ESXi host (way more powerful machine than a RPi), and I needed to be able to go through HTTPS to talk to it from outside my home network.

Found a couple of good resources here, in the forums, but I can’t make it work, for some reason.

Anyone with a recent enough install of HA and nginx as reverse SSL proxy?

I see that nginx gets mentioned here:


but following its link goes nowhere…

Any help will be greatly appreciated!

1 Like

To add a little more details here:

I am running the nginx reverse proxy on another VM, but when I try to log in I get to type my credentials, but then an error appears, saying that something went wrong, and I can hit retry.

I watched the logs of nginx and I could see the requests going through, but HA did not like something about the fact that the communication was not direct, or so it seems…

I am using Home Assistant 0.113.1:

    arch               x86_64
    chassis            vm
    dev                false
    docker             true
    docker_version     19.03.8
    hassio             true
    host_os            HassOS 4.11
    installation_type  Home Assistant OS
    os_name            Linux
    os_version         5.4.50
    python_version     3.8.3
    supervisor         229

I got the above from https://www.home-assistant.io/hassio/installation/ using the OVA virtual appliance download link.

I use my HA via an SSH tunnel to a remote server which is running an Nginx reverse proxy; my method should work without an issue in VMs.

You can read all about my setup here:

As in @pjcarly's setup you would need:

            proxy_set_header    Upgrade     $http_upgrade;
            proxy_set_header    Connection  "upgrade";

as part of the proxy configuration.
Otherwise authentication will not work. Or at least this is what I needed. Not sure exactly why, though :slight_smile:

GV

3 Likes

This is a good guide

Thanks for your replies!

It turns out that @greengolfer showed what was incorrect/missing from my nginx config - now all is fine, and I can access my Home Assistant setup from outside using secure connection.

Much appreciated, @greengolfer!

As a bonus from the whole thing - I am about to automate my home server certificate issuance as I got introduced to LetsEncrypt. Nice!

I also need a little help here. I have Hassio OS in my local network, and on the same network I have a machine, which is connected to VPN network. This machine is accessible through VPN and my idea is to also use it as Nginx reverse proxy. So, my Hassio OS will be accessible through that VPN network.

So, to clarify:

  • my LAN is 192.168.178.0/24
  • Hassio OS machine has IP: 192.168.178.200
  • VPN machine has LAN IP: 192.168.178.150, VPN IP: 10.10.8.2

I would like to access my Hassio through http://10.10.8.2/ha when I am on VPN.

In my sites-enabled/default I have:

         location /ha {
                proxy_pass http://192.178.168.200:8123;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection 'upgrade';
                proxy_set_header Host $host;
                proxy_cache_bypass $http_upgrade;
        }

Unfortunately browser says only “404: Not Found”.

Any idea?

1 Like

The above does not work for you because you have a typo in there.

I believe your line

proxy_pass http://192.178.168.200:8123;

should be

proxy_pass http://192.168.178.200:8123;

         location /ha {
                proxy_pass http://192.168.178.200:8123;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection 'upgrade';
                proxy_set_header Host $host;
                proxy_cache_bypass $http_upgrade;
        }

No, no, I had it correct on a server, just made a typo when pasting it here.

So yes, I have as you suggested, but it is still not working.

However, it is working if I am listening on port 8123 and forwarding directly to port 8123.

I am also having the same issue. Running nginx on my router trying to proxy to HA. I am able to proxy to other servers on my network but I believe HA is blocking access due to the reverse proxy.

Having the same challenge. I have tried using location /ha/ and also setting a trailing slash after the port, e.g.

    proxy_pass http://192.168.178.200:8123/;

This at least lets the logo show, doesn’t do anything else though. Also, there doesn’t seem to be a way to get the additional ‘location /api/websockets’ section to work either. I would prefer to not have to create a new fqdn for the HA server proxy for the purposes of installing ssl certificates.

Cheers
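Added example, not from the posts above: how nginx maps the request URI for the `location`/`proxy_pass` forms tried in this thread. The addresses are the ones quoted by the posters; listen ports 8081 and 8082 are made up so the variants can sit side by side in one file.

```nginx
# Variant 1, as first posted: proxy_pass has no URI part, so the request
# URI is forwarded unchanged. "GET /ha/" arrives upstream as "GET /ha/";
# an upstream that has no /ha route answers 404.
server {
    listen 8081;                       # constructed port, illustration only
    location /ha {
        proxy_pass http://192.168.178.200:8123;
    }
}

# Variant 2, trailing slashes: proxy_pass now has a URI part ("/"), so the
# part of the request URI that matched the location is replaced by it.
# "GET /ha/x" arrives upstream as "GET /x". nginx does not rewrite URLs
# inside response bodies, so any root-relative URL the page then requests
# comes back to the proxy without the /ha/ prefix and misses this location.
server {
    listen 8082;                       # constructed port, illustration only
    location /ha/ {
        proxy_pass http://192.168.178.200:8123/;
    }
}

# Variant 3, the form reported as working in this thread: a dedicated
# listener with "location /", so no path has to be added or stripped.
server {
    listen 8123;
    location / {
        proxy_pass         http://192.168.178.200:8123;
        proxy_http_version 1.1;
        proxy_set_header   Host       $host;
        proxy_set_header   Upgrade    $http_upgrade;
        proxy_set_header   Connection "upgrade";
    }
}
```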

To reiterate once again - I wanted to expose HomeAssistant outside of my home network via SSL.

To achieve this, on my LAN I run Home Assistant and a proxy machine. The proxy is then able to receive HTTPS requests on its IP/hostname if called like so:

https://my.server.net:8123/

or

https://192.168.1.6:8123/

if my.server.net points at 192.168.1.6

Once you have that working internally, all that needs to be done is port forward port 8123 to the proxy machine IP from the router

Here is my config for the nginx proxy machine:

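# $connection_upgrade is not a built-in nginx variable; it has to be defined
# by a map block in the http context, outside this server block.
server {
    listen       8123 ssl;
    server_name  my.server.net;
    # ssl_certificate / ssl_certificate_key directives go here (not shown in this post)

    location / {
        # Forward everything to the Home Assistant instance over plain HTTP
        proxy_pass          http://192.168.1.7:8123;
        proxy_http_version  1.1;
        proxy_set_header    Host             $host;
        proxy_set_header    X-Forwarded-For  $proxy_add_x_forwarded_for;
        # Pass the WebSocket upgrade request through to the upstream
        proxy_set_header    Upgrade          $http_upgrade;
        proxy_set_header    Connection       $connection_upgrade;
    }
}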

In the above, my Home Assistant instance is running on the IP 192.168.1.7

One obviously needs to prepare all the SSL things as well, but this works for me right now.

I want to use a reverse proxy with nginx proxy manager. The other way is a VPN. Is a reverse proxy really safe? Still not sure if it’s a good idea to publish it on the internet.

Here’s what each of those directives does:

  1. proxy_set_header Upgrade $http_upgrade;
  • This directive sets the “Upgrade” header in the request being sent to the proxied server. The “Upgrade” header is used in HTTP for switching the connection to a different protocol, and it is commonly used with WebSocket connections.
  • $http_upgrade is an Nginx variable that contains the value of the “Upgrade” header from the client’s HTTP request. If the client’s request contains an “Upgrade” header, it will typically specify the protocol to upgrade to, such as “websocket.”
  • By setting this header, you are informing the proxied server that the client wants to upgrade the connection to a WebSocket or another protocol, allowing the server to respond accordingly.
  2. proxy_set_header Connection $connection_upgrade;
  • This directive sets the “Connection” header in the request being sent to the proxied server. The “Connection” header indicates whether the client and server want to keep the connection open after the current request/response exchange.
  • $connection_upgrade is another Nginx variable that contains the value of the “Connection” header from the client’s HTTP request. If the client’s request contains a “Connection” header with the value “upgrade,” it signifies that the client wants to upgrade the connection to a different protocol, such as WebSocket.
  • By setting this header, you are indicating to the proxied server that the client intends to upgrade the connection.

These directives are commonly used when you are configuring Nginx as a reverse proxy for WebSocket applications. When a WebSocket connection is established, these headers are important for initiating the WebSocket handshake and ensuring that the connection is properly upgraded from a standard HTTP connection to a WebSocket connection.
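Added example, not from any of the posts above: in stock nginx `$connection_upgrade` is not predefined, and the WebSocket proxying setup in the nginx documentation defines it with a `map` on `$http_upgrade`. The block below puts that map together with the server block posted earlier in the thread; the certificate paths are placeholders.

```nginx
# Goes in the http {} context, next to (not inside) the server block.
# Derives the Connection header sent upstream from the client's Upgrade header.
map $http_upgrade $connection_upgrade {
    default upgrade;   # client sent "Upgrade: ..."  -> send "Connection: upgrade"
    ''      close;     # no Upgrade header (plain HTTP) -> send "Connection: close"
}

server {
    listen       8123 ssl;
    server_name  my.server.net;

    ssl_certificate      /path/to/fullchain.pem;   # placeholder path
    ssl_certificate_key  /path/to/privkey.pem;     # placeholder path

    location / {
        proxy_pass          http://192.168.1.7:8123;   # Home Assistant, plain HTTP on the LAN
        proxy_http_version  1.1;                       # the upgrade handshake needs HTTP/1.1 upstream
        proxy_set_header    Host             $host;
        proxy_set_header    X-Forwarded-For  $proxy_add_x_forwarded_for;
        proxy_set_header    Upgrade          $http_upgrade;
        proxy_set_header    Connection       $connection_upgrade;
    }
}
```

Run `nginx -t` before reloading; a server block that uses `$connection_upgrade` without the map fails the test with an unknown-variable error.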

Thanks!
You’ve saved my day!