Home Assistant OS + External NGINX (not addon)

catmilk · May 6, 2022, 2:04am

Is there a guide for getting Home Assistant OS to work with an external NGINX docker for Cloudflare Origin Certs?

I already have NGINX running elsewhere so ports 443 & 80 are taken on my network so i don’t think I can run 2 instances of NGINX on the network. Im looking for the Cloudflare Origin Cert to work as my Home Assistant was exposed over DuckDNS and was getting daily brute force attempts. My Ubiquiti IDS is seeing attempts on my network as well so the less visibility out there the better without having to go down a VPN route.

I’m getting mixed results when i try to use the external NGINX docker, like being able to see the login page but it fails login after 2fa and the loop restarts, or the page being visible on my web browser on my mobile but the Home Assistant Android APP not seeing the server running.

CentralCommand · May 6, 2022, 2:44am

Did you start here? They link a guide for setting up nginx with their origin certificate.

As for the HA side, just look at the nginx addon. I know youre not actually using the addon but you can still reference it’s nginx config as an example.

Also don’t forget to add your reverse proxy as a trusted proxy or HA will not like it.

DavesCodeMusings · May 6, 2022, 3:11am

I have Nginx running as a Docker container using this docker compose file:

services:
    nginx:
        image: nginx
        container_name: nginx
        hostname: nginx
        restart: unless-stopped
        ports:
        - 80:80
        - 443:443
        volumes:
        - /etc/ssl:/etc/ssl:ro
        - /opt/docker/nginx/conf.d:/etc/nginx/conf.d
        - /srv/www:/usr/share/nginx/html:ro

Inside Nginx’s conf.d directory I have 00_default.conf that configures Nginx to use the SSL cert (and also serves static html files.)

# This avoids an error message 'could not build server_names_hash'.
server_names_hash_bucket_size 64;

# Serve static files
server {
    listen 80;
    listen 443 ssl;
    server_name  anubis.home;
    ssl_certificate  /etc/ssl/certs/anubis.home.crt;
    ssl_certificate_key  /etc/ssl/private/anubis.home.key;
    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }
}

For Home Assistant reverse proxy, I have homeassistant.conf:

# Home Assistant redirection and SSL off-loading.
server {
    server_name homeassistant.anubis.home;
    return 301 https://homeassistant.anubis.home;
}

# Do not use "proxy_set_header X-Forwarded-For $remote_addr;" or Home Assistant
# will block the request.
server {
    server_name homeassistant.anubis.home;
    listen 443 ssl;
    location / {
        proxy_pass http://anubis.home:8123;
    }
    location /api/websocket {
        proxy_pass http://anubis.home:8123;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

I did not need to adjust the Home Assistant trusted proxies, because I’m not using X-Forwarded-For.

Hopefully some of this will help.