Hello,
for those who use nginx as reverse proxy serving multiple domains, has anyone successfully combined home assistant and nginx reverse proxy with proxy_protocol feature enabled on the nginx?
My reverse proxy serves many other services on the LAN on different host and is configured with the stream{} upstream{} method. HA web server has been working but without X-Forwarded-For properly working. I read somewhere that enabling proxy_protol on nginx can allow the X-Forwarded-For to work but HA web server broke when it’s turned on.
I’m doing the same thing here, and using proxy_protocol on; in the nginx config (separate from HA) breaks access to HA. I get PR_END_OF_FILE_ERROR in firefox. On other systems, I’ve had to tell them to accept the “proxy protocol”, most recently in lighttpd via extforward.hap-PROXY .
I thinkthis PR aims to implement this. I’m not sure if that will be through an add-on, but it makes sense to have this feature available in the http: block of the HA configuration.
edit: enabling use_x_forwarded_for: and specifying trusted_proxies: as in the link provided by @Tinkerer has no effect.
It has to be some sort of config setting though, because Nginx Proxy Manager which obviously is using Nginx behind the scenes, works without a problem, as long as you remember to enable websockets.
I got it to work. Note that this uses an addon that I built using @miguelrjim’s changes to the nginx_proxy in the aforementioned PR. It pulls code from my personal github and runs a docker container from my personal dockerhub repository. It is in no way official nor supported.
In the add-on store, add https://github.com/gingerbreadassassin/ha-addons.nginx-proxy_protocol as a repository
Install the nginx addon
In configuration:
a. Set the Domain to whatever is your HA fqdn
b. Set proxyProtocol.enabled to true
c. Set proxyProtocol.realIpFrom to the ip of your “downstream” proxy (whatever is proxying traffic to your HA, 192.168.1.40 in my case)
enabled: true
realIpFrom: 192.168.1.40
Start the nginx_proxy plugin
In the http block of your main HA configuration:
a. Comment out the ssl options
b. add: