HomeAssistant NGINX SSL proxy setup

Good luck. The Synology aspect probably adds a layer of obfuscation, but if it would be helpful for me to post my whole config, let me know.


For anyone who has a Synology DS and is using the reverse proxy feature under the application portal (nginx), there is a small patch you can apply to allow Websockets for all servers proxied and HASS works perfectly.

Check this and enjoy.

Kman


Thanks =) This helped me!

I know this is an old thread, sorry for resurrecting it.
I’m going to give this a try this weekend probably, but I want to make sure about a couple of things before I dedicate another RPI :).

  1. My internal network is running off of a dual homed linksys router.
  2. The backup path, goes to my verizon wireless modem.
  3. The primary path, goes to an AT&T router, which connects to AT&T through DSL (I know, I live in the country, it sucks).

So my HA environment is behind two routers 99% of the time, and the other 1% of the time, not getting to HA is the least of my worries. So let's focus on the path out through the AT&T router. Where should I install NGINX? Should it be between the AT&T router and the Linksys router, or on the main network with all the rest of my servers behind the Linksys router?
I understand internal networking, but when it comes to proxies and reverse proxies my knowledge falls off quickly.

What I want to be able to do is this.

  1. Access HA remotely via web browser
  2. SSH into my HA server and hopefully my other servers without having to go through the HA server to get to them.
  3. Open a VNC session on any of my servers.
  4. Basically I want to be on my home network without opening every port up on the routers.
  5. I’m not sure if a VPN is a viable solution because of the two router situation.

Thanks

Thanks Kman, this old post saved my day!

I would suggest, you try the following: http://www.pivpn.io

It took me less than 30 mins to get my VPN up and running (including securing my Pi a little bit better). Together with EntryDNS (or DuckDNS, or …) it works like a charm and I don't have to worry about changing public IP addresses.

After you connect to your home VPN you have FULL access to everything: SSH, VNC, RDP or whatever you need :)

Bye,
Daniel

Same for me. Did you solve it?

Yes. You should have kept reading this thread. You only have to look 5 posts above this one and the answer is there :)

Hmm, I tried and it is not working with Synology (nginx on the Synology and the router forwarding 443 to the Synology).

I managed to make it work with a Pi 3 (I installed nginx on the Pi 3 and I forward the router not to the Synology but to the Pi 3).

Yeah, not sure. Works fine for me doing exactly the same thing. I forward router port 443 to the Synology and I have Let's Encrypt certificates for all servers I proxy. Sorry, I can't help any more.

I tried setting this up as well and got it working on everything except Apple devices. Turns out there's something in WebKit that's going wrong with my setup.
To keep it simple:
I have basic_auth active on my nginx instance on top of Home Assistant's own auth. And that's causing issues with the reverse proxy with websockets in WebKit: the header isn't being set correctly as far as I can tell, but I cannot fix it unless I disable my basic_auth on that part of my reverse proxy … which I don't like to do :P

See topic: Using Let's encrypt certificate of Synology NAS

Ok, I fought with NGINX all weekend and finally went back to my setup as of Friday. I think the following diagram describes what I’m trying to do. I can get parts to work, but then other parts stop working. It’s quite frustrating :).

The black lines represent the physical world. The red lines represent what I’m hoping nginx will do.

I’m using 1 conf file in the include directory because it seems to make a difference what order the files are loaded in as to which rules get interpreted when and I don’t know any other way to control it.

Questions:

  1. How many SSL certificates do I need, what names and where do they need to go?
  2. I have drawn this as if I am using ssl inside my lan. That is not currently the case, and don’t really care to do that, as long as I have an encrypted connection in the outside world. So all I really want encrypted is data between the NGINX server and the outside world. Inside the lan can be unencrypted.

Thanks

I’m not sure if it’s due to an update or because I am on a Pi and using the debian lib for NGINX, but I could not get it to load without commenting out:

proxy_set_header Connection $connection_upgrade;

which it identified as an unknown option. I was having no luck with NGINX and HA though and couldn’t figure out why. I did a little research and found that it is actually:

proxy_set_header Connection "upgrade";

So just in case it was related in some way to my issues, I fixed it and reloaded NGINX which no longer complained about it.

And that was all it took for HA to start working through NGINX! For me, anyway since that was the only thing I changed in the config for that restart. Hope this helps someone.

Just a note, this may be version related - I am on NGINX 1.6.2
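For anyone hitting the same "unknown variable" error: `$connection_upgrade` is not a built-in nginx variable. It is normally defined by a `map` block in the `http` context, and if that map is missing nginx refuses to load the config. Hard-coding `"upgrade"` works without the map, but then every proxied request carries `Connection: upgrade`, whereas the map only does so when the client actually sent an `Upgrade` header. The following is an added example (not a config posted in this thread) of a complete nginx server block for Home Assistant with the map in place. The hostname `hass.example.com`, the certificate paths and the upstream `192.168.1.10:8123` are assumptions for illustration; substitute your own.

```nginx
# Added example, not from the thread. Hostname, cert paths and the
# 192.168.1.10:8123 upstream are placeholders.

# This map belongs in the http {} context (nginx.conf or a file under conf.d).
# If the client sent "Upgrade: websocket", forward "Connection: upgrade";
# for ordinary requests send "Connection: close" to the backend instead.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Plain HTTP only redirects; nothing is served unencrypted to the internet.
server {
    listen 80;
    server_name hass.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name hass.example.com;

    ssl_certificate     /etc/letsencrypt/live/hass.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/hass.example.com/privkey.pem;
    ssl_protocols       TLSv1.2;          # drop SSLv3/TLS1.0/1.1 for the SSL Labs grade

    location / {
        # Home Assistant on the LAN, spoken to over plain HTTP (TLS ends here).
        proxy_pass http://192.168.1.10:8123;

        # WebSocket support: HTTP/1.1 plus the two upgrade headers.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # Pass the original host and client address through to the backend.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect off;
    }
}
```

Run `nginx -t` after editing; a missing map shows up there as an unknown-variable error before you reload anything.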

Thanks to all of you :slight_smile: Finally I got it up and running with NGINX and LetsEncrypt certificate…

And I got an A+ on http://www.ssllabs.com :) Together with an api_password that I can't even remember, I should have a quite safe environment now!

But one question: I added the IP range of my servers to the "trusted_networks" (the NGINX server is NOT my HASS server) in my configuration and I wasn't even asked for the password when I logged in from the internet :( So the requesting IP is not the public IP but the IP of my NGINX server?

Thanks again for all those hints and tips within this thread!

Daniel

That's how it works; there is a warning about it in the http documentation. You should not use trusted networks in this kind of setup.

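To make the answer above concrete: once nginx sits in front of Home Assistant, the TCP peer of every request is the nginx host, so an IP allow-list like trusted_networks sees a LAN address for every internet visitor and skips the password entirely. The only safe way to recover the real client address is to honour `X-Forwarded-For` solely when the request comes from a proxy you control, and to read it from the right-hand end (the hop appended by your proxy), because the left-hand part is whatever the client chose to send. The following is an added example (not code from this thread or from Home Assistant) that shows the bypass with a naive resolver and the proxy-aware alternative side by side. The LAN range `192.168.1.0/24`, the proxy address `192.168.1.20` and the header values are constructed for the example.

```python
"""Added example, not from the thread or from Home Assistant.

Shows why IP-based trust breaks behind a reverse proxy and how a
proxy-aware client-IP resolver fixes it. All addresses are constructed.
"""
import ipaddress

# Assumed LAN range that an admin put in trusted_networks.
TRUSTED_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]
# Assumed address of the nginx host; only this peer may set X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_address("192.168.1.20")]


def in_networks(ip, networks):
    """True if the textual address falls inside any of the networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def naive_client_ip(remote_addr, headers):
    """What an app sees with no proxy awareness: the TCP peer address.
    Behind nginx that is always the proxy, never the visitor."""
    return remote_addr


def proxy_aware_client_ip(remote_addr, headers, trusted_proxies=TRUSTED_PROXIES):
    """Resolve the real client address behind one or more trusted proxies.

    - If the TCP peer is not a trusted proxy, the header is untrusted and
      the peer itself is the client.
    - Otherwise walk X-Forwarded-For from the right: each trusted proxy
      appended the address it saw, so the first hop that is not a trusted
      proxy is the client. Anything further left was supplied by the
      client and may be forged.
    - Refuse (None) on malformed values or when no client hop remains.
    """
    peer = ipaddress.ip_address(remote_addr)
    if peer not in trusted_proxies:
        return remote_addr
    xff = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # garbage in the header: do not guess
        if addr not in trusted_proxies:
            return hop
    return None  # every hop was one of our proxies; no client address


def auth_required(remote_addr, headers, resolver):
    """Mimic a trusted_networks check: skip the password only for a
    resolvable client address inside TRUSTED_NETWORKS."""
    client = resolver(remote_addr, headers)
    if client is None:
        return True
    return not in_networks(client, TRUSTED_NETWORKS)


if __name__ == "__main__":
    # An internet visitor at 203.0.113.5 reaches HA via the nginx host.
    # nginx's proxy_add_x_forwarded_for appended the visitor's address.
    req = ("192.168.1.20", {"X-Forwarded-For": "203.0.113.5"})
    print("naive  -> auth required:", auth_required(*req, naive_client_ip))
    print("aware  -> auth required:", auth_required(*req, proxy_aware_client_ip))
    # A visitor trying to spoof a LAN address ends up on the left; the
    # rightmost hop (added by nginx) still identifies them.
    spoof = ("192.168.1.20", {"X-Forwarded-For": "192.168.1.50, 203.0.113.5"})
    print("spoofed header resolves to:", proxy_aware_client_ip(*spoof))
```

The naive resolver reports the proxy's own LAN address for the internet visitor and waves them through, which is exactly the behaviour reported above. The proxy-aware resolver only believes the header when the peer is the nginx host and still resolves a spoofed `X-Forwarded-For: 192.168.1.50` to the real public address. Home Assistant's http integration exposes the same idea through its `use_x_forwarded_for` option (and, in later releases, `trusted_proxies`); check the documentation for the version you run before relying on trusted networks behind a proxy at all.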

I guess I missed this part when I read the documentation :)

Thanks,
Daniel

Thank you KmanOz!

You saved my day!

With your solution I can now connect to my Home Assistant from outside, but now the certificate appears as insecure.

Do you also have this situation?

Thank you in advance!

You need to create a certificate with Let's Encrypt for the domain you set up for Hass and apply it.

The certificate exists.

It has been created with Let's Encrypt using the built-in feature in Synology DSM.

The issue was related to a wrong configuration.

ISSUE CLOSED