HomeAssistant NGINX SSL proxy setup

I can try this and it works, but I need to plug this URL into the Amazon endpoint for Alexa… not sure what else to do.

Did you ever figure out why it was redirecting to /? This is driving me nuts. I know clearing cache fixes it but I don’t want to have to do that…

Unfortunately I did not. I changed my setup to use home.domain.com and deluge.domain.com etc. and created my cert to support those as well. Let’s Encrypt supports this. If you’re interested I can post my current config, probably tomorrow.

Yeah I’d like to see it. Does that get around this issue?

Yes each service I use has its own domain so the issue goes away. I’ll post what I have as soon as I can.

1 Like
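
# Certificate chain and private key issued by Let's Encrypt
ssl_certificate /etc/letsencrypt/live/home.domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/home.domain.com/privkey.pem;
# TLS session cache (10 MB) shared between worker processes
ssl_session_cache shared:SSL:10m;
# Note: TLSv1.1 was formally deprecated by RFC 8996
ssl_protocols TLSv1.1 TLSv1.2;
# Forward-secret (ECDHE/DHE) key exchange with AES-GCM or AES-256 suites
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_prefer_server_ciphers on;
# Custom Diffie-Hellman parameters used by the DHE suites
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# HSTS for one year, applied to all subdomains
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;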

proxy_buffering off;


server {
        listen 80;
        server_name *.domain.com;
        rewrite ^ https://$host$request_uri? permanent;
        client_max_body_size 25M;
}

server {
    listen 443 ssl;
    server_name del.domain.com;
    ssl on;

    location / {
        proxy_pass http://localhost:8112/;
        proxy_set_header X-Deluge-Base "/";
    }
}

server {
    listen 443 ssl;
    server_name home.domain.com;
    ssl on;

    location / {
        proxy_pass http://192.168.5.5:8123;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}

server {
    listen 443 ssl;
    server_name hass.domain.com;
    ssl on;

    location / {
        proxy_pass http://192.168.5.4:8123;
    }
}


server {
    listen 443 ssl;
    server_name octoprint.domain.com;
    ssl on;

    location / {
        proxy_pass http://192.168.5.4/;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Scheme $scheme;
        proxy_set_header X-Script-Name /;
    }

}
1 Like

Thanks, that seemed to resolve the cache issue for me as well.

1 Like

@w1ll1am23

Thank you for putting this guide together. It looks like there may be some issues with either this NGINX Proxy configuration or with the WebSockets API introduced in Home Assistant 0.38.

Has anyone been able to load their Home Assistant after upgrading?

Also, on 0.37.1 I’m seeing connection lost...reconnecting errors every so often inside of the HomeAssistant frontend. Any ideas?

Thanks!

I am not seeing this issue. I am running dev (updated yesterday); when I get a chance I’ll test out a production install and see what happens.

Just tested a fresh install of 0.38.1 and I am not seeing this problem. Maybe there was a fix for it in .1?

I am having the same issue. Upgrading to .38.1 didn’t make a difference. I enter my API key, it says connecting for a few seconds and then kicks me back to the login screen.

@justinmartin

What are you seeing in Chrome’s console.log? I even tried removing my api_password from my configuration.yaml and still no go.

Also on 0.38.1…

@w1ll1am23 – According to @balloob the only way to use NGINX is to follow this guide which I can never get working properly.

See his comment here.

Any ideas? :crying_cat_face:

Thanks!

He is correct, you need to have most of those settings or websockets won’t work.

I am using the /etc/nginx/sites-enabled/default from above and I am using the following /etc/nginx/nginx.conf:

user www-data;
worker_processes 4;
pid /run/nginx.pid;

events {
        worker_connections 1024;
}

http {

        map $http_upgrade $connection_upgrade {
            default upgrade;
            '' close;
        }

        client_max_body_size 100m;
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        access_log /dev/null; # /var/log/nginx/access.log;
        error_log /dev/null; # /var/log/nginx/error.log debug;

        gzip on;
        gzip_disable "msie6";

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}
1 Like

Updating my configuration to the linked configurations fixed it for me.

Thanks!

1 Like

@justinmartin & @w1ll1am23

I can access the Home Assistant page, however, upon entering my password I’m still getting WebSockets errors in Chrome’s console log.

/etc/nginx/nginx.conf

/etc/nginx/sites-enabled/default

configuration.yaml

Router

Home Assistant Accessible via VNC to the Raspberry Pi Running HASS

Any ideas? Thanks!

Did I miss it? I don’t see:

proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;

@kylerw – Should this be going in nginx.conf or /etc/nginx/sites-enabled/default?

Should go in the default - see below:

server {
    listen 443 ssl;
    server_name home.domain.com;
    ssl on;

    location / {
        proxy_pass http://192.168.5.5:8123;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
2 Likes
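
The check done by eye in the replies above (are the three WebSocket proxy directives present, and is `$connection_upgrade` defined by a `map`?) can be automated. The following is an added example, not code from the thread or from Home Assistant: a small Python audit of an nginx site file. The function names and sample input are constructed, and it assumes Home Assistant upstreams are the ones on port 8123, as in the configs posted here.

```python
import re

# Directives the thread says a WebSocket-capable location needs (keys lowercased).
REQUIRED = {"proxy_http_version": "1.1", "proxy_set_header upgrade": "$http_upgrade",
            "proxy_set_header connection": "$connection_upgrade"}

def blocks(text, keyword):
    """Yield (argument, body) for each `keyword arg { ... }` block, brace-matched."""
    text = re.sub(r"#.*", "", text)  # drop comments (assumes no '#' inside quotes)
    for m in re.finditer(r"(?<![\w$])%s\b([^{;]*)\{" % keyword, text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1).strip(), text[m.end():i - 1]

def directives(body):
    """Map directive name (or 'proxy_set_header <header>') to its value."""
    out = {}
    for tok in map(str.split, re.split(r"[;{}]", body)):
        n = 2 if tok[:1] == ["proxy_set_header"] else 1
        out.setdefault(" ".join(tok[:n]).lower(), " ".join(tok[n:]))
    return out

def audit(site_conf, main_conf="", port="8123"):
    """Return (server_name, location, problem) for proxied locations on `port`."""
    has_map = "map $http_upgrade $connection_upgrade" in " ".join((main_conf + site_conf).split())
    findings = []
    for _, server in blocks(site_conf, "server"):
        name = directives(server).get("server_name", "?")
        for path, loc in blocks(server, "location"):
            d = directives(loc)
            if not re.search(r":%s\b" % port, d.get("proxy_pass", "")):
                continue  # not proxying to the assumed Home Assistant port
            missing = [k for k, v in REQUIRED.items() if d.get(k) != v]
            if missing:
                findings.append((name, path, "missing " + ", ".join(missing)))
            elif not has_map:
                findings.append((name, path, "$connection_upgrade is not defined by a map"))
    return findings

# Constructed sample shaped like two of the server blocks posted in this thread.
SAMPLE_SITE = """
server { server_name home.domain.com; location / { proxy_pass http://192.168.5.5:8123;
  proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection $connection_upgrade; } }
server { server_name hass.domain.com; location / { proxy_pass http://192.168.5.4:8123; } }
"""
SAMPLE_MAIN = "map $http_upgrade $connection_upgrade { default upgrade; '' close; }"
```

Calling `audit(SAMPLE_SITE, SAMPLE_MAIN)` reports only the `hass.domain.com` location, which has `proxy_pass` and nothing else; leaving out `SAMPLE_MAIN` additionally flags `home.domain.com` because the variable it uses has no `map`.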

Thanks @kylerw. Fixed!

I have NGINX SSL working for external access to HASS, however when I try to access the URL from within my network I am getting the following errors in Chrome console:

WebSocket connection to 'wss://mysubdomain.duckdns.org/api/websocket' failed: Error in connection establishment: net::ERR_INSECURE_RESPONSE

Any ideas how to fix this? It would be nice to use the same URL as a bookmark without having to switch to the internal IP when on the network.

Thanks!

1 Like