HomeAssistant NGINX SSL proxy setup

MMhhh, I tried and it is not working with Synology (nginx on Synology and router forwarding 443 to the Synology).

I managed to make it work with a Pi 3 (I installed nginx on the Pi 3 and I forward the router not to the Synology but to the Pi 3).

Yeah, not sure. Works fine for me doing exactly the same thing. I forward router port 443 to Synology and I have Let's Encrypt certificates for all servers I proxy. Sorry I can't help any more.

I tried setting this up as well and got it working on everything except Apple devices. Turns out there's something in WebKit that's going wrong with my setup.
To keep it simple:
I have basic_auth active on my Nginx instance on top of Home Assistant's own auth. And that's causing issues with the reverse proxy with websockets in WebKit; the header isn't being set correctly as far as I can tell, but I cannot fix it unless I disable my basic_auth on that part of my reverse proxy … which I don't like to do :stuck_out_tongue:

See topic: Using Let's encrypt certificate of Synology NAS

Ok, I fought with NGINX all weekend and finally went back to my setup as of Friday. I think the following diagram describes what I'm trying to do. I can get parts to work, but then other parts stop working. It's quite frustrating :).

The black lines represent the physical world. The red lines represent what I'm hoping nginx will do.

I'm using 1 conf file in the include directory because it seems to make a difference what order the files are loaded in as to which rules get interpreted when, and I don't know any other way to control it.

Questions:

  1. How many SSL certificates do I need, what names and where do they need to go?
  2. I have drawn this as if I am using SSL inside my LAN. That is not currently the case, and I don't really care to do that, as long as I have an encrypted connection in the outside world. So all I really want encrypted is data between the NGINX server and the outside world. Inside the LAN can be unencrypted.

Thanks

I'm not sure if it's due to an update or because I am on a Pi and using the Debian package for NGINX, but I could not get it to load without commenting out:

proxy_set_header Connection $connection_upgrade;

which it identified as an unknown option. I was having no luck with NGINX and HA though and couldn't figure out why. I did a little research and found that it is actually:

proxy_set_header Connection "upgrade";

So just in case it was related in some way to my issues, I fixed it and reloaded NGINX which no longer complained about it.

And that was all it took for HA to start working through NGINX! For me, anyway, since that was the only thing I changed in the config for that restart. Hope this helps someone.

Just a note, this may be version related: I am on NGINX 1.6.2.

Thanks to all of you :slight_smile: Finally I got it up and running with NGINX and a Let's Encrypt certificate…

And I got an A+ on http://www.ssllabs.com :slight_smile: Together with an api_password that I can't even remember, I should have a quite safe environment now!

But one question: I added the IP range of my servers to the "trusted_networks" (the NGINX server is NOT my HASS server) in my configuration, and I wasn't even asked for the password when I logged in from the internet :frowning: So the requesting IP is not the public IP but the IP of my NGINX server?

Thanks again for all those hints and tips within this thread!

Daniel

That's how it works; there is a warning about it in the http documentation. You should not use trusted networks in this kind of setup.

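The two points raised above (the `$connection_upgrade` header that NGINX rejected as unknown, and Home Assistant seeing the proxy's LAN address instead of the client's public IP) both come down to the reverse-proxy configuration. The following is an added example, not a config posted in this thread: `$connection_upgrade` is not a built-in NGINX variable but one defined by a `map` block, and the `X-Forwarded-*` headers are what carry the real client address to the backend. The hostname `hass.example.com`, the backend `192.168.1.10:8123` and the certbot-style certificate paths are assumed placeholders.

```nginx
# Added example (not from the thread): NGINX terminating TLS in front of Home Assistant.
# Assumes hostname hass.example.com, HA on 192.168.1.10:8123 over plain HTTP on the LAN,
# and certbot-style certificate paths. Adjust all three for your own setup.

# $connection_upgrade only exists if this map is present in the http context
# (a file included from conf.d/ or sites-enabled/ is inside http). Without it,
# "proxy_set_header Connection $connection_upgrade" fails at config load.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 80;
    server_name hass.example.com;
    return 301 https://$host$request_uri;   # never serve HA unencrypted to the internet
}

server {
    listen 443 ssl;
    server_name hass.example.com;

    ssl_certificate     /etc/letsencrypt/live/hass.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/hass.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;   # drop TLSv1.3 on NGINX older than 1.13

    location / {
        proxy_pass http://192.168.1.10:8123;

        # WebSocket support: the HA frontend will not work without these three lines.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # Pass the real client address to HA. Without these, HA sees every request
        # as coming from the proxy's LAN IP, which is why trusted_networks must not
        # include the proxy: it would effectively whitelist the whole internet.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Run `nginx -t` after editing to catch an unknown variable before reloading; whether Home Assistant honours `X-Forwarded-For` depends on its own `http:` settings and version, so verify what IP it logs for a request from outside.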

I guess I missed this part when I read the documentation :slight_smile:

Thanks,
Daniel

Thank you KmanOz!

You saved my day!

With your solution I can now connect to my Home Assistant from outside, but now the certificate appears as insecure.

Do you also have this situation?

Thank you in advance!

You need to create a certificate with Let's Encrypt for the domain you set up for Hass and apply it.

The certificate exists.

It has been created with Let's Encrypt using the built-in feature in Synology DSM.

The issue was related to a wrong configuration.

ISSUE CLOSED