and for certificates created with let’s encrypt?
Use NGINX to handle that, not Home Assistant.
My own writeup is here. I use Let’s Encrypt on NGINIX, and the Google Assistant component.
So in the configuration of Nginx I have to point to certificates created with Let’s encrypt?
to configure GA how should I do?
Yes
Don’t worry about that - you’re over thinking things You don’t have to configure each component on the proxy, you’re simply forwarding all connections to HA after all.
ok, but in the GA platform which address should I put?
last thing works with a domain on duckdns?
You only have ONE URL. The point of the reverse proxy is to only expose the reverse proxy, not the direct connection to the server being proxied.
of course
Here is a WORKING config that I use:
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
# Update this line to be your domain
server_name domain.com;
# These shouldn't need to be changed
listen 80;
return 301 https://$host$request_uri;
}
server {
# Update this line to be your domain
server_name domain.com;
# Ensure these lines point to your SSL certificate and key
ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
# Ensure this line points to your dhparams file
ssl_dhparam /etc/nginx/ssl/dhparams.pem;
# These shouldn't need to be changed
listen 443 http2; # if your nginx version is >= 1.9.5 you can also add the "http2" flag here
#listen 80 http2;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
ssl on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
access_log /var/log/nginx/hass.access.log;
error_log /var/log/nginx/hass.error.log;
proxy_buffering off;
location / {
proxy_pass http://homeassistant.ip.address:8123;
proxy_set_header Host $host;
proxy_redirect http:// https://;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
}
So I do not have to reconfigure Google Assistant?
thanks for the clarity now I have to buy RPi3 B+
Do you already have the Google Assistant component enabled and configured?
Yes, I have already configured and enabled the component for Google Assistant
You will need to reconfigure it to go to your public URL that you are serving through NGINX reverse proxy
If it is the same URL, then there is nothing to configure.
should you also leave port 8123 in the GA configuration?
well, that depends. are you going to run the proxy on port 8123 (which kind of defeats the purpose of the reverse proxy)?
If no, then you will need to reconfigure GA URL
what do you mean: which kind of defeats the purpose of the reverse proxy?
I would like to be able to protect all RPi3 with O.S. Hass.io
A reverse proxy doesn’t really ‘protect’ the OS.
What exactly are you looking to do? What do you think the reverse proxy does?
but a reverse proxy doesn’t really do that on its own…
the only thing a reverse proxy does is pass through the traffic.
I think you may be confused on what a reverse proxy is/does.
How do you think it will ‘protect the pages’?
Ok, thanks for the information, later I will also put a firewall that handles incoming and outgoing connections.
At least so now I do not burden the connection of RPi3 with O.S. hass.io
You could do that now and have the same effect.
I’m not sure I understand this comment.