How do I configure NGINX reverse proxy to allow Google Home integration?

Hi

I’m running Home Assistant in docker on my QNAP NAS.

This is my setup:

  • NGINX reverse proxy in docker (ip address 192.168.1.50)
  • Home Assistant Core in docker (ip address 192.168.1.60)
  • DDNS provided by QNAP: [name].myqnapcloud.com
  • SSL certificate from Let’s Encrypt (I’m reusing the SSL certificate provided by myqnapcloud on my NAS)
  • Port forwarding set-up in my router (port 22662 forwarded to NGINX (192.168.1.50) and NGINX then proxies to Home Assistant at 192.168.1.60 on port 8123)

This setup is working fine for me: externally, I can connect to my Home Assistant over HTTPS and on the local network, I can connect over HTTP. This is all working without a glitch.

But, when I try to connect Google Home to Home Assistant, it just does not work. No error shown in Google Home nor Home Assistant.

To link Google Home to Home Assistant, I followed the steps as defined in Google Assistant - Home Assistant. I’m sure I did everything as it is supposed to be done (see below why).

I’m getting blocked in the step where I add the service in Google Home app. When I add my service [test] <Action Name>, I get prompted with a Home Assistant login screen. I provide my credentials. After that, the login screen closes, a Google spinner is shown for about 10s and that is it. Nothing is linked.

I can fix this issue by bypassing NGINX: when I set up my port forwarding to forward [name].myqnapcloud.com:22662 directly to my Home Assistant instance on 192.168.1.60:8123 (and configure Home Assistant to use HTTPS), I have no problem with linking Google Home to Home Assistant. Home Assistant is still functional, but only over HTTPS, but this prevents me from using Home Assistant over HTTP on my local network.

So, I’m pretty sure I’m missing something in my NGINX configuration, but I just can’t figure out what. I used the NGINX add-on as the basis for my NGINX configuration: https://github.com/home-assistant/addons/blob/e933cba5a457a492fec458dcb2629e9dbadeb569/nginx_proxy/data/nginx.conf

This is my configuration:

configuration.yaml

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.1.50

nginx.conf

error_log   stderr;

events {
	worker_connections  1024;
}

http {
    map $http_upgrade $connection_upgrade {
        default     upgrade;
        ''          close;
    }
    
    server_names_hash_bucket_size   64;

    server {
        server_name                 [name].myqnapcloud.com;

        ssl_session_timeout         1d;
        ssl_session_cache           shared:MozSSL:10m;
        ssl_session_tickets         off;
        ssl_certificate             /etc/ssl/private/fullchain.pem;
        ssl_certificate_key         /etc/ssl/private/key.pem;
        ssl_dhparam                 /etc/ssl/private/dhparam.pem;
        ssl_protocols               TLSv1.2 TLSv1.3;
        ssl_ciphers                 ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
        ssl_prefer_server_ciphers   off;

        listen                      22662 ssl;
        add_header                  Strict-Transport-Security "max-age=31536000; includeSubDomains";
        
        proxy_buffering             off;

        location / {
            proxy_pass                  http://192.168.1.15:8123;
            proxy_set_header            Host $host;
            proxy_redirect              http:// https://;
            proxy_http_version          1.1;
            proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header            Upgrade $http_upgrade;
            proxy_set_header            Connection $connection_upgrade;
        }
    }

}

Can anyone spot what I’m missing?

Thanks in advance for suggestions!

Hans

I don’t understand much about your .conf, but it seems you did not include websockets.

This is my .conf

# make sure that your dns has a cname set for homeassistant and that your homeassistant container is not using a base url

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name ha.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app homeassistant;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass http://10.0.0.63:8123;

    }

    location /api/websocket {
        resolver 127.0.0.11 valid=30s;
        set $upstream_app homeassistant;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass http://10.0.0.63:8123;

        proxy_set_header Host $host;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

Thanks for the suggestion. I’m definitely going to try it.

I have websockets working on my Home Assistant UI, but maybe this is used by the Google Home integration as well.

I see a line in your config that I don’t know how to translate:

resolver 127.0.0.11 valid=30s;

Who is this 127.0.0.11?

For those that have a similar issue: I found a/the solution to my problem.

I was using a bridged network between NGINX and the QNAP NAS.

I changed this by using a dedicated IP address for NGINX (and updated the port forwarding).

So, in the end, I ended up with this configuration, which is working smoothly:

  • QNAP NAS (ip address 192.168.1.50)
  • NGINX reverse proxy in docker (ip address 192.168.1.55)
  • Home Assistant Core in docker (ip address 192.168.1.60)
  • DDNS provided by QNAP: [name].myqnapcloud.com
  • SSL certificate from Let’s Encrypt (I’m reusing the SSL certificate provided by myqnapcloud on my NAS)
  • Port forwarding set-up in my router (port 22662 forwarded to NGINX (192.168.1.55) and NGINX then proxies to Home Assistant at 192.168.1.60 on port 8123)

I updated the configuration.yaml file to allow this proxy server:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.1.55

And I slightly simplified the NGINX config file:

worker_processes  1;

events {
	worker_connections  1024;
}

http {
    map $http_upgrade $connection_upgrade {
        default     upgrade;
        ''          close;
    }
    
    server {
        server_name                 -;
        listen                      22662 ssl;
        listen                      [::]:22662 ssl;

        add_header                  Strict-Transport-Security "max-age=31536000; includeSubDomains";

        ssl_session_timeout         1d;
        ssl_session_cache           shared:MozSSL:10m;
        ssl_session_tickets         off;
        ssl_certificate             /etc/ssl/private/cert/fullchain.pem;
        ssl_certificate_key         /etc/ssl/private/cert/key;
        ssl_dhparam                 /etc/ssl/private/dhparam/dhparam;
        ssl_protocols               TLSv1.2 TLSv1.3;
        ssl_ciphers                 ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
        ssl_prefer_server_ciphers   off;
        
        proxy_buffering             off;

        location / {
            proxy_pass                  http://192.168.1.60:8123;
            proxy_set_header            Host $host;
            proxy_redirect              http:// https://;
            proxy_http_version          1.1;
            proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header            Upgrade $http_upgrade;
            proxy_set_header            Connection $connection_upgrade;
        }
    }

}
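An added example, not part of the original posts and not Home Assistant's own code: a generic model of how a backend behind the proxy above can evaluate X-Forwarded-For against a trusted_proxies list. It shows why the list has to contain the address the backend actually sees as the TCP peer, and why a header built with $proxy_add_x_forwarded_for must be read from the right. The function name and all client addresses are constructed for illustration.

```python
import ipaddress


def resolve_client_ip(peer_ip, xff_header, trusted_proxies):
    """Return the client address a backend should log and rate-limit on.

    peer_ip:         address of the TCP peer as the backend sees it
    xff_header:      raw X-Forwarded-For value, or None if absent
    trusted_proxies: IPs or CIDR ranges, as listed under trusted_proxies
    """
    trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def is_trusted(addr):
        return any(addr in net for net in trusted)

    peer = ipaddress.ip_address(peer_ip)
    # A header sent by a peer that is not a listed proxy is client-controlled:
    # ignore it and fall back to the socket address.
    if not xff_header or not is_trusted(peer):
        return str(peer)

    # $proxy_add_x_forwarded_for appends the proxy's view of the client to
    # whatever the client sent, so only the right-hand side is reliable.
    # Walk right to left and stop at the first hop that is not a trusted proxy.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop trusting the rest of the header
        if not is_trusted(addr):
            return str(addr)
    return str(peer)


if __name__ == "__main__":
    trusted = ["192.168.1.55"]  # proxy address from the configuration.yaml above
    # Constructed requests: (TCP peer seen by the backend, X-Forwarded-For value)
    samples = [
        ("192.168.1.55", "203.0.113.7"),            # normal proxied request
        ("192.168.1.55", "10.9.9.9, 203.0.113.7"),  # client pre-set the header
        ("172.17.0.1", "203.0.113.7"),              # peer is not the listed proxy
        ("192.168.1.55", "not-an-ip"),              # malformed header
    ]
    for peer, xff in samples:
        print(peer, "|", xff, "->", resolve_client_ip(peer, xff, trusted))
```

In the third sample the peer address differs from the single trusted_proxies entry, so the forwarded address is discarded and every request appears to come from that peer.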

Hello, it’s the first time I feel so connected with someone, lol! I have the exact same configuration as you do along almost every step of the way. I too am using a QNAP to host my HA container, utilizing the provided myqnapcloud domain with the certificates that QNAP auto-renews for its web interface.

The only difference is that in my case the mode I am using to create ALL of my containers (including HA and NGINX) is the one Container Station calls “Host” which practically uses the same IP address of QNAP for all containers but with different ports.
i.e.
192.168.1.4:8123 → HA
192.168.1.4:7878 → Radarr
192.168.1.4:8989 → Sonarr
etc…

I never had a problem until recently, when I realized my instance is unable to receive nest_events from the Nest Integration (Nest - Home Assistant).

Looking closer at my NGINX configuration you have some lines more than me like:

ssl_session_tickets         off; # I don't have that
ssl_prefer_server_ciphers   off; # I have that set to on
ssl_dhparam                 /etc/ssl/private/dhparam/dhparam;  # I don't have that
ssl_session_cache           shared:MozSSL:10m; # I have shared:SSL:10m

Do you think any of our above (minimal) differences could constitute a reason as to why Nest wouldn’t work?