How to configure Home Assistant OS running on a VM for SSL/HTTPS access? I am getting 502 Bad Gateway nginx

Hello,

Can you please help me? I have the same issue as a few people here and I have not been able to find a solution for such a long time already.

I have a linux machine on 192.168.0.110. Here it runs the official HAOS KVM (virtual machine) installation. Port of that is 192.168.0.73.

In my router, ports 80 and 443 are open for the main machine (192.168.0.110) and used by other websites.

I have a domain and an SSL certificate, so I set up an nginx reverse proxy on my host machine (192.168.0.110):

(replaced hosts with domain.xyz)

server {
    if ($host = domain.xyz) {
        return 301 https://$host$request_uri;
    }

    listen 80;
    server_name domain.xyz;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name domain.xyz;

    ssl_certificate /etc/letsencrypt/live/domain.xyz/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.xyz/privkey.pem;

    location / {
        proxy_pass http://192.168.0.73:8123;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # WebSocket support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

When I go to 192.168.0.73:8123, everything works, but when I go to https://domain.xyz it shows only 502 Bad Gateway nginx (but I can see that the domain is working with the Let's Encrypt certificate).

Can you help me with that, please? I have no problem paying someone to try to help me with this, because I am really lost.

Will this even work if ports 80 and 443 are used by other websites that run directly on the host machine (192.168.0.110)?

No one knows about this issue?

Looks like it should work.
Did you edit your Home Assistant config though to allow for the proxy? By default Home Assistant will refuse the connection until you edit the configuration.

Here’s my config:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24
    - 172.30.33.2
    - 192.168.2.17
  ip_ban_enabled: true
  login_attempts_threshold: 8

You would just need to have yours say something like:

  trusted_proxies:
    - 192.168.0.110

I tried so many things. But no, at the moment I have no http: or homeassistant: section in my HA config.

Can you please tell me what exactly is needed?

The use_x_forwarded_for: true and trusted_proxies?

Yes. - See edit.

Thank you, anyway I added this:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 255.255.255.0/24
    - 192.168.0.110
  ip_ban_enabled: true
  login_attempts_threshold: 8

and still same error.

Can you press the </> button to format that correctly so we can see it's indented properly?
You don't need that 255.255.255.0/24 line. Just the IP address of the Nginx proxy.

Yes, of course. Sorry. Edited. And I tried adding other IPs like my computer, my public IP, etc. Still not working.

I would also remove this:

server {
    if ($host = domain.xyz) {
        return 301 https://$host$request_uri;
    }

    listen 80;
    server_name domain.xyz;
    return 301 https://$host$request_uri;
}

And just stick with 443 only. Apart from anything else, I don’t understand why there are 2 sections that redirect to https? One in an if statement, and one outside it. At the very least surely only one redirect is needed?

I'm not an expert in nginx config files (I just use Nginx Proxy Manager), but to me that seems like, because the host will always match domain.xyz, it will be infinitely redirected?

It was generated by Certbot if I remember correctly.

Other websites work with it, but no problem. I removed it. Still the same issue. It was there to redirect you from http to https.

OK, and you have restarted Home Assistant after editing the config, obviously.
The next step is to go to the Home Assistant logs and see what shows up there when you try to access it via the https domain.

In NGINX error log there is still this:

2023/12/27 14:45:00 [error] 1826992#1826992: *99 connect() failed (113: Unknown error) while connecting to upstream, client: MY_PUBLIC_IP, server: domain.xyz, request: "GET /favicon.ico HTTP/2.0", upstream: "http://192.168.0.73:8123/favicon.ico", host: "domain.xyz", referrer: "domain.xyz"

In HA Settings - System - Logs, there is nothing.

Hmm, 113 is "couldn't connect to the upstream host".
With that config, and with Home Assistant restarted to ensure that the new configuration has been loaded, it should be accepting the connection now.
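As an added example (not code from this thread), a small Python triage helper for the two things discussed above: decoding the errno in the nginx "connect() failed" line, and the trusted_proxies rule that decides whether Home Assistant honours X-Forwarded-For. The proxy logic is a simplified model of Home Assistant's behaviour, not its code; the sample log line is the one posted above with a constructed client address in place of MY_PUBLIC_IP.

```python
import ipaddress
import re

# Constructed sample: the nginx error line posted in the thread, with a
# documentation-range address (203.0.113.5) standing in for MY_PUBLIC_IP.
NGINX_ERR = ('2023/12/27 14:45:00 [error] 1826992#1826992: *99 connect() failed '
             '(113: Unknown error) while connecting to upstream, client: 203.0.113.5, '
             'server: domain.xyz, request: "GET /favicon.ico HTTP/2.0", '
             'upstream: "http://192.168.0.73:8123/favicon.ico", host: "domain.xyz"')

# Linux errno values seen in "connect() failed (N: ...)". 113 means the nginx
# host has no route to the guest at all, so HA's own config is not yet in play.
CONNECT_ERRNO = {
    111: "ECONNREFUSED: host reachable, but nothing listening on that port",
    113: "EHOSTUNREACH: no route from the nginx host to the upstream address",
    110: "ETIMEDOUT: connection attempt dropped (firewall or bridge issue)",
}

UPSTREAM_RE = re.compile(r'connect\(\) failed \((\d+): .*?upstream: "\w+://([^/"]+)')

def triage_upstream_error(line):
    """Return (errno, upstream host:port, meaning) for an nginx connect() error line."""
    m = UPSTREAM_RE.search(line)
    if not m:
        return None
    code = int(m.group(1))
    return code, m.group(2), CONNECT_ERRNO.get(code, "unrecognised errno")

def is_trusted_proxy(remote_addr, trusted_proxies):
    """True if the peer that connected to HA is listed in trusted_proxies."""
    peer = ipaddress.ip_address(remote_addr)
    return any(peer in ipaddress.ip_network(n, strict=False) for n in trusted_proxies)

def resolve_client_ip(remote_addr, x_forwarded_for, trusted_proxies):
    """Simplified model of HA's use_x_forwarded_for handling (assumed, not HA's code):
    X-Forwarded-For is honoured only when it arrives via a trusted proxy, because
    any direct client could forge it and sidestep ip_ban_enabled."""
    if not x_forwarded_for:
        return remote_addr
    if not is_trusted_proxy(remote_addr, trusted_proxies):
        raise PermissionError(f"X-Forwarded-For from untrusted peer {remote_addr}")
    # Walk the chain right to left, skipping trusted hops, to reach the real client.
    for hop in reversed([h.strip() for h in x_forwarded_for.split(",")]):
        if not is_trusted_proxy(hop, trusted_proxies):
            return hop
    return remote_addr
```

Note that 255.255.255.0/24 from the earlier config never matches a LAN address, so a request through the proxy would still be rejected until the proxy's own IP is listed.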

Restarted even twice, and still the same.

Give me 5 or 10 minutes and I can probably take a look using something like AnyDesk if you want.

Oh, that would be neat, but you know it is hard to trust someone enough to give them access to my files, etc.

Here’s my working config for comparison. I use ha.mydomain.com for HA.

server {
    server_name  ha.mydomain.com;

    location / {
        proxy_pass http://192.168.0.104:8123/;
        proxy_set_header Host $host;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location /api/websocket {
        proxy_pass http://192.168.0.104:8123/api/websocket;
        proxy_set_header Host $host;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/ha.mydomain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/ha.mydomain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = ha.mydomain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen       80;
    server_name  ha.mydomain.com;
    return 404; # managed by Certbot


}

Thank you for helping, but did not work for me.

Anyway, are you also hosting HAOS? Not Docker, etc.?

Can you post your HA config, please?

HAOS running in VMware ESXi. Nginx running in a separate VM (192.168.0.50).

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.0.50
  ip_ban_enabled: true
  login_attempts_threshold: 5

Yeah, same, only the KVM is running on the host machine for me, but otherwise it's the same. So I really do not know why it is not working.