How to configure Home Assistant correctly with external URL?

Hi, I’m trying to make my HA instance available from outside of my network. Following multiple guides, my current configuration looks like the following:

System: Home Assistant OS (14.1), running Home Assistant 2025.1.2
Installed (relevant) add-ons: Duck DNS, NGINX Home Assistant SSL proxy

Duck DNS config:

domains:
  - <subdomain>.duckdns.org
token: <token>
aliases: []
lets_encrypt:
  accept_terms: true
  algo: secp384r1
  certfile: fullchain.pem
  keyfile: privkey.pem
seconds: 300

NGINX config:

domain: <subdomain>.duckdns.org
hsts: max-age=31536000; includeSubDomains
certfile: fullchain.pem
keyfile: privkey.pem
cloudflare: false
customize:
  active: false
  default: nginx_proxy_default*.conf
  servers: nginx_proxy/*.conf
real_ip_from: []

Exposed port: 443

configuration.yaml:

[...]
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24

Port forwarding on router:

From what I understood, this should suffice to make my instance accessible. However, accessing https://<subdomain>.duckdns.org only yields (after a long time of loading) “This site can’t be reached: <subdomain>.duckdns.org took too long to respond.”

Open Port Check Tool - Test Port Forwarding on Your Router shows that port 443 is open. Can anyone explain to me what I’m doing wrong?

Although I don’t use NGINX, I don’t see a path in NGINX that gets you from (outside)443->(inside)443->NGINX->HA-port (8123).
Maybe this particular HA Community NGINX guide will help. Although it is old, the last user post from Sept 2024 says it still works, but you can look at his delta config too. It shows that NGINX is listening on 443, and that it is forwarding to an address (local loopback) and port 8123.


Thank you for the hint! Unfortunately, the guide did not really help, since the add-on does not allow taking complete control of the configuration. But your comment prompted me to look at the nginx config of the add-on and realize that I had to set the port to 8123 instead of 443 in the settings. Now, at least the HA icon appears when visiting <subdomain>.duckdns.org. Unfortunately, the other assets are all timing out and the nginx logs show the following:

2025/01/17 11:42:44 [error] 128#128: *6 upstream timed out (110: Operation timed out) while reading upstream, client: XXX, server: <subdomain>.duckdns.org, request: "GET /static/images/ohf-badge.svg HTTP/2.0", upstream: "http://172.30.32.1:8123/static/images/ohf-badge.svg", host: "<subdomain>.duckdns.org", referrer: "https://<subdomain>.duckdns.org/"
2025/01/17 11:42:44 [error] 128#128: *6 upstream timed out (110: Operation timed out) while reading upstream, client: XXX, server: <subdomain>.duckdns.org, request: "GET /hacsfiles/iconset.js HTTP/2.0", upstream: "http://172.30.32.1:8123/hacsfiles/iconset.js", host: "<subdomain>.duckdns.org", referrer: "https://<subdomain>.duckdns.org/"
2025/01/17 13:19:45 [error] 128#128: *22 upstream timed out (110: Operation timed out) while reading upstream, client: XXX, server: <subdomain>.duckdns.org, request: "GET /static/images/ohf-badge.svg HTTP/2.0", upstream: "http://172.30.32.1:8123/static/images/ohf-badge.svg", host: "<subdomain>.duckdns.org", referrer: "https://<subdomain>.duckdns.org/"

I already extended my trusted_proxies section as follows:

  trusted_proxies:
    - 127.0.0.1
    - 172.30.33.0/24
    - 172.30.32.0/24

but that does not seem to help. Any ideas how to fix this?

Do you have the CNAME and A records set up with your domain registrar? Are you able to ping your domain?

I don’t have any such records, I only have the DuckDNS account. I am under the impression that this should suffice.

I cannot ping the DuckDNS subdomain. Also, what I said earlier about setting the port to 8123 seems to have been a fluke: the add-on automatically reset it to 443 and when I try to set it to 8123, it says “Failed to start add-on: Port ‘8123’ is already in use by something else on the host.”. I also don’t see the home assistant icon anymore when trying to access the page.

I’m assuming you set up the sub-domain through the duckdns website, as iirc the duckdns add-on just keeps your DNS records up to date in case your public IP address changes. Setting it up through duckdns’ site ties your sub-domain to your public IP (by setting up CNAME and A records).

You said you cannot ping your sub-domain, but can you ping your public IP and port? You could try accessing by just the IP address, i.e.

https://xxx.xxx.xxx.xxx:443

Where xxx.xxx.xxx.xxx is your public IP address (not 192.168.0.52). That may help identify if the issue is with the DNS setting or the home assistant web options.

I also see you added 172.30.32.0/24 and 172.30.33.0/24 to your trusted proxy, but in your router config, you show home assistant with an address in the 192.168.0.0/16 range. Which range is your network using?
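
On the trusted_proxies question raised in the thread: the following is an added example, not part of any post and not Home Assistant's own code. It sketches generic right-to-left X-Forwarded-For handling to show which address a backend ends up treating as the client for each trusted_proxies list. The function name, the peer and client addresses, and the widened list containing 192.168.0.0/16 are assumptions constructed for illustration.

```python
import ipaddress

# The two lists are taken from the thread; WIDENED is a hypothetical variant.
THREAD_ORIGINAL = ["172.30.33.0/24"]
THREAD_EXTENDED = ["127.0.0.1", "172.30.33.0/24", "172.30.32.0/24"]
WIDENED = THREAD_EXTENDED + ["192.168.0.0/16"]


def resolve_client(peer, xff, trusted_proxies):
    """Return the address a backend would treat as the client.

    Generic right-to-left X-Forwarded-For handling (an assumption for
    illustration, not Home Assistant's actual implementation).
    """
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]

    def trusted(ip):
        return any(ipaddress.ip_address(ip) in n for n in nets)

    # The header is only honoured when the TCP peer is itself a trusted proxy.
    if not xff or not trusted(peer):
        return peer
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    # Walk from the nearest hop outwards; the first untrusted hop is the client.
    for hop in reversed(hops):
        try:
            if not trusted(hop):
                return hop
        except ValueError:
            return peer  # malformed entry: fall back to the TCP peer
    return hops[0] if hops else peer


if __name__ == "__main__":
    # Constructed addresses: proxy add-on peer, LAN host, documentation-range clients.
    cases = [
        ("172.30.33.5", "203.0.113.7", THREAD_ORIGINAL),
        ("192.168.0.40", "203.0.113.7", THREAD_EXTENDED),
        ("192.168.0.40", "203.0.113.7", WIDENED),
        ("172.30.33.5", "198.51.100.9, 203.0.113.7", THREAD_ORIGINAL),
    ]
    for peer, xff, nets in cases:
        print(f"peer={peer:<13} xff={xff!r:<30} -> {resolve_client(peer, xff, nets)}")
```

With the thread's lists, a header arriving from a LAN address is ignored and the TCP peer is used; once the whole LAN range is trusted, the header value is accepted from any host on it, which is why trusted_proxies is best kept to the proxy's own network.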