How to have both http and https for INTERNAL LAN use only (no remote access) - is NGINX the answer?

I want to be able to use:
http://homeassistant.local:8123 AND
https://homeassistant.local:8123
nothing more, nothing less.

There has to be a way to do this. Every guide I look at assumes you want remote access and uses DuckDNS. I don’t. I have Nabu Casa for remote access, and that’s because I have Starlink and it’s literally impossible to reach my router’s IP address externally. Plus I want to support the devs and the HA project in their effort$$.

Browsers REQUIRE https for the mic to work on the Voice assistant. Too many of my other apps and devices fail when https is enabled w/ Let’s Encrypt, and there are logged HA bugs with no workarounds (OpenHasp for one).

I think NGINX is the answer here, but I’ve messed w/ it for days and am at an impasse. I’m not using DuckDNS.

I do have https working right now w/ Let’s Encrypt. So my certs are valid, and that chain of configuration works for most things like Lovelace. I use this right now for my instance:
https://home.somedomain.com:8123
It’s just that the apps I need to work cannot use https…

Do I remove this from configuration.yaml?

http:
   ssl_certificate: /ssl/fullchain.pem
   ssl_key: /ssl/privkey.pem

I’m not clear at all on how NGINX relates to LetsEncrypt, DuckDNS, etc.

I don’t use nginx, for myriad reasons, not the least of which is the complexity, as you’ve discovered. Rest assured, though, that someone will be along shortly to tell you how wrong I am and how simple it is, even though you’ve already struggled with it for days.

NOW - having said that, I do believe that in your particular case, it is the correct answer. My understanding of the way it works, at a theoretical level, is that nginx is a proxy - so you would install your SSL cert on it, and then it would initiate HTTP connections to your HA server. So the traffic would go HTTPS → NGINX → HTTP → HA.

That way you can have your HTTPS cake, and eat it, too. As a result, I think you need to remove that SSL cert from HA, since HA will never respond via HTTP if it has a cert on it - or at least no way that I’ve ever seen/read about.

This presumes that there is a valid need for both HTTPS and HTTP connectivity to HA. I’ll not venture down that rabbit hole, though, and instead take the easy way out and assume that you’ve already identified a use case for this particular type of communication that you cannot get around.

Me? I use HTTPS everywhere. Inside, outside, done. Easy.

Best of luck!

Yeah. I use OpenHasp, and sending any images from HA to the Sunton displays using https: is hopelessly broken. Issues logged, etc.

Do you want both http and https on the same port tied to the same ip address? That won’t happen.

Do you want both actually called ‘homeassistant.local’? That won’t happen either with a Let’s Encrypt cert. You don’t own that domain. It’s a local domain.

OK, I removed this:

http:
   ssl_certificate: /ssl/fullchain.pem
   ssl_key: /ssl/privkey.pem

Setting all the defaults in NGINX and setting the domain to home.mydomain.party, I get

Safari can’t open the page “https://home.mydomain.party:8123/auth/authorize?response_type=code&redirect_uri=http%3A%2F%2Fhome.shole.party%3A8123%2F%3Fauth_callback%3D1&client_id=http%3A%2F%2Fhome.shole.party%3A8123%2F&state=eyJoYXNzVXJsIjoiaHR0cDovL2hvbWUuc2hvbGUucGFydHk6ODEyMyIsImNsaWVudElkIjoiaHR0cDovL2hvbWUuc2hvbGUucGFydHk6ODEyMy8ifQ%3D%3D” because Safari can’t establish a secure connection to the server “home.mydomain.party”.

http://home.mydomain.party:8123 - works fine.
https://home.mydomain.party - gives 400: Bad Request

You will need a different port for https. (If you don’t specify a port in the browser, http is 80 and https is 443.)
Just follow the nginx docs: Securing HTTP Traffic to Upstream Servers | NGINX Documentation
Or literally any nginx guide (except the part where it redirects all http traffic to https): Setup SSL with NGINX reverse proxy · GitHub
And then the proxy_pass value would be http://homeassistant.local:8123
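Putting the two replies above together (TLS terminated on nginx, plain HTTP from nginx to HA, no forced redirect), here is what such a config looks like. This is an added example written for this thread, not a config posted by anyone in it and not the add-on’s generated config. It assumes a hypothetical hostname home.example.com (substitute the name on your Let’s Encrypt cert), that HA is reachable from the nginx host as homeassistant.local:8123 with the ssl_certificate/ssl_key lines already removed from HA, and that the cert files sit at /ssl/fullchain.pem and /ssl/privkey.pem. The `map` block belongs at the `http` level of nginx.conf (a file in conf.d works).

```nginx
# Added example (not from the thread): TLS termination in front of Home Assistant.
# Assumed names: home.example.com (public name on the cert), homeassistant.local:8123
# (HA, now plain HTTP), /ssl/fullchain.pem and /ssl/privkey.pem (cert files).
#
# Only ONE listener is defined: HTTPS on 443. There is deliberately no
# "listen 80; return 301 https://..." block, so plain HTTP keeps working
# straight against HA on its own port:
#   http://homeassistant.local:8123   -> directly to HA, unchanged
#   https://home.example.com          -> this proxy -> http://homeassistant.local:8123
# Note that https://home.example.com:8123 will NOT work any more, because
# port 8123 now speaks plain HTTP (that is the "can't establish a secure
# connection" error Safari shows).

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name home.example.com;

    ssl_certificate     /ssl/fullchain.pem;
    ssl_certificate_key /ssl/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://homeassistant.local:8123;
        proxy_http_version 1.1;

        # Let HA see the real client address and the original scheme.
        # HA only honours these when its http: section lists this proxy's
        # IP in trusted_proxies with use_x_forwarded_for: true.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # The HA frontend runs over a websocket. Without these two headers
        # the login page loads but the dashboard never finishes connecting.
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
```

Two caveats. First, HA must be told to trust this proxy: set `use_x_forwarded_for: true` and put the nginx host’s address (or, for the community add-on, the add-on network range) under `trusted_proxies` in the `http:` section of configuration.yaml, otherwise HA logs every request as coming from the proxy and may refuse the forwarded headers. Second, this buys you HTTPS only for clients that use the 443 name; the OpenHasp displays talking to port 8123 are still sending and receiving everything in the clear on the LAN, which is the trade-off the thread is asking for, not a way around it.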

that is set where?

I’m using the community Add-On…

That is part of your nginx config. Or you can use ‘nginx proxy manager’ by Frenk, and it will set up a letsencrypt cert and nginx with a GUI.

So I set “And then the proxy_pass value would be http://homeassistant.local:8123”

where???

I don’t have a UI button:

what am I missing???

Well, CRAP. I had no idea these were different…

I don’t use that. Looking at their docs, it probably auto-generates the config/proxy_pass. Did you follow all the directions, including adding

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24

They both will work, but they just work differently. The nginx manager is simpler but requires a database, and it will handle letsencrypt and such. The other will just do nginx and require you to manage duckdns/letsencrypt with another add-on. It’s up to you. But they are different.

Not sure how I get around this one…

I’m guessing the add-on is finding your certificates already generated from duckdns or something else. I’m guessing it is on the Home Assistant file system and it’s finding it. Rename them… Or the other add-on is already running with that cert. Or the duckdns add-on.

Or you already created the certificate within nginx proxy manager, and now you’re telling it to ‘request a new ssl certificate’ instead of using the one you just created.

BTW, you probably don’t want ‘force ssl’ if you want to use both ssl and non-ssl.

It’s never-ending… I removed the cert files and restarted HA. I get this when trying to submit the form

Are you using the FQDN that matches the issued certificate as the URL to connect to HA, or are you trying to connect using the IP address or homeassistant.local or something? In order to not get a certificate error, you MUST connect using the URL containing the CN the cert was issued to. This is why the use of DNSMasq is useful for HTTPS deployments.

Check the add-on logs if that happens.

I have a FQDN working and can access HA using it w/ http. I deleted the certs. I also tried using Cloudflare DNS w/ its token. I restarted my NUC.

It’s back to saying

the PEM files are gone…

Go to the SSL drop-down. Do you already have a cert??

Recall that this all worked w/ Let’s Encrypt. So the domain stuff is nailed down.