I have a Raspberry Pi out on my network that is running NginxProxyManager so I don’t want to host it from my Home Assistant machine (from the addon). However, all the Home Assistant infrastructure is designed around having Home Assistant manage the certificates and I can’t figure out how to set up NginxProxyManager to allow TCP pass-through so HA can handle its own cert files and whatnot.
I’m guessing that’s not possible. What are my options for this if I want to have the reverse-proxy running on a different host than the one running Home Assistant?
The point of the reverse proxy is to terminate SSL at NGINX and not require the downstream services to support or even know about SSL. It doesn’t matter what machine is running NGINX - you just forward a port to that machine and then add locations that point to your internal machines and ports for the services you want to expose. Home Assistant can be one of those (with destination as machine IP and port 8123), and SSL should not be configured in Home Assistant if you’re using a reverse proxy.
I mean no offense here Rob but this statement is false. The point of the reverse proxy is to handle requests for downstream services. Otherwise the stream directive wouldn’t have been developed (for handling layer 4 transmissions). See this for more detail: Benefits of Layer 7 Load Balancing | NGINX Load Balancer
I know that you can terminate TLS at NGINX and most people do that and use unsecured internal services. I want to do something more advanced than that. I want to support both Layer 4 and Layer 7 proxying. I’m pretty sure it’s possible with several reverse proxy setups (in nginx I think it’s the ssl_preread option) but it’s so advanced and not widely used that I haven’t been able to find anyone with an example of what I’m trying to do.
For example:
I run deemix internally and it only works with insecure HTTP. For this I want the reverse proxy to terminate the TLS and forward the request via HTTP.
I run plex internally; it supports TLS well and wants to handle HTTPS traffic. For this I want the reverse proxy to forward the whole TCP transmission so plex can manage the certs and renew with Let's Encrypt. I want to do the same for Home Assistant.
I want the forwarding based on the duckdns hostname. If I use homeassistant.example.duckdns.org and deemix.example.duckdns.org I want the reverse proxy to handle those both but forward (pass through) the TLS via TCP all the way to Home Assistant while terminating the TLS on the deemix requests.
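The routing described in the post above, written out as a hand-written nginx configuration that uses the stream module's ssl_preread to pick a backend by SNI. This is an added example, not configuration from the thread, from NginxProxyManager, or from Home Assistant; the internal IP addresses, the plex port 32400 and the deemix port 6595 are assumptions, and the hostnames reuse the example.duckdns.org names from the post.

```nginx
# Added example, not from the thread. Minimal nginx.conf showing SNI-based
# routing: raw TCP pass-through for hosts that own their own certificate
# (Home Assistant, plex) and TLS termination for one that cannot (deemix).
# Requires nginx built with ngx_stream_ssl_preread_module.
events { }

stream {
    # Read the server name from the unencrypted ClientHello and choose an
    # upstream group. Unknown names fall through to the terminating server,
    # which will fail the handshake because it has no matching certificate.
    map $ssl_preread_server_name $backend {
        homeassistant.example.duckdns.org  homeassistant;
        plex.example.duckdns.org           plex;
        deemix.example.duckdns.org         local_tls_terminator;
        default                            local_tls_terminator;
    }

    # Layer 4 pass-through: the TLS session is carried untouched to the
    # backend, which presents its own certificate and handles renewal.
    upstream homeassistant { server 192.168.1.10:8123; }   # assumed internal IP, HA default port
    upstream plex          { server 192.168.1.20:32400; }  # assumed internal IP, plex default port

    # Layer 7 termination is done by the http{} server below on a loopback port.
    upstream local_tls_terminator { server 127.0.0.1:8443; }

    server {
        listen 443;
        ssl_preread on;              # peek at SNI, do not terminate TLS here
        proxy_pass $backend;
        proxy_connect_timeout 5s;
    }
}

http {
    # Terminates TLS for deemix and forwards plain HTTP to the internal host.
    server {
        listen 127.0.0.1:8443 ssl;
        server_name deemix.example.duckdns.org;

        # Certificate for this hostname only; paths are assumed.
        ssl_certificate     /etc/letsencrypt/live/deemix.example.duckdns.org/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/deemix.example.duckdns.org/privkey.pem;

        location / {
            proxy_pass http://192.168.1.30:6595;   # assumed internal IP and deemix port
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
        }
    }
}
```

Two consequences of the pass-through path are worth checking before relying on it. First, the backend sees every connection as coming from the proxy's IP, so Home Assistant's failed-login throttling, IP ban list and access logs all attribute activity to the Raspberry Pi rather than the real client; the stream server can send the PROXY protocol (`proxy_protocol on;`) but only to a backend that understands it. Second, the proxy only handles port 443, so a pass-through backend must be able to complete its own ACME renewal: an HTTP-01 challenge needs port 80 forwarded to that backend as well, whereas a DNS-01 challenge, which is what the DuckDNS add-on for Home Assistant uses, does not depend on the proxy at all.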
I got this to work finally! I tried out traefik this past weekend and found that it has the ability to handle both raw TCP layer 4 (TLS pass through) and HTTPS layer 7 (TLS terminate) transmissions, simultaneously.