The article at the link describes “how to configure https ssl for Home Assistant, which is behind NAT (behind a home router) when the provider issues a gray IP address”.
But what if you need to install and configure Home Assistant on a VPS/VDS server? A white (public) IP address is issued there, so services like DuckDNS and port forwarding on a router are not needed.
The scheme is as follows:
When we enter the address example.com in the browser's address bar, Nginx on our server accepts the request on port 443. Nginx must first be configured as described at the link above; those settings specify that such requests are forwarded (proxied) to http://127.0.0.1:8123.
Nginx settings in the hass file:
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    # Update this line to be your domain
    server_name example.com;

    # These shouldn't need to be changed
    listen [::]:80 default_server ipv6only=off;
    return 301 https://$host$request_uri;
}

server {
    # Update this line to be your domain
    server_name example.com;

    # Ensure these lines point to your SSL certificate and key
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    # Use these lines instead if you created a self-signed certificate
    # ssl_certificate /etc/nginx/ssl/cert.pem;
    # ssl_certificate_key /etc/nginx/ssl/key.pem;

    # Ensure this line points to your dhparams file
    ssl_dhparam /etc/nginx/ssl/dhparams.pem;

    # These shouldn't need to be changed
    listen [::]:443 ssl default_server ipv6only=off; # if your nginx version is >= 1.9.5 you can also add the "http2" flag here
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    # ssl on; # Uncomment if you are using nginx < 1.15.0
    ssl_protocols TLSv1.2;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    proxy_buffering off;

    location / {
        proxy_pass http://127.0.0.1:8123;
        proxy_set_header Host $host;
        proxy_redirect http:// https://;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
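Home Assistant accepts and processes these requests. For Home Assistant to allow such a reverse proxy, the following lines must be written in its configuration.yaml. use_x_forwarded_for makes Home Assistant take the client address from the X-Forwarded-For header that Nginx sets, and trusted_proxies limits this to requests arriving from the listed proxy address (here Nginx on 127.0.0.1):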
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1
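Why trusted_proxies matters, as an added example that is not part of the original article and is not Home Assistant's own code: a simplified Python model of a backend that uses X-Forwarded-For only when the request arrives from a listed proxy. The helper name resolve_client_ip and the sample addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress

def resolve_client_ip(peer_ip, x_forwarded_for, trusted_proxies):
    """Simplified model (hypothetical helper, not Home Assistant's code).

    peer_ip         : address of the TCP peer (nginx on 127.0.0.1 here)
    x_forwarded_for : raw X-Forwarded-For header value, or None
    trusted_proxies : IPs or CIDRs, as listed under trusted_proxies
    """
    trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def is_trusted(addr):
        return any(addr in net for net in trusted)

    peer = ipaddress.ip_address(peer_ip)
    # The header is honoured only when the connection itself comes from a
    # trusted proxy; anyone else can put arbitrary text in it.
    if not x_forwarded_for or not is_trusted(peer):
        return str(peer)

    # nginx's $proxy_add_x_forwarded_for appends the address it saw to the
    # right of whatever the client sent, so walk the list right to left and
    # take the first hop that is not one of our own proxies.
    for hop in reversed([h.strip() for h in x_forwarded_for.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # malformed header: fall back to the peer
        if not is_trusted(addr):
            return str(addr)
    return str(peer)  # every hop was a trusted proxy


if __name__ == "__main__":
    proxies = ["127.0.0.1"]  # same value as in configuration.yaml above
    # Constructed samples (documentation address ranges).
    cases = [
        ("127.0.0.1", "203.0.113.7"),            # normal request via nginx
        ("127.0.0.1", "10.0.0.1, 203.0.113.7"),  # client pre-filled the header
        ("198.51.100.9", "127.0.0.1"),           # connection bypassing nginx
    ]
    for peer, header in cases:
        print(peer, repr(header), "->", resolve_client_ip(peer, header, proxies))
```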
Most likely, this will also work if port forwarding is done through OpenVPN or another VPN.
A few months ago I tried to do this on Apache2, but it didn't work. Either I did not fully understand the scheme, or (as people write) it is very difficult or not possible to do this through Apache.