I can not access ha via duckdns and nginx

Hi,

i'm sorry but after wasting days, watching youtube tutorials and googling everything about duckdns nginx and port forwarding and even deleting my HA iso on my unraid and starting from scratch, i am destroyed and seek help.

currently i can access my HA via local http ip address 192.168.178.61:8123

i set up a duckdns account and created the subdomain(s, yes 3 as i liked to) and let the duckdns ha addon do its magic by creating a letsencrypt ssl cert.

duckdns config (test is my masked name for this documentation here):

domains:
  - testhaDOTduckdnsDOTorg
  - testncDOTduckdnsDOTorg
  - testDOTduckdnsDOTorg
token: XXXXXXXX
aliases: []
lets_encrypt:
  accept_terms: true
  algo: secp384r1
  certfile: fullchain.pem
  keyfile: privkey.pem
seconds: 300

i installed nginx and configured it hard like the tutorials stated as well:

nginx config:

domain: testhaDOTduckdnsDOTorg
hsts: max-age=31536000; includeSubDomains
certfile: fullchain.pem
keyfile: privkey.pem
cloudflare: false
customize:
  active: true
  default: nginx_proxy_default*.conf
  servers: nginx_proxy/*.conf

and i set the outside port in nginx to 8124. why not 8123 u ask? nginx told me that there is already something else using 8123, so i was not able to choose this. i don't know why… but it shouldn't matter which port i use for this.

i added the reverse port forward in my fritzbox which is the router of my IP.

for my HA ip: 192.168.178.61
and the port 8124

on my unraid i have an active piHole acting as my DNS server, where i added the DNS record of the duckdns domain:

testha.duckdns.org -> 192DOT168DOT178DOT61

and i did set piHole ip as DNS server IP in fritzbox (router).

my ha config yaml is also enhanced by me with the http block (forgot it in initial block to point out):

http:
  use_x_forwarded_for: true
  login_attempts_threshold: 5
  trusted_proxies:
    - 172.30.33.0/24
  #ssl_certificate: /ssl/fullchain.pem
  #ssl_key: /ssl/privkey.pem

i commented the ssl lines out as nginx configures and uses those pems by itself in its own config.

i restarted HA multiple times, i restarted nginx and duckdns already, i even restarted my unraid server and of course i also did restart my pc to get rid of possible temporary DNS information, which may be wrong at any time between config changes (mostly in the end).

behavior:

  • i am able to access HA locally with http + ip + port (http192DOT168DOT178DOT61:8123). That's what i would expect when using nginx anyway.
  • i am not able to access HA from outside with https + duckdns domain + port (httpstesthaDOTduckdnsDOTorg:8124)

i think at some point when testing from outside, that i got the SSL is too long SSL error. Then i tried to use dnsmasq to check if the dns record in piHole didn't work (setting fritzbox DNS server to HA ip with installed dnsmasq, configured it to upstream to piHole and created host (testha .duckdns.org) and ip (192DOT168DOT178DOT61)). But that also didn't work, so dnsmasq is currently stopped and i changed fritzbox DNS ip back to piHole. now when i try to access httpstesthaDOTduckdnsDOTorg:8124 it just gives me an error, that it is not able to connect (so not even the SSL too long error any more).

nothing helps, i'm helpless, maybe someone can help me!

thanks in advance!
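
Added example, not part of the original post: assuming the "SSL is too long" message above was the browser's TLS "record too long" error, this shows why that error typically means the port answered in plain HTTP (as Home Assistant's 8123 does with the ssl lines commented out) instead of TLS. The reply bytes are constructed samples and the function names are hypothetical.

```python
import struct

# A TLS record starts with a 5-byte header:
# content type (1 byte), protocol version (2 bytes), payload length (2 bytes).
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
MAX_TLS_RECORD = 2**14 + 2048  # largest record a TLS 1.2 peer may send (RFC 5246)

# Constructed sample replies (not captured from the poster's network).
PLAIN_HTTP_REPLY = b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/plain\r\n\r\n"
TLS_REPLY = bytes([22, 3, 3, 0, 90]) + b"\x02" + bytes(89)  # handshake record, 90-byte body


def read_record_header(data: bytes) -> dict:
    """Decode the first 5 bytes the way a TLS client would."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes of the reply")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return {"type": ctype, "version": (major, minor), "length": length}


def classify_reply(data: bytes) -> str:
    """Classify what kind of listener produced the first reply bytes."""
    if data.startswith(b"HTTP/"):
        return "plain-http"  # the port speaks HTTP, not TLS
    hdr = read_record_header(data)
    if (hdr["type"] in TLS_CONTENT_TYPES and hdr["version"][0] == 3
            and hdr["length"] <= MAX_TLS_RECORD):
        return "tls-" + TLS_CONTENT_TYPES[hdr["type"]]
    return "unknown"


def why_record_too_long(data: bytes) -> str:
    """Explain what a TLS client sees when it parses these bytes as a record."""
    hdr = read_record_header(data)
    verdict = "exceeds" if hdr["length"] > MAX_TLS_RECORD else "fits within"
    return (f"bytes {data[:5]!r} read as a record of {hdr['length']} bytes, "
            f"which {verdict} the {MAX_TLS_RECORD}-byte limit")


if __name__ == "__main__":
    for name, reply in (("plain HTTP port", PLAIN_HTTP_REPLY), ("TLS port", TLS_REPLY)):
        print(f"{name}: {classify_reply(reply)}; {why_record_too_long(reply)}")
```

The letters "P/" of "HTTP/" land in the length field, so the client computes a 20527-byte record and rejects it; a port that really terminates TLS starts its reply with a handshake or alert record instead.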

If you ping your DuckDNS domain name do you get a reply from your ISP assigned IP address? Did you add the http entry to your configuration.yaml file?

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

I would try to eliminate DuckDNS/piHole/local DNS issues from the equation and see if you can’t get it working (testing only) with a simple port forward from external port 80 to internal port 8123 and using http://testha.duckdns.org

Ah I got this wrong - I was looking at the wrong addon (NGINX Proxy Manager), so disregard…

To which option are you referring? You shouldn’t need to set any ports on the NGINX addon. By default it uses:

  • 80 for obtaining certificate info (I think). Don’t change this.
  • 81 for the NGINX admin UI. You can change this if you want, but there’s no need.
  • 443 for receiving the external traffic. Don’t change this.

Port 8123 is Home Assistant’s port. DuckDNS is allowing you to communicate over SSL (port 443) and NGINX receives on that port and forwards to Home Assistant’s port 8123 automatically. This is why you can’t set NGINX to use port 8123, as it’s already in use by Home Assistant.

I’m no longer using it since I switched to Nabu Casa, but the NGINX Home Assistant SSL proxy add-on does ask for the external port that you’ll have forwarded in the router.

Oops, wrong addon. I’ve updated my comment. Thanks

ok i try this first. resetting nginx port to its default 443.
(background info: i know port 80 and 443 as standard definitions for http and https traffic)

but i don't have time atm. i’ll continue troubleshooting on saturday i guess :confused:

–

and for mighties post:

yeah i’ve set port 8124 in nginx.

now i will try out using default port 443 as stated. but it shouldn't make any difference. and yes i know i must adapt my routers port forwarding if i change that port.

–

i edited the initial post and added my http config there for completion.

also i can give you my nslookup situation atm:

C:\Users\username>nslookup testha.duckdns.org 192.168.178.3
Server:  pi.hole
Address:  192.168.178.3

Name:    testha.duckdns.org
Address:  192.168.178.61

and without dns server ip:

C:\Users\username>nslookup testha.duckdns.org
Server:  fritz.box
Address:  ff00::00f6:00ff:ffd0:00ff

*** Keine internal type for both IPv4 and IPv6 Addresses (A+AAAA)-Einträge für testha.duckdns.org verfügbar.

with external ip:

C:\Users\username>nslookup [external ip address also found in duckdns website for my subdomain, without port]
Server:  fritz.box
Address:  ff00::00e0:00ff:fff0:00ff

Name:    h11111111111.host.wavenet.at
Address:  [external ip address]

does my router block loopback?
shouldn't he at least be guaranteed to find the way to HA server when using the ip?

I’m no routing expert, but i don’t believe that running nslookup testha.duckdns.org should return a 192.168 IP address. It should return the external, public IP address assigned to you from your internet provider. It should return something like this:

C:\Users\username>nslookup pineapple.duckdns.org
Server:  pi.hole
Address:  192.168.178.3

Non-authoritative answer:
Name:    pineapple.duckdns.org
Address:  185.12.45.79

so what did i do wrong?

so today i started up everything again and it worked.
i marked the solution, i think that worked for me. thank you!