IIS reverse proxy

I’m trying to get URL Rewrite working in IIS.

My goal is to add home-assistant to my list of sub-apps, e.g.

https://whatever.com/home-assistant/

How can I make HA serve at /home-assistant/ instead of at root /?

For example, a rewrite config might look like this

            <rule name="home-assistant" enabled="true" stopProcessing="true">
                <match url="home-assistant/(.*)" />
                <action type="Rewrite" url="http://192.168.1.2:8123/{R:1}" />
            </rule>

But since HA requests absolute paths for assets instead of relative paths, none of this works.

This is about nginx but they are having the same problem: https://github.com/home-assistant/home-assistant/issues/805

I’m also using IIS with Let’s Encrypt, I want to access all my internal stuff via the URL. I might just keep HA as the root and use directories for everything else. Think that would work? I have only just started looking into it.

For now you can’t put home assistant in a directory. It would require quite a bit of work to make it possible but it isn’t possible today. My solution was to just use a subdomain, so I use https://ha.example.com for my Home Assistant and then https://example.com/webapp1 and /webapp2 for other things. Home Assistant isn’t even the only product I couldn’t get working in a directory, so I actually have several subdomains.

I found some of the other resources I wanted to access also need to be in the root (e.g. IP camera) so I just use the directories in http to forward to the appropriate port on https. For example http://myhost.com/camera redirects to https://myhost.com:8888 where the camera lives.

Please elaborate more on how you get this working with IIS.

I have set up several sub-domains but I cannot get IIS with rewrite to forward to a local IP address. I don’t really want to bypass IIS but if needs must I can.

I can now get an https connection to my hassio. This was done by sidestepping IIS and port forwarding directly to hassio. Let’s Encrypt provided the certificate. Turned out to be straightforward and no DuckDNS required. I will look at seeing if I can help by updating the documentation to make it easier for the next person who tries.

I would like to give your method a try.

Would you mind sharing the full instructions for your method?

Thanks.

Sure - this is the config file that I use:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <directoryBrowse enabled="false" />
        <httpErrors errorMode="Detailed" />
        <rewrite>
            <rules>
                <rule name="http to https" stopProcessing="true">
                    <match url="(.*)" />
                    <conditions>
                        <add input="{HTTPS}" pattern="^OFF$" />
                    </conditions>
                    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
                </rule>
                <rule name="Forward to Home Assistant" enabled="true" stopProcessing="true">
                    <match url="(.*)" />
                    <action type="Rewrite" url="https://xx.yy.zz.aa:8123/{R:0}" logRewrittenUrl="true" />
                    <serverVariables>
                        <set name="HTTP_SEC_WEBSOCKET_EXTENSIONS" value="" />
                    </serverVariables>
                </rule>
            </rules>
        </rewrite>
    </system.webServer>
</configuration>

xx.yy.zz.aa is the IP address of your HA on your local network. This essentially routes your external IP address on port 80 to an internal IP address on port 8123. When connecting you do not specify a port. I.e. https://hass.mydomain.com will connect you to your HA.

I appreciate this isn’t detailed. Happy to provide more details if required but I am short of time right now.


Hi GeoffAtHome,

I tried your config file with a slight modification, since I don’t need HTTPS for now.

My Server IP: 10.0.2.15
My Raspberry Pi: 192.168.0.161:8123

And it shows below error:
[Image: Capture]

My config file:
[Image: fsdf]

Is there any additional settings required on Home Assistant as well so that connection can be established successfully?

Thanks.

@jerrychico Looks like you are missing the server variable “HTTP_SEC_WEBSOCKET_EXTENSION”. Where this comes from and what it does I don’t know other than it is important.

To set this go to your website in IIS.
Select the URL Rewrite module.
From the Actions on the right click View Server Variables.
and Add “HTTP_SEC_WEBSOCKET_EXTENSION”

Hopefully that is all that is missing.


Thanks for the info.

Since people in this thread use IIS, I was wondering if anyone knows how I can use the X-Forwarded-For header with IIS and Home Assistant. I have tried so many different approaches found on the internet, but none of them seem to do anything. All requests still come from the proxy IP.

If there is anyone that could help me with this it would be highly (no I mean really highly) appreciated!

Geoff, did you add this web.config entry to the top level for IIS, or the Default Web Site, or somewhere else?

@DeanSmith I created a sub-domain and used the reverse proxy on the sub-domain but I see no reason why it would not have worked on the default web site.

From the outside I browse to https://homeassistant.mydomain.com. Internally these get routed to https://my_homeassistant_local_ip_address:8123

Most home assistant plugs work without issues (node-red, visual studio etc). The only problem one is ESPHome but this is only for creating new devices.

Ah this is so frustrating.

  1. Router forwards ports 80 & 443 to my Windows Server with valid SSL/TLS certificates
  2. Windows Server has the following installed:
    2.1. Application Request Routing 3.0
    2.2. URL Rewrite 2.1
    2.3. Websockets Protocol
  3. Windows server has the following configured:
    3.1. ARR Server Proxy Enabled at the server level
    3.2. Application Pool “External” with No Managed Code
    3.3. Failed Request Tracing Rules between 200-399 enabled for Default Web Site
    3.4. URL Rewrite Inbound Rule for (homeassistant)(.*) rewriting to http://homeassistant.local:8123{R:2} for Default Web Site
    3.5. URL Rewrite Outbound Rule for http://homeassistant.local:8123/(.*) rewriting to https://my.domain.com/homeassistant/{R:1} for Default Web Site
  4. Home Assistant has the following configured:
    4.1. external_url set to https://my.domain.com/homeassistant in core.config
    4.2. internal_url set to http://homeassistant.local:8123 in core.config

Are there any more settings I need for the reverse proxy? Is there something in configuration.yaml I need to specify? Does anyone know what I might be missing for the latest version of the Home Assistant virtual machine?

@DeanSmith - I know this can be really frustrating. All of the above looks similar to what I am doing.

Did you add the “HTTP_SEC_WEBSOCKET_EXTENSION”? This needs to be added to both the rules and also inside IIS.

<rewrite>
  <rules>
    <rule name="http to https" stopProcessing="true">
      <match url="(.*)" />
      <conditions>
        <add input="{HTTPS}" pattern="^OFF$" />
      </conditions>
      <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
    </rule>
    <rule name="Forward to Home Assistant" enabled="true" stopProcessing="true">
      <match url="(.*)" />
      <action type="Rewrite" url="https://192.168.xx.yy:8123/{R:0}" logRewrittenUrl="true" />
      <serverVariables>
        <set name="HTTP_SEC_WEBSOCKET_EXTENSIONS" value="" />
      </serverVariables>
    </rule>
  </rules>
</rewrite>

These are the rewrite rules that I use. I am using R:0 and R:1. These are stored in web.config for the site. Nothing else is stored in the directory for the website. I am running IIS 10 on Windows Server 2019.

I have also had a recent problem when I switched ISP from Virgin to TalkTalk. With Virgin I could use the external URL on my internal network. I.e. from an external network I could access the Home Assistant but not from my local network. To fix this I have to run my own DNS server, which I did not want. It may be worth checking from an external network to help eliminate this issue.

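The posts above say the server variable has to exist both in the rule and in the IIS allowed list. The following check is an added example, not code from any poster: it compares the names a web.config sets against an allow-list and also flags `errorMode="Detailed"` on the proxied site. The sample XML, the 192.0.2.10 placeholder address and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the web.config from the thread, with a documentation
# placeholder address (192.0.2.10) standing in for the Home Assistant host.
WEB_CONFIG = """<configuration><system.webServer>
  <httpErrors errorMode="Detailed" />
  <rewrite><rules>
    <rule name="http to https" stopProcessing="true">
      <match url="(.*)" />
      <conditions><add input="{HTTPS}" pattern="^OFF$" /></conditions>
      <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
    </rule>
    <rule name="Forward to Home Assistant" enabled="true" stopProcessing="true">
      <match url="(.*)" />
      <action type="Rewrite" url="https://192.0.2.10:8123/{R:0}" logRewrittenUrl="true" />
      <serverVariables><set name="HTTP_SEC_WEBSOCKET_EXTENSIONS" value="" /></serverVariables>
    </rule>
  </rules></rewrite>
</system.webServer></configuration>"""

# Constructed sample: an allow-list entry that differs from the rule's name by one letter.
ALLOWED = """<rewrite><allowedServerVariables>
  <add name="HTTP_SEC_WEBSOCKET_EXTENSION" />
</allowedServerVariables></rewrite>"""

def variables_set_by_rules(web_config_xml):
    """Map each enabled rule name to the server variables it sets."""
    found = {}
    for rule in ET.fromstring(web_config_xml).iter("rule"):
        if rule.get("enabled", "true").lower() == "false":
            continue
        names = [s.get("name", "").upper() for s in rule.findall("serverVariables/set")]
        if names:
            found[rule.get("name")] = names
    return found

def audit(web_config_xml, allowed_xml):
    """Return findings; names are compared case-insensitively (a choice made here)."""
    allowed = {a.get("name", "").upper()
               for a in ET.fromstring(allowed_xml).findall(".//allowedServerVariables/add")}
    findings = [f"rule '{rule}' sets {name}, which is not in allowedServerVariables"
                for rule, names in variables_set_by_rules(web_config_xml).items()
                for name in names if name not in allowed]
    errors = ET.fromstring(web_config_xml).find(".//httpErrors")
    if errors is not None and errors.get("errorMode") == "Detailed":
        findings.append("httpErrors errorMode=Detailed returns detailed error pages to remote clients")
    return findings

print("\n".join(audit(WEB_CONFIG, ALLOWED)))
```

On the constructed input it reports the one-letter name mismatch and the detailed-errors setting; `DetailedLocalOnly` is the IIS default and keeps detailed pages off the internet-facing side.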

Can you take me back to basics here - are these rules in a separate virtual directory, or site, or similar? Can you list the steps you took to get your site initially set up?

For example, for my configuration:

  1. Confirmed my local homeassistant was good
  2. Installed web sockets and ARR on Windows Server
  3. Added a reverse proxy rewrite rule to web.config at the default level: C:\inetpub\wwwroot
  4. Tested access - which failed

What steps did you take?

A problem that I had when switching from Virgin to TalkTalk was DNS. Accessing the HA from outside was fine but on my LAN it did not work until I put an entry in my hosts file.
C:\Windows\System32\drivers\etc\hosts
The entry is a simple entry
192.168.xxx.yyy my.domain.url

Not sure if this is or is not relevant. In configuration.yaml I have the entry:

http:
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem
  base_url: https://my.domain.url

The certificate in IIS can be used here or a new one generated.

Steps that I took.

  1. Confirmed local HA is good
  2. Make sure I could access a simple website hosted on IIS from outside
  3. Create a new subdomain
  4. Edit web.config as above
  5. Add server variable as above

I am running IIS v10.0.17763.1
IIS URL Rewrite Module 2 v7.2.1993
Microsoft Application Request Routing 3.0 v3.0.1988
This is all running on Windows Server 2019.

Can’t think of anything else.

Damn, I can’t subdomain right now.

I’ll try to configure ha as a separate site, perhaps that’ll fix it.

I don’t believe a subdomain should be important, it’s just what I have done. A subdomain in IIS is straightforward. Don’t forget to get a new certificate (unless you have a site certificate) and to add it to your DNS records.

Happy to do a video call so you can inspect my setup - as this may be the quickest way to resolve the issues. If that is an option you want to take, propose some dates and times. I can’t do today or tomorrow.