IIS reverse proxy

I don’t believe a subdomain should be important, it’s just what I have done. A subdomain in IIS is straightforward. Don’t forget to get a new certificate, unless you have a site certificate, and to add it to your DNS records.

Happy to do a video call so you can inspect my setup - as this may be the quickest way to resolve the issues. If that is an option you want to take, propose some dates and times. I can’t do today or tomorrow.

@DeanSmith did you get this resolved? What issue are you actually seeing? Reason why I ask is that I got a 502.3 error today. This was because the certificate that I had in the virtual machine had expired. Not sure why Let’s Encrypt on the virtual machine had not updated the certificate.

To be clear, I have two certificates. One that is installed on IIS and the other installed on the virtual machine. This is important.

Still haven’t resolved it, but this is interesting. Is the certificate on the virtual machine the same? i.e. for the same site?

Yes - the certificate is for the same site.

For some reason Let’s Encrypt no longer runs on my virtual machine so I am using https://www.win-acme.com/ to create a certificate for IIS and the virtual machine. I then copy the certificate from the host to the ssl directory in the virtual machine… I need to automate this as the certificate will expire in another three months. I only took this approach as it works for me and seems easier than getting Let’s Encrypt working again.
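The two failure modes mentioned above (the certificate inside the virtual machine expiring, and the manually copied file falling behind the one issued on the host) can be checked on a schedule. This is an added example, not part of the original posts; it assumes `openssl` is installed and both certificates are PEM files, and the function names, the 30-day threshold and the `ha.example.test` test certificate are made up for illustration.

```shell
#!/usr/bin/env bash
# Added example. Function names, threshold and file layout are assumptions.

# Print ok | expiring | expired | unreadable for a PEM certificate file.
cert_status() {
    local file="$1" warn_days="${2:-30}"
    if ! openssl x509 -in "$file" -noout >/dev/null 2>&1; then
        echo unreadable
    elif ! openssl x509 -in "$file" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -in "$file" -noout \
            -checkend "$((warn_days * 86400))" >/dev/null 2>&1; then
        echo expiring
    else
        echo ok
    fi
}

# SHA-256 fingerprint of a certificate, empty if the file cannot be parsed.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# True when both files hold the same certificate.
same_cert() {
    local a b
    a=$(cert_fingerprint "$1")
    b=$(cert_fingerprint "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Compare the certificate issued on the host with the copy the backend serves.
# Prints the finding; returns 0 only when the backend copy is current and valid.
check_backend() {
    local issued="$1" backend="$2" warn_days="${3:-30}" status
    status=$(cert_status "$backend" "$warn_days")
    if [ "$status" != unreadable ] && ! same_cert "$issued" "$backend"; then
        status=stale-copy
    fi
    echo "$status"
    [ "$status" = ok ]
}

# Constructed self-signed test certificate: make_test_cert OUT_FILE DAYS
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" \
        -out "$1" -days "$2" -subj "/CN=ha.example.test" >/dev/null 2>&1
}
```

A result of `stale-copy` means the copy step was missed, while `expiring` with matching fingerprints means the renewal itself did not run.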

I checked and this isn’t the issue.

It is possible to have a server certificate on your internet-facing server (Apache + nginx or IIS + ARR) that reverse proxies to your http enabled HA server. I spent some considerable time researching this - but I’ve still not found the root cause.

If I go to https://my.domain.com I see the expected landing page. If I go to https://my.domain.com/airsonic I see my Airsonic server, hosted via Apache Tomcat and accessible by reverse proxy.

When I go to https://my.domain.com/homeassistant I see this:

I feel I am very close to getting this to work…

Proxying HA as a subfolder is/will not be supported:

@DeanSmith what do you see in the debug console and network requests? In Chrome or Edge press F11 and select the Network tab. This may reveal more information.

Fantastically frustrating, because without being able to access my HA deployment over https, I cannot add SmartThings.

But I don’t see a major issue with this.

At least, with Nginx Proxy Manager addon (NPM) you can still use https://homeassistant.yourdomain.org (fully supported) instead of https://yourdomain.org/homeassistant (not supported).

At the moment, I am not able to use a subdomain, nor am I able to use Nginx.

So, that’s my major issue. I shall keep researching.

If you can use former Hassio or regular Linux installation (although not supported) you can install NPM addon.

I’ve installed the VM version of home-assistant, so I guess I’m out of luck. Such a shame, having SmartThings integrated to HA would have been fun.

I think not.

“VM version” is a vague term and doesn’t actually point to a certain installation method; however, if you used the virtual appliance installation option then you have the full OS and you can install addons. You only need to install DuckDNS (to get the domain) and NPM addons (takes care of Let’s Encrypt). You can then use NPM to reverse proxy (probably) anything you need with https://subdomain.domain.duckdns.org or https://domain.duckdns.org/subfolder (however, not everything works with subfolder, at least HA is not supported).

The duckdns add-on already takes care of letsencrypt, no need to use NPM for that

It depends on the user’s needs.

In my opinion NPM has better usage as the 5 domains that DuckDNS provides might not be enough for all users. Most of the services work for reverse proxying with both subdomains and subfolders but not all with subfolders (HA doesn’t, thus it needs a domain/subdomain).

NPM can be used to generate all the subdomains needed without having to deal with the 5 domains limit of DuckDNS (and to generate subfolders too).

On top of it, with NPM, certificate management is centralized and one doesn’t need to deal with any SSL stuff on the device itself, as it might not always be possible to add a certificate (and, in LAN, one can use the non-secure address, http://192.168.x.y:port, if needed instead of https://subdomain.domain.duckdns.org).

Hey guys,

What are the new rules to get IIS proxy working with the new changes?

Release 2021.7.1 - July 8

Thanks

Look for my post here.

Thanks mate!

I’ll check it out 🙂

ha ha jolly good this works. I had such a rigmarole going through this.

I’d steer away from IIS if you have that chance. I have used it for years and boy what a joy it was to use something like NPM or Traefik compared to IIS. Way too cumbersome. I’d only use it if I really had to (e.g. company policies or whatnot). If you do want to use Windows Server/Hyper-V then I’d suggest setting up a HA VM or run HA on a linux distro VM. If you do not rely on AD (which most home users won’t) then I will highly recommend using Unraid or Proxmox instead (Unraid tends to be more user friendly and has docker natively).

Lastly, after reading this thread, I am actually pretty baffled that so many use duckdns. I really wonder why? A domain name is around 5/10 euro/dollar a year. Setting it up on Cloudflare would also give you all of its security features. My wife could never remember the duckdns address, but she can easily remember our domain name. It also looks better to see myname.com instead of myname.duckdns.com (added benefit, we also have email addresses [email protected]). I understand that it is free, I just wonder why so many do not care about an actual domain name (it is not criticism btw, it is a genuine question).