Hi everyone, this is my first topic here!
I had the feeling that my journey through learning reverse proxy with OVH, Proxmox, Nginx and Home Assistant a few months ago is better documented now, but in pieces here and there (as far as I know!). So I have compiled it here and I hope it will help some people.
Your home has only one public (IP) address.
The domain provider of your choice will transfer every connection to any of your subdomains exclusively to your proxy machine.
Your proxy machine will manage the distribution of the connections to every service installed at your home according to their respective subdomain addresses (of your choice) and the service machines' local IPs (which must be static so that they do not change, as you will have to write these local IPs in the reverse proxy configuration files).
As the reverse proxy machine will manage every incoming connection, an SSL wildcard certificate will authenticate all the subdomain addresses of your domain at once, and thus all connections from outside to any of your subdomains/service machines will be recognized as compliant https connections.
THE QUITE GENERIC REVERSE PROXY PART
- Create a container (CT) in Proxmox: CT is very light and enough for such a small service - I chose to install a simple Debian 10 server base:
go and see Proxmox documentation for the procedure
- Install the NGINX service on it:
Debian 10 Buster : installer et configurer la dernière version de Nginx et PHP 7.3 FPM | Geek17.com
- Learn the basics about Nginx - This article was very helpful to me (no need for the docker part because my config obviously does not use docker)!
How to set up an easy and secure reverse proxy with Docker, Nginx & Letsencrypt (freecodecamp.org)
- Set your configuration files - I did mine before the post here below was published… so I can’t vouch for it:
Reverse proxy using NGINX - Community Guides - Home Assistant Community (home-assistant.io)
additionally: Reverse proxy with NGINX using a subdomain - Community Guides - Home Assistant Community (home-assistant.io)
I can publish my config files if there is a demand.
SSL CERTIFICATE PART IN ORDER TO MANAGE SSL CERTIFICATE TO MULTIPLE OVH SUBDOMAINS=>SERVICES AT ONCE (WILDCARD CERTIFICATE) INSIDE THE PROXY SERVICE
- I own a domain at OVH for 2€/yr - I can’t tell what to do with other providers… but the principle should be the same… and Google is full of dedicated tutorials.
- I chose to go for a “DNS challenge” for the certificate, which goes through the provider DNS with the help of a provider API, so as to avoid leaving a port open to allow the periodic challenge check.
- Here is a quite comprehensive article for the installation of the SSL certificate on the Nginx host:
Get a Let’s Encrypt Wildcard Certificate (florianjensen.com)
- There are some steps on the OVH provider side to manage potential dynamic IPs from your internet provider but I have only a French link for this:
Paramétrer un DNS dynamique pour son nom de domaine | Documentation OVH
Comments about why not use a simpler configuration:
- The way I do it, the SSL certificate (managed in the reverse proxy container) works for every service/subdomain/machine I use, without ever needing to configure anything in these service machines.
- One may notice that Hass.io has an Nginx add-on. Nevertheless I wanted to make a more independent and free installation of the proxy service with full control of the OS that hosts it, moreover managing several services at once and not only Home Assistant access.
- One may notice that Hass.io has a Let’s Encrypt add-on. Nevertheless I wanted my SSL to manage all my services under as many subdomains as I want, so again I opted for a more independent and versatile option.
- Nabu Casa manages very well every aspect of Home Assistant from outside (domain, SSL, Google Assistant) but again I wanted to build a multiple subdomains solution for multiple services.
- One may think that Nginx could be simply installed on Proxmox OS. That’s not false but:
i. firstly Proxmox OS is quite sensitive to additional installs (I crashed it when attempting other compilations on it) so it is recommended to leave it alone… indeed there is no gain in installing Nginx on the host rather than in a dedicated container (as a CT shares the resources with the host);
ii. secondly I would not be able to easily separate the Proxmox service and the nginx service when accessing them from outside if I install both under the same machine/IP.
- As soon as one personal subdomain+SSL certificate is operational, Nabu Casa is not even necessary for Google Assistant integration, as explained in Home Assistant Documentation.
Depending on your use, such simpler solutions might fit you more than mine. Anyway you have the choice now.
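As an added illustration of the layout described in this post (not the author's own configuration files), here is one way the proxy container's Nginx could route two subdomains under a single wildcard certificate while refusing hostnames that no service claims. The domain `example.com`, the local IPs, the second service and the certificate paths are assumptions.

```nginx
# Added example, e.g. /etc/nginx/conf.d/home.conf (included inside http {}).
# Assumed values: example.com, the 192.168.1.x addresses, the second
# service, and the certificate paths (certbot's default layout).

# Home Assistant's frontend uses WebSockets: pass the Upgrade handshake on.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# One wildcard certificate (*.example.com) shared by every HTTPS server block.
ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

# Plain HTTP is only used to redirect to HTTPS.
server {
    listen 80 default_server;
    return 301 https://$host$request_uri;
}

# Catch-all: the wildcard DNS record sends *any* subdomain here, so requests
# for names that no server block claims are closed without a response.
server {
    listen 443 ssl default_server;
    server_name _;
    return 444;
}

# Home Assistant (default port 8123) on its own subdomain.
server {
    listen 443 ssl;
    server_name ha.example.com;
    location / {
        proxy_pass http://192.168.1.20:8123;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}

# A second, hypothetical service on another machine, same certificate.
server {
    listen 443 ssl;
    server_name cloud.example.com;
    location / {
        proxy_pass http://192.168.1.30:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

On the Home Assistant side, the `http:` section needs `use_x_forwarded_for: true` and the proxy container's IP listed under `trusted_proxies`, otherwise proxied requests are rejected. Check the result with `nginx -t` before reloading.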