I have one server but want to host several web domains (one HA, the others not being HA) on it. When HA is running, it hogs ports 80 & 443, but I would like NGINX to be my main webserver in control as I have experience with that. Is it possible at all to have NGINX send all traffic from "home-assistant.mydomain.xyz/*" to an end point within HA without having HA be the one listening? I don’t know if that makes much sense. Let me know if I can help explain better.
I use nginx in front of my HA installation exactly as you describe. I forward home.mydomain.com to my home assistant ip:8123. I have nginx installed on a separate virtual machine and opened ports 80 and 443 to the nginx VM in my router. I run certbot on this VM too.
server {
    server_name home.xx.xxx;
    location / {
        proxy_pass http://192.168.0.104:8123/;
        proxy_set_header Host $host;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
    location /api/websocket {
        proxy_pass http://192.168.0.104:8123/api/websocket;
        proxy_set_header Host $host;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
Thank you for this! I am getting a 502 error when trying this.
Error from nginx log:
2023/01/08 13:32:28 [error] 292807#292807: *12 upstream prematurely closed connection while reading response header from upstream, client: HOME_IP_ADDRESS, server: HA.MYLINK.BLAH, request: "GET /frontend_latest/c206843c.js.map HTTP/1.1", upstream: "http://HA_LOCAL_IP:8443/frontend_latest/c206843c.js.map", host: "HA.MYLINK.BLAH"
My config is:
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    ssl_certificate /etc/letsencrypt/live/HA.MYLINK.BLAH/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/HA.MYLINK.BLAH/privkey.pem;
    server_name HA.MYLINK.BLAH;
    location / {
        proxy_pass http://HA_LOCAL_IP:8443/;
        proxy_set_header Host $host;
    }
    location /api/websocket {
        proxy_pass http://HA_LOCAL_IP:8443/api/websocket;
        proxy_set_header Host $host;
    }
}
When I copy your config over and change the relevant addresses, I get no errors in the log and the website hangs.
>>> curl https://HA.MYLINK.BLAH/
curl: (7) Failed to connect to HA.MYLINK.BLAH port 443 after 3 ms: Connection refused
And when copying your method, I can see there are no listeners on port 443, which is why nothing is going through. Not sure how my setup differs from yours. From mine, everything is run on the same server.
FYI: Navigating to https://HA.MYLINK.BLAH:8443/ in my browser gives an SSL error, but once you pass that it works fine.
No, it doesn’t…HA only uses port 8123, either http or https.
On my router, I forward port 443 to ha:8123
and port 80 is forwarded to apache:80
(then again, I am not running NGINX either…wouldn’t have a clue why I need it…)
Are you running nginx as an addon in HA or outside?
My apologies here. I had port forwarding set up on my router so that 80 & 443 forwarded to 8443 (my HA port). Need my coffee this morning. Reset forwarding so 80 and 443 go straight through now without changing port.
Just got this working. Had to remove the old SSL settings in my configuration.yaml file and restart HA. Same config as I pasted above.
The use case for running nginx is that you can run services other than HA through the reverse proxy. Different websites on different servers / containers, for example. All traffic goes through the nginx that proxies the traffic to the correct service with SSL and so on.
Nice! Be sure to set up certbot also.
Was running it outside. Installed through apt
I also had openvpn listening on 443 as their TCP fallback. Had to move that. My setup was a mess lmao
Final tip: use uptimerobot to monitor your URLs so you get notified if some of your services crash.
And that part I don’t get…
I have multiple servers on multiple hosts using multiple ports with NAT loopback and my own DNS using both http and https (as well as some more), all working nicely…all traffic going through router.
So why would I require an additional NGINX? I fail to see the added benefit.
You probably have a more fancy router than the rest of us.
HA does not use port 80 or port 443.
I am trying to do the same thing here, but can’t work it out.
- My HAOS host is at 192.168.1.225:8123
- My nginx server is at 192.168.1.36
- My HA domain name is home.domain1.co.uk
- My other web domain name is domain2.com
- My router has ports 80 and 443 forwarded to 192.168.1.36
- I have copied my SSL certs for home.domain1.co.uk from my HAOS host to /etc/letsencrypt/live/home.domain1.co.uk
This is my home.domain1.co.uk file (in the sites-available folder on 192.168.1.36):
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    ssl_certificate /etc/letsencrypt/live/home.domain1.co.uk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/home.domain1.co.uk/privkey.pem;
    server_name home.domain1.co.uk;
    location / {
        proxy_pass http://192.168.1.225:8123/;
        proxy_set_header Host $host;
    }
    location /api/websocket {
        proxy_pass http://192.168.1.225:8123/api/websocket;
        proxy_set_header Host $host;
    }
}
When I try to connect on https://home.domain1.co.uk:8123/ I get "This site can’t be reached - ERR_CONNECTION_REFUSED". Nothing gets written to the nginx access log.
Any idea what I might be doing wrong?
Using the wrong port here? Your nginx server is listening on port 443, not 8123.
Armin
I get exactly the same error with both of these two URLs:
Ah…I think I may have found the problem - I have changed the two proxy pass entries to https, instead of http. It now seems to be working:
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    ssl_certificate /etc/letsencrypt/live/home.domain1.co.uk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/home.domain1.co.uk/privkey.pem;
    server_name home.domain1.co.uk;
    location / {
        proxy_pass https://192.168.1.225:8123/;
        proxy_set_header Host $host;
    }
    location /api/websocket {
        proxy_pass https://192.168.1.225:8123/api/websocket;
        proxy_set_header Host $host;
    }
}
But I’m now confused as to which Lets Encrypt certs are being used - the ones on the nginx host or the ones on the HAOS host? If the latter, will the LetsEncrypt add-on still be able to automatically renew them, now that port 80 is no longer being forwarded to the HAOS server?
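The setup the original question asks for (one nginx host, several domains, only one of them HA) and the certificate question just above, as an added example that is not from any post in this thread: TLS terminates at nginx with certificates that certbot on the nginx host renews, so the browser always sees nginx's certificate and HA needs none of its own. The hostnames, addresses and webroot paths are assumed.

```nginx
# Added example, not from any post above. One nginx host terminates TLS for
# both names and forwards only the HA name to HA on 8123 over plain HTTP.
# Assumed: home.domain1.co.uk, domain2.com, HA at 192.168.1.225,
# /var/www/acme (certbot --webroot dir) and /var/www/domain2 (second site).

# Port 80: serve ACME HTTP-01 challenges so certbot on this host renews
# both certificates; everything else is redirected to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name home.domain1.co.uk domain2.com;
    location /.well-known/acme-challenge/ { root /var/www/acme; }
    location / { return 301 https://$host$request_uri; }
}

# Port 443, Home Assistant. The browser only ever sees this certificate; the
# hop to HA is plain HTTP on the LAN, so HA itself needs no certificate.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name home.domain1.co.uk;
    ssl_certificate     /etc/letsencrypt/live/home.domain1.co.uk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/home.domain1.co.uk/privkey.pem;

    location / {
        proxy_pass http://192.168.1.225:8123;
        proxy_set_header Host $host;
        # HA's /api/websocket needs the Upgrade headers; setting them here covers
        # every path, so a separate /api/websocket location is not required.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # Real client address for HA's logs and login-attempt banning. HA only
        # accepts this from proxies listed under http: trusted_proxies.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Port 443, the second (non-HA) site on the same host.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name domain2.com;
    ssl_certificate     /etc/letsencrypt/live/domain2.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain2.com/privkey.pem;
    root /var/www/domain2;
}
```

Because the block sends X-Forwarded-For, HA's configuration.yaml needs `http:` with `use_x_forwarded_for: true` and `trusted_proxies: [192.168.1.36]` (the nginx host), otherwise HA answers the proxied requests with 400 Bad Request. With TLS ending at nginx, the SSL settings and the Let's Encrypt add-on on the HAOS host are no longer used, which is the state the poster above reached by removing them.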