Can you share your current nginx configuration again? Did you add the additional headers from my earlier post?
And you added the “Trusted Proxies” configuration to the http section in configuration.yaml?
My current nginx config is:
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    ssl_certificate /etc/letsencrypt/live/home.mydomain.co.uk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/home.mydomain.co.uk/privkey.pem;
    server_name home.mydomain.co.uk;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    location / {
        proxy_pass http://192.168.1.225:8123/;
        proxy_set_header Host $host;
    }
    location /api/websocket {
        proxy_pass http://192.168.1.225:8123/api/websocket;
        proxy_set_header Host $host;
    }
}
My HA config is:
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.1.36
    - 192.168.1.0/24
If I enter this URL:
https://home.mydomain.co.uk:8123/
I get:
This site can’t be reached - ERR_CONNECTION_REFUSED
It does not leave a trace in the nginx access.log.
Ports 443 and 80 are forwarded to 192.168.1.36 on the router. Port 8123 is not forwarded anywhere.
If I enter this URL:
https://home.mydomain.co.uk/
I get:
net::ERR_CERT_COMMON_NAME_INVALID
If I then proceed to the site and enter my HA login details I get this from HA:
Unable to connect to Home Assistant.
…and these are the entries in the nginx access.log:
Perhaps that was not clear from my previous post: proxy_set_header should be inside the location.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    ssl_certificate /etc/letsencrypt/live/home.mydomain.co.uk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/home.mydomain.co.uk/privkey.pem;
    server_name home.mydomain.co.uk;
    location / {
        proxy_pass http://192.168.1.225:8123/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
    location /api/websocket {
        proxy_pass http://192.168.1.225:8123/api/websocket;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
Not sure you really need a separate location for “/api/websocket”; the “/” location should cover this, but for the time being I would leave it as is, one step after another.
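The inheritance rule behind this advice, as an added example (not part of the original posts): nginx inherits proxy_set_header from an outer level only if the current level defines none of its own, so the single Host line in each location of the first config discarded all five server-level headers. The sketch below parses a constructed copy of that config and lists what each proxied location actually sends; the function names are this example's own.

```python
import re

# Constructed sample: the first config from the thread, reduced to the
# directives that matter for header inheritance.
SAMPLE_CONF = """
server {
    server_name home.mydomain.co.uk;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    location / {
        proxy_pass http://192.168.1.225:8123/;
        proxy_set_header Host $host;
    }
    location /api/websocket {
        proxy_pass http://192.168.1.225:8123/api/websocket;
        proxy_set_header Host $host;
    }
}
"""

# Comments, quoted strings, structural characters, bare words.
TOKEN = re.compile(r'''#[^\n]*|"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[{};]|[^\s{};"']+''')


def parse(tokens, pos=0):
    """Return (directives, next_pos); each directive is (args, children or None)."""
    out, args = [], []
    while pos < len(tokens):
        tok = tokens[pos]
        pos += 1
        if tok == ";":
            if args:
                out.append((args, None))
            args = []
        elif tok == "{":
            children, pos = parse(tokens, pos)
            out.append((args, children))
            args = []
        elif tok == "}":
            break
        else:
            args.append(tok)
    return out, pos


def audit(directives, inherited=None, path=""):
    """Map each block containing proxy_pass to the headers it sends and drops."""
    inherited = inherited or {}
    own = {a[1].lower(): a[2] for a, kids in directives
           if kids is None and a[0] == "proxy_set_header" and len(a) >= 3}
    # nginx rule: any proxy_set_header at this level replaces the inherited set.
    active = own if own else inherited
    report = {}
    if any(kids is None and a[0] == "proxy_pass" for a, kids in directives):
        report[path] = {"sent": active,
                        "dropped": sorted(set(inherited) - set(active))}
    for a, kids in directives:
        if kids is not None:
            label = " ".join(a)
            child_path = f"{path} > {label}" if path else label
            report.update(audit(kids, active, child_path))
    return report


def audit_config(text):
    """Tokenize, parse and audit an nginx config given as a string."""
    tokens = [t for t in TOKEN.findall(text) if not t.startswith("#")]
    tree, _ = parse(tokens)
    return audit(tree)


if __name__ == "__main__":
    for block, info in audit_config(SAMPLE_CONF).items():
        print(block, "sends", sorted(info["sent"]), "drops", info["dropped"])
```

Header names are compared lower-cased, and nginx's built-in defaults for Host and Connection are not modelled.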
Thanks. OK my nginx config looks like this:
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    ssl_certificate /etc/letsencrypt/live/home.mydomain.co.uk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/home.mydomain.co.uk/privkey.pem;
    server_name home.mydomain.co.uk;
    location / {
        proxy_pass http://192.168.1.225:8123/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
    location /api/websocket {
        proxy_pass http://192.168.1.225:8123/api/websocket;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
Now if I enter https://home.mydomain.co.uk/
I get:
net::ERR_CERT_COMMON_NAME_INVALID
If I choose to proceed I can now login and access HA from a web browser, but the Android Home Assistant app will not connect using the same URL - I get:
Unable to connect to Home Assistant. The Home Assistant host name certificate mismatch, please review the Home Assistant certificate or the connection settings and try again
Could this have something to do with the CNAME record for home.mydomain.co.uk?
The Android app unfortunately insists on a valid certificate and there is no switch to ignore an invalid certificate.
I guess your DNS setup is the next (and hopefully final) step.
I’m not yet sure what you need the CNAME for?
Perhaps to reiterate what we are looking at… you own domain “mydomain.co.uk”
On the DNS for your domain registrar you added home.mydomain.co.uk as an A record for the external IPv4 address of your router,
router forwards port 443 to nginx (192.168.1.36)
On your router(?) you have your internal DNS, and there is a CNAME record for home.mydomain.co.uk?
Can’t you have an A record on your internal domain pointing home.mydomain.co.uk to the IP of nginx?
TBH I thought a CNAME was the recommended way to handle a subdomain. I actually had it pointing to the same “main” domain (not my other domain, as I suspected) - i.e. I had CNAME home.mydomain.co.uk pointing to mydomain.co.uk.
Anyway I’ve now deleted the CNAME record and replaced it with an ‘A’ record for home.mydomain.co.uk - pointing to the external IP address of my router.
I haven’t done any internal DNS routing on my router before (Netgear R7800/DD-WRT v3.0). I have now added this:
Is that what you mean?
All of the above hasn’t helped - I still get the error in the HA Android app.
I’m puzzled by the results of that openssl query:
openssl x509 -in /etc/letsencrypt/live/home.mydomain.co.uk/fullchain.pem -text -noout |grep -A1 Subject
Subject: CN = myotherdomain.ddns.net
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
--
X509v3 Subject Key Identifier:
E5:DA:48:0A:7C:C0:12:8B:07:7D:53:3D:3E:37:D2:40:D0:15:4D:2E
--
X509v3 Subject Alternative Name:
DNS:myotherdomain.ddns.net
I don’t understand why it references “myotherdomain.ddns.net” rather than “mydomain.co.uk”. Maybe I need to recreate the SSL cert for home.mydomain.co.uk?
I’m not familiar with DD-WRT, but if a ping to home.mydomain.co.uk resolves to 192.168.1.36 it should be OK.
Yes, the certificate has to be for home.mydomain.co.uk as Subject, or this domain has to be at least a Subject Alternative Name.
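The rule stated above, as an added example (not part of the original posts): the check parses the `openssl x509 -text` output quoted earlier in the thread and tests whether a hostname is covered by the certificate. It applies the RFC 6125 convention that SAN DNS entries are authoritative and the Subject CN is consulted only when no SAN entries exist; the function names are this example's own.

```python
import re

# Constructed sample: the `openssl x509 -text | grep -A1 Subject` output
# quoted in the thread (indentation is approximate).
OPENSSL_TEXT = """\
        Subject: CN = myotherdomain.ddns.net
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
--
            X509v3 Subject Key Identifier:
                E5:DA:48:0A:7C:C0:12:8B:07:7D:53:3D:3E:37:D2:40:D0:15:4D:2E
--
            X509v3 Subject Alternative Name:
                DNS:myotherdomain.ddns.net
"""


def parse_names(text):
    """Return (subject CN or None, list of SAN DNS names) from openssl text output."""
    cn = None
    subject = re.search(r"^\s*Subject:\s*(.*)$", text, re.MULTILINE)
    if subject:
        m = re.search(r"CN\s*=\s*([^,/\s]+)", subject.group(1))
        cn = m.group(1) if m else None
    sans = []
    # The SAN values sit on the line after the extension header.
    san = re.search(r"X509v3 Subject Alternative Name:[^\n]*\n\s*([^\n]+)", text)
    if san:
        sans = re.findall(r"DNS:([^,\s]+)", san.group(1))
    return cn, sans


def hostname_matches(pattern, host):
    """Exact match, or a '*.' wildcard covering exactly one left-most label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        first, _, rest = host.partition(".")
        return bool(first) and rest == pattern[2:]
    return pattern == host


def cert_covers(text, host):
    """True if the certificate described by `text` is valid for `host`."""
    cn, sans = parse_names(text)
    names = sans if sans else ([cn] if cn else [])
    return any(hostname_matches(n, host) for n in names)


def uncovered(text, server_names):
    """Return the nginx server_name values the certificate does not cover."""
    return [n for n in server_names if not cert_covers(text, n)]


if __name__ == "__main__":
    print(parse_names(OPENSSL_TEXT))
    print(uncovered(OPENSSL_TEXT, ["home.mydomain.co.uk"]))
```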
Ah…if I ping home.mydomain.co.uk from a machine on the LAN it resolves to my external IP address (86.23.****). So I guess the DNS setup didn’t work.
I guess I need to contact LetsEncrypt support to help sort out the CN/Subject Alternative Name in the certificate.
Setting on DD-WRT looks correct to me. The DD-WRT router is your DNS on the LAN? Cleared the cache on the client? ipconfig /flushdns on Windows; Linux might not be configured for caching unless systemd-resolve is installed, or the distribution of your choice is not using systemd at all.
Of course this won’t fix your issue with the certificate being issued for a different server name; it only means your internal clients and servers will connect directly to nginx instead of using your external IP on the router.
I can confirm that it was the SSL cert that was the final problem - I’ve resolved it with the help of the LetsEncrypt community and everything is now forwarding and working as it should.
Many thanks for your help and patience with this - much appreciated.