Local Home Assistant SSL Offloading with pfSense -> ACME -> HA Proxy

Hello everyone,

I am experiencing great difficulty in properly configuring SSL offloading to my Home Assistant instance via HA Proxy frontend, using a Let’s Encrypt certificate generated with ACME automation, both components installed as packages in my pfSense firewall.

My current configuration works correctly with all my other local webservers, but I cannot get it to work in any way to get Home Assistant gui to correctly respond in SSL and using my domain’s wildcard certificate:

Following several threads here in the community, I tried modifying the configuration.yaml file, adding the http section, setting the use_x_forwarded_for field and trusted proxies, specifying the virtual IP on which the HA Proxy frontend is listening and the address of the pfSense LAN interface related to the VIP.

How can I get reverse proxy to work locally in the given configuration for Home Assistant too?

Thanks in advance to anyone who will spend time in helping a newbie!!!

Please be more specific.
What do you mean by “HA proxy frontend”? What are the difficulties?

I’m using a very basic nginx reverse proxy configuration without issue

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    # shared TLS settings (certificate, key, ciphers) live in this include
    include global/ssl_home_com.conf;
    server_name <my_ha_hostname>.com;

    location / {
      include global/proxy_params.conf;
      proxy_set_header Host <my_ha_hostname>.com;
      # WebSocket upgrade headers, needed for the Home Assistant frontend
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";

      # plain HTTP to Home Assistant; TLS is terminated here
      proxy_pass http://<my_lan_hostname>:8123;
    }
}

Hello Chris, thanks for your message.

In my HA Proxy configuration, I have two different frontends: one for redirecting http to https, and the other is shared among my various backend servers, listening on port 443 and using my domain’s wildcard certificate (generated via pfSense ACME automation) for SSL offloading of HTTPS traffic.

In my DNS Resolver (pfSense itself), I have instead configured records for the various webservers whose resolution results in the IP address of the HA Proxy frontend.

To give a practical example, the console of my UniFi APs can be reached with the FQDN unifi.mydomain.tld, which is resolved into the frontend address of the HA Proxy, which redirects the request to the relevant backend server with its internal ACLs.

Due to the frontend providing SSL offloading, the FQDN will be correctly reachable in HTTPS and will use the wildcard certificate of my domain.
I would like to be able to achieve the same result for the Home Assistant webgui, to be able to reach the FQDN haos.mydomain.tld locally in HTTPS via the reverse proxy.

The solutions I have found online involve manually adding the certificate on the machine hosting Home Assistant, but this would make me have to manually upload the certificate every month… I hope I have described the situation properly, let me know if I have missed any details!

Hi guys, anyone who has been able to get a setup like this to work?

Not sure what’s your problem, but a picture would probably make your config and problem clearer.

I just edited my router DNS config to redirect “haos.mydomain.tld” to the local ip of HA and that works.

I’m using openwrt, that supports NAT loopback, but I suppose pfsense does, too.

Came across this while trying to run down some separate HAProxy cert issues of my own.

I’ve got a pretty similar setup and it’s definitely doable. I agree with koying, some screenshots of key settings would probably help quite a bit. If you already have this working for other servers you’re likely 95% of the way there.

You already mentioned the use_x_forwarded_for and trusted_proxies values for Home Assistant, and from what I can remember those values were the main thing I had to fiddle with. To confirm what’s working for me:

  • I’ve got three trusted proxies. The first is the pfSense interface IP for the subnet Home Assistant is on. I also use Cloudflare, so the other two are CIDR ranges for where those requests come from. I don’t think those ended up being necessary though.

  • It’s not really specific to Home Assistant, but I also have a couple shared frontends in HAProxy that each map to multiple back ends. When that config is working for pre-existing servers, but not a newly added one, I often find myself double-checking the back end config. Unless you’re also using a cert between HAProxy and Home Assistant (doesn’t sound like you are), the SSL checks should be off, and the port should be the Home Assistant default:

Hope that helps!
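For reference, the http section the two posters above are describing, written out as an added example (not configuration from anyone in this thread); the addresses are placeholders for the pfSense LAN interface on Home Assistant's subnet and the HAProxy frontend VIP:

```yaml
# Added example configuration.yaml fragment: Home Assistant behind a pfSense
# HAProxy frontend that terminates TLS with the ACME wildcard certificate.
# All addresses are placeholders; substitute your own.
http:
  # Home Assistant keeps speaking plain HTTP on 8123; the certificate lives on
  # HAProxy, so no ssl_certificate / ssl_key are configured here and the
  # HAProxy backend must have its SSL checks off.
  server_port: 8123

  # Only honour X-Forwarded-For when the request comes from a listed proxy, so
  # the client IP used for login throttling and bans is the real one. Requests
  # carrying the header from any other source are treated as spoofing and the
  # header is ignored.
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.10.1   # pfSense LAN interface on Home Assistant's subnet (placeholder)
    - 192.168.10.2   # HAProxy frontend VIP, if it differs (placeholder)
    # - 0.0.0.0/0    # do not do this: any host could then forge client IPs

  # With the real client IP available, these protections apply per client
  # rather than to the proxy's own address.
  ip_ban_enabled: true
  login_attempts_threshold: 5
```

After changing this section Home Assistant needs a restart, and the HAProxy backend should point at the Home Assistant host on port 8123 without SSL, as the last post notes.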