Most mysterious thing, as far - DuckDNS + Nginx do not work for me for remote access

Tags: #<Tag:0x00007fc414b531c0>

Hi, I spend already a long time of my life searching for a solution to why I can not access remotely my Hassio.
I had;
Duck DNS (installed, logged on the website, taken token, changed add-on configuration according to plugin instructions)
configuration.yaml (uncommented http section, changed ‘base_url’ for mine)
Router port forwarder (80>80, 443>8123)
In SSL directory are already fullchain.pem and privkey.pem

it didn’t work. DuckDNS log shows IP address not changed, so it is working but I can not log-in remotely. I tried many options (name, IP addres, with ports, without, with http and https, from inside and outside of net…)

So I add
Nginx (configure, run, the log shows it is working)
removed from configuration.yaml lines ssl_certificate and ssl_key

Unfortunatelly still nothing.

I will be very thankfull for any help as I read major part of the internet already, there are some differencies in approach (especially ports) and most probably I am doing something wrong.

Hassio 0.100.3 on RPI2B

I have the same situation, with HomeAssistant behind Nginx. I have HA configured to not know anything about certificates. Nginx handles all of that. The https connection to Nginx will forward to my http (insecure) HA.

I think you should forward port 443 to port 443 (not the HA port of 8123) so that Nginx will also handle HTTPS. There should be some lines in the nginx config that start with

# Ensure these lines point to your SSL certificate and key

Obviously, make sure those lines point to your duckdns certificate and key.

Then, also in my nginx config, I have this:

    location / {
        proxy_pass http://localhost:8123;
        proxy_set_header Host $host;
        proxy_redirect http:// https://;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

Unfortunatelly I am not able to put this code into nginx config. I did try after last bracket, before it, before first bracket. Everytime I have all the config text in red and no possibility to save.
Could You please share how the whole config should looks like in that case?

My nginx.config file is unchanged from the default. This is my /etc/nginx/sites-enabled/[site] file:. Remember to replace example.com with your duckdns domain name. Note that on my router, everything forwards to the same port, i.e., 80 --> 80, 443 --> 443. If you want to have SSL on a different port, then forward it as such, and look for the “443” in the sites config file, and change it to match.

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

## I don't actually do anything on port 80.
## This section can probably be removed.
server {
    # Update this line to be your domain
    server_name _;

    # These shouldn't need to be changed
    # listen [::]:80 ipv6only=off;
    listen *:80;
    return 301 https://example.com$request_uri;
}

server {
    # Update this line to be your domain
    server_name www.example.com;

    # Ensure these lines point to your SSL certificate and key
    ssl_certificate /etc/letsencrypt/live/www.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;
    # Use these lines instead if you created a self-signed certificate
    # ssl_certificate /etc/nginx/ssl/cert.pem;
    # ssl_certificate_key /etc/nginx/ssl/key.pem;

    # Ensure this line points to your dhparams file
    ssl_dhparam /etc/nginx/ssl/dhparams.pem;

    # These shouldn't need to be changed
    # listen [::]:443 default_server ipv6only=off; # if your nginx version is >= 1.9.5 you can also add the "http2" flag here
    listen *:443 default_server; # if your nginx version is >= 1.9.5 you can also add the "http2" flag here
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "[not sure if this was sensitive, but I removed it]";
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    proxy_buffering off;

    location / {
        proxy_pass http://localhost:8123;
        proxy_set_header Host $host;
        proxy_redirect http:// https://;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
[email protected] $ dir /etc/nginx/sites-available/
total 8.0K
-rw-r--r-- 1 root root 2.1K Feb 11  2017 default
-rw-r--r-- 1 root root 3.5K Oct 23 16:49 example.com
[email protected] $ dir /etc/nginx/sites-enabled/
total 0
lrwxrwxrwx 1 root root 33 Jun  3  2018 example.com -> ../sites-available/example.com
[email protected] $
``
1 Like

Thank You Steve. And sorry for most probably a silly question but I am a newbie in HA (and I use Win explorer for Hassio folders instead of the terminal): as I can not find on my Hassio anywhere ‘etc’ folder, should I create this files?
Previously for configuring nginx I’ve used its subwebpage on Hassio

I’m not sure…I don’t use hassio, and nginx is installed standalone, not as a hassio addon.

1 Like

Qbaf,
This is what works for me.
Funnily enough, Steve was a MAJOR contributor to the overall solution in the insights he gave me. :crazy_face:

Unfortunatelly, failed @ #15 :frowning:
Both - from inside and outside

Your etc folder should be off the root of the file system, as in /etc. Can you SSH into your Home Assistant machine? see if you can run this command:

find / -iname nginx.conf 2> /dev/null

That’ll search your machine’s filesystem from the root looking for a file named nginx.conf and discard any errors. Then you’ll see where you should look for your sites-enabled folder.

I did quick lesson on SSH, installed PuTTY. Unfortunatelly when opening HA machine i receive Network error: Connection refused
Is it good omen? Does we guess where the enemy could be?

I think it’s different if you’re using hassio. Do you have this addon installed?

OK, mystery solved. I am behind two routers. So in this case is needed to port forward both routers (outer router ports to inner router, inner router ports to Hassio) or DMZ the outer one.

Thank You all for assistance anyway.