I am sort of new to all this, so I am not sure where I should be posting such questions…
The issue that started everything: All is working using duckdns.org to set encryption and allow things like amazon media and other add-ons that require encryption to work. Problem is… Local traffic is blocked. Fortunately for me, I have multiple external IP addresses available. So I have been leaving one address routing traffic to duckdns.org and returning in the other address to my Home Assistant (HA) Virtual Machine (VM) on the server.
Difficulty arises when I attempt to set up presence detection. All of the iPhone(s) set up easily, but only connect when on Cellular signal and not on WiFi. So many options available and none work on WiFi.
I was led to install and configure NGINX add-on. Following the instructions, the result is opposite. Local traffic passes, but encrypted traffic is blocked instead of being proxied.
Is anyone available that uses duckdns and NGINX add-on? Or know of another solution?
I have NAT Port Forwarding from WAN 443 to 192.168.1.59, port 8123
and from WAN 8123 to 192.168.1.59, port 8123.
How did you determine the address for trusted proxy?
Documentation talks about cast.home-assistant.io but does not indicate how to obtain that (loop-back?) address.
Using this configuration, everything local works but traffic sent to xxx.duckdns.org:8123 is rejected.
Any ideas?
the only port I have opened for HA on my router is the port I use in https://duckdns_address:port
this port on my router is forwarded to HA lan ip_address with port 443 as target (this is also the port (443) opened in NGinx)
my configuration.yaml:
homeassistant:
  #
  # Authentication Providers
  #
  auth_providers:
    - type: homeassistant
    - type: trusted_networks
      trusted_networks:
        - 192.168.2.0/24 # this is all my lan addresses
        - 127.0.0.1
        - ::1
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24
    - 172.30.32.0/24
to access ha:
externally (forwarded on your router to port 443 of the HA node (see above)):
https://duckdns_address:port
internally (no need to redirect on the router). Your browser will tell you that it is not a trusted site, but continue accepting the risk and it will add that to its list of exceptions; you will never be asked again (except if you clear everything from the browser history and data)…
http://lan-ip-address:8123
this is also documented under homeassistant in configuration.yaml file:
That is correct; however, that is not my issue. My Issue is that the external traffic directed to duckdns.org is blocked. HTTPS inbound Traffic is not using the duckdns lets_encrypt: keys. This is very easy for me to test. As mentioned, I do get LAN access via http:// in that configuration, my alexa skill is broken. Additionally, I have the resource of multiple external addresses as well as an external PC in another state by remote desktop (That was the screen capture with SSL Error in previous message).
My suspicion is the entry in the configuration.yaml file.
Is the “x” in “use_x_forwarded…” verbatim or should I have replaced the “x” with something else?
Did you get my contact information in the e-mail sent? I can share screens with you if that would help?
I’d really like to get this working, and no one else is making suggestions. I also have the ability to use cloudflare, but as far as I know, it does not offer the encryption required by Amazon Web Services and a few other api(s). Strangely enough, I shouldn’t need any of these since my Home Assistant configuration resides on its own static IP address.
Hello… I am not in the US…
Based on what you mention, even if Alexa is impacted, this is more than just HA… You should have a problem at the router level I think… or with duckdns config…
Got it. The problem is, as I already mentioned, you are requesting an https connection on port 8123 which is an http port… This will never work!
So you have to:
choose a port to access HA externally, let's say: 15200 (choose another one please for security reasons)
on your WAN router you have to map the external port 15200 to the lan ip node 192.168.1.59 with an internal port of 443 !!! (443 is the port you opened in NGinx parameters, if you choose another one, please update accordingly)
One additional piece of advice: never share your duckdns.org address in a post (no logonid, no password, no port, no DNS name, no key…)… So if you want to be secure looking forward: change quickly your duckdns name to something else (except if the one shared is not what you will use) and use another port than 15200 in my example… My two cents of the day.
I wanted to thank you for your efforts! I would have never thought.
For anyone else with the same issue… All of the documentation for duckdns, let’s encrypt advises that you have it send communications on port 8123 and the encryption worked. NGINX fixes other issues created. The key is that when sending communications from duckdns, you need to specify port 443. And of course in the router port forward external 443 to the HA Address, but specify it stays port 443.
It just goes to show, if you stare at the obvious too long, you will never find your way.
Thank you again
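Added example (not from the thread and not Home Assistant's own code): a simplified Python model of how the `trusted_proxies` and `trusted_networks` values in the posted configuration.yaml interact once NGINX sits in front of HA. The function names and the sample addresses (`172.30.33.2`, `203.0.113.7`, `198.51.100.9`, `192.168.2.40`) are constructed for illustration.

```python
import ipaddress

# Values copied from the configuration.yaml posted in the thread.
TRUSTED_PROXIES = ["172.30.33.0/24", "172.30.32.0/24"]
TRUSTED_NETWORKS = ["192.168.2.0/24", "127.0.0.1", "::1"]


def in_any(addr, networks):
    """True if addr falls inside any of the listed networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in networks)


def resolve_client_ip(peer, xff, use_x_forwarded_for=True):
    """Pick the address to treat as the client (hypothetical helper).

    peer is the TCP source address the backend sees; xff is the raw
    X-Forwarded-For header value or None.
    """
    if not use_x_forwarded_for or not xff:
        return peer
    # Only a listed proxy may speak for someone else; any other peer
    # could have written whatever it liked into the header.
    if not in_any(peer, TRUSTED_PROXIES):
        return peer
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    try:
        # Walk right to left: the rightmost entries were appended by our
        # own proxies, the first non-proxy address is the real client.
        for hop in reversed(hops):
            if not in_any(hop, TRUSTED_PROXIES):
                return str(ipaddress.ip_address(hop))
    except ValueError:
        return peer  # malformed header: fall back to the socket peer
    return hops[0] if hops else peer


def passwordless_login_allowed(peer, xff, use_x_forwarded_for=True):
    """Would the trusted_networks auth provider treat this client as local?"""
    client = resolve_client_ip(peer, xff, use_x_forwarded_for)
    return in_any(client, TRUSTED_NETWORKS)


if __name__ == "__main__":
    # Constructed requests: (socket peer, X-Forwarded-For header)
    for peer, xff in [("172.30.33.2", "203.0.113.7"),
                      ("172.30.33.2", "192.168.2.40"),
                      ("203.0.113.7", "192.168.2.40")]:
        print(peer, xff, "->", resolve_client_ip(peer, xff),
              passwordless_login_allowed(peer, xff))
```

The third sample request shows why the proxy list should stay as narrow as the add-on network: a header naming a LAN address is ignored when it arrives from a peer that is not a listed proxy.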