I’ve been trying for hours to get NGINX working so I can get a secure connection to my Home Assistant server.
My setup is as follows:
Intel NUC with Proxmox running several VMs; all network traffic from the VMs is redirected to 192.168.1.x via a virtual network bridge inside Proxmox
one of the VMs is an Ubuntu Server running Home Assistant (installed via Python virtualenv); I forwarded port 8123 to 192.168.1.x and I’m able to reach Home Assistant via 192.168.1.x:8123
one of the VMs is an Ubuntu Server running NGINX; I forwarded ports 443 and 80 and I’m able to reach the NGINX start page via 192.168.1.246
I have a dynamic DNS from my ISP which translates my dynamic IP to xxx.internet-box.ch
I own the domain example.ch and pointed several CNAME entries to xxx.internet-box.ch, e.g. hass.example.ch, mqtt.example.ch etc.
created an SSL certificate for all the subdomains and the main domain with Let’s Encrypt
What I want to achieve is that when I go to hass.example.ch, it redirects me to the Home Assistant frontend.
I edited the file /etc/nginx/sites_enabled/default to look like this:
I can start the nginx service and get no errors. However, when I try to access hass.example.ch, I get the following error message in /var/log/nginx/error.log:
I read countless topics and tried different configurations for NGINX, but nothing seems to work; I always get the error message above. I don’t know what I’m doing wrong!
I guess @koying’s suggestion is correct. I don’t use HAOS or Supervised, but as far as I remember you should be able to get the IP address with something like
I didn’t edit trusted_proxy yet; I didn’t notice that in any setup guide for Nginx, so I guess I copied the default values… all connections do work flawlessly though, isn’t that odd?
And yes, my instance running the Nginx add-on has a fixed IP. Should I use that only, like 192.168.1.71? Or must it be the internal 172.30.32.0/24 format, and why not the mentioned 172.30.32.1 for that matter?
While you both are with me here, does it still make any sense to have the ip_ban enabled? I believe to have read that with Nginx we need to create a dedicated list for that too (since anything is originating from the Nginx address anyway now)?
EDIT
I followed your suggestion on the trusted_proxy, and now see this error spamming the homeassistant.log:
2021-07-19 22:54:31 ERROR (MainThread) [homeassistant.components.http.forwarded] Received X-Forwarded-For header from an untrusted proxy 172.30.33.7
Trusted proxy wasn’t “needed” until 2021.7.x, now it will give an error when it’s not configured.
It should be the docker IP, so 172.30.xxx.xxx. A single IP is enough, I’m however not sure whether this IP can change when the containers are rebuilt or if they stay the same, that’s why it’s suggested to use the CIDR 172.30.32.0/24 network to cover all the possible IP addresses in the range 172.30.32.0 - 172.30.32.255.
IP ban should still work as far as I remember, because when you set use_x_forwarded_for the original IP address will be forwarded to HA. But I’m not sure on this one.
Ah, this is an NGINX error; I somehow assumed it was a HA error.
Does everything work fine and you get the error only after startup? Could be that it’s because NGINX starts faster than HA. I also cannot really help, as I don’t understand the config of the NGINX add-on; I “only” have the standard config of NGINX and don’t know how this translates to the add-on config.
# map the client's Upgrade header to a Connection value (websocket support)
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

# redirect all traffic to https
server {
    listen 80;
    server_name *.yourdomain.com;
    return 301 https://$host$request_uri;
}

############### Home Assistant ####################
server {
    listen 443 ssl default_server;
    server_name ha.yourdomain.com;

    # enable subfolder method reverse proxy confs
    include /config/nginx/proxy-confs/*.subfolder.conf;

    # all ssl related config moved to ssl.conf
    include /config/nginx/ssl.conf;

    proxy_buffering off;

    location / {
        proxy_set_header Host $host;
        proxy_redirect http:// https://;
        # HTTP/1.1 plus the Upgrade/Connection headers are required for the HA websocket
        proxy_http_version 1.1;
        # pass the original client address on to HA; HA only honours it when
        # this proxy is listed in its trusted_proxies
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_pass http://ip-of-ha-instance:8123;
    }
}

# enable subdomain method reverse proxy confs
include /config/nginx/proxy-confs/*.subdomain.conf;

# enable proxy cache for auth
proxy_cache_path cache/ keys_zone=auth_cache:10m;
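To make the trusted_proxies / X-Forwarded-For behaviour discussed above concrete, here is an added, simplified model of how a proxied application resolves the real client address (example code, not Home Assistant's or the NGINX add-on's own implementation). It assumes the app sees the proxy container as its TCP peer, and the trusted list and sample addresses are constructed for the demonstration.

```python
import ipaddress
from typing import Iterable, Optional, Tuple

# Constructed sample trusted_proxies list: the docker range suggested in the
# reply above plus localhost. Stored as strings so callers can pass their own.
TRUSTED_PROXIES = ("172.30.32.0/24", "127.0.0.1/32")


def _is_trusted(ip: ipaddress._BaseAddress, trusted: Iterable[str]) -> bool:
    """True when ip falls inside any of the configured proxy networks."""
    return any(ip in ipaddress.ip_network(n, strict=False) for n in trusted)


def resolve_client_ip(peer: str, x_forwarded_for: Optional[str],
                      trusted: Iterable[str] = TRUSTED_PROXIES) -> Tuple[Optional[str], str]:
    """Decide which address to treat as the client (simplified model, not HA code).

    peer: the TCP peer the app sees (the proxy container when proxied).
    x_forwarded_for: the header value the proxy added, or None when absent.
    Returns (client_ip, reason); client_ip is None when the request must be rejected.
    """
    peer_ip = ipaddress.ip_address(peer)
    if x_forwarded_for is None:
        # No proxy in the path: the peer itself is the client (e.g. a LAN device).
        return str(peer_ip), "direct"
    if not _is_trusted(peer_ip, trusted):
        # Situation behind the log line above: a header arrived from a peer that is
        # not a configured proxy, so it cannot be believed and the request is refused.
        return None, f"untrusted proxy {peer_ip}"
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    # Walk the chain from the nearest hop outwards; skip our own proxies and take
    # the first address that is not one of them as the client. This is also the
    # address an IP-ban mechanism would record, not the proxy's address.
    for hop in reversed(hops):
        try:
            hop_ip = ipaddress.ip_address(hop)
        except ValueError:
            return None, f"malformed X-Forwarded-For entry {hop!r}"
        if _is_trusted(hop_ip, trusted):
            continue
        return str(hop_ip), "forwarded"
    return None, "X-Forwarded-For contained only trusted proxies"
```

Checked against the log line above: 172.30.33.7 lies outside 172.30.32.0/24, so with only that range configured the header is refused; adding a range that contains the proxy's actual address (for example 172.30.33.0/24) makes the same request resolve to the forwarded client.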
Exactly, that’s what’s happening.
Using HA OS here, so I have no access to that file you copied, I guess. If you don’t mind I’ll take this to the release topic, where a number of other issues were raised on trusted_proxies; maybe Frenck can chime in, as he authored the latest PR…
Startup of HA indeed.
I guess it makes a lot of sense what you say, but how can the Nginx add-on be up before HA would be? They are not fully separated containers, are they? (Given the fact we configure the add-on from within HA, I suppose I expected that Nginx always will see a completely started HA instance.)
Ok, thanks. That explains what is happening then.
Still, to have the Nginx log be of use and show only important events, I would love to prevent this from being logged. Other than adding it to the trusted_proxies, would you know of another way? I guess it should not only be trusted, but maybe even ignored (since there isn’t anything to be trusted yet in the situation at hand)?
I’ve also seen this being logged (in the HA log this time):
Login attempt or request with invalid authentication from fe80::1886:d980:2b88:46a6 (fe80::1886:d980:2b88:46a6). (Home Assistant/2021.8 (io.robbie.HomeAssistant; build:2021.208; macOS 11.4.0))
which I suppose is my HA Mac app, and can be trusted or ignored too. Where do I add this? In trusted_networks, or also in trusted_proxies?
(I don’t know of a way (a tool) to check these IPv6 addresses, and am a bit surprised, as my router is configured not to support IPv6 in the first place…)
Any reason this is suddenly logged? Is this Nginx originated? I’ve never seen these before. I did see the 192.168.1.1 before, so this would be the Nginx translation for those?