Nginx docker IP not a trusted proxy to HA

If you put all the containers in the same bridge network, then you can access them by name rather than by IP address. So with this docker-compose, HA references MQTT using “mqtt” as the host name and “zwave” as the zwave host name. Also I’d recommend specifying specific versions of container images, so that an upgrade is a decision you make by changing the version rather than something that just happens when you rebuild your docker. You can put all these constants in a .env file, so that’s the one place you go to change versions, subnets, etc.

version: '3'

networks:
  local_network:
    ipam:
      driver: default
      config:
        - subnet: ${SUBNET}.0/24

services:
  ha:
    container_name: ha
    image: homeassistant/home-assistant:${HA_VERSION}
    volumes:
      - ${DOCKER_FOLDER}/${HA_FOLDER}/config:/config
      - /etc/localtime:/etc/localtime:ro
    restart: unless-stopped
    environment:
      PROXY_IP: ${SUBNET}.1
      TZ: America/New_York
    networks: 
      local_network:
        ipv4_address: ${SUBNET}.2
    depends_on:        
      - zwave
      - mariadb
    ports:
      - 8123:8123
      - 1400:1400
      - 1401:1401
  zwave:
    container_name: zwave
    image: zwavejs/zwave-js-ui:${ZWAVE_VERSION}
    volumes:
      - ${DOCKER_FOLDER}/${ZWAVE_FOLDER}:/usr/src/app/store
      - /etc/localtime:/etc/localtime:ro
    devices:
      - /dev/ttyACM0:/dev/ttyACM0
    restart: unless-stopped
    environment:
      TZ: America/New_York
    networks: 
      local_network:
        ipv4_address: ${SUBNET}.3
    ports:
      - 3000:3000
      - 8091:8091
  mqtt:
    container_name: mqtt
    image: eclipse-mosquitto:${MQTT_VERSION}
    # chown 1883:1883
    volumes:
      - ${DOCKER_FOLDER}/${MQTT_FOLDER}/config:/mosquitto/config
      - ${DOCKER_FOLDER}/${MQTT_FOLDER}/log:/mosquitto/log
      - ${DOCKER_FOLDER}/${MQTT_FOLDER}/data:/mosquitto/data
    restart: unless-stopped
    user: "1883:1883"
    environment:
      TZ: America/New_York
    networks: 
      local_network:
        ipv4_address: ${SUBNET}.6
    ports:
      - 1883:1883
      - 9001:9001
  mariadb:
    container_name: mariadb_ha
    image: mariadb:10.11.2
    volumes:
      - ${DOCKER_LOCAL_FOLDER}/${MARIADB_FOLDER}:/var/lib/mysql
      - ${DOCKER_LOCAL_FOLDER}/mariadb_conf:/etc/mysql/conf.d
      - /etc/localtime:/etc/localtime:ro
    restart: unless-stopped
    environment:
      MARIADB_ROOT_PASSWORD: ${MARIADB_PWD}
      MARIADB_MYSQL_LOCALHOST_USER: "yes"
      MARIADB_MYSQL_LOCALHOST_GRANTS: "yes"
      MARIADB_AUTO_UPGRADE: "yes"
      MARIADB_DISABLE_UPGRADE_BACKUP: "yes"
      TZ: America/New_York
      PUID: 1037
      PGID: 100
    networks: 
      local_network:
        ipv4_address: ${SUBNET}.4
    ports:
      - 3316:3306
  phpmyadmin:
    container_name: phpmyadmin
    image: phpmyadmin:5.2.1
    restart: unless-stopped
    environment:
      - PMA_HOST=mariadb_ha
    hostname: phpmyadmin
    domainname: phpmyadmin.st.home.arpa
    networks: 
      local_network:
        ipv4_address: ${SUBNET}.5
    ports:
      - 8088:80
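The compose file hands HA the bridge gateway address as PROXY_IP but the thread never shows where it is consumed. The following configuration.yaml excerpt is an added example, not from the thread, of using it with Home Assistant's `!env_var` YAML tag so that trusted_proxies names exactly the address nginx on the host connects from, rather than the whole ${SUBNET}.0/24 bridge:

```yaml
# configuration.yaml excerpt (added example, not posted in the thread)
# PROXY_IP is the environment variable the compose file sets to ${SUBNET}.1,
# the bridge gateway, which is the source address a reverse proxy running
# on the Docker host arrives from when it connects into the bridge.
http:
  use_x_forwarded_for: true
  # Trust only the proxy's own address. Listing the whole bridge subnet
  # would let any other container on it forge X-Forwarded-For and appear
  # as an arbitrary client IP to HA's login throttling and ip_ban logic.
  trusted_proxies:
    - !env_var PROXY_IP
```

If the 400 errors persist after a restart, the HA log names the rejected source address; that is the value PROXY_IP has to match.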

A display of rather impressive Docker skill, but I don’t see where you are referring to dockers by name rather than IP… can you post just the salient lines please?

Shell into one of your docker containers and try to ping by name; you will see it resolves to an IP address, as Docker runs its own DNS for you.

Here is how I have MQTT in HA configured. It just uses the host name mqtt, which the Docker DNS resolves to the appropriate container IP.

I usually point these to direct IP addresses rather than relying on mDNS. You can use the IP address of the host (i.e., your 192.168.x.x) there. I have reserved this IP (eth0 from my host) on my router, so this remains constant.

Ah, you mean use the container name in the host config. I thought you were talking about using names inside containers to reference IPs in other containers.

What does mDNS do that DNS doesn’t, btw?

I’m not sure I understand your question. You do not need a hosts file with host names and IP addresses. Anywhere in the application configuration that requires a host name you can use the container name and Docker DNS will resolve it to the IP address, or you can just use the IP address.

mDNS is a local discovery protocol for finding stuff like printers, music players, etc. It only works on a LAN segment and does not work across routers. When using a Docker bridge network, there is the equivalent of a router running between the bridge and your host network. So, for example, the HA Sonos integration does not discover stuff when running in a bridge network, and hence you need to configure the IP addresses of those devices…

I’m not sure I understand your response.
Never mind.
Soberingly, another topic I don’t understand and need to learn 🫠

This post is gold and extremely helpful.

Before, I was getting 400 (Bad Request) and 502 errors, all caused by hosting Home Assistant and Nginx on the same device.

A few points to add:

  1. Using the docker networks will disable “network_mode: host” for Home Assistant.
  2. Disabling host networking will break network discovery on Home Assistant.

I couldn’t poke enough port holes in the container to overcome the problems without network discovery, so ultimately I had to migrate from the nginx and certbot containers to SWAG.


Macvlan solves this.
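The two points above (a bridge network sits behind a NAT-like hop so mDNS/SSDP discovery never reaches HA, and macvlan fixes that) can be combined with the compose file from the first post. The excerpt below is an added example, not from the thread: it keeps the bridge for container-to-container traffic and gives HA a second interface directly on the LAN. The interface name, LAN subnet and addresses are assumptions.

```yaml
# docker-compose.yml excerpt (added example, not posted in the thread).
# HA keeps its bridge address so it still reaches mqtt/zwave/mariadb by
# name, and additionally gets a real L2 presence on the LAN via macvlan so
# multicast discovery (Sonos etc.) works without network_mode: host.
networks:
  local_network:                       # the bridge from the first post
    ipam:
      driver: default
      config:
        - subnet: ${SUBNET}.0/24
  lan:
    driver: macvlan
    driver_opts:
      parent: eth0                     # host NIC on the LAN (assumption)
    ipam:
      config:
        - subnet: 192.168.1.0/24       # your LAN (assumption)
          gateway: 192.168.1.1         # your router (assumption)
          ip_range: 192.168.1.240/28   # keep this outside the router's DHCP pool

services:
  ha:
    # ... image, volumes, environment as in the first post ...
    networks:
      local_network:
        ipv4_address: ${SUBNET}.2      # unchanged: reverse proxy target
      lan:
        ipv4_address: 192.168.1.241    # fixed LAN address for HA (assumption)
    # No "ports:" entry is needed for the lan interface; HA is reachable
    # on 192.168.1.241:8123 directly, so only publish what you still want
    # exposed on the host's own address.
```

The Docker host itself cannot reach a macvlan address of its own containers, so nginx on the host should keep proxying to ${SUBNET}.2 over the bridge, and PROXY_IP stays ${SUBNET}.1.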