Nginx + duckdns + 2021/7 update

Hi all,

After some time surfing to find the solution I decided to post because I can’t see it clearly…
I have been using without problems the app in my phone by the external url: https://domain.duckdns.org and when at home with the internal url: http://raspberryip:8123 without any problem. It seems that the new update has included new changes and the external URL with this config doesn’t work anymore.
I haven’t used the HTTP part of the configuration.yaml before, with the trusted proxies and all that stuff…

Is this the way to get the external URL to work again?
How do I proceed to set it up properly?

Thank you very much for your help in advance :wink:.

Murray_

Yes, add your nginx ip to the suggested configuration in the breaking changes section of 2021.7

Thanks for your fast answer!
And how is it supposed to be written?
I’ve added this to my configuration yaml

http:
use_x_forwarded_for: true
trusted_proxies:
 - raspberry ip

I’ve tried other addresses but it doesn’t work…
I’m sure that it is easier than what I think…

Thank you again

Check your log, there will be errors with the ip that needs to be whitelisted

I’ve checked the config but I don’t see errors in the HASS log or other.
I’ve tried this config because Nginx is in my Raspi:

http:
use_x_forwarded_for: true
trusted_proxies:
 - 127.0.0.1
 - ::1

But it doesn’t work…
To connect from home I use Pc, phone (by the app) or tablet (by the app) with the internal address without problem.
When I try to access with the phone on 4G or an external PC, it says error and shows me the internal address, but it offers me to change the external one.

Before the update, those addresses (http for internal and https for external) worked like a charm but now I can’t find the mistake to use the external access again. :tired_face:

Can you show me the example of correct config in the yaml or the Internal/external modifications?

Thanks for your time :pray:

Murray_

Is that the correct IP of your nginx server?

In fact I don’t really know the address… I suppose that is the Raspi IP because I use NGINX Home Assistant SSL proxy.

A thing that I don’t understand is that when I try to connect in 4G by the phone app to my home assistant… It tells me unable to connect to http://internal-ip:8123 net::ERR_CONNECTION_RESET
But it gives me the options to configuration, External URL update or wait.

This is the way I have the config.
In the configuration yaml (trusted_proxies) I’ve tried multiple options found on the net and I tried to put the address of the Raspi (because Nginx is normally installed inside), but none of these actions works.
If I switch to WIFI → internal connection works great, but for the external I can’t solve it…

Thanks for your help!

Murray_

It’ll be listed in your logs

In fact I’ve tried everything and it is like HA doesn’t detect any external access, which is the reason why I don’t have a log with the Nginx IP, in my opinion.
I’ve tried to reinstall Nginx Home assistant SSL proxy and also tried the way by Nginx proxy manager with Maria DB. I can’t make it work.
The duckdns domain seems to be ok, but I admit that I’m totally lost in this config and can’t see the light at the end of the tunnel…
:exploding_head:

I have the same problem, I also added the following config that NGINX Add-on on the documentation page says to add:

3. And you need to add the trusted_proxies section (requests from reverse proxies will be blocked if these options are not set).

http:
use_x_forwarded_for: true
trusted_proxies:
 - 172.30.33.0/24

But no luck. When I try to access from outside I receive the following message: ERR_SSL_PROTOCOL_ERROR

I tried with curl -v https://url:port and the message is:

    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    * error:1408F10B:SSL routines:ssl3_get_record:wrong version number
    * Closing connection 0
    curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

I don’t know what else I can do, I tried reinstalling duckdns and nginx addon. I tried using Cloudflare and same error. This is so annoying, I hope we can fix this issue ASAP.

I found this link: Solved: Can't connect to external URL · Issue #52867 · home-assistant/core · GitHub
Thanks for your help!

1 Like

The new NGINX docs have the required information (you can go into your NGINX addon, “Documentation” tab.)

Assuming you added NGINX as a Home Assistant add-on, the trusted proxy in the NGINX docker container is 172.30.33.0/24

Basically put the following in your configuration.yaml

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24

@EzeCuervo Could it be the yaml indentation causing your issue? What you listed is what NGINX docs has, but the http integration in Home Assistant has indentation. I have indentation and it works for me.

2 Likes
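The two failure modes discussed in the replies above (keys not indented under http:, and a proxy address that is not covered by trusted_proxies), as an added example that is not part of the thread and is not Home Assistant's own code. It uses a minimal reader for the http: block only, a simplified allow/block model, and a constructed proxy address 172.30.33.2; the function names are hypothetical.

```python
import ipaddress

def read_http_block(config_text):
    """Read only the http: block of configuration.yaml (not a general YAML parser)."""
    settings = {"use_x_forwarded_for": False, "trusted_proxies": []}
    problems, in_http, current = [], False, None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        body = line.strip()
        if not body:
            continue
        if not line[0].isspace():                       # top-level key
            in_http, current = body == "http:", None
            key = body.split(":", 1)[0]
            if key in settings:
                problems.append(f"{key} is at top level; indent it under http:")
        elif in_http and not body.startswith("- "):     # key nested under http:
            current, _, value = body.partition(":")
            if current == "use_x_forwarded_for":
                settings[current] = value.strip().lower() == "true"
        elif in_http and current == "trusted_proxies":  # list item
            entry = body[2:].strip().strip("'\"")
            settings[current].append(ipaddress.ip_network(entry, strict=False))
    return settings, problems

def check_proxy(config_text, proxy_ip):
    """Verdict for a request forwarded by proxy_ip (simplified model, an assumption)."""
    settings, problems = read_http_block(config_text)
    if problems:
        return "misplaced: " + "; ".join(problems)
    if not settings["use_x_forwarded_for"]:
        return "blocked: use_x_forwarded_for is not enabled"
    addr = ipaddress.ip_address(proxy_ip)
    if not any(addr in net for net in settings["trusted_proxies"]):
        return f"blocked: {proxy_ip} is not in trusted_proxies"
    return "trusted"

# Constructed samples: the unindented form, the indented form, and a loopback-only list.
FLAT = "http:\nuse_x_forwarded_for: true\ntrusted_proxies:\n - 172.30.33.0/24\n"
NESTED = "http:\n  use_x_forwarded_for: true\n  trusted_proxies:\n    - 172.30.33.0/24\n"
LOOPBACK = "http:\n  use_x_forwarded_for: true\n  trusted_proxies:\n    - 127.0.0.1\n    - ::1\n"

if __name__ == "__main__":
    # 172.30.33.2 is a constructed address inside the add-on network named in the thread.
    for name, text in (("flat", FLAT), ("nested", NESTED), ("loopback", LOOPBACK)):
        print(name, "->", check_proxy(text, "172.30.33.2"))
```

Listing only the network the proxy really connects from keeps the set of hosts allowed to supply X-Forwarded-For as small as possible.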

Hi @Xelloss99, thanks for your reply!
I gave up with NGINX add-on but I believe what you suggested was the real problem.
Now, I re-tried using CloudFlare. I can access HA from outside, but when I’m logged in I receive this message: Unable to connect to Home Assistant.

I noticed this at web browser console:

core.821a37cc.js:1 WebSocket connection to ‘wss://xxxx/api/websocket’ failed:
a @ core.821a37cc.js:1

My setup is:
CloudFlare domain with Flexible https and Portzilla app that routes my domain to specific port →
My firewall forwards from specific port → internal_IP:8123 and that’s it.

In my configuration.yaml I specified all CF IP address ranges:

 http:
   use_x_forwarded_for: true
   trusted_proxies:
     - 172.30.33.0/24
     - 103.21.244.0/22
     - 103.22.200.0/22
     - 103.31.4.0/22
     - 104.16.0.0/13
     - 104.24.0.0/14
     - 108.162.192.0/18
     - 131.0.72.0/22
     - 141.101.64.0/18
     - 162.158.0.0/15
     - 172.64.0.0/13
     - 173.245.48.0/20
     - 188.114.96.0/20
     - 190.93.240.0/20
     - 197.234.240.0/22
     - 198.41.128.0/17

Internally I can browse HA with no issues via http://homeassistant.local:8123

Any idea?

1 Like

Hi all!

Following the thread I’ve changed the way to connect and I think that I’m near to the solution… I’ve abandoned the Nginx home assistant SSL proxy.
I’ve set up Nginx proxy manager with Maria DB. I have a proxy running and normally the ports to the internal HA ip opened but when I try to open the domain duckdns from the phone for example I land to the main page of the router instead inside HA…
Anyway, with the first trusted proxies line it seems that Nginx and Maria DB run without problem…
Where is the problem now? Why does it land on the router’s page?


Internal URL: http://192.168.1.26:8123 (home assistant runs ok in WIFI)
External URL: https://domain.duckdns.org (home assistant doesn’t work in phone app and in web browser lands to the router main page )

Thanks a lot again for your help.

Murray_

I resolved my problem using CloudFlare avoiding Portzilla. Just opened 80 port from my firewall and allowed just CF IP range list.

Can you try changing 80 port to another one (let’s say 8080) and try to access from outside https://domain.duckdns.org:8080?

Hi! Check that in the URL of the browser you are putting https://dominio.duckdns.org if you have SSL activated; it is what was happening to me. As the browser hides what is in front of the domain.duckdns.org, I did not see that it was trying to enter http://domain.duckdns.org.
Hope this can help you

Thanks for all your answers!

I finally solved it but I don’t really know how… I’ve renewed one more time the ssl certificate in Nginx proxy manager and reclosed/reopened the ports 443, 80 and 8123 and like this it works. I’m not sure that 8123 is really needed, but with this config it works properly inside and outside. I don’t use cloudflare. I only use Maria DB, Duckdns and Nginx proxy manager.

I’ve also added ::1 to the list of trusted_proxies.

Thanks again to all for your help :wink:

I have this same issue.
The add on documentation is not clear at all. I entered both the default ip and the pi IP for trusted_proxies, and none of them work and the logs do not error out at all.
Also, do we still need port forwarding? The addon set up on github does not mention that at all.

Thanks!!

log below, same regardless of the ip I put for trusted_proxies

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] done.
[services.d] starting services
[services.d] done.
[22:18:38] INFO: Running nginx...

Yes I did, but still same log errors

EDIT:
I found the issue!! This is for NGINX Home Assistant SSL proxy add-on

This is what you need.

  • default add-on configurations. just add your duckdns url

  • Add the http settings they have on their github, just like it is posted.

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24

  • Configure port forwarding 443 port of your pi, to 443 external port

  • And the most important step, not mentioned anywhere… you need to install the MariaDB add-on and make sure it runs fine; before starting MariaDB, make sure you change the null password value. Please ignore this bullet. Thanks. - Petro

Thanks all. that will work!