NGINX Home Assistant SSL proxy not working

Hi,

I’ve installed the official NGINX Home Assistant SSL proxy addon and generated (self-signed) cert and key. I’ve configured it with the following config:

domain: effnet.local
hsts: max-age=64072000; includeSubDomains
certfile: fullchain.pem
keyfile: privkey.pem
cloudflare: false
customize:
  active: false
  default: nginx_proxy_default*.conf
  servers: nginx_proxy/*.conf

The proxy does start according to the log:

s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service fix-attrs successfully started
s6-rc: info: service legacy-cont-init: starting
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service legacy-services: starting
s6-rc: info: service legacy-services successfully started
[16:00:26] INFO: Running nginx...

When connecting to https over 443 the service is not responding. Also when checking with netstat -lntp the service is not listening (running):

netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.11:38065        0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      136/sshd -D -e [lis
tcp        0      0 0.0.0.0:8099            0.0.0.0:*               LISTEN      446/ttyd
tcp        0      0 :::22                   :::*                    LISTEN      136/sshd -D -e [lis

How can I debug this?

In the configuration parameters of NGINX, you have to activate the port (in the “network” part of the configuration parameters)… Is it activated? You do not show it in the configuration…

I don’t know why it does not show in the yaml, but it is configured here:

Is it insufficient?

This is right

Okay.
Then, how can I debug this? Is there a more verbose log I could look at?

Not really. The customize option can be used to customize the nginx configuration used so you could try and add logging options you find in here. Haven’t tried it myself so I’m not sure what works and what doesn’t.

Where are you running this btw? Based on the ports being shown it seems like you might have installed the ssh addon, ssh’ed in and then run it from there. If so, that won’t tell you anything. All addons are Docker containers, including the ssh addon, so you’re just seeing what ports are listening for that container, not what ports are listening on the host.

What do you actually see when you try to connect to HA via a browser? Is there anything in the HA logs?

Oh, everything is a container. That explains why I don’t see it within the ssh session :sweat_smile:

Will check out the debug and also try to run bash from the docker to see inside it.

Thanks for all your help!


As a reference if someone finds this on google. I had several problems. Here’s a couple you should check out:

  • “domain” in the nginx config is the FQDN (the whole name of your homeassistant box and not just your domain). This means not just “home.local” but “homeassistant.home.local”, which resolves in your DNS server.
  • Reverse proxy within configuration.yaml is required (HTTP - Home Assistant). For me the Docker network on my raspberry pi installation was “172.30.32.0/23” (found with “ha network info”), so I created it like this:
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.32.0/23

FYI, this part is mentioned specifically in the docs:

And you need to add the trusted_proxies section (requests from reverse proxies will be blocked if these options are not set).

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24

That’s kind of what I figured it was honestly. That was why I was asking what was in your HA log, as there’s a log entry when a proxied request gets denied this way. It may be in the docs but it’s still a common issue unfortunately.

Also you actually only need 172.30.33.0/24 as that is the subnet all addons get assigned an IP from. The broader 172.30.32.0/23 includes supervisor and its plugins which all have static IPs assigned by supervisor.

I guess I thought this was clear from the doc personally. But if you don’t, feel free to suggest some language tweaks in a PR to here

Anyway glad it got sorted :+1:
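To show why the trusted_proxies subnet in the replies above matters, here is an added Python example (not Home Assistant's own code) that emulates the decision a reverse-proxy-aware server makes: a forwarded request is only honoured when the peer that delivered it sits inside a trusted subnet, otherwise it is refused. The function name and the rule of taking the leftmost X-Forwarded-For address are this example's assumptions.

```python
import ipaddress
from typing import Iterable, Optional, Tuple

# Subnets named in the thread: the add-on subnet (/24) and the
# broader supervisor network (/23) that also contains supervisor plugins.
ADDON_SUBNET = "172.30.33.0/24"
SUPERVISOR_NETWORK = "172.30.32.0/23"


def resolve_client_ip(peer_ip: str,
                      x_forwarded_for: Optional[str],
                      trusted_proxies: Iterable[str]) -> Tuple[bool, str]:
    """Decide whether a request may be accepted and which IP counts as the client.

    Returns (accepted, effective_client_ip).
    - No X-Forwarded-For header: a direct connection, the peer is the client.
    - X-Forwarded-For present but the peer is not a trusted proxy: refuse,
      mirroring HA blocking proxied requests when trusted_proxies is unset.
    - X-Forwarded-For present from a trusted proxy: the leftmost address is
      the client (this example's assumption; only trust it behind one proxy).
    """
    peer = ipaddress.ip_address(peer_ip)
    trusted = [ipaddress.ip_network(net, strict=False) for net in trusted_proxies]
    peer_is_trusted = any(peer in net for net in trusted)

    if x_forwarded_for is None:
        return True, str(peer)
    if not peer_is_trusted:
        # A forwarded header from an untrusted source could be spoofed to
        # claim any client address, so the request is rejected outright.
        return False, str(peer)

    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    try:
        client = ipaddress.ip_address(hops[0])
    except (IndexError, ValueError):
        # Malformed header from a trusted proxy: refuse rather than guess.
        return False, str(peer)
    return True, str(client)


if __name__ == "__main__":
    # Constructed sample: the NGINX add-on (in 172.30.33.0/24) forwards a LAN client.
    print(resolve_client_ip("172.30.33.4", "192.168.1.10", [ADDON_SUBNET]))
    # Same request with trusted_proxies unset is refused.
    print(resolve_client_ip("172.30.33.4", "192.168.1.10", []))
```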