NGINX Home Assistant SSL proxy not working


I’ve installed the official NGINX Home Assistant SSL proxy addon and generated (self-signed) cert and key. I’ve configured it with the following config:

domain: effnet.local
hsts: max-age=64072000; includeSubDomains
certfile: fullchain.pem
keyfile: privkey.pem
cloudflare: false
  active: false
  default: nginx_proxy_default*.conf
  servers: nginx_proxy/*.conf

The proxy does start according to the log:

s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service fix-attrs successfully started
s6-rc: info: service legacy-cont-init: starting
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service legacy-services: starting
s6-rc: info: service legacy-services successfully started
[16:00:26] INFO: Running nginx...

When connecting to https over 443 the service is not responding. Also when checking with netstat -lntp the service is not listening (running):

netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0*               LISTEN      -
tcp        0      0    *               LISTEN      136/sshd -D -e [lis
tcp        0      0  *               LISTEN      446/ttyd
tcp        0      0 :::22                   :::*                    LISTEN      136/sshd -D -e [lis

How can I debug this?

In the configuration parameters of NGINX, you have to activate the port (in the “network” part of the configuration parameters)… Is it activated ? You do not show it in the configuration…

I don’t know why it does not show in the yaml, but it is configured here:

Is it insufficient?

This is right

then; how can I debug this? is there a more verbose log I could look at?

Not really. The customize option can be used to customize the nginx configuration used so you could try and add logging options you find in here. Haven’t tried it myself so I’m not sure what works and what doesn’t.

Where are you running this btw? Based on the ports being shown it seems like you might have installed the ssh addon, ssh’ed in and then ran it from there. If so that won’t tell you anything. All addons are docker containers including the ssh addon so you’re just seeing what ports are listening for that container, not what ports are listening on the host.

What do you actually see when you try to connect to HA via a browser? Is there anything in the HA logs?

oh, everything is a container. that explains why I don’t see it within the ssh session :sweat_smile:

Will check out the debug and also try to run bash from the docker to see inside it.

Thanks for all your help!

1 Like

As a reference if someone finds this on google. I had several problems. Here’s a couple you should check out:

  • “domain” in the nginx config is the FQDN (the whole name of your homeassistant box and not just your domain) this means not just “home.local” but “homeassistant.home.local” which resolves in your DNS server
  • reverse proxy within configuration.yaml is required (HTTP - Home Assistant). for me the docker network on my raspberry pi installation was “” (found with “ha network info”) so I created it like this:
  use_x_forwarded_for: true
1 Like

FYI, this part is mentioned specifically in the docs:

And you need to add the trusted_proxies section (requests from reverse proxies will be blocked if these options are not set).

  use_x_forwarded_for: true

That’s kind of what I figured it was honestly. Was why I was asking what was in your HA log as there’s a log entry when a proxied request gets denied this way. It may be in the docs but its still a common issue unfortunately.

Also you actually only need as that is the subnet all addons get assigned an IP from. The broader includes supervisor and its plugins which all have static IPs assigned by supervisor.

I guess I thought this was clear from the doc personally. But if you don’t feel free to suggest some language tweaks in a PR to here

Anyway glad it got sorted :+1: