NGINX Home Assistant SSL Proxy setup

Hi,

Is there an explanation of how to troubleshoot the NGINX Home Assistant SSL Proxy?

I'm running HA OS 7.5 with the Let's Encrypt and NGINX add-ons installed.

I can't seem to get it to proxy incoming 80 or 443 traffic to the HA instance on 8123.

My HA works internally over 8123 (on http, no encryption) - I just want to enable remote access over SSL.

My configuration.yaml includes…

http:
  ip_ban_enabled: true
  login_attempts_threshold: 5
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1
    - ::1
    - 172.16.0.0/12
    - 192.168.0.0/16

and the NGINX add-on config:

certfile: fullchain.pem
cloudflare: false
customize:
  active: false
  default: nginx_proxy_default*.conf
  servers: nginx_proxy/*.conf
domain: mydomain
hsts: max-age=31536000; includeSubDomains
keyfile: privkey.pem

NGINX logs only show…
[s6-init] making user provided files available at /var/run/s6/etc…exited 0.
[s6-init] ensuring user provided files have correct perms…exited 0.
[fix-attrs.d] applying ownership & permissions fixes…
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts…
[cont-init.d] done.
[services.d] starting services
[services.d] done.
[13:26:05] INFO: Running nginx…

The most obvious question is did you open port 443 on your router and direct it to your home assistant machine?

1 Like

Hi.
So I have a domain name registered on cloudflare DNS.
My router updates cloudflare to proxy the traffic to my public IP.
My router forwards 443 to the HA server running nginx proxy ssl.
Nginx proxy ssl is listening on 443 and 80 and forwarding to home assistant on 8123 (no ssl).

I can't figure out how to check what nginx proxy ssl is actually doing. Logs don't seem very verbose.

Here is my basic Home Assistant and home network configuration. I am currently running HA 2022.3.8 on Home Assistant OS 7.6. Hope this helps you and anyone else having similar issues.

configuration.yaml:

In configuration.yaml, you need to configure http to enable SSL, NGINX proxy routing, and trusted proxies. In my example, 10.10.70.60 is my Home Assistant internal IP address. Change your IP address accordingly. 172.16.0.0/12 is Docker’s container network subnet. 127.0.0.1 is Home Assistant’s loopback network interface.

letsencrypt configuration:

In order to use NGINX reverse proxy on port 80 to access your HA instance, you must acquire Letsencrypt certs using DNS challenge instead of HTTP challenge. Change the Network port to something besides port 80. I chose 8088 at random. It really doesn’t matter since I won’t be using the HTTP challenge anyway.

nginx configuration:

I override port 443 to 18123. You can use whatever port you want so long as your firewall reflects it in port forwarding. Using a port other than 443 may help with any firewall issues since some ISPs do not allow you to connect to port 443. Enable port 80 on NGINX to allow you to connect to Home Assistant using the Home Assistant's internal IP address. Example: http://10.10.70.60:8123

pfsense firewall NAT routing:

Nothing special here. Just port forwarding network ports so my phone or other device from outside the home network can connect with Home Assistant.

pfsense DNS Resolver Host Override:

Optional but handy: I use DNS host override to direct internal network devices (home computer, phone while on your home network etc.) towards the Home Assistant internal IP address. The benefit of this is two-fold. It avoids hair-pinning your home network routing from external WAN to internal LAN, and it allows you to use one domain name for both internal and external networks. In order for this to work, my computer or phone must point their DNS settings to use pfSense's DNS resolver. Using Google's DNS servers (8.8.8.8, 8.8.4.4) or any other third party DNS service will not work.

If all goes well, you should be able to pull up Home Assistant using your domain name or by IP address.

Over http:

Notice I’m on port 8123 when connecting to the IP address directly without https.

Over https:

And now connecting to Home Assistant using my domain name over HTTPS. Notice I am connected on port 18123.

Mobile Home Assistant app:

If your setup is implemented correctly, internal and external connections over the same domain will act transparently. You won't need to use the internal IP address under 'Internal Connection URL' although you can if you are unable to implement DNS host override.

5 Likes

The one thing I don't see here, maybe I'm missing it.

But your router should be port forwarding 80 and 443 to the NPM internal address. It reads as if you are forwarding with NAT from 80 → 8123 or 443 → 8123, which is wrong.

Your router needs to forward to NPM, not to home assistant.

If NPM is the HA add-on, then it’s your HA internal address, but router 80 → haip:80 and router 443 → haip:443

You shouldn’t need to open port 8123 at all.

1 Like

What exactly are trusted proxies and what ip should I write there?

@MartinG
NPM doesn’t start with a static address in the docker network. So it’s easier to just add the docker network space for trusted proxy.

In configuration.yaml

1 Like

what exactly is a docker network space?

The last line in Brad’s screen cap.

I understand that. But what exactly does this IP address mean? What is this /24?
Why this in particular and not something like 192.168.1.50?

1 Like

The '/24' indicates the nature of the IP addresses in your network (technically it refers to the size of the subnet mask). (See Subnet Cheat Sheet – 24 Subnet Mask, 30, 26, 27, 29, and other IP Address CIDR Network References (freecodecamp.org) for information on this.)
The IP address used is one of the non-routing addresses that are defined for IPv4 - also called private addresses. Just like the 192.168.x.x or 10.x.x.x addresses, addresses in the range 176.16.0.0 to 176.31.255.255 will not be sent out of your router to the internet - and if for some strange reason they are, none of the internet routers will forward them on anywhere. Private network - Wikipedia explains this.
Actually putting those two things together means that the address above should probably be 172.300.33.0/12 to get the full range, but the /24 means that Brad is deliberately limiting the range of addresses on that subnet.
Susan

1 Like
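To make the trusted_proxies discussion concrete (the `http:` block posted at the top of the thread, Brad's point that the add-on proxy has no fixed address inside the Docker network, and Susan's explanation of what /24 and /12 mean), here is an added example written for this thread. It is not Home Assistant's own code: the forwarding rule it models is a simplified assumption (the X-Forwarded-For header is honoured only when the connecting peer is inside trusted_proxies, and the chain is read from the right, skipping further trusted proxies), and the client and proxy addresses in it are constructed sample values. Everything uses only the Python standard library.

```python
"""Model of how trusted_proxies / use_x_forwarded_for decide which address a
request is attributed to, plus the CIDR arithmetic behind '/24' vs '/12'.

Added example for this thread, not Home Assistant's own implementation.
"""
from ipaddress import ip_address, ip_network

# Constructed input: the trusted_proxies list from the configuration.yaml
# posted at the top of the thread.
TRUSTED_PROXIES = ["127.0.0.1", "::1", "172.16.0.0/12", "192.168.0.0/16"]


def parse_trusted_proxies(entries):
    """Turn the YAML list entries into networks; a bare address becomes a /32 (or /128)."""
    return [ip_network(entry, strict=False) for entry in entries]


def is_trusted_proxy(addr, networks):
    """True when addr falls inside any configured trusted network."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return False  # an unparsable header value is never trusted
    return any(ip in net for net in networks)


def client_ip(remote_addr, x_forwarded_for, trusted_proxies, use_x_forwarded_for=True):
    """Address the application should treat as the client.

    Simplified rule (assumption): X-Forwarded-For only counts when the TCP peer
    (the proxy) is trusted; the chain is walked from the right, skipping further
    trusted proxies, so the first untrusted hop is the real client.
    """
    networks = parse_trusted_proxies(trusted_proxies)
    if not use_x_forwarded_for or not x_forwarded_for:
        return remote_addr
    if not is_trusted_proxy(remote_addr, networks):
        # Header came from something that is not our proxy: ignore it. Honouring it
        # would let any direct client forge its address and sidestep ip_ban_enabled.
        return remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted_proxy(hop, networks):
            return hop
    return hops[0]  # every listed hop is a proxy; fall back to the leftmost entry


def config_warnings(trusted_proxies, use_x_forwarded_for=True):
    """Sanity checks on the http: block; returns a list of human-readable findings."""
    findings = []
    if use_x_forwarded_for and not trusted_proxies:
        findings.append("use_x_forwarded_for is on but trusted_proxies is empty")
    for entry in trusted_proxies:
        if ip_network(entry, strict=False).prefixlen == 0:
            findings.append(f"{entry} trusts every address; forwarded headers can be forged")
    return findings


def network_facts(cidr):
    """Size and bounds of a CIDR block: the arithmetic behind '/24' and '/12'."""
    net = ip_network(cidr, strict=False)
    return {
        "network": str(net.network_address),
        "prefixlen": net.prefixlen,
        "addresses": net.num_addresses,
        "last": str(net.broadcast_address),
    }


if __name__ == "__main__":
    # Proxy inside 172.16.0.0/12 forwards a constructed public client address.
    print(client_ip("172.30.33.5", "203.0.113.7", TRUSTED_PROXIES))        # 203.0.113.7
    # Header sent directly by an untrusted peer is ignored.
    print(client_ip("203.0.113.9", "10.0.0.1", TRUSTED_PROXIES))           # 203.0.113.9
    # A /24 covers one Docker subnet; the /12 covers the whole private block.
    print(network_facts("172.30.33.0/24")["addresses"])                     # 256
    print(network_facts("172.16.0.0/12")["last"])                           # 172.31.255.255
    print(config_warnings(["0.0.0.0/0"]))
```

The `network_facts` output is the answer to the /24 question: a /24 such as 172.30.33.0/24 is 256 addresses, while 172.16.0.0/12 spans 172.16.0.0 through 172.31.255.255, which is why the wider entry works regardless of which subnet Docker hands the add-on. `config_warnings` flags the opposite mistake, a catch-all entry that would let any client forge the forwarded address.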

My routing on pfSense forwards port 18123 to Home Assistant (also on port 18123 remapped via Nginx Home Assistant SSL proxy). Port(s) 80 & 443 are not open on my firewall’s ingress traffic.

My whole setup was basically created to provide a seamless transition on my phone without having the HA app switch from an external network mapping to internal mapping. Unbound DNS resolver handles the host override on my local area network to redirect the Home Assistant FQDN from a normally external WAN IP to the HA local IP address once my phone connects to the local network.

I know this setup appears a bit unusual and convoluted, but it works.

@zskwrel I do that on my phone by just leaving internal blank in the app - so only external URL is filled out.

From there, then it is DNS based. When I’m outside my network public DNS is in effect, when I’m inside my network, private DNS is in effect (AdGuard) by using rewrites so you don’t loop outside your local network just to come back in.

Great write-up, helped a lot :slight_smile: Did the same with pihole static DNS, cheers!

1 Like