Nginx Problem multiple sub domains solved (I hope)

After two weeks of fighting with nginx I think I have it fixed.

My environment is as follows.

  1. Home Assistant Server (no encryption on the in-house lan) port 8123
  2. Octoprint server for monitoring 3d printer port 80
  3. nginx server for nginx (I like separating things, and RPi's are cheap).

Cisco/Linksys router:
port 443 forwarded to my nginx server port 443
port 80 forwarded to my nginx server port 80.

Requirement:

  1. get to my HA environment while away from home securely.
  2. get to my octoprint environment while away from home securely.
  3. do 1 and 2 using one external IP address
  4. future requirement be able to get to all my hosts via ssh remotely (4 hosts, same port on each, still 1 external ip address).

Solution: Nginx

I had initial success installing Nginx and getting my octoprint visible externally on port 80 pretty easily. It was a little harder getting HA visible because I wanted it secure, so I needed the SSL certificates from Let's Encrypt. I started out trying self-signed certificates and, looking back, those probably would have worked, but after fighting with it for a weekend, I decided over the week at work to just give in and do it the way everyone else was and use Let's Encrypt for my SSL certs. Let's Encrypt was very easy to set up and I won't go into the instructions here.

This got HA visible externally and now works.

Problem.
No matter what I typed in for a subdomain on my ipad, I got my octoprint server. So using everyone’s favorite domain as an example, example.com gave me octoprint. dog.example.com gave me octoprint and octoprint.example.com gave me octoprint. I only wanted one of them to work.

Solution is to set up a catch-all server under nginx. Something along the lines of this worked for me.

    server {
        listen 80 default_server;   # handles any request no other server block claims
        server_name _;              # "_" never matches a real host name
        return 444;                 # nginx-specific: close the connection without a response
    }

The server_name of "_" is a catch-all for any name that doesn't match another server name more specifically. So since in another server block I was looking for a server_name of octop.example.com and redirecting it to my octoprint server, I was able to get to my octoprint server using that URL, and any other variation of the example.com URL failed. In this case failure was good.

I tried the same thing for my HA server using port 443, but that didn't work. I tried it without and with my certificates, and in both cases I still got to my HA server using anything resembling https://HA.example.com. Let's just say that many hours and many web pages were spent/visited before I found the answer.

The server block for the catch-all for the SSL port has to have its own cert with a bogus URL. The example page I saw suggested using a * for the URL when creating the cert; they also suggested using a self-signed cert for this one. I guess there isn't any sense paying for a CA cert if you can just build one for free.

That little post made all the difference and now my install works correctly.

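As an added example (not the poster's own files, and written for a hypothetical setup), the shell script below does the two things the post describes: it generates the bogus self-signed certificate that the port 443 catch-all needs, and it writes a vhost file with a default_server block on each port next to the real OctoPrint and HA server blocks. The host names (octop.example.com, ha.example.com), the backend addresses (192.168.1.10:8123 and 192.168.1.11:80), the /etc/letsencrypt/live/ path and the staging directory are all assumptions.

```shell
#!/bin/sh
# Added example, not the original poster's configuration: stages the
# two-port catch-all layout from the post plus the self-signed cert the
# 443 catch-all needs.
# Assumptions (all hypothetical): nginx runs on this host, Let's Encrypt
# certs for ha.example.com live under /etc/letsencrypt/live/, Home
# Assistant listens on 192.168.1.10:8123, OctoPrint on 192.168.1.11:80.
set -eu

OUT_DIR="${OUT_DIR:-./nginx-catchall}"   # staging dir; copy into /etc/nginx afterwards

# Self-signed cert with CN "*" for the 443 catch-all. Nobody is meant to
# trust it; it only lets nginx finish a TLS handshake for an unmatched
# name and then close the connection instead of falling back to the HA
# block's certificate and site.
make_bogus_cert() {
    mkdir -p "$OUT_DIR/bogus"
    openssl req -x509 -nodes -newkey rsa:2048 -days 3650 -subj "/CN=*" \
        -keyout "$OUT_DIR/bogus/privkey.pem" \
        -out "$OUT_DIR/bogus/fullchain.pem" 2>/dev/null
}

# Writes the vhost file and prints its path.
write_config() {
    mkdir -p "$OUT_DIR"
    cat > "$OUT_DIR/reverse-proxy.conf" <<'EOF'
# Port 80: only the OctoPrint name is proxied; every other Host is dropped.
server {
    listen 80 default_server;
    server_name _;
    return 444;                      # close without sending a response
}

server {
    listen 80;
    server_name octop.example.com;
    location / {
        proxy_pass http://192.168.1.11:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# Port 443: the catch-all carries its own throwaway certificate. Without
# one, nginx uses the first ssl server block (HA) for every unmatched name.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/nginx/bogus/fullchain.pem;
    ssl_certificate_key /etc/nginx/bogus/privkey.pem;
    return 444;
}

server {
    listen 443 ssl;
    server_name ha.example.com;
    ssl_certificate     /etc/letsencrypt/live/ha.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ha.example.com/privkey.pem;
    location / {
        proxy_pass http://192.168.1.10:8123;
        proxy_http_version 1.1;                    # websockets for the HA frontend
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
EOF
    printf '%s\n' "$OUT_DIR/reverse-proxy.conf"
}

# Number of catch-all listeners in a written config (2 when both ports are covered).
count_catchalls() {
    grep -c 'default_server;' "$1"
}

if [ "${1:-}" = "run" ]; then        # usage: ./catchall.sh run
    make_bogus_cert
    write_config
fi
```

Copy the bogus key pair to /etc/nginx/bogus/ and the vhost file into the nginx conf directory, then run `nginx -t` before reloading so a typo does not take both sites down. On nginx 1.19.4 or newer, `ssl_reject_handshake on;` in the 443 catch-all does the same job without any certificate at all. Because the HA block forwards `X-Forwarded-For`, Home Assistant's `http:` section needs `use_x_forwarded_for: true` with the proxy's address in `trusted_proxies`, otherwise HA sees every remote login as coming from the nginx host.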

I’ve been tagging your NGINX posts. They’re a valuable resource and I appreciate you sharing them.