NGINX Proxy and WS

tormjens · January 3, 2018, 5:30pm

Hi,

I’ve been tinkering with the NGINX/SSL addon for Hass.io, and I’m almost there. I still need local access to my install via the hassio.local address (because the router provided by my ISP is stupid), so was hoping I wouldn’t need to change the base URL of my install.

I can visit my install fine at https://myinstall.duckdns.org, but whenever I try to log in Chrome says it is unable to connect to the wss:// address.

WebSocket connection to 'wss://myinstall.duckdns.org/api/websocket?latest' failed: Error in connection establishment: net::ERR_NOT_IMPLEMENTED

I’m stuck, so I’m asking for any pointers as to how I can resolve this.

Best,
Tor

tormjens · January 5, 2018, 11:03am

Anyone? This is really bugging me.

macjob · January 5, 2018, 12:14pm

Are you sure you have the required configuration in nginx to enable WSS, from memory it is:

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

Cheers
Andy

tormjens · January 5, 2018, 1:10pm

As I am using Hass.io’s NGINX Proxy Add-on, I’m unsure as to how much modifications I can do, but seeing in the Github-repo, these are present in that config.

daemon off;
error_log stderr;
pid /var/run/nginx.pid;

events {
	worker_connections 1024;
}

http {
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    server {
        server_name _;
        listen [::]:80 default_server ipv6only=off;
        listen [::]:443 ssl http2 default_server ipv6only=off;
        ssl_certificate /data/ssl-cert-snakeoil.pem;
        ssl_certificate_key /data/ssl-cert-snakeoil.key;
        return 444;
    }

    server {
        server_name %%DOMAIN%%;

        # These shouldn't need to be changed
        listen [::]:80;
        return 301 https://$host$request_uri;
    }

    server {
        server_name %%DOMAIN%%;

        ssl_certificate /ssl/%%FULLCHAIN%%;
        ssl_certificate_key /ssl/%%PRIVKEY%%;

        # dhparams file
        ssl_dhparam /data/dhparams.pem;

        listen [::]:443 http2;
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
        ssl on;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;

        proxy_buffering off;

        location / {
            proxy_pass http://homeassistant:8123;
            proxy_set_header Host $host;
            proxy_redirect http:// https://;
            proxy_http_version 1.1;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
        }
    }
}

macjob · January 5, 2018, 1:22pm

ok, I don’t use Hass.io so not too familiar with that.

Another suggestion would be to run a SSL check to make sure that all good on the ssl configuration, ssl labs have a test on their website.

Are you getting the same issue with Firefox, safari etc…

tormjens · January 5, 2018, 2:04pm

Seems to be a Chrome issue. Works fine in Firefox.

Thanks for your guidance. I’m just stupid.

macjob · January 5, 2018, 3:50pm

No problem. Glad working.

seaser · April 21, 2018, 10:40am

Hello tormjens

Do you have HassIO and the Nginx Proxy Addon correctly working? My goal is to have a redirect from HTTP to HTTPS as the addons says.

My setup with HTTPS works and the DNS entry also.
However, this addons does not work allow HTTPS connections and does not forward the connection.

Can you please share your experience and the config you use?
All the best
Mischa

mekatrol · October 27, 2020, 10:16pm

Home Asistant Network Architecture

CloudFlare as my DNS provider (also provides some DDOS and other protection) for my external domain (in this example https://my_domain_name.com)
My internal subnet is 192.168.1.x
NGINX as my internal proxy running on a Raspberry PI 3 (on internal IP address 192.168.1.101) - also runs PI HOLE. NGINX is also my SSL termination for external users (home assistant running HTTP only)
HomeAssistant running on a Raspberry PI 3 (on internal address 192.168.1.38), using internal host header http://home.lan.

NGINX config section:

server {
        listen 443 ssl;
        listen [::]:443;

        ssl_certificate /etc/ssl/cert.crt;
        ssl_certificate_key /etc/ssl/key.txt;

        server_name my_domain_name.com;

        location /api/ {
                proxy_pass http://192.168.1.38:8123;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "Upgrade";
                proxy_set_header Host $host;
        }

        location / {
                proxy_pass http://192.168.1.38:8123;
                proxy_http_version 1.1;
                proxy_set_header Host $host;
        }
}

My HTTP config (in HomeAssistant configuration.yaml) is:

http:
  # Allow all
  server_host: 0.0.0.0
  
  # Allow these host headers for CORS reqests
  cors_allowed_origins: 
    - http://home.lan
    - http://my_domain_name.com
    - https://my_domain_name.com
    
  # Enable parsing of the X-Forwarded-For header to pass
  # correct client IP when proxied
  use_x_forwarded_for: true
  
  # The proxies that are permitted to process requests
  # sent to home assistant
  trusted_proxies: 
    - 192.168.1.101
    
  # Enable IP banning
  ip_ban_enabled: true
  
  # Ban login attempts threshold
  login_attempts_threshold: 5