Hi All,
I’ve recently change my configuration with proxies, I’m playing around with [ NGINX Proxy manager ] & [ CloudFlare ], have run into the issue where I cant use [ ZTP CF Tunnel ] for all of my services.
All help is very much apreciated !!
Working
Summary
I have had my HA Setup running through CloudFlare [ ZTP CF tunnel ]. Works great, setup my cloudflared instance… added the relevant config to my HA config.ymal & BOOM I have access to my HA login through my domain name as seen below.
HA Server Config
Working through Cloudflared
Need help With
As said I have decided to try integrate NPM into my setup & migrate over all bar a few of my services to this along with the CF DNS proxied connections. I have managed to get it to work with all other services and have managed to get it directing to my HA Server but I get the wonderful Error 400: Bad Request. Ill post my full setup below with redacted info in hope that someone can help.
I am aware that images show my internal IP structure, this is not an issue as its a test network and will be destroyed after posting.
Configurations
----- CloudFlare -----
A quick rundown of the config. this is the DNS page, As my ISP does not offer a static address or for that matter long static leases, so I’ve had to do some trickery to allow stable connections. I have setup my PFSense box to connect to the CF network using inbuilt ddns to update an A record with my external IP every 6 hours.
So I have setup a CNAME [test1] this points towards the A record on my domain ddns. this allows me to connect to my services through CloudFlare & then my reverse proxy.
I have created an origin certificate through CloudFlare to sign my domain and sub domains & set the encryption mode to Full Strict.
See Images Below.
----- Firewall -----
My Firewall / Router is [ PFSense ]
I have created an alias with the following info ports [ 80 & 443 ] the ports required by NPN & Networks this contains a list of the [ CF Proxy networks ] that could be used to communicate with my Network services from the CloudFlare network, I have created a NAT Port Forwarding rule to use the alias, this intern has created the WAN rules sending requests to NPM running on the HA Server.
See Images Below.
----- Home Assistant -----
The reverse proxy is NGINX Proxy Manager. I have installed this through my HA Server with the configured ports ports [ 80 & 443 ]. I also added the CF Proxies to the HA config.yaml.
See Images Below.
----- Reverse Proxy -----
After installing the NPM on Ha & doing a basic setup it was ready to use. As I am using CF Proxy I added CF Networks to the access list of NPM.
I added my CloudFlare origin cert & Key to the NPM cert section with [ CF Root certificate ].
See Images Below.
Summary
Finally I setup a new host [test1] pointing it to my internal address for the HA Server, adding the access list created and CF certificate to it.
Access List
Certificate
Host Setup
If it helps here is a log file of NPM from start and attempting to access.
-----------------------------------------------------------
Add-on: Nginx Proxy Manager
Manage Nginx proxy hosts with a simple, powerful interface
-----------------------------------------------------------
Add-on version: 1.0.1
You are running the latest version of this add-on.
System: Home Assistant OS 12.4 (amd64 / generic-x86-64)
Home Assistant Core: 2024.6.4
Home Assistant Supervisor: 2024.06.0
-----------------------------------------------------------
Please, share the above information when looking for help
or support in, e.g., GitHub, forums or the Discord chat.
-----------------------------------------------------------
s6-rc: info: service base-addon-banner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service base-addon-log-level: starting
s6-rc: info: service fix-attrs successfully started
s6-rc: info: service base-addon-log-level successfully started
s6-rc: info: service legacy-cont-init: starting
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service init-npm: starting
s6-rc: info: service init-nginx: starting
s6-rc: info: service init-npm successfully started
s6-rc: info: service npm: starting
s6-rc: info: service npm successfully started
s6-rc: info: service init-nginx successfully started
s6-rc: info: service nginx: starting
s6-rc: info: service nginx successfully started
s6-rc: info: service legacy-services: starting
[17:46:42] INFO: Starting the Manager...
[17:46:42] INFO: Starting NGinx...
s6-rc: info: service legacy-services successfully started
[6/23/2024] [5:46:42 PM] [Global ] › ℹ info Using Sqlite: /config/database.sqlite
[6/23/2024] [5:46:43 PM] [Migrate ] › ℹ info Current database version: none
[6/23/2024] [5:46:43 PM] [Setup ] › ℹ info Logrotate Timer initialized
[6/23/2024] [5:46:43 PM] [Setup ] › ℹ info Logrotate completed.
[6/23/2024] [5:46:43 PM] [IP Ranges] › ℹ info Fetching IP Ranges from online services...
[6/23/2024] [5:46:43 PM] [IP Ranges] › ℹ info Fetching https://ip-ranges.amazonaws.com/ip-ranges.json
[6/23/2024] [5:46:43 PM] [IP Ranges] › ℹ info Fetching https://www.cloudflare.com/ips-v4
[6/23/2024] [5:46:44 PM] [IP Ranges] › ℹ info Fetching https://www.cloudflare.com/ips-v6
[6/23/2024] [5:46:44 PM] [SSL ] › ℹ info Let's Encrypt Renewal Timer initialized
[6/23/2024] [5:46:44 PM] [SSL ] › ℹ info Renewing SSL certs close to expiry...
[6/23/2024] [5:46:44 PM] [IP Ranges] › ℹ info IP Ranges Renewal Timer initialized
[6/23/2024] [5:46:44 PM] [Global ] › ℹ info Backend PID 157 listening on port 3000 ...
[6/23/2024] [5:46:44 PM] [Nginx ] › ℹ info Reloading Nginx
[6/23/2024] [5:46:44 PM] [SSL ] › ℹ info Renew Complete
[23/Jun/2024:17:48:54 +0100] - 400 400 - GET https test1.REDACTED.co.uk "/" [Client 162.158.33.166] [Length 16] [Gzip -] [Sent-to 10.9.0.150] "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36" "-"
[23/Jun/2024:17:49:44 +0100] - 400 400 - GET https test1.REDACTED.co.uk "/" [Client 162.158.74.74] [Length 16] [Gzip -] [Sent-to 10.9.0.150] "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36" "-"
[23/Jun/2024:17:49:45 +0100] - 400 400 - GET https test1.REDACTED.co.uk "/" [Client 162.158.74.74] [Length 16] [Gzip -] [Sent-to 10.9.0.150] "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36" "-"
[23/Jun/2024:17:49:46 +0100] - 400 400 - GET https test1.REDACTED.co.uk "/" [Client 162.158.74.74] [Length 16] [Gzip -] [Sent-to 10.9.0.150] "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36" "-"