I am sure this has been answered, but I am now so confused I need some hand holding.
I have a hassbian install of HA on a Pi 3
I have nginx installed on a Pi zero on the same network
I used https://www.home-assistant.io/docs/ecosystem/nginx/ method and everything seems to work fine.
My problem is in trying to access other devices through the proxy.
I have my HA domain as one domain with ssl
I would like cameras as a separate domain with ssl
I can get one or other working but not both.
Any pointers in the right direction would be appreciated
My HA as a stand alone (not working with IP Camera):
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}
server {
    # Update this line to be your domain
    server_name MY.HA.DOMAIN.NAME;
    # These shouldn't need to be changed
    listen [::]:80 default_server ipv6only=off;
    return 301 https://$host$request_uri;
}
server {
    # Update this line to be your domain
    server_name MY.HA.DOMAIN.NAME;
    # Ensure these lines point to your SSL certificate and key
    ssl_certificate /etc/letsencrypt/live/MY.HA.DOMAIN.NAME/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/MY.HA.DOMAIN.NAME/privkey.pem;
    # Use these lines instead if you created a self-signed certificate
    # ssl_certificate /etc/nginx/ssl/cert.pem;
    # ssl_certificate_key /etc/nginx/ssl/key.pem;
    # Ensure this line points to your dhparams file
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    # These shouldn't need to be changed
    listen [::]:443 default_server ipv6only=off http2; # if your nginx version is >= 1.9.5 you can $
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!P$
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    proxy_buffering off;
    root /var/www/MY.HA.DOMAIN.NAME;
    location ~ /.well-known {
        allow all;
    }
    location / {
        proxy_pass http://MYLOCALHAIP:8123;
        proxy_set_header Host $host;
        proxy_redirect http:// https://;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
What does the combined config look like?
Have you looked at the nginx log to see the errors that occur when access fails? My guess is you have not clearly defined the 2 server blocks for Cam and HA.
I have done some changes and it now works, but would still like some feedback.
The errors that I was having (the config below no longer has these errors):
2018/08/27 18:32:17 [emerg] 5283#5283: could not build server_names_hash, you should increase server_names_hash_bucket_size: 32
2018/08/27 18:33:47 [emerg] 5307#5307: could not build server_names_hash, you should increase server_names_hash_bucket_size: 32
2018/08/27 18:37:43 [emerg] 5372#5372: bind() to 0.0.0.0:443 failed (98: Address already in use)
2018/08/27 18:37:43 [emerg] 5372#5372: bind() to 0.0.0.0:443 failed (98: Address already in use)
2018/08/27 18:37:43 [emerg] 5372#5372: bind() to 0.0.0.0:443 failed (98: Address already in use)
2018/08/27 18:37:43 [emerg] 5372#5372: bind() to 0.0.0.0:443 failed (98: Address already in use)
2018/08/27 18:37:43 [emerg] 5372#5372: bind() to 0.0.0.0:443 failed (98: Address already in use)
2018/08/27 18:37:43 [emerg] 5372#5372: still could not bind()
2018/08/27 18:41:56 [emerg] 5417#5417: bind() to 0.0.0.0:443 failed (98: Address already in use)
2018/08/27 18:41:56 [emerg] 5417#5417: bind() to 0.0.0.0:443 failed (98: Address already in use)
2018/08/27 18:41:56 [emerg] 5417#5417: bind() to 0.0.0.0:443 failed (98: Address already in use)
2018/08/27 18:41:56 [emerg] 5417#5417: bind() to 0.0.0.0:443 failed (98: Address already in use)
2018/08/27 18:41:56 [emerg] 5417#5417: bind() to 0.0.0.0:443 failed (98: Address already in use)
2018/08/27 18:41:56 [emerg] 5417#5417: still could not bind()
2018/08/27 18:47:15 [emerg] 5463#5463: could not build server_names_hash, you should increase server_names_hash_bucket_size: 32
My working /etc/nginx/sites-enabled/default file:
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}
server {
    # Update this line to be your domain
    server_name MY.HA.DOMAIN.NAME MY.CAMERA.DOMAIN.NAME;
    # These shouldn't need to be changed
    listen [::]:80 default_server ipv6only=off;
    return 301 https://$host$request_uri;
}
server {
    # Update this line to be your domain
    server_name MY.HA.DOMAIN.NAME;
    # Ensure these lines point to your SSL certificate and key
    ssl_certificate /etc/letsencrypt/live/MY.HA.DOMAIN.NAME/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/MY.HA.DOMAIN.NAME/privkey.pem;
    # Use these lines instead if you created a self-signed certificate
    # ssl_certificate /etc/nginx/ssl/cert.pem;
    # ssl_certificate_key /etc/nginx/ssl/key.pem;
    # Ensure this line points to your dhparams file
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    # These shouldn't need to be changed
    listen [::]:443 ssl default_server ipv6only=off http2; # if your nginx version is >= 1.9.5 you can also add the "http2" flag here
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:50m;
    proxy_buffering off;
    root /var/www/MY.HA.DOMAIN.NAME;
    location ~ /.well-known {
        allow all;
    }
    location / {
        proxy_pass http://MYLOCALIPHA:8123;
        proxy_set_header Host $host;
        proxy_redirect http:// https://;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_read_timeout 150;
    }
}
server {
    ssl on;
    ssl_certificate /etc/letsencrypt/live/MY.CAMERA.DOMAIN.NAME/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/MY.CAMERA.DOMAIN.NAME/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=15768000;
    default_type application/octet-stream;
    listen [::]:443 ssl;
    server_name MY.CAMERA.DOMAIN.NAME;
    root /var/www/MY.CAMERA.DOMAIN.NAME;
    location ~ /.well-known {
        allow all;
    }
    location /cam01 {
        proxy_pass http://MYLOCALIPCAM/cam01;
        proxy_set_header Host $host;
        proxy_redirect http:// https://;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
I unhashed this line in /etc/nginx/nginx.conf:
server_names_hash_bucket_size 64;
I also added “proxy_read_timeout 150;” to the location section in HA config as I was having trouble with viewing History.
While this is now working I would appreciate some feedback on the implications of what I have and ways to improve it.
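
For the feedback requested above, one way to lay out the two names with the same TLS policy on both, as an added example that is not from the thread or the Home Assistant docs. It keeps the thread's placeholders, drops the redundant `ssl on;`, limits both servers to TLSv1.2 with forward-secret AES-GCM suites, and leaves out the `root` and `.well-known` lines, which stay as posted.

```nginx
# Added example, not the poster's file; placeholders are the thread's own.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen [::]:80 default_server ipv6only=off;
    server_name MY.HA.DOMAIN.NAME MY.CAMERA.DOMAIN.NAME;
    return 301 https://$host$request_uri;
}

server {
    listen [::]:443 ssl http2 default_server ipv6only=off;  # socket options on this line only
    server_name MY.HA.DOMAIN.NAME;
    ssl_certificate /etc/letsencrypt/live/MY.HA.DOMAIN.NAME/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/MY.HA.DOMAIN.NAME/privkey.pem;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_protocols TLSv1.2;                  # TLSv1 and TLSv1.1 removed
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM";  # forward-secret AES-GCM suites only
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    proxy_buffering off;
    location / {
        proxy_pass http://MYLOCALIPHA:8123;
        proxy_set_header Host $host;
        proxy_redirect http:// https://;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_read_timeout 150;
    }
}

server {
    listen [::]:443 ssl;  # same address as the HA block; block chosen by server_name
    server_name MY.CAMERA.DOMAIN.NAME;
    ssl_certificate /etc/letsencrypt/live/MY.CAMERA.DOMAIN.NAME/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/MY.CAMERA.DOMAIN.NAME/privkey.pem;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_protocols TLSv1.2;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM";
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    location /cam01 {
        proxy_pass http://MYLOCALIPCAM/cam01;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

`server_names_hash_bucket_size 64;` in /etc/nginx/nginx.conf is still needed for the long names, and `nginx -t` checks the file before a reload.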