I had been running HA with basic auth in the config yaml (ver 0.4 on a RPi3 with Raspbian) using SSL with Let's Encrypt and DuckDNS without any problems for a long time (but as my router doesn't allow loopback/hairpinning, I have always needed to use https://192.168.xx.xxx:8123 to access HA from inside and https://xxx.duckdns.org to access it from outside).
Today I decided to set up nginx, as I think I'm not able to successfully run AppDaemon without it.
The thing is that after successfully installing nginx and configuring it exactly as in the docs, the following is happening:
If I use my "regular" form to access HA internally using httpS://192.168.1.20:8123, it works as usual.
The strangest thing to me: if I use http://xx.duckdns.org (without the S) from inside my network, it now shows the router's config webpage (the one that I should access with 192.168.1.1).
If I use httpS://xx.duckdns.org (using the S) from inside my network, it says that the webpage is not accessible (the same message as ever).
If I try to access the duckdns URL (with http:// or with https://) from the outside, it's impossible to access HA.
So can someone please help me understand what I am doing wrong? (My nginx config file is posted at the end.)
Thanks
```nginx
server {
    # Update this line to be your domain
    server_name xxx.duckdns.org;

    # These shouldn't need to be changed
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;
    # Plain-HTTP requests are only redirected to HTTPS; nothing is served here
    return 301 https://$host$request_uri;
}

server {
    # Update this line to be your domain
    server_name xxx.duckdns.org;

    # Ensure these lines point to your SSL certificate and key
    ssl_certificate /etc/letsencrypt/live/xxx.duckdns.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/xxx.duckdns.org/privkey.pem;

    # Use these lines instead if you created a self-signed certificate
    # ssl_certificate /etc/nginx/ssl/cert.pem;
    # ssl_certificate_key /etc/nginx/ssl/key.pem;

    # Ensure this line points to your dhparams file
    ssl_dhparam /etc/nginx/ssl/dhparams.pem;

    # These shouldn't need to be changed
    listen 443 default_server;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    ssl on;
    # TLS 1.0/1.1 are deprecated; "ssl_protocols TLSv1.2;" is the safer choice on a current nginx
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    # The post was cut off here. The location block below is the remainder of the
    # docs' server block (the proxy to Home Assistant on 8123), added so the file
    # is complete; it was not in the original post.
    proxy_buffering off;

    location / {
        proxy_pass http://127.0.0.1:8123;
        proxy_set_header Host $host;
        proxy_redirect http:// https://;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```
If you use the https URL (defaults to port 443) and land on your router config, port forwarding does not work. Maybe your router does not allow forwarding of 80/443?
Actually it only lands on my router's page when I use the http URL (http://xxx.duckdns.org), which prior to nginx didn't lead anywhere.
Because when I use https://xxx.duckdns.org, as usual it returns "connection refused".
And the port forwarding on my router does work, because before nginx I was able to access HA from the outside with port forwarding set up on 443, and it was also necessary for setting up letsencrypt/duckdns, which worked ok.
Sorry, I am unable to help you out here. If you did everything like you said, it should work. I have this setup myself and it works perfectly. The behaviour you mention does not fit your nginx config whatsoever. Would you mind sharing your HA http config? Maybe this would shed some light. But from my perspective it looks like your port forwarding does not work correctly.
No, I hadn't removed the certificate rows, because the docs don't say to do that.
After doing that (removing the 2 cert rows in the http section of my config.yaml) I'm able to access internally with the IP of the RPi3 without using any port or the "s" in http, so I can use 192.168.xx.xx and it works.
The only really strange thing, and which is actually preventing me from using AppDaemon, is:
if I use http://xxx.duckdns.org internally it sends me directly to my router's webpage
And if I use httpS://xxx.duckdns.org it doesn't work, as always
Do you know why this could be and how to fix it? (Just as a reminder, my router doesn't support loopback.)
@PhyberApex below you can find the http part of my config.yaml file with the certs and base_url commented out. With this, is everything ok? (By the way, now the "trusted network" line doesn't work; is that normal?)
I don't know what you mean by "Just as a reminder, my router doesn't support loopback". But if you get different results from within your network than from outside of your network with a domain, you have a problem with the DNS server. Did you by chance configure a DNS server? Or what is the router model that you are using?
Sounds like your router is occupying ports 80 and 443.
You can disable router external access (best) or move router external access to a different port (good). Basically what @PhyberApex is saying.
I do not use duckdns, but forwarding external port 8181 (or any port) to the nginx server's 443 should get around the router issue.
You would need to point duckdns to https://<your_external_ip>:8181, for example.
You really need to disable http access to your router (and likely https)!!
EDIT: nginx logs will show if there was an attempt to access the site and where the request was forwarded.
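The last reply's advice to read the nginx access log is the quickest way to separate the two failure modes in this thread: requests that nginx handled (redirected on 80, proxied on 443, or failed to reach Home Assistant behind the proxy) show up as log lines, while a request that the router or DNS answered first leaves no line at all. The script below is an added example, not code from the thread or from the Home Assistant docs; it parses nginx's default "combined" log format, splits clients into LAN and external (assuming the poster's 192.168.0.0/16 range), and turns the counts into a plain conclusion. The sample log lines are constructed, not real data.

```python
"""Triage nginx access-log lines for a reverse-proxied Home Assistant.

Added example (not from the original thread): it classifies each request
by what nginx did with it, split into LAN and external clients, so that
"never reached nginx" (router or DNS answered first), "redirected",
"proxied" and "HA not reachable behind nginx" can be told apart.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# nginx's default "combined" log_format:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent
#   "$http_referer" "$http_user_agent"
LOG_RE = re.compile(
    r'(?P<addr>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumption: the poster's LAN is 192.168.0.0/16 (the thread shows 192.168.1.x).
LAN = ipaddress.ip_network("192.168.0.0/16")


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Name what nginx did with the request, judged from the status it logged."""
    status = entry["status"]
    if status == 301:
        return "redirect_to_https"      # the port-80 server block's `return 301`
    if status in (101, 200, 201, 204, 304):
        return "proxied_ok"             # HA answered through the proxy (101 = websocket upgrade)
    if status in (401, 403):
        return "auth_rejected"          # HA was reached but refused the credentials
    if status in (502, 504):
        return "upstream_unreachable"   # nginx is up, the proxy_pass target is not
    return "other"


def origin_of(addr):
    """'lan' for addresses inside LAN, 'external' otherwise, 'unknown' if not an IP."""
    try:
        return "lan" if ipaddress.ip_address(addr) in LAN else "external"
    except ValueError:
        return "unknown"


def triage(lines):
    """Count outcomes per client origin, e.g. {"lan": {"proxied_ok": 2}, ...}."""
    summary = defaultdict(Counter)
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        summary[origin_of(entry["addr"])][classify(entry)] += 1
    return {origin: dict(counts) for origin, counts in summary.items()}


def explain(summary, origin):
    """Turn the counts for one origin into the conclusion a troubleshooter wants."""
    counts = summary.get(origin, {})
    if not counts:
        return (f"{origin}: nothing logged, so requests never reached nginx; "
                "the router, DNS or a missing port-forward answered first")
    if counts.get("upstream_unreachable"):
        return f"{origin}: nginx answered but could not reach Home Assistant at the proxy_pass address"
    if counts.get("redirect_to_https") and not counts.get("proxied_ok"):
        return f"{origin}: port 80 redirected to https, but nothing arrived on 443"
    return f"{origin}: requests are being proxied: {counts}"


# Constructed sample lines (not real log data): a LAN browser that was
# redirected and then proxied, and an external client that hit HA's auth
# and later a 502 because HA was restarting.
SAMPLE_LOG = """\
192.168.1.50 - - [07/Jan/2018:20:01:10 +0000] "GET / HTTP/1.1" 301 194 "-" "Mozilla/5.0"
192.168.1.50 - - [07/Jan/2018:20:01:11 +0000] "GET / HTTP/1.1" 200 2371 "-" "Mozilla/5.0"
192.168.1.50 - - [07/Jan/2018:20:01:12 +0000] "GET /api/websocket HTTP/1.1" 101 0 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Jan/2018:20:05:00 +0000] "GET /api/states HTTP/1.1" 401 0 "-" "curl/7.52.1"
203.0.113.7 - - [07/Jan/2018:20:05:30 +0000] "GET / HTTP/1.1" 502 575 "-" "curl/7.52.1"
"""

if __name__ == "__main__":
    summary = triage(SAMPLE_LOG.splitlines())
    for origin in ("lan", "external"):
        print(explain(summary, origin))
```

Run it against the real file with `triage(open("/var/log/nginx/access.log").readlines())`. For the symptoms in this thread, the tell-tale result is an empty "lan" or "external" bucket while the browser shows the router's page or "connection refused": that means the request was answered before it ever got to nginx, which is the port-collision / no-hairpin situation the replies describe.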