NGINX reverse proxy add-on set up, help and advice required

Hi everyone,

I could do with some very brief help with using /configuring the official NGINX Home Assistant SSL proxy add-on.

currently I use the http component to use SSL and the Duckdns add-on to get/store a certificate .

I’ve read a few threads on the forum regarding benefits of using a reverse proxy instead of the http component however I wonder if I will use some of those benefits and therefore is a reverse proxy required.

currently I have a nextcloud server on another server which uses port 443 and 80 for access , home assistant uses 8123 which is great as they never conflict .
I would eventually like to setup a wall tablet to access home assistant locally hence the interest in the reverse proxy.
If I setup the Nginx add-on and use the cert from the Duckdns add-on ,

  1. can I configure the router to still forward port 8123(external) but this time to 443(internal) instead of the current 8123 to 8123. Do I need to forward port 80 as well or can I leave that out ?

  2. Do I need to add use_x_forwarded_for: true (can some one explain what x forward for means ?) and trusted_proxies:127.0.0.1 Is this all to prevent home assisant being available on http:// on the domain name and only allow use of the proxy ? also do I need
    server_host: 127.0.0.1 ?

  3. This thread suggests that if you dont filter URL’s or require authentication then there is not much benefit to a reverse proxy , is this possible with this add-on ?

  4. I take it I can whitelist IP’s on the local network to not use the login credentials via the http component (i.e for the wall mounted tablet)

any other advice regarding this add-on would be greatly received

thanks in advance

Its actually simple, you just need to make sure which server will be the one who run the NGINX.
For example I used my RPI to run NGINX, so all my ip forward from the router will be directed to that specific server/IP local. Then you will have to setup virtual domain to specific local-IP.

Let me know if you need more help

so the proxy will be run on the same server as home assistant is running, using the add-on , I want to forward on the router port 8123 or similar to the required port 443 for the proxy running on that machine, this then keeps my existing port forwarding rules 443 and 80 pointing to my nextcloud server . But I’m wondering if I need the above additions to the http component to get the reverse proxy working .

well since you will only have one public IP (my guess) then you will not be able to port forward the same port into multiple machine. So the simplest way to is used virtual domain. For example subdomain1.mydomain.com and subdomain2.mydomain.com in order to do this you will have to direct all your port 80/443 to the server/NGINX in which will then redirect the 2 subdomain to your localIP.

For example:
subdomain1.mydomain.com -> 192.168.1.20:8123 (HASS)
subdomain2.mydomain.com -> 192.168.1.21 maybe to your nextcloud server

Now I’m not sure how you installed your NGINX so that is something you need to check furthermore you will also need to have certsbot running to make LetsEncrypt for your specific domain. I will need more info

You can check out Tinkerer blogs for NGINX proxy setup https://blog.ceard.tech/

I think I have caused a bit of confusion , my current setup of having my router forward port 8123 to 8123 for the IP of my home assistant which is using the Duckdns add-on to configure my domain and get/store my lets encrypt certificate works flawless the Http component in my config.yaml is configured to point to the certificate which is what currently gives me my SSL connection .

My nextcloud is on another server completely and has port forwarding rules for 443 and 80 set up on the router to which I already have an SSL connection .

I wanted to install the NGINX add-on in Home assistant (I haven’t yet ) to only have a reverse proxy for home assistant not for the nextcloud server . This is so I can have http access in the home for example for a wall mounted tablet and https when away .

I found this blog post that explains and answers some of questions (for example can I use port 8123 still) but doesn’t answer question 2 here

hopefully This clears up some of the confusion .

thanks for your help and advice .

Most modern routers will allow an external port to be forwarded to a different internal port.

I’ve gone through setting up the nginx proxy manager reverse proxy, which is now available as an add-on (I’m not using the community add-on, though: I installed it via docker-compose), so I could help you with that one. However, I think you may be talking about running a vanilla nginx server and configuring home assistant to use it. In either case, I can try to help answer your questions.

This is going to cause issues, since letsencrypt is going to query port 80 to validate the domain before issuing the certificate.

The purpose of the reverse proxy is to expose only one service externally, and have it handle the security and encryption of http traffic. Then, your configuration would allow for a different sub-subdomain, or a different location (url path) to direct traffic to the appropriate internal network device.

So you’d want to architect your network around that idea. Nginx can run on either machine, you’d have only 443 and 80 forwarded on your router to nginx, and then have nginx forward traffic to nextcloud to that machine’s IP address, port 80, and forward home assistant traffic to that machine’s IP address at port 8123.

This way you can keep internal traffic running locally, and all external traffic will be routed via nginx to an appropriate connection.

These are used since nginx appends that header to web traffic. use_x_forwarded_for would allow home assistant to validate the traffic against the external IP address, rather than the machine running nginx, by checking that header instead of the nginx server’s IP.

This assumes that nginx and home assistant are running on the same host machine. If so, this will tell home assistant to trust traffic that’s coming from the internal (or “mock”) network that’s running inside the host machine itself. Since nginx is handling all the security, you’re telling home assistant not to force nginx to attempt to log in.

I think that’s just a comment to tell you that in the example, the server host IP address is 127.0.0.1, which is a specific IP address that references the host machine itself.

1 Like

I think I’ve managed to cause more confusion :thinking:,

hopefully I can clear it up a bit more .

the Nginx add-on suggests using the Duckdns add-on as described here which I currently use and have configured , this doesnt require port 80 to be open as it uses a dns-01 challenge in a TXT format as described here in much better detail than I can.

so I dont have an issue with getting and storing a certificate for nginx to use , however as I understand it port 80 can be opened to this Nginx addon so as to redirect back to an SSL connection, should you accidentally forget to putt https:// at the beginning of your domain, info found here and therefore I believe its possible to have the port 8123 on my router forward to port 443 on the home assistant server and drop the use of port 80 as I have IP’s saved as bookmarks or I use the official app.

Thankyou so much for answering question 2 , you have definitely cleared up a few details.

I really appreciate the advice .

First of all your home router usually will only be able to route your public IP to your port and you will have to redirect that specific port to you NGINX machine. Maybe if you have more then 1 public IP this is possible.

Your info about not having port 80 open/forward is not correct because in order for you to create an SSL cert you will need port 80 else Letsencrypt will fail. There are some way to do it but it will be messy. Furthermore if you have a domain why you requred duckDNS?

Furthermore you get it backward, you want your router forward 443 to your NGINX and NGINX will forward your virtual domain to your local IP:8123 The new HASS you will allow to have external url and internal url.

My recommendation is to install NGINX on your RPI and have port 80/443 to your RPI. Using NGINX you will be able to assign it to your HASS and Nextcloud. If you have domain you can directed sub1.yourdomain.com and sub2.yourdomain.com to a different local machine

I don’t want to cause an argument here, but I don’t think you read the post I linked it is on the home assistant blog and specifically says

Thanks to a blog post by Andreas Gohr I realized that DuckDNS supports setting TXT records, making it compatible with the DNS-01 challenge of Let’s Encrypt. The DNS-01 challenge is using the DNS record of the domain instead of interacting with the server. This means that it’s not needed for the user to open any ports!

and as I said before I don’t have port 80 open on my router to my home assistant server only port 8123 and so far I have had my certificates renewed by the Duckdns addon for the last 2 years.

also in the other link I posted it says

Set up Port Forwarding

  1. Log in to your router to set up port forwarding. For the simplest possible setup, forward port TCP 443 to port 443 on your Raspberry Pi running Hass.io. This way you would be able to access your Hass.io dashboard from anywhere at https://my-domain.duckdns.org.
  2. You may want to choose a more obscure port for access from the outside world, for example: https://my-domain.duckdns.org:7654. In that case, forward TCP port 7654 on your router to port 443 on the RPi.
  3. You can optionally forward port 80 on your router to port 80 on the RPi. Nginx serves up a redirect on port 80 as a convenience in case you forget to type https in front of the URL.
  4. From inside your network, you can continue to access Hass.io at http://hassio.local:8123

it also says on the NGINX addon docs

The NGINX Proxy add-on is commonly used in conjunction with the Duck DNS add-on to set up secure remote access to your Home Assistant instance. The following instructions covers this scenario.

  1. The certificate to your registered domain should already be created via the Duck DNS add-on or another method. Make sure that the certificate files exist in the /ssl directory.

and also at the end it says

By default, port 80 is disabled in the add-on configuration in case the port is needed for other components or add-ons like emulated_hue

currently I use duckdns.org for my domain name and as you say I have two sub domains named as

nextcloud.duckdns.org

and the other as

homeassisatnt.duckdns.org:8123

obviously these are examples but that is my current setup .
what I am trying to do is transition from my current setup to a reverse proxy using the official NGINX add-on

just for clarification if you do not use the Duckdns addon and just use let’s encrypt I am aware that port 80 need to be open for cert renewal . But as I said the Duckdns add-on takes care of this for me with no port open !

I believe you dont need :8123 if you go through NGINX. The question is which one of your server contain the NGINX? HASS or NextCloud

Again I know how to used dehydrated from the document which I also concurs that its possible, however it will be messy. If you ISP did not block port 80 you should allow it in which will make your life easier. So you only need two port open 80/443 (both for webserver) in your case NGINX. All port 80 will be redirected to 443 anyway. Then using NGINX proxy it will allow you to move it to your localip:8123

This way you will have nextcloud.duckdns.org and homeassistant.duckdns.org

I hope this will clear up the confusion.

1 Like

it does clear a few things up , thanks .

also I must apologise I should have mentioned in my original post that I do have individual domains setup using duckdns.org , I re- read your second post which is exactly what I have except as you say I currently add 8123 to the end of my domain name to access home assistant externally

I think I will do some testing to see how I get on and pos tmy findings back here .

thanks for your help though it is very appreciated .

I hope you will understand what I’m trying to let you know, because this is what I will do with my setup.
Also for home-assistant NGINX Config you will be able to follow this guide Reverse proxy with NGINX using a subdomain

Goodluck and please let me know, how I can be more help. I know its confusing…

1 Like

Sorry for resurrecting… I am trying something similar and could use a bit of help.
I already use Nginx reverse proxy with Let’s Encrypt SSL certs on a separate physical machine (Win 10) in my network (call it 192.168.111). I’d like to implement another entry to my Nginx config for Home Assistant running in Docker on Ubuntu on a different server (call it 192.168.112).

I think I’ve wrapped my head around the Nginx config piece, but I’m confused as to any Home Assistant config I may need. My plan as it stands:

  1. Register a DDNS domain (currently use no-ip, but could use Duck if needed)
  2. Update the DDNS service on my router to reflect the new url to update dynamic IP changes
  3. Generate SSL certs and store on the Nginx machine (192.168.1.111) with my other certs
  4. Update Nginx config file to reflect the new domain and point to the 192.168.1.112 Home Assistant machine. Not sure of any special needs of the Docker container that runs HA?
  5. What needs to be done on the Home Assistant side to accept this config? Anything?

Thanks! Much appreciated.

@ptrsnja is possible to use a docker ngix vanilla container to serve home assistant running on different docker container?

It should be, yes. I’m running Home Assistant and nginx proxy manager in docker on my home server, alongside other containers as well as add-ons. I’m using docker-compose to retain my setup, and portainer for management.

Check out https://github.com/postlund/hassio-compose if you’re curious about my setup, and cheers to the repo author for putting it together.

I’m using DuckDns now with port forward 8123 and thinking to install the NGINX proxy addon. Currently I have Duckdns domain in my configuration yaml. Do I have to remove the url in my configuration.yaml?

Any suggestion how to configure nginx and configuration in HA to be able to access HA from outside only through https?
I managed to configure https access in nginx and have domain with letsencrypt…but I’m still able to access via http.
Thank you for you help in advance!