Nginx Reverse Proxy Authentication

Hey guys, I have Nginx running on my router providing authentication to my Home Assistant. On the first login there is no issue, but subsequent ones give me a 401 Unauthorized unless I clear my cache or use a private session. The Nginx config is as follows (minus external IP and DNS name):

server {
    listen       <External IP>:443 ssl;
    server_name  <DNS Name>;

    ssl_certificate /opt/etc/nginx/certs/<DNS Name>/fullchain.pem;
    ssl_certificate_key /opt/etc/nginx/certs/<DNS Name>/privkey.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-$
    ssl_prefer_server_ciphers on;
    ssl_dhparam /opt/etc/nginx/dhparams.pem;

    ssl_session_cache    shared:SSL:10m;
    ssl_session_timeout  5m;

    access_log /var/log/homeassistant.log;

    location / {
        proxy_pass http://192.168.5.149:8123;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;

        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        auth_basic "Private Property";
        auth_basic_user_file /opt/etc/nginx/.htpasswd;
    }
}

Edit: see below for my current config.

I only use nginx for the SSL cert at home, but I have used it for auth+SSL in front of Docker at work and it works as it should.

A combination of my home settings with basic auth included would be something like this (not tested):

server {
        listen 80 default_server;
        listen [::]:80 default_server;
        root /var/www/html;
        index index.html index.htm;
        server_name my.domain;

        listen 443 ssl;
        ssl_certificate /etc/letsencrypt/live/my.domain/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/my.domain/privkey.pem;
        ssl_session_cache shared:le_nginx_SSL:1m;
        ssl_session_timeout 1440m;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;

        ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA256 EDH-RSA-DES-CBC3-SHA";

        if ($scheme = http) {
            return 301 https://$server_name$request_uri;
        }
        location / {
                proxy_http_version 1.1;
                proxy_pass http://localhost:8123/;

                proxy_set_header   Host             $host;
                proxy_set_header   X-Real-IP        $remote_addr;
                proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
                proxy_set_header   Upgrade          $http_upgrade;
                proxy_set_header   Connection       "upgrade";

                auth_basic "Restricted";
                auth_basic_user_file /auth/.htpasswd;
        }

}

I think this could be a time-based issue, as I have created a test account and URL:

https://54226.daveys.xyz/api/states/sensor.dark_sky_temperature

username: test
password: test

One option is to require authentication or a source IP range; that's what I do:

		satisfy any;   # pass the request if EITHER the source-IP check OR basic auth succeeds

		allow 192.168.0.0/24;
		allow 203.0.114.42/32;
		deny all;      # required: allow lines without a final deny restrict nothing

		auth_basic "Restricted"; #For Basic Auth
		auth_basic_user_file /etc/nginx/.htpasswd; #For Basic Auth

Ideally I was wanting access from my mobile while I was out and about, without the drain of a constant VPN.

Anyone able to replicate with the above link?

Better yet, any solutions?

Since my last post in this thread I have tweaked my settings a bit. This is my current nginx config for SSL and basic auth (with the exception of mydomain.se being my real domain name).

I will skip the steps of the nginx and Let's Encrypt certificate installations; there are lots of guides for that online and I want to keep this short and on topic.

Below is my nginx site config. It redirects any HTTP traffic to HTTPS and uses basic authentication before you get to Home Assistant. I can probably trim some parts, but since it works I have left them there for now.

/etc/nginx/sites-enabled/mydomain.se

    server {
      listen 80 default_server;
      listen [::]:80 default_server;
      root /var/www/html;
      index index.html index.htm;
      server_name mydomain.se;

      listen 443 ssl;
      ssl_certificate /etc/letsencrypt/live/mydomain.se/fullchain.pem;
      ssl_certificate_key /etc/letsencrypt/live/mydomain.se/privkey.pem;
      ssl_session_cache shared:le_nginx_SSL:1m;
      ssl_session_timeout 1440m;

      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
      ssl_prefer_server_ciphers on;

      ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA256 EDH-RSA-DES-CBC3-SHA";

      if ($scheme = http) {
        return 301 https://$server_name$request_uri;
      }

      auth_basic "Restricted";
      auth_basic_user_file /etc/nginx/auth/ha.passwd;

      location / {
        proxy_http_version 1.1;
        proxy_pass http://localhost:8123/;

        proxy_set_header   Host             $host;
        proxy_set_header   X-Real-IP        $remote_addr;
        proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
        proxy_set_header   Upgrade          $http_upgrade;
        proxy_set_header   Connection       "upgrade";
      }
    }

Create the config and add a symlink to it from sites-enabled.

To create the password file you can use htpasswd, which is part of the apache2-utils package:

> sudo apt-get install apache2-utils
> sudo mkdir -p /etc/nginx/auth && sudo touch /etc/nginx/auth/ha.passwd
> sudo htpasswd /etc/nginx/auth/ha.passwd user1
New password: ****
Re-type new password: ****
Adding password for user user1

To add more users or change a password you just need to repeat the htpasswd command as above.
Once the password file and config are in place you can restart nginx with sudo service nginx restart.
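To make the two access-control pieces in this thread concrete, the allow-list-plus-basic-auth snippet from the earlier post and the htpasswd file steps just above, here is an added Python model (not code from the thread or from nginx). It assumes nginx's documented semantics: `allow`/`deny` rules are evaluated first-match-wins and a client matching no rule is admitted, `satisfy all` (the default) needs both the IP check and basic auth, and `satisfy any` admits the request if either passes and answers 401 when both fail. Password entries use the `{SHA}` format that `htpasswd -s` writes, purely because it needs only the standard library; htpasswd's default apr1 (MD5) and `-B` (bcrypt) entries are not implemented. All addresses, users and passwords are constructed sample data.

```python
import base64
import hashlib
import hmac
import ipaddress


def sha_entry(user, password):
    """One htpasswd line in `{SHA}` form: user:{SHA}base64(sha1(password))."""
    digest = hashlib.sha1(password.encode()).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode()}"


def upsert_user(htpasswd_text, user, password):
    """Add a user or replace its line, as re-running htpasswd for that user does."""
    lines = [l for l in htpasswd_text.splitlines() if l.split(":", 1)[0] != user]
    lines.append(sha_entry(user, password))
    return "\n".join(lines) + "\n"


def load_htpasswd(text):
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            user, _, hashed = line.partition(":")
            users[user] = hashed
    return users


def check_password(users, user, password):
    """Constant-time comparison against the stored `{SHA}` entry (only scheme modelled)."""
    stored = users.get(user, "")
    if not stored.startswith("{SHA}"):
        return False
    candidate = sha_entry(user, password).partition(":")[2]
    return hmac.compare_digest(stored, candidate)


def parse_basic(authorization):
    """Decode an 'Authorization: Basic base64(user:password)' value; None if absent/malformed."""
    if not authorization:
        return None
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode()
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password


def ip_allowed(rules, client_ip):
    """First matching allow/deny wins; with no match (i.e. no `deny all`) access is open."""
    addr = ipaddress.ip_address(client_ip)
    for action, cidr in rules:
        if cidr == "all" or addr in ipaddress.ip_network(cidr, strict=False):
            return action == "allow"
    return True


def decide(rules, users, client_ip, authorization=None, satisfy="all"):
    """Status the proxy would answer: 200, 401 (challenge) or 403 (assumed nginx semantics)."""
    ip_ok = ip_allowed(rules, client_ip)
    creds = parse_basic(authorization)
    auth_ok = creds is not None and check_password(users, *creds)
    if satisfy == "any":
        # Either check passing admits the request; when both fail the client
        # gets 401 so it can still retry with credentials.
        return 200 if (ip_ok or auth_ok) else 401
    if not ip_ok:
        return 403
    return 200 if auth_ok else 401


def basic_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


# Constructed sample data: the two `allow` lines from the post, first exactly
# as posted and then with the `deny all` they need to have any effect.
POSTED_RULES = [("allow", "192.168.0.0/24"), ("allow", "203.0.114.42/32")]
EFFECTIVE_RULES = POSTED_RULES + [("deny", "all")]
HTPASSWD = upsert_user("", "user1", "correct-horse-battery")   # constructed user
USERS = load_htpasswd(HTPASSWD)
GOOD = basic_header("user1", "correct-horse-battery")
BAD = basic_header("user1", "wrong")

if __name__ == "__main__":
    for label, rules, satisfy in (("as posted", POSTED_RULES, "all"),
                                  ("deny all, satisfy all", EFFECTIVE_RULES, "all"),
                                  ("deny all, satisfy any", EFFECTIVE_RULES, "any")):
        for ip, auth in (("192.168.0.10", None), ("198.51.100.7", None), ("198.51.100.7", GOOD)):
            print(f"{label:22} {ip:13} {'creds' if auth else 'none':5} -> "
                  f"{decide(rules, USERS, ip, auth, satisfy)}")
```

Running it shows the caveat that matters: with only the two `allow` lines, a client from 198.51.100.7 is treated exactly like one from the LAN (401 without credentials, 200 with them), so the allow list changes nothing until a `deny all` closes it; with `satisfy any` the LAN gets in without a prompt and everyone else is challenged for the htpasswd credentials.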