Nginx reverse proxy (HomeAssistant beside Nextcloud)

Hello everyone,

Because it took me some time to set up my server and to find the correct configuration, I would like to share my results here. Maybe it will help someone. My aim was to run HomeAssistant beside Nextcloud on the same server.

For the configuration of my Nextcloud I have followed the instructions on https://decatec.de/, so I am running NGINX as a reverse proxy. HomeAssistant is installed as a docker container, following the installation instructions ( https://www.home-assistant.io/installation/linux#install-home-assistant-container ).

The config for the virtual host (NGINX):

upstream php-handler {
    server unix:/run/php/php7.4-fpm.sock;
}

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name nextclouddomain.xxx.com homeassistantdomain.xxx.com  YYY.YYY.YYY.YY;

    root /var/www;

    location ^~ /.well-known/acme-challenge {
        default_type text/plain;
        root /var/www/letsencrypt;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

Remember to set your correct domains and replace YYY.YYY.YYY.YY with the local IP of your server.

The NGINX-config for HomeAssistant:

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name homeassistantdomain.xxx.com;

    # SSL configuration
    # RSA certificates
    ssl_certificate /etc/letsencrypt/homeassistantdomain.xxx.com/rsa/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/homeassistantdomain.xxx.com/rsa/key.pem;
    # ECC certificates
    ssl_certificate /etc/letsencrypt/homeassistantdomain.xxx.com/ecc/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/homeassistantdomain.xxx.com/ecc/key.pem;

    # This should be ca.pem (certificate with the additional intermediate certificate)
    # See here: https://certbot.eff.org/docs/using.html
    # ECC
    ssl_trusted_certificate /etc/letsencrypt/homeassistantdomain.xxx.com/ecc/ca.pem;

    # Include SSL configuration
    include /etc/nginx/snippets/ssl.conf;

    # Include headers
    include /etc/nginx/snippets/headers.conf;

    location / {
        proxy_pass http://YYY.YYY.YYY.YY:8123;
        proxy_set_header Host $host;

        # WebSocket support (needed for the HomeAssistant frontend)
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

So, NGINX is listening here for requests on homeassistantdomain.xxx.com and forwards them to its own local IP on port 8123.

For SSL I am using Let's Encrypt, and the certificates are generated by acme.sh (same steps as shown on the website https://decatec.de/ ).

And for the HomeAssistant configuration.yaml I have added:

http:
  server_port: 8123
homeassistant:
  external_url: "https://homeassistantdomain.xxx.com"
  internal_url: "http://homeassistant.local:8123"

With this config I can host both services, Nextcloud and HomeAssistant, on the same server and both services are secured by SSL.

Hope this helps.
Regards,
Lars
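One point the posted configuration leaves out, shown here as an added example that is not part of Lars's post: the `location /` block forwards no client address, so Home Assistant sees every request, including failed logins, as coming from the proxy's own IP, and its login logging and `ip_ban_enabled` then act on the proxy instead of the real client. The block below adds the standard forwarded headers; Home Assistant only honors them (and rejects them otherwise) when its `configuration.yaml` also has `http:` with `use_x_forwarded_for: true` and the proxy's address listed under `trusted_proxies`. The placeholders `YYY.YYY.YYY.YY` and `homeassistantdomain.xxx.com` are the thread's own.

```nginx
# Added example, not from the thread: HomeAssistant server block with
# client-address forwarding. Replace the placeholders as in the original post.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name homeassistantdomain.xxx.com;

    # Certificates and snippets exactly as in the original post
    ssl_certificate     /etc/letsencrypt/homeassistantdomain.xxx.com/ecc/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/homeassistantdomain.xxx.com/ecc/key.pem;
    include /etc/nginx/snippets/ssl.conf;
    include /etc/nginx/snippets/headers.conf;

    location / {
        proxy_pass http://YYY.YYY.YYY.YY:8123;
        proxy_http_version 1.1;

        # Tell HomeAssistant who the real client is and that the original
        # request arrived over TLS. Without these, HA logs and bans the
        # proxy's IP instead of the client's.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket upgrade for the HA frontend, as in the original post
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

The matching Home Assistant side is `http:` with `use_x_forwarded_for: true` and `trusted_proxies:` containing the address nginx connects from (the server's own IP `YYY.YYY.YYY.YY` when both run on one host); port 8123 itself should stay unreachable from outside the LAN so that the proxy is the only path in.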

Hello Lars,

Thank you for your tutorial. It helped me a lot with my setup. I only have problems with creating certificates for my second webserver (Home Assistant), because ACME always uses the owner name of my first domain. Due to the HSTS security headers I always get an SSL_ERROR_BAD_CERT_DOMAIN error when trying to access my second domain.

regards,
Andy

Hello,

It was a long time ago, but I think I just created a new certificate.
I am using a second user called “letsencrypt” for creating all certificates.

su - letsencrypt
acme.sh --set-default-ca --server letsencrypt
exit
chmod -R 775 /var/www/letsencrypt
mkdir -p /etc/letsencrypt/homeassistant.meinedomain.de/rsa
mkdir -p /etc/letsencrypt/homeassistant.meinedomain.de/ecc
chown -R www-data:www-data /etc/letsencrypt
chmod -R 775 /etc/letsencrypt

su - letsencrypt
acme.sh --issue -d homeassistant.meinedomain.de --server letsencrypt --keylength 4096 -w /var/www/letsencrypt --key-file /etc/letsencrypt/homeassistant.meinedomain.de/rsa/key.pem --ca-file /etc/letsencrypt/homeassistant.meinedomain.de/rsa/ca.pem --cert-file /etc/letsencrypt/homeassistant.meinedomain.de/rsa/cert.pem --fullchain-file /etc/letsencrypt/homeassistant.meinedomain.de/rsa/fullchain.pem --reloadcmd "sudo /bin/systemctl reload nginx.service"

acme.sh --issue -d homeassistant.meinedomain.de --server letsencrypt --keylength ec-384 -w /var/www/letsencrypt --key-file /etc/letsencrypt/homeassistant.meinedomain.de/ecc/key.pem --ca-file /etc/letsencrypt/homeassistant.meinedomain.de/ecc/ca.pem --cert-file /etc/letsencrypt/homeassistant.meinedomain.de/ecc/cert.pem --fullchain-file /etc/letsencrypt/homeassistant.meinedomain.de/ecc/fullchain.pem --reloadcmd "sudo /bin/systemctl reload nginx.service"

exit

Be sure to replace the domain with your correct domain everywhere. It is best to copy and paste it into a text editor and search for the string “meinedomain” to be sure.

With this you should get multiple certificates, and every certificate should be stored in the folders /etc/letsencrypt/XXX.

Hope this helps.

Regards,
Lars

Hey Lars,

Thanks for your response, this was the way I tried. As a workaround, I first created an RSA and ECC certificate for my base domain (in your example “meinedomain.de”). So for all other certificates, the owner was meinedomain.de.

Regards
Andy

Hello ElLarso,

Thank you very much for sharing your information! I am quite new to HA. Before, I had run OH2 and Nextcloud successfully on one machine.

Does your config also work with an HA installation via docker compose? I want to have the benefits of docker compose (esp. the add-ons).

I am running Debian 11 on an older i3 NUC that was connected to my TV, and I was quite happy to have only one PC for my home, my (next)cloud and browsing the Internet.

Greets,
firejuggler

Hi,

To be honest, I am not sure, but I would guess that it should work. As far as I understand, the following lines just forward your request to the local IP address (of your server) on port 8123.

Your docker should handle everything and listen on this port. As I understand it, there should not be a difference between docker and docker-compose. Therefore, I guess that it should work.

Regards,
Lars