MrSir
January 23, 2020, 11:00pm
1
Hi Everyone,
First up just wanted to say a big thank you to everyone’s contributions on this forum. I’ve solved many problems over the last 6 months with such a rich source of helpful info!
Unfortunately I’ve run into a problem I haven’t been able to find a solution for. I have set up an NGINX Reverse Proxy which is working fine and dandy for plex, my irrigation system, etc etc. It is also PARTIALLY working for home assistant. I am able to connect, log in, see my home page and all that good stuff - however there are some elements which will not load through the proxy (they work totally fine locally).
A prime example of this is my ‘camera.adelaideradar’ entity (Australian weather radar station).
I have HA 0.104.2 running in a FreeBSD jail (so it’s NOT hassio).
HA Config:
http:
  ssl_certificate: /home/hass/homeassistant/ssl/test2/server-selfsigned-CA.crt
  ssl_key: /home/hass/homeassistant/ssl/test2/server-selfsigned-CA.key
  base_url: https://homeassistant.MYDOMAIN
  use_x_forwarded_for: true
  trusted_proxies: 192.168.1.73
  ip_ban_enabled: true
  login_attempts_threshold: 5
My NGINX Config is as follows:
server {
    listen 443 ssl;
    server_name homeassistant.MYDOMAIN;
    ssl_certificate /usr/local/etc/letsencrypt/live/homeassistant.MYDOMAIN/fullchain.pem;
    ssl_certificate_key /usr/local/etc/letsencrypt/live/homeassistant.MYDOMAIN/privkey.pem;
    include common_ssl.conf;
    include common_general.conf;
    location / {
        proxy_pass https://192.168.1.166:8123;
        proxy_ssl_trusted_certificate /usr/local/etc/nginx/server-selfsigned-CA.crt;
        proxy_set_header Host $host;
        proxy_ssl_verify off;
        proxy_redirect http:// https://;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_buffering off;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
    location /api/websocket {
        proxy_pass https://192.168.1.166:8123/api/websocket;
        proxy_ssl_trusted_certificate /usr/local/etc/nginx/server-selfsigned-CA.crt;
        proxy_set_header Host $host;
        proxy_ssl_verify off;
        proxy_redirect http:// https://;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_buffering off;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
When attempting to open up one of the entities that doesn’t work, the NGINX logs give a response of 444 (i.e. dropped connection):
192.168.1.1 - - [24/Jan/2020:08:49:37 +1030] "GET /api/camera_proxy/camera.adelaideradar?token=XXXX HTTP/1.1" 444 0 "https://homeassistant.MYDOMAIN/lovelace/default_view" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36"
(of course in the above I have replaced my real domain with MYDOMAIN).
So it looks like NGINX is dropping some of the requests for entities - yet is allowing others to pass through… I suspect the change required will be in the NGINX config.
Any help would be greatly appreciated!
tmjpugh
(Tmjpugh)
January 23, 2020, 11:28pm
2
Maybe check nginx logs and look for hints there.
Other than the camera, what else doesn't work?
MrSir
January 23, 2020, 11:48pm
3
thanks for the reply
The attached log entry is about as much as I’ve been able to find - so it’s about the only clue I’ve got!
In addition to the camera sensor:
-the state history for all entities doesn’t load:
192.168.1.1 - - [24/Jan/2020:10:07:44 +1030] "GET /api/history/period/2020-01-22T23:37:44.935Z?filter_entity_id=sensor.XXXX HTTP/1.1" 444 0 "https://homeassistant.MYDOMAIN/lovelace/default_view" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36"
-the media player background images don’t load:
192.168.1.1 - - [24/Jan/2020:10:08:28 +1030] "GET /static/images/card_media_player_bg.png HTTP/1.1" 444 0 "https://homeassistant.MYDOMAIN/lovelace/home-automation" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36"
firstof9
(firstof9)
January 24, 2020, 12:31am
4
Update your config like so (insert your servername and what not):
http {
    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }
    server {
        server_name homeassistant.MYDOMAIN;
        ssl_certificate /usr/local/etc/letsencrypt/live/homeassistant.MYDOMAIN/fullchain.pem;
        ssl_certificate_key /usr/local/etc/letsencrypt/live/homeassistant.MYDOMAIN/privkey.pem;
        # These shouldn't need to be changed
        # Proxy Home Assistant
        listen :443;
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
        ssl on;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        proxy_buffering off;
        location / {
            proxy_pass http://192.168.1.166:8123;
            proxy_set_header Host $host;
            proxy_redirect http:// https://;
            proxy_http_version 1.1;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
        }
    }
}
MrSir
January 24, 2020, 1:35am
5
Thanks for the response
Unfortunately that made no difference. Still the same elements being blocked…
tjntomas
(Tomas Jansson)
January 24, 2020, 12:53pm
6
I have a similar setup but I am redirecting the /api path instead of /api/websockets, so try:
location /api {
    proxy_pass https://192.168.1.166:8123/api;
    proxy_ssl_trusted_certificate /usr/local/etc/nginx/server-selfsigned-CA.crt;
    proxy_set_header Host $host;
    proxy_ssl_verify off;
    proxy_redirect http:// https://;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_buffering off;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
}
tjntomas
(Tomas Jansson)
January 24, 2020, 1:02pm
7
And to be exact, this is what I have, which is slightly different from your config:
location /api { # Home Assistant API SSL reverse proxy
    proxy_pass http://192.168.1.XXX:8123/api;
    proxy_set_header Host $host;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
}
location /auth { # Home Assistant API SSL reverse proxy
    proxy_pass http://192.168.1.XXX:8123/auth;
    proxy_set_header Host $host;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
}
MrSir
January 26, 2020, 9:31pm
8
hey mate thanks for the response,
I gave the above a try, but unfortunately the issue persists
MrSir
March 10, 2020, 6:06am
9
ok I think I’ve made some progress on figuring out what is wrong here. Any connections that have something in the http_referer field of the logs are blocked.
192.168.1.1 - - [24/Jan/2020:10:08:28 +1030] "GET /static/images/card_media_player_bg.png HTTP/1.1" 444 0 "https://homeassistant.MYDOMAIN/lovelace/home-automation" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36"
The above is blocked, as it has “https://homeassistant.MYDOMAIN/lovelace/home-automation” in the http_referer field.
Whereas:
192.168.1.1 - - [10/Mar/2020:16:19:20 +1030] "GET /api/config HTTP/1.1" 200 607 "-" "Home%20Assistant/69 CFNetwork/1121.2.2 Darwin/19.2.0"
The above is not blocked, as it has “-” in the http_referer field. My config hasn’t changed from the above.
I’m assuming then that it should be a case of adding an extra line to my config (unchanged from above) to allow those referers through? I’ve done some googling but haven’t found anything thus far. Any suggestions?
MrSir
March 10, 2020, 6:54am
10
ok well, I’ve FINALLY figured it out.
When setting up the proxy I added in some security measures as per the recommendations of some online sources - and it appears one of them was blocking these elements…
# Deny certain Referers
if ( $http_referer ~* (babes|forsale|girl|jewelry|love)){ # note: removed some of the keywords for posting on this forum
    return 444;
}
so the ‘love’ was blocking anything to do with ‘lovelace’! oh dear
1 Like
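The false positive found in the last post, reproduced as an added example (not code from the thread): this Python script applies the same unanchored, case-insensitive keyword match to the Referer of every 444 entry in an nginx combined-format log and flags hits where the Referer is the site's own hostname. The keyword list is the partial one shown in the post; `audit`, `own_host` and the result field names are chosen here, and the sample lines are the thread's log entries with shortened user agents.

```python
import re
from urllib.parse import urlsplit

# Keywords visible in the post; the poster removed others before posting.
DENY_KEYWORDS = ["babes", "forsale", "girl", "jewelry", "love"]
# Same semantics as nginx `~*`: unanchored, case-insensitive substring match.
DENY_RE = re.compile("(" + "|".join(DENY_KEYWORDS) + ")", re.IGNORECASE)

# nginx "combined" access log format; only path, status and referer are kept.
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Sample input: log lines quoted in the thread, user agents shortened.
SAMPLE_LOG = [
    '192.168.1.1 - - [24/Jan/2020:08:49:37 +1030] "GET /api/camera_proxy/camera.adelaideradar?token=XXXX HTTP/1.1" 444 0 "https://homeassistant.MYDOMAIN/lovelace/default_view" "Mozilla/5.0"',
    '192.168.1.1 - - [24/Jan/2020:10:08:28 +1030] "GET /static/images/card_media_player_bg.png HTTP/1.1" 444 0 "https://homeassistant.MYDOMAIN/lovelace/home-automation" "Mozilla/5.0"',
    '192.168.1.1 - - [10/Mar/2020:16:19:20 +1030] "GET /api/config HTTP/1.1" 200 607 "-" "Home%20Assistant/69"',
]


def audit(lines, own_host):
    """Explain each 444 response whose Referer matched the deny list."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["status"] != "444":
            continue
        referer = m["referer"]
        hit = DENY_RE.search(referer)
        if hit is None:
            continue
        # Expand the hit to the whole word so the cause is obvious.
        word = re.search(r"[\w-]*" + re.escape(hit.group(1)) + r"[\w-]*", referer).group(0)
        host = urlsplit(referer).hostname or ""
        findings.append({
            "path": m["path"],
            "keyword": hit.group(1).lower(),
            "word": word,
            # True means the rule fired on a page served by this same site.
            "self_referer": host == own_host.lower(),
        })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, "homeassistant.MYDOMAIN"):
        print(finding)
```

A finding with `self_referer` set means the deny rule is matching the application's own URLs, which is what happened with `love` inside `lovelace`.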