NGINX Reverse Proxy not loading some elements

Hi Everyone,

First up just wanted to say a big thank you to everyone’s contributions on this forum. I’ve solved many problems over the last 6 months with such a rich source of helpful info!

Unfortunately I’ve run into a problem I haven’t been able to find a solution for. I have set up an NGINX Reverse Proxy which is working fine and dandy for plex, my irrigation system, etc etc. It is also PARTIALLY working for home assistant. I am able to connect, log in, see my home page and all that good stuff - however there are some elements which will not load through the proxy (they work totally fine locally).

A prime example of this is my ‘camera.adelaideradar’ entity (Australian weather radar station).

I have HA 0.104.2 running in a FreeBSD jail (so it’s NOT hassio).

HA Config:

http:
  ssl_certificate: /home/hass/homeassistant/ssl/test2/server-selfsigned-CA.crt
  ssl_key: /home/hass/homeassistant/ssl/test2/server-selfsigned-CA.key
  base_url: https://homeassistant.MYDOMAIN
  use_x_forwarded_for: true
  trusted_proxies: 192.168.1.73
  ip_ban_enabled: true
  login_attempts_threshold: 5

My NGINX Config is as follows:

server {
    listen 443 ssl;
    server_name homeassistant.MYDOMAIN;
    ssl_certificate /usr/local/etc/letsencrypt/live/homeassistant.MYDOMAIN/fullchain.pem;
    ssl_certificate_key /usr/local/etc/letsencrypt/live/homeassistant.MYDOMAIN/privkey.pem;
    include common_ssl.conf;
    include common_general.conf;

    location / {
        proxy_pass https://192.168.1.166:8123;
        proxy_ssl_trusted_certificate /usr/local/etc/nginx/server-selfsigned-CA.crt;
        proxy_set_header Host $host;
        proxy_ssl_verify off;
        proxy_redirect http:// https://;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_buffering off;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /api/websocket {
        proxy_pass https://192.168.1.166:8123/api/websocket;
        proxy_ssl_trusted_certificate /usr/local/etc/nginx/server-selfsigned-CA.crt;
        proxy_set_header Host $host;
        proxy_ssl_verify off;
        proxy_redirect http:// https://;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_buffering off;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

When attempting to open up one of the entities that doesn’t work, the NGINX logs give a response of 444 (i.e. dropped connection):

192.168.1.1 - - [24/Jan/2020:08:49:37 +1030] "GET /api/camera_proxy/camera.adelaideradar?token=XXXX HTTP/1.1" 444 0 "https://homeassistant.MYDOMAIN/lovelace/default_view" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36"

(of course in the above I have replaced my real domain with MYDOMAIN).

So it looks like NGINX is dropping some of the requests for entities - yet is allowing others to pass through… I suspect the change required will be in the NGINX config.
Any help would be greatly appreciated!

Maybe check the nginx logs and look for hints there.
Other than the camera, what else does not work?

thanks for the reply :slight_smile:

The attached log entry is about as much as I’ve been able to find - so it’s about the only clue I’ve got!

In addition to the camera sensor:
- the state history for all entities doesn't load:

192.168.1.1 - - [24/Jan/2020:10:07:44 +1030] "GET /api/history/period/2020-01-22T23:37:44.935Z?filter_entity_id=sensor.XXXX HTTP/1.1" 444 0 "https://homeassistant.MYDOMAIN/lovelace/default_view" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36"

- the media player background images don't load:

192.168.1.1 - - [24/Jan/2020:10:08:28 +1030] "GET /static/images/card_media_player_bg.png HTTP/1.1" 444 0 "https://homeassistant.MYDOMAIN/lovelace/home-automation" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36"

Update your config like so (insert your servername and what not):

http {
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    server {
        server_name homeassistant.MYDOMAIN;
        ssl_certificate /usr/local/etc/letsencrypt/live/homeassistant.MYDOMAIN/fullchain.pem;
        ssl_certificate_key /usr/local/etc/letsencrypt/live/homeassistant.MYDOMAIN/privkey.pem;

        # These shouldn't need to be changed
        # Proxy Home Assistant
        listen 443 ssl;   # the "ssl" parameter on listen replaces the deprecated "ssl on;"
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
        # TLSv1 and TLSv1.1 are deprecated; keep them only if an old client needs them
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;

        proxy_buffering off;

        location / {
            proxy_pass http://192.168.1.166:8123;
            proxy_set_header Host $host;
            proxy_redirect http:// https://;
            proxy_http_version 1.1;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Upgrade $http_upgrade;
            # $connection_upgrade is "upgrade" only when the client asked for a
            # WebSocket upgrade, and "close" for ordinary requests
            proxy_set_header Connection $connection_upgrade;
        }
    }
}

Thanks for the response :slight_smile:

Unfortunately that made no difference :frowning: Still the same elements being blocked…

I have a similar setup but I am redirecting the /api path instead of /api/websockets, so try:

    location /api {
        proxy_pass https://192.168.1.166:8123/api;
        proxy_ssl_trusted_certificate /usr/local/etc/nginx/server-selfsigned-CA.crt;
        proxy_set_header Host $host;
        proxy_ssl_verify off;
        proxy_redirect http:// https://;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_buffering off;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

And to be exact, this is what I have, which is slightly different from your config:

    location /api { # Home Assistant API SSL reverse proxy
        proxy_pass http://192.168.1.XXX:8123/api;
        proxy_set_header Host $host;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /auth { # Home Assistant API SSL reverse proxy
        proxy_pass http://192.168.1.XXX:8123/auth;
        proxy_set_header Host $host;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

hey mate thanks for the response,
I gave the above a try, but unfortunately the issue persists :frowning:

ok I think I’ve made some progress on figuring out what is wrong here. Any connections that have something in the http_referer field of the logs are blocked.

192.168.1.1 - - [24/Jan/2020:10:08:28 +1030] "GET /static/images/card_media_player_bg.png HTTP/1.1" 444 0 "https://homeassistant.MYDOMAIN/lovelace/home-automation" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36"

The above is blocked, as it has “https://homeassistant.MYDOMAIN/lovelace/home-automation” in the http_referer field.

Whereas:

192.168.1.1 - - [10/Mar/2020:16:19:20 +1030] "GET /api/config HTTP/1.1" 200 607 "-" "Home%20Assistant/69 CFNetwork/1121.2.2 Darwin/19.2.0"

The above is not blocked, as it has “-” in the http_referer field. My config hasn’t changed from the above.

I’m assuming then that it should be a case of adding an extra line to my config (unchanged from above) to allow those referers through? I’ve done some googling but haven’t found anything thus far. Any suggestions?

ok well, I’ve FINALLY figured it out.
When setting up the proxy I added in some security measures as per the recommendations of some online sources - and it appears one of them was blocking these elements…

# Deny certain Referers
if ( $http_referer ~* (babes|forsale|girl|jewelry|love)){ # note: removed some of the keywords for posting on this forum
    return 444;
}

so the ‘love’ was blocking anything to do with ‘lovelace’! oh dear :stuck_out_tongue:

1 Like
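The root cause above is that `~*` in an nginx `if` is an unanchored, case-insensitive regex, so `love` matches anywhere inside `lovelace`. The script below is an added example, not code from the thread or from nginx: it parses the combined-format log lines quoted in the thread (user agents shortened, plus one constructed line), replays the original deny rule against the `$http_referer` field, and compares it with a word-boundary-anchored variant. The anchored pattern `\b(...)\b` is an assumption of this example, not something the thread proposes.

```python
import re

# nginx "combined" log format, which the lines in the thread use:
# $remote_addr - $remote_user [$time_local] "$request" $status
# $body_bytes_sent "$http_referer" "$http_user_agent"
LOG_RE = re.compile(
    r'^(?P<addr>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The deny rule from the thread as nginx evaluates it: "~*" is a
# case-insensitive regex match with no anchors, so any substring hit counts.
NAIVE_DENY = re.compile(r'(babes|forsale|girl|jewelry|love)', re.IGNORECASE)

# Hardened variant (an assumption, not from the thread): word boundaries stop
# "love" matching inside "lovelace". In nginx: ~* "\b(babes|...|love)\b"
ANCHORED_DENY = re.compile(r'\b(babes|forsale|girl|jewelry|love)\b', re.IGNORECASE)

# Constructed sample: the first three lines are the ones quoted in the thread
# (user agents shortened); the fourth is made up to show a referer that the
# anchored rule should still drop.
SAMPLE_LOG = [
    '192.168.1.1 - - [24/Jan/2020:08:49:37 +1030] "GET /api/camera_proxy/camera.adelaideradar?token=XXXX HTTP/1.1" 444 0 "https://homeassistant.MYDOMAIN/lovelace/default_view" "Mozilla/5.0"',
    '192.168.1.1 - - [24/Jan/2020:10:08:28 +1030] "GET /static/images/card_media_player_bg.png HTTP/1.1" 444 0 "https://homeassistant.MYDOMAIN/lovelace/home-automation" "Mozilla/5.0"',
    '192.168.1.1 - - [10/Mar/2020:16:19:20 +1030] "GET /api/config HTTP/1.1" 200 607 "-" "Home%20Assistant/69 CFNetwork/1121.2.2 Darwin/19.2.0"',
    '203.0.113.9 - - [10/Mar/2020:16:20:00 +1030] "GET /api/config HTTP/1.1" 444 0 "https://spam.example/love-girl/" "curl/7.68.0"',
]


def parse_log_line(line):
    """Split one combined-format line into its fields; a "-" referer becomes ""."""
    m = LOG_RE.match(line)
    if m is None:
        raise ValueError("not a combined-format line: %r" % line)
    rec = m.groupdict()
    if rec["referer"] == "-":   # nginx logs "-" when the header is absent
        rec["referer"] = ""
    return rec


def would_drop(referer, deny=NAIVE_DENY):
    """True if `if ($http_referer ~* ...) { return 444; }` fires for this Referer."""
    return deny.search(referer) is not None


def audit(lines, deny=NAIVE_DENY):
    """For each line: (path, referer, dropped?) under the given deny regex."""
    result = []
    for line in lines:
        rec = parse_log_line(line)
        result.append((rec["path"], rec["referer"], would_drop(rec["referer"], deny)))
    return result


def explain(lines):
    """Side-by-side verdicts: (path, referer, naive_dropped, anchored_dropped)."""
    naive = audit(lines, NAIVE_DENY)
    anchored = audit(lines, ANCHORED_DENY)
    return [(p, r, n, a[2]) for (p, r, n), a in zip(naive, anchored)]


if __name__ == "__main__":
    for path, referer, naive, anchored in explain(SAMPLE_LOG):
        print("%-45s naive=%-5s anchored=%-5s ref=%s"
              % (path, naive, anchored, referer or "(none)"))
```

Running it shows the two `lovelace` referers dropped only by the naive rule, the referer-less `/api/config` request passed by both, and the constructed `spam.example/love-girl/` referer dropped by both. Two caveats for anyone keeping such a rule: the Referer header is set by the client, so a keyword blocklist is a nuisance filter, not an access control, and nginx's own referer module (`valid_referers` with `$invalid_referer`) is the idiomatic way to restrict referers to your own hostnames if that is the actual goal.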