I followed the official documentation to setup DuckDNS, and Let’s Encrypt as well as opening up port 443 directing to my HAOS machine on port 8123.
Generally this is working well, but sometimes I cannot access my system locally. I am not sure of the reason, but I assume it has something to do with the external address and the fact that enabling https disables local http access.
So I decided to try the official NGINX reverse proxy and followed the instructions to a “T”. In doing so I commented out the “http” section in my config and added the “http” section exactly from the NGINX doc. https://github.com/home-assistant/addons/blob/3d66e1d286f839a450d6ceb260c69da04438d681/nginx_proxy/DOCS.md
After changing the configuration.yaml and then starting up the NGINX reverse proxy I restarted home assistant.
After restarting I can access home assistant locally with http://homeassistant.local:8123 (I could not do this with the “let’s encrypt” settings)
Externally, with NGINX running and settings applied, I can only access home assistant via http://mydomain.duckdns.org:443 notice the “http” not “https”. Also, it does not work without the :443. When I try to access via https I get a home assistant landing page that just says “loading data”.
Several posts have said to look at the log from the NGINX reverse proxy to see the address to use in the setup. I do not see any addresses in my log. The address in the config is a local address range… is this the hard coded address range of the NGINX add on docker image? To try to make this work I added the full 10.x.x.x 192.168.x.x And 172.16-31.x.x Ranges as well as my HAOS IP address to the trusted proxies list. This has not helped.
For now I think I will fall back to closing the port down and relying on a WireGuard split tunnel “on demand” I have configured on another local machine. This implementation works when it works, but it is not as solid externally as the stand alone “let’s encrypt” settings. But locally, it is bulletproof, which is how I’m using HA primarily at the moment.
Maybe using Nabu Casa cloud would solve all of my problems, but it is not exactly the “self hosted” situation I was hoping for. I don’t find the cost prohibitive, but it seems unnecessary when I already have everything 99% of the way without it, and I do not use Alexa or Google services.
Here is the log from NGINX:
s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service fix-attrs successfully started
s6-rc: info: service legacy-cont-init: starting
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service nginx: starting
s6-rc: info: service nginx successfully started
s6-rc: info: service crond: starting
s6-rc: info: service crond successfully started
s6-rc: info: service legacy-services: starting
s6-rc: info: service legacy-services successfully started
[10:01:19] INFO: Running nginx…
I’m running the latest HAOS x64 on a repurposed x64 Mac mini.
- Core 2024.1.6
- Supervisor 2023.12.1
- Operating System11.4
- Frontend 20240104.0