Nginx Reverse Proxy Set Up Guide – Docker

@Aephir

I do, I have hass depending on mqtt, postgres and motioneye.
It’s been working well, so far.

Annoying :confused:

Have you come upon anything else in your week-long endeavour that you think could have changed, or I could have messed up in the meantime?

I tried literally copy/pasting your config from the first post, doing a find & replace for any instance of mydomain and hostip, and added proxy_set_header x-ha-access "MY_OLD_API_PASSWORD"; under the location part of the HASS configuration.

Since the last time it was functional, all I can think of that I’ve changed is:

  • I’ve moved the config volume (in docker-compose) from /etc/letsencrypt to /home/aephir/docker/letsencrypt/config (deleted certificates, docker containers etc., and started fresh).
  • I’ve upgraded HASS from whatever version was the latest docker image in early/mid July to current (issues since at least 0.76.X).
  • I’ve started using the new auth system.
  • I’ve started using Lovelace.
  • Messed with HASS automations and components, but can’t see how that should matter…?

I don’t see errors in the docker logs for letsencrypt and duckdns. My nginx error logs just show what I posted above about 111: Connection refused. And as mentioned, HADashboard access via nginx works fine.

I haven't.
It may be unrelated, but I’ve seen some other posts where people can't access the site, where they’ve been told to delete this new .storage dir and start over with the authentication.

Hmmm, could be related to the auth.

After deleting the .storage/auth, .storage/auth_provider.homeassistant and .storage/onboarding, I got to re-create my admin user, but now also browsing to the local IP shows 403: Forbidden :cry: So not getting better, but might be a pointer to where the problem is…

Not good.
But if you recreated it, that means you could see the login. So after that, 403?

Then in that case it sounds like it's not nginx. This auth change has been painful for many…

I thought I was immensely smart, having everything backed up via rsync to an external HDD. But I made a typo when I tried to restore, so now I can’t even boot the OS :roll_eyes:

I’m going to use the next few days (if I’m lucky) re-installing Ubuntu Server and go from there. Luckily I have my github that’s reasonably up to date…

One step forward, 403 steps back… And a lesson or two learned.

Thanks a lot for this @juan11perez, it’s highly appreciated indeed and saved me and others a lot of time and frustration, way to go!!

I do have a small question though :slight_smile: :

Let’s say I have the following domain names:

  1. mydomain-hass.duckdns.org
  2. mydomain-mosquitto.duckdns.org

How would I configure NGINX to be able to use TLS/SSL from the outside world, given that I already forwarded the correct ports?

Thanks a lot again

I have another question:

Should this set up automatically renew the certificates from Letsencrypt periodically?

If not then how do I renew? Do I just re-create the container occasionally?

The container renews certificates automatically. If you check the logs on restart, it goes through the auto-renewal sequence.

Sorry, I don't understand the question.

The container gets the certificate(s) for the domains you’ve specified.

Sorry, I’ll try to be clearer.

When I try to connect to HA using ‘mydomain-hass.duckdns.org’, everything goes smoothly.
However, when I try to connect to my Mosquitto MQTT broker from outside my network using mydomain-mqtt.duckdns.org, I fail to do so. I’m linking my default config file to clarify more.

And in addition to the startup sequence of checking, there is a cronjob running:

8       2       *       *       *       /app/le-renew.sh >> /config/log/letsencrypt/letsencrypt.log 2>&1

So it’ll renew even if you have it running forever without restarting it.

This is not correct.
You have a mydomain.duckdns.org that goes to the blank server page.
Then you should have server blocks for these, for instance:

hass.mydomain.duckdns.org
mqtt.mydomain.duckdns.org
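As an added illustration of that layout (example config, not the guide's or @juan11perez's own), two server blocks following the naming above: a catch-all for the bare duckdns name that serves a blank page, and one for the hass subdomain that proxies to Home Assistant. The certificate paths, the upstream address 192.168.1.10:8123 and the listening port are assumptions.

```nginx
# Catch-all for the bare domain (and any unknown Host header): an empty 200,
# so a scan of the public IP learns nothing about what runs behind the proxy.
server {
    listen 443 ssl default_server;
    server_name mydomain.duckdns.org;

    # Assumed paths: wherever the letsencrypt container writes its certificates.
    ssl_certificate     /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

    return 200 "";
}

# One server block per service, named as a subdomain of the duckdns domain.
server {
    listen 443 ssl;
    server_name hass.mydomain.duckdns.org;

    ssl_certificate     /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

    location / {
        # Assumed LAN address of Home Assistant. A wrong address or port here is
        # what produces the "111: Connection refused" line in the nginx error log.
        proxy_pass http://192.168.1.10:8123;

        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        # Pass the real client address on. Without it (and Home Assistant's
        # http: use_x_forwarded_for: true), every visitor looks like the proxy,
        # and one failed login can trigger an IP ban that locks everyone out.
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # The frontend uses a websocket, so allow the upgrade through.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Only relevant if the legacy api_password is still in use; the new
        # auth system does not need it:
        # proxy_set_header x-ha-access "LEGACY_API_PASSWORD";
    }
}
```

Reload with `nginx -s reload` after editing, then check the error log for the connection-refused line before assuming the problem is elsewhere.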

I’m feeling pretty stupid now, but I better share, in case anyone else has this issue, and doesn’t think twice.

I had a similar issue after the re-install, and noticed it was due to an IP ban. I’m guessing it could have been the same issue; I didn’t even check.

Oh… really?
All that hassle and it was an IP ban? Well, you found the problem.
It usually turns out like that. I think it’s sometimes our nature to overcomplicate things.

The thing is, when I come to create a sub domain containing dots, duckdns (for instance) doesn’t allow it.
Can you please elaborate on how you created the sub-domains?

Exactly per my example.
You registered a mydomain in duckdns.
So your duckdns is for example ohad.duckdns.org

So your hass instance would for instance be
hass.ohad.duckdns.org

MQTT would be
mqtt.ohad.duckdns.org

So in the docker compose, in sub domains you'd add
subdomains: hass, mqtt, etc, etc


Ok, getting there… I’ve made the changes you suggested (I’m new to the whole sub-domain concept, my bad).
And I can get to HASS using a domain similar in convention to what you wrote.

My issue still being the MQTT broker. Should I define anything in mosquitto.conf as far as the proxy is concerned?

I don't think so, but I can't really tell. I don't access the broker from outside.
Why do you need to access it?

Mainly for Owntracks.