Nginx Reverse Proxy Set Up Guide – Docker

The thing is, when I come to create a subdomain containing dots, duckdns (for instance) doesn't allow it.
Can you please elaborate on how you created the subdomains?

Exactly per my example.
You registered a domain in duckdns.
So your duckdns domain is, for example, ohad.duckdns.org

So your hass instance would, for instance, be
hass.ohad.duckdns.org

mqtt would be
mqtt.ohad.duckdns.org

So in the docker compose, in sub domains, you'd add
subdomains: hass, mqtt, etc, etc

1 Like

Ok, getting there… I've made the changes you suggested (I'm new to the whole subdomain concept, my bad),
and I can get to HASS using a domain similar in convention to what you wrote.

My issue is still the MQTT broker. Should I define anything in mosquitto.conf as far as the proxy is concerned?

I don't think so, but I can't really tell. I don't access the broker from outside.
Why do you need to access it?

Mainly for Owntracks

I just got it working! Thanks so much @juan11perez for all the hard work done on this and generally for answering and being a kind human being. Here's my config for others' reference:

In mosquitto.conf (Mosquitto MQTT broker configuration):

port 1883
protocol mqtt
...
listener 1884
protocol websockets

Additionally, you should map the container port 1884 to external port 1884.

In the NGINX default conf:

server {
    server_name mqtt.obenita.duckdns.org;
    listen 443 ssl;

    location / {
        proxy_pass http://10.0.0.9:1884/; # The server you want to redirect to
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

The configuration in OwnTracks would then be:

  1. Host name - mqtt.yourdomain.duckdns.org
  2. TLS enabled
  3. Websockets enabled, port is 443 (NGINX port)
  4. Authentication - depends on what was previously configured

Thanks @rbray89 for the guidance in one of your replies to this post.

2 Likes
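Before putting the broker behind the proxy the way this post describes, the points worth verifying are that the broker itself requires authentication (the websockets listener inherits the global `allow_anonymous` and `password_file` settings) and that the nginx block terminates TLS and forwards the WebSocket upgrade to the right upstream port. The script below is an added example, not code from the original post or from Mosquitto, nginx or OwnTracks; it parses constructed copies of the two configs above and reports findings. It assumes Mosquitto's default of global rather than per-listener settings, and the domain and `password_file` path in the samples are placeholders.

```python
"""Checks for an MQTT-over-WebSockets reverse proxy (added example).

Parses a mosquitto.conf and an nginx server block and reports what is
worth verifying before the broker is reachable from the internet.
"""
import re

# Constructed sample: a plain MQTT listener plus a websockets listener.
MOSQUITTO_CONF = """\
port 1883
protocol mqtt
allow_anonymous false
password_file /mosquitto/config/passwd   # hypothetical path

listener 1884
protocol websockets
"""

# Constructed sample: the nginx block from the thread with a placeholder name.
NGINX_CONF = """\
server {
    server_name mqtt.example.duckdns.org;
    listen 443 ssl;

    location / {
        proxy_pass http://10.0.0.9:1884/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
"""


def parse_mosquitto(text):
    """Return (global settings, listeners). 'port' is the legacy default
    listener, 'listener' adds one, 'protocol' applies to the latest listener;
    everything else is global (per_listener_settings assumed off)."""
    settings, listeners = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key in ("listener", "port"):
            listeners.append({"port": int(value.split()[0]), "protocol": "mqtt"})
        elif key == "protocol" and listeners:
            listeners[-1]["protocol"] = value
        else:
            settings[key] = value
    return settings, listeners


def parse_nginx_server(text):
    """Pull out the directives the proxy check needs from one server block."""
    def grab(pattern):
        m = re.search(pattern, text, re.M)
        return m.group(1).strip() if m else None
    headers = dict(re.findall(r'proxy_set_header\s+(\S+)\s+"?([^";]+)"?;', text))
    return {
        "listen": grab(r"^\s*listen\s+([^;]+);"),
        "proxy_pass": grab(r"^\s*proxy_pass\s+([^;]+);"),
        "http_version": grab(r"^\s*proxy_http_version\s+([^;]+);"),
        "headers": headers,
    }


def check_broker(settings, listeners):
    """Findings on the broker side; an empty list means nothing to flag."""
    findings = []
    if not any(l["protocol"] == "websockets" for l in listeners):
        findings.append("no websockets listener for nginx to proxy to")
    anon = settings.get("allow_anonymous")
    if anon is None:
        findings.append("allow_anonymous not set explicitly (its default differs "
                        "between Mosquitto releases); set it to false")
    elif anon.lower() == "true":
        findings.append("allow_anonymous true: anyone reaching the proxy can "
                        "publish and subscribe")
    if "password_file" not in settings:
        findings.append("no password_file: clients cannot be authenticated")
    return findings


def check_proxy(block, listeners):
    """Findings on the nginx side: TLS, HTTP/1.1 upgrade, correct upstream port."""
    findings = []
    if "ssl" not in (block["listen"] or ""):
        findings.append("listen is not ssl: credentials would cross the internet in clear text")
    if block["http_version"] != "1.1":
        findings.append("proxy_http_version 1.1 is required for the WebSocket upgrade")
    hdrs = block["headers"]
    if hdrs.get("Upgrade") != "$http_upgrade" or hdrs.get("Connection", "").lower() != "upgrade":
        findings.append("Upgrade/Connection headers not forwarded")
    m = re.search(r":(\d+)/?$", block["proxy_pass"] or "")
    port = int(m.group(1)) if m else None
    if port not in {l["port"] for l in listeners if l["protocol"] == "websockets"}:
        findings.append(f"proxy_pass targets port {port}, not a websockets listener")
    return findings


def run_checks(mosquitto_text, nginx_text):
    settings, listeners = parse_mosquitto(mosquitto_text)
    return check_broker(settings, listeners) + check_proxy(parse_nginx_server(nginx_text), listeners)


if __name__ == "__main__":
    for finding in run_checks(MOSQUITTO_CONF, NGINX_CONF) or ["no findings"]:
        print(finding)
```

Run it against your own files by reading them in place of the two constructed strings; the checks are deliberately conservative, so a finding means "look at this", not necessarily "this is broken".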

Glad you got it working.
I'm not sure if I'm completely wrong, but I didn't think you needed to expose mqtt to the outside for owntracks.

I don't use the owntracks mobile app, but I do use the hass owntracks component in conjunction with a custom component someone developed to use life360.

So effectively the life360 app on the phone uses the owntracks mqtt component to talk to hass.

I've been using it for about a year without exposing mqtt externally.

I'm far from an expert so my explanation may not be entirely accurate, but I definitely don't have mqtt exposed and life360 is using it.

1 Like

Fxxxing unbelievable. I spent awful time trying to fix this issue. Recently I moved my HA from RPi to unRAID. I added a new config file for HA in nginx/proxy-confs folder but that didn’t work. I changed that file so many times but after following your version of default.conf (nginx/site-confs) this issue was resolved right away.

I still don’t understand why Linuxserver docker looks for sub-subdomain.subdomain.duckdns.org. Earlier when I used LetsEncrypt/Nginx on RPi, I used subdomain.duckdns.org and it worked with no issues.

I have one suggestion for you. Please move instructions to Github where it’s easy to read. It was a bit confusing to read with different formatting.

Once again, thanks for sharing this guide.

1 Like

Glad it helped you. I’ll have a look at github.

Hey, anyone got the config from the original post working with auth_basic enabled? It seems to work fine until I hit up against an api interface call.

E.g. going to the Developer-Tools Events page or the Dev-Info page results in a failed api call and a 401 error message showing up in Chrome Dev Tools.

GET https://ha.[mydomain].com/api/events 401 (Unauthorized) fetch-with-auth.js:8

If I turn off nginx authentication then all works as expected. I have tried the suggestion from [Turbulence ahead - fasten your seatbelt] but it made no difference. I’m on HA 0.78.3 for what it is worth.

Anyone done this recently that can help me out? I think I'm close, I just need to get the configuration right. I've currently got my HA accessible from duckdns and the container running.

I have nginx with Let’s Encrypt running on a VM and it works nicely. But I’d like to move that over to docker or switch to Traefik. Any reasons why I should stick with nginx? It seems a lot of people prefer Traefik.

I don't know what Traefik involves, but I assume it has something similar to server blocks? Is this the "labels" values in a docker-compose file? What do I do if I want to set up a reverse proxy for something that isn't in a docker container? Is it just possible to add something like foo.example.com and point to ip:1234?

I can't really comment on which one is better. I just chose to go this way.
The server block works with the ip:port address regardless of whether it's in docker or not, so it should be fine.

so what’s the problem?

I'm having a problem with basic auth alongside the new auth system as well. From what I've been able to determine, the Authentication header is being re-written from "Basic xxxxxxx" to "Bearer [token]" somewhere by the new auth methods. This results in me being constantly asked for my Basic Auth creds, and ends up with a sort of interactive redirect loop between basic auth and the new HA auth.
For a yet unconfirmed reason, it works in Fully Kiosk Browser. I'm assuming it's how FKB inserts its own auth headers when you tell it to use basic auth, but I don't really know because I haven't figured out how to look at FKB traffic or even error logs.
At this point my trying to figure this out is mostly aimless tinkering, so if someone has suggestions to try to fix it, I'd love to be a semi-capable guinea pig, but otherwise I will shift focus back to the floorplan and alarm plugins.

I want to get nginx and Let's Encrypt working in docker (is a firewall needed?). I haven't jumped into trying yet because I want nginx to reverse proxy not only my docker services, but some local network services that will never go into docker. Most of the nginx and Let's Encrypt docker stuff (what are they called on docker hub, repos?) I've seen appears to be targeted towards docker services.

I’m tagging @flamingm0e on this, because he seems to know his docker better than most and IMO he’s a hero of this community.

1 Like

I would try this then.

https://hub.docker.com/r/linuxserver/letsencrypt/

All you need is for your NGINX docker to see the certs from Let's Encrypt, whether you use Let's Encrypt in its own docker or in the same docker container.

NGINX doesn’t care what you are proxying. The fact that it is running in Docker means nothing to the way reverse proxy works. You simply point the config to what you want to proxy.

I have seen others mention Caddy and Traefik around here as being easier to configure. You could try those too. See what you like.

Thanks, but I don’t think I am a hero. :wink:

1 Like

I've got the same issue as you @Garrett.Raney; I've downgraded to 0.76.2 for now.

This is great! I was finally able to get HA up without a hitch.
Has anyone gotten node-red set up to be accessed from its own subdomain and/or from within the HA subdomain within this framework? I have tried several things I have dug up from various nginx posts but haven't been able to get it to work… I keep getting timed out.

Thanks!

1 Like

Anybody have any luck with iframes? I could sometimes get it to work; other times it would give "no auth header received". Any ideas? This is a side panel configurator iframe.