Nginx Reverse Proxy Set Up Guide – Docker

If you look at the site default config, it is listening on port 443 on multiple lines. Does setting the port as 443 work? What do the container logs say?

Hey Bro. i’ am absolutely thank you so much for your thread. i spend two day in hell , try to configure home assistant , let’s encrypt to run on unraid. it’s make me so headache. thanks for you, i finally did it. thanks u so much. u are my hero.

you’re very welcome. glad it still works. happy to help

Thank you! I have been putting off trying this for a few months. Reading it over and over again to get an better understanding of what it is doing. I finally made the plunge and tried it yesterday and today. I got it up and going with only few hiccups! Again thanks, my network is now way more secure.

you’re welcome. I know the feeling :grinning:

Yes, it’s a working config but you ain’t using reverse proxy with your setup, it’s to independent islands who helps you get SSL cert working together

I struggle with the same as NGINX also do, have to disable proxy config in NGINX, I want to be able to use reversed proxy as it supposed, not disable the function

Same problem here, to let traffic from Sonos, Casts etc working inside reversed proxy

I am using reverse proxy, that;s what Traefik does. As a bonus Traefik also get’s the certificates form Let’s Encrypt. There is no portfowarding, other then to Traefik, in my router.

Try this tutorial, it will help you understand things: https://www.smarthomebeginner.com/traefik-reverse-proxy-tutorial-for-docker/

Piotr:

Hey, how did you get fail2ban working with the homeassistant auth? I want fail2ban to check on failed logins to homeassistant… Thanks in advance!

Here’s an example: https://github.com/bachya/smart-home/tree/master/nginx

I use Supervisor to launch fail2ban after NGINX starts running. I then use these settings for jails.

1 Like

@bachya thanks for that! My setup is a bit different with nginx acting as a reverse proxy and fail2ban installed in the same container, I was able to use the filters though to adapt and I’ve gotten rid of a lot of entries in access.log not generated by me! Thanks again!

Actually… @bachya All the filters you have there do not check logins to hassio. What I’m trying to get to, is if someone puts in the wrong password for homeassistant 3 times they get banned. Hassio has this built in but since all the requests are coming from the proxy, it isn’t aware of the external IP’s failing to authenticate and it would only ban the nginx container ip. I have added all the bans for scripts etc and they are working but I’m wondering if the access log for nginx proxy will show a failed login for homeassistant some way? Sorry, this isn’t my forte so not sure if I’m missing something…point me out if I’m being stupid :slight_smile:

Not stupid at all! :+1:

The NGINX access log won’t show anything related to failed logs from HASS, unfortunately. I’ve “solved” this problem by having a second layer of IP banning via HASS’ built-in functionality: https://www.home-assistant.io/components/http/#ip-filtering-and-banning

@bachya be careful with that as it will ban the nginx ip and you will get locked out. If you try to login with a wrong password, you will see that hassio gives you a notification using the local ip of the letsencrypt container. It will basically lock it up completely and you won’t be able to access without removing the ban…

Thanks for the set up guide.
But I am doing something wrong. I get the following error:
problem binding to port 80: could not bind to ip4 or ip6
error: cert does not exist!

Can anyone tell me what I did wrong?
Regards

@micronikje is anything else running on port 80 on the host? Did you forward the ports from your router to the device that’s running the container? That error is either because something is already running on port 80 or 443 or because letsencrypt could not validate you. I would also check the duckdns token…

Not if you list the NGINX IP address under trusted_proxies.

correct but the only ip that can reach homeassistant is that ip because of the reverse proxy so it will never trigger…

That doesn’t need to be the case I believe. In the HTTP component, there’s the following option:

use_x_forwarded_for

(boolean)(Optional)Enable parsing of the X-Forwarded-For header, passing on the client’s correct IP address in proxied setups. You must also whitelist trusted proxies using the trusted_proxies setting for this to work. Non-whitelisted requests with this header will be considered IP spoofing attacks, and the header will, therefore, be ignored.

Default value: false

-Source

So if you enable that, and tell nginx to also forward the original IP, home assistant will see the original IP of person trying to log in.

If you’re not using the proxy manager addon, this is the commands to get that part to work, i think.

If you are using the proxy manager addon, you can use the advanced configuration menu to add the appropriate commands there.

1 Like

@Silicon_Avatar is correct: use_x_forwarded_for ensures that Home Assistant see’s the “true” IP address of a request, regardless of the fact that it passes through NGINX.