Nginx Reverse Proxy Set Up Guide – Docker

juan11perez · March 1, 2019, 10:51am

you’re very welcome. glad it still works. happy to help

jasonstevens · March 10, 2019, 11:16pm

Thank you! I have been putting off trying this for a few months. Reading it over and over again to get an better understanding of what it is doing. I finally made the plunge and tried it yesterday and today. I got it up and going with only few hiccups! Again thanks, my network is now way more secure.

juan11perez · March 11, 2019, 4:55am

you’re welcome. I know the feeling

Banditen01 · March 17, 2019, 10:10pm

Yes, it’s a working config but you ain’t using reverse proxy with your setup, it’s to independent islands who helps you get SSL cert working together

I struggle with the same as NGINX also do, have to disable proxy config in NGINX, I want to be able to use reversed proxy as it supposed, not disable the function

Same problem here, to let traffic from Sonos, Casts etc working inside reversed proxy

piotr · March 18, 2019, 6:53am

I am using reverse proxy, that;s what Traefik does. As a bonus Traefik also get’s the certificates form Let’s Encrypt. There is no portfowarding, other then to Traefik, in my router.

Try this tutorial, it will help you understand things: https://www.smarthomebeginner.com/traefik-reverse-proxy-tutorial-for-docker/

Banditen01 · March 18, 2019, 11:47am

Piotr:

omriasta · April 18, 2019, 7:38pm

Hey, how did you get fail2ban working with the homeassistant auth? I want fail2ban to check on failed logins to homeassistant… Thanks in advance!

bachya · April 18, 2019, 10:48pm

Here’s an example: https://github.com/bachya/smart-home/tree/master/nginx

I use Supervisor to launch fail2ban after NGINX starts running. I then use these settings for jails.

omriasta · April 22, 2019, 3:40pm

@bachya thanks for that! My setup is a bit different with nginx acting as a reverse proxy and fail2ban installed in the same container, I was able to use the filters though to adapt and I’ve gotten rid of a lot of entries in access.log not generated by me! Thanks again!

omriasta · April 22, 2019, 5:47pm

Actually… @bachya All the filters you have there do not check logins to hassio. What I’m trying to get to, is if someone puts in the wrong password for homeassistant 3 times they get banned. Hassio has this built in but since all the requests are coming from the proxy, it isn’t aware of the external IP’s failing to authenticate and it would only ban the nginx container ip. I have added all the bans for scripts etc and they are working but I’m wondering if the access log for nginx proxy will show a failed login for homeassistant some way? Sorry, this isn’t my forte so not sure if I’m missing something…point me out if I’m being stupid

bachya · April 22, 2019, 6:11pm

Not stupid at all!

The NGINX access log won’t show anything related to failed logs from HASS, unfortunately. I’ve “solved” this problem by having a second layer of IP banning via HASS’ built-in functionality: https://www.home-assistant.io/components/http/#ip-filtering-and-banning

omriasta · April 22, 2019, 6:16pm

@bachya be careful with that as it will ban the nginx ip and you will get locked out. If you try to login with a wrong password, you will see that hassio gives you a notification using the local ip of the letsencrypt container. It will basically lock it up completely and you won’t be able to access without removing the ban…

micronikje · April 22, 2019, 6:19pm

Thanks for the set up guide.
But I am doing something wrong. I get the following error:
problem binding to port 80: could not bind to ip4 or ip6
error: cert does not exist!

Can anyone tell me what I did wrong?
Regards

omriasta · April 22, 2019, 6:24pm

@micronikje is anything else running on port 80 on the host? Did you forward the ports from your router to the device that’s running the container? That error is either because something is already running on port 80 or 443 or because letsencrypt could not validate you. I would also check the duckdns token…

bachya · April 22, 2019, 6:50pm

Not if you list the NGINX IP address under trusted_proxies.

omriasta · April 22, 2019, 7:01pm

correct but the only ip that can reach homeassistant is that ip because of the reverse proxy so it will never trigger…

Silicon_Avatar · April 22, 2019, 7:08pm

That doesn’t need to be the case I believe. In the HTTP component, there’s the following option:

use_x_forwarded_for

(boolean)(Optional)Enable parsing of the X-Forwarded-For header, passing on the client’s correct IP address in proxied setups. You must also whitelist trusted proxies using the trusted_proxies setting for this to work. Non-whitelisted requests with this header will be considered IP spoofing attacks, and the header will, therefore, be ignored.

Default value: false

-Source

So if you enable that, and tell nginx to also forward the original IP, home assistant will see the original IP of person trying to log in.

If you’re not using the proxy manager addon, this is the commands to get that part to work, i think.

If you are using the proxy manager addon, you can use the advanced configuration menu to add the appropriate commands there.

bachya · April 22, 2019, 7:19pm

@Silicon_Avatar is correct: use_x_forwarded_for ensures that Home Assistant see’s the “true” IP address of a request, regardless of the fact that it passes through NGINX.

omriasta · April 22, 2019, 7:37pm

Yep, I just added that, was not aware of the option. THis is perfect and exactly what I was trying to get done! Thank you both @Silicon_Avatar and @bachya

micronikje · April 23, 2019, 5:13pm

@omriasta

Letsencrypt runs in a docker on a qnap nas.
The nas uses port 443 for SSL. The network uses the host function. Port 80 is used by other programs that do not run on the nas. Both Ports are forwarded in the router.
In another docker runs home assistant which I want to use SSL. I Will give the other programs another port and see if that helps.