Nginx Reverse Proxy Set Up Guide – Docker

Still only getting the blue ribbon, any idea? These at least show up in the log.

77.234.46.223 - - [04/Dec/2019:00:07:45 -0500] "GET / HTTP/1.1" 200 3086 "https://hass.DOMAIN" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0"
77.234.46.220 - - [04/Dec/2019:00:07:46 -0500] "GET /static/icons/favicon.ico HTTP/1.1" 200 17957 "https://hass.DOMAIN/static/icons/favicon.ico" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0"
77.234.46.220 - - [04/Dec/2019:00:07:46 -0500] "GET /static/icons/favicon-apple-180x180.png HTTP/1.1" 200 4359 "https://hass.DOMAIN/static/icons/favicon-apple-180x180.png" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0"

I have tried to follow this guide in conjunction with this YouTube video https://youtu.be/YAgVF_6NnEI

I am really confused as after restarting Home Assistant I am only able to access my server over http:, both from within my network and from outside. https: does not work at all.

My Setup:

QNAP NAS running Home Assistant in Docker. I also have two RPi 3+ with Pi-Hole and OpenVPN.

I have also set up remote access with SSL and duckdns. That means that I can reach my server both at home and away using my duckdns logon over https. So far, so good.

Last month I had to change to a new modem that was provided by my internet provider. I installed and configured the new modem/router (Sagemcom). Everything seemed to go OK except I was no longer able to reach my server from within my network with my duckdns logon.

After a little reading and googling, I realised that my new modem/router did not support NAT Loopback. After a further period of investigation, I found a solution to the duckdns access. This involved the following steps

Disable DHCP on Sagemcom Modem/Router
Enable DHCP on Pi-Hole
Create Entry in Pi-hole HOSTS to direct duckdns queries to local address.
Also needed to add an entry in HOSTS for my OpenVPN as this was also not accessible.

So now I can access Home Assistant with https inside and outside my network using duckdns. Furthermore, VPN server also works without problem. Next problem I noticed was the Google TTS stopped working. I read on another thread that routers that do not support NAT Loopback break TTS. Therefore I thought I would try Nginx as another solution.

Is there something I am doing obviously wrong?

NGINX doesn’t solve the problem of your router not supporting NAT loopback.

Sorry I was not clear,

The reason for using NGINX was to try and get Google TTS working again. As I understand, using NGINX you can access your Home Assistant internally without https: Did I misunderstand?

How does this solve your problem with TTS?

Yes, you can use http locally behind the proxy, and publicly, use the proxy with https, but I fail to see how this fixes your problem.

This was one of a couple of articles that I read that seemed to suggest that a lack of NAT Loopback was a problem for TTS.

My router does not support NAT Loopback and I thought with Nginx I could get to a situation where I could use http locally.

OK, so it works locally without https. If this is the case, then yes, the reverse proxy is the proper way to go about it, unless you can replace your router.

So what I cannot understand is that once I configure the NGINX reverse proxy, I can not only access HA locally with http, but externally as well. I thought the external connection should still utilise https.

Any ideas?

Kind of. What you will do is have HA listen without ssl on port 8123, and nginx on 443 ssl reverse proxying. On your firewall you do not forward port 8123. The issue here is you end up with two different ways to access Home Assistant, one http://ha.local:8123 and https://mydomain.duckdns.org from the internet.

These are all settings in your reverse proxy. Tell NGINX to redirect calls on port 80 to 443. Don’t open port 8123 on your router.

I have removed the port forward for 8123. How do I get NGINX to redirect calls on port 80 to 443?

Solved :slight_smile:

If I had read carefully, I would have noticed that I do not need to append the port (8123) to the new external address.

Thanks @flamingm0e and @Andres_Arenas_Velez for your support

Does anyone know if this will work on an Odroid Xu4 running hass.io? Can I break anything if I try?

Here’s some system info:

System           Ubuntu 18.04.2 LTS
arch             armv7l
docker           true
hassio           true
os_name          Linux
python_version   3.7.5
version          0.103.5
virtualenv       false

I have attempted to set up an nginx reverse proxy using the linuxserver/letsencrypt docker container and the configuration in the OP. My setup is a bit different as the nginx reverse proxy is running on an Ubuntu server and my Hassio is running on a RPi, but everything seems to be working!

However, I would like to understand the HA configuration in the nginx config file. I have tried to read up some on the nginx documentation, but I would really appreciate it if someone with a bit more knowledge could explain the different directives and values and why they are used as they are for reverse proxy of the HA.

server {
	listen 443 ssl;

	root /config/www;
	index index.html index.htm index.php;

	server_name hass.mydomain.com;

	include /config/nginx/ssl.conf;

	client_max_body_size 0;

	location / {
		proxy_redirect http:// https://;

		proxy_http_version 1.1;

		proxy_set_header Host $host;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection "upgrade";

		proxy_buffering               off;
		proxy_ssl_verify              off;

		proxy_pass http://<hassio ip>:8123;
	}
}
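
An annotated variant of the configuration above, added here as an example and not taken from the original post or from the linuxserver/letsencrypt project: it adds the port 80 to 443 redirect asked about earlier in the thread and comments each directive. The upstream address 192.0.2.10, the `map` block and the `X-Forwarded-Proto` header are assumptions that do not appear in the post.

```nginx
# Added example, not the original poster's file. 192.0.2.10 is a placeholder
# for the Home Assistant host; server_name and ssl.conf come from the post above.

# Map the client's Upgrade header to the Connection value nginx forwards, so
# plain requests are not marked as upgrades. Assumes this file is included in
# the http {} context, where map is allowed.
map $http_upgrade $connection_upgrade {
	default upgrade;
	''      close;
}

# Port 80: serve nothing, only redirect every request to the HTTPS site.
server {
	listen 80;
	server_name hass.mydomain.com;
	return 301 https://$host$request_uri;
}

server {
	listen 443 ssl;
	server_name hass.mydomain.com;
	include /config/nginx/ssl.conf;      # certificate, key and TLS settings

	client_max_body_size 0;              # 0 disables the request-body size limit

	location / {
		proxy_pass http://192.0.2.10:8123;   # upstream is plain HTTP on the LAN

		# Rewrite http:// Location headers from the upstream to https://.
		proxy_redirect http:// https://;

		# WebSocket upgrade needs HTTP/1.1 and the hop-by-hop headers passed on.
		proxy_http_version 1.1;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection $connection_upgrade;

		# Preserve the requested host name and the client address chain.
		proxy_set_header Host $host;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $scheme;

		proxy_buffering off;             # relay responses as they arrive

		# proxy_ssl_verify is omitted: it only applies to https:// upstreams.
	}
}
```

Home Assistant only honours the forwarded client address when `use_x_forwarded_for` and `trusted_proxies` are set under `http:` in its own configuration; without them, its logs and IP bans see the proxy's address.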

Hi guys, which is more secure. Duckdns + lets-encrypt add-on with port-forwarding or NGINX add-on?

This container includes letsencrypt as well as fail2ban, so I believe it offers more security


Does someone know, how to get a certificate valid for subdomains AND the main domain?
When I use

- URL=itsme.duckdns.org
- SUBDOMAINS=wildcard

The browser shows a Not secure for itsme.duckdns.org.

You cannot do that with duckdns. There’s an explanation on the linuxserver/letsencrypt site.

Found this on the LinuxServer.io github repo.
But when I tried the optional option ONLY_SUBDOMAINS=false it nevertheless seems to work… Hadn’t seen that that’s not supported for duckdns :neutral_face:

Maybe someone in this thread has any suggestions regarding this issue.