Nginx Reverse Proxy Set Up Guide – Docker

Hi guys, which is more secure: DuckDNS + Let's Encrypt add-on with port forwarding, or the NGINX add-on?

This container includes letsencrypt as well as fail2ban, so I believe it offers more security


Does someone know, how to get a certificate valid for subdomains AND the main domain?
When I use

- URL=itsme.duckdns.org
- SUBDOMAINS=wildcard

The browser shows a “Not secure” warning for itsme.duckdns.org.

You cannot do that with DuckDNS. There’s an explanation on the linuxserver/letsencrypt site.

Found this on the LinuxServer.io github repo.
But when I tried the optional option ONLY_SUBDOMAINS=false it nevertheless seems to work… Hadn’t seen that that’s not supported for DuckDNS :neutral_face:

Maybe someone in this thread has any suggestions regarding this issue.

Hello @juan11perez / OP. I was about to trek down this road and through your instructions but noticed there are supported add-ons “Let’s Encrypt” and “NGINX Home Assistant SSL proxy”. What are your impressions of using the add-ons as an easy method, or still sticking with the GitHub link you provided?

Good day, can’t really comment on the add-ons as I don’t use hassio. I run what’s now called HA Core in Docker.
I guess the only advantage of this Docker is that it’s those 2 in one. So one Docker to maintain.

I don’t recall what I’m running. My Pi setup (I think that was hass.io) died from an update; I didn’t want to use the Pi again (want snapshots, I mean snapshots from a higher power: ESXi), installed Home Assistant on an Ubuntu VM but it didn’t have hass.io (I guess called Supervisor now) so I guess it was Core, so I nuked that and installed whatever it is that uses Docker. I can’t hunt down the one thread I found where someone actually explains all the different versions and features of all these different builds. I’m feeling adventurous so I’ll try the add-ons and if it fails (90% it will as I’m a noob) I’ll use your tutorial.

Yep, that didn’t work. Also found a thread about the two plugins not working with each other:

It’s probably me, but I find it sad most documentation in regards to hass.io/Home Assistant/Home Assistant Core/*insert new name here* is pretty much just for grey beards. I’m going to give your tutorial a try.

I’ve gotten to where the docker compose runs, spits out what looks to be good (worked through and remedied things like a bad date/time) but I’ve gotten to where:

  • Access to achme.foo.net was denied. You don’t have authorization to view this page. http error 403
  • I can still access via http and port 8123 (is this an antilockout feature and I should turn off port forwarding from the firewall for port 8123?)

validation is http
ports: 443:443 80:80

/config/configuration.yaml I have server_port: 80 and the ssl info commented out.

Is the 180 and 1443 a typo?

No typo. The left side is the port on the host, i.e. the machine running your programs; the right is the port on the Docker container itself.
My left side is different because my machine is already using those ports for something else.
If that’s not the case, the way you did it should work for you.

Did you forward (open) the ports in your router?

I made an alias for ports 80 and 443 on pfSense and am port forwarding it.

I should have mentioned I did not complete that last portion of your tutorial as I did not find the file you specified, I think maybe the package calls it something else and puts it in a different path? My /user/docker/letsencrypt/config/nginx/proxy.conf does not look related to the example.

I found what looks like your example in /user/docker/letsencrypt/config/nginx/site-confs/ in a file named default.

I hate posting up shots in the dark to you guys, is there a method of temporarily enabling verbose logging to help with the chase?

It’s frustrating, but I have to say I’m learning a lot about Docker so this has been a needed exercise.

Yes, the configuration needs to be added to the file named default.
I provided the example for Home Assistant in the tutorial.
If you copy it into the default file in /config/nginx/site-confs/ it should work.

I presume you ran the Docker container without this configuration and it should have done the SSL generation sequence.

Will do that soon, thanks.

Also I have been using a user with sudo to do these things but I just learned to check if that user is in the docker group (and in this case is not). This is the user I input the PGID and PUID for. Would this be an issue?

Yes, I installed docker compose, edited the .yaml to my domain etc. and ran docker-compose up; it output that certs were made, stored etc.

Progress, from an outside network I can type in my subdomain.domain.net and get something (with lock pic next to it!) but the website is:
“Welcome to our server. The website is currently being setup under this address…”

Looks like I have more default modding to do?

Your default.conf is still wrong. Read the sample I posted. Your Home Assistant block should be something like this:

### HOMEASSISTANT ##############################################################
server {
	listen 443 ssl;

	root /config/www;
	index index.html index.htm index.php;

	server_name hass.mydomain.duckdns.org;

	include /config/nginx/ssl.conf;

	client_max_body_size 0;

	location / {
#		auth_basic "Restricted";
#		auth_basic_user_file /config/nginx/.htpasswd;
		proxy_set_header Host $host;
		proxy_redirect http:// https://;
		proxy_http_version 1.1;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection "upgrade";
		proxy_buffering               off;
		proxy_ssl_verify              off;
#		include /config/nginx/proxy.conf;
		proxy_pass http://hostip:8123;
	}
}

# enable subdomain method reverse proxy confs
include /config/nginx/proxy-confs/*.subdomain.conf;

I’m still using the same configuration after 2 years of that post and it still works.
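The symptoms in this thread (a 403, then the “Welcome to our server” placeholder page instead of Home Assistant) come down to whether the request lands in a server block whose server_name matches the hostname and whether that block carries the directives in the sample above. The script below is an added example, not code from the thread or from linuxserver.io: it parses the site-confs/default file just far enough to find the server blocks (ignoring commented-out lines, as nginx does) and reports which of the sample's directives are missing for a given hostname. The embedded config, the hostname hass.example.duckdns.org and the backend 192.0.2.10:8123 are constructed placeholders.

```python
"""Check the Home Assistant server block in an nginx site-confs/default file.

Added example, not the thread's or linuxserver.io's code. Pass the text of
/config/nginx/site-confs/default and the public hostname; you get back whether a
server block with that server_name exists and which required directives it lacks.
"""
import re

# Directives the working block from the thread relies on. The WebSocket headers
# matter: without them nginx serves the page but the Home Assistant UI never connects.
REQUIRED = {
    "listen 443 ssl": re.compile(r"^listen\s+443\s+ssl\b"),
    "server_name": re.compile(r"^server_name\s+\S"),
    "include ssl.conf": re.compile(r"^include\s+\S*ssl\.conf\s*;"),
    "proxy_pass to :8123": re.compile(r"^proxy_pass\s+https?://[^;]+:8123\s*;"),
    "Upgrade header": re.compile(r"^proxy_set_header\s+Upgrade\s+\$http_upgrade\s*;"),
    "Connection upgrade": re.compile(r'^proxy_set_header\s+Connection\s+"upgrade"\s*;'),
    "X-Forwarded-For": re.compile(r"^proxy_set_header\s+X-Forwarded-For\s+"),
}


def strip_comments(text):
    """Drop full-line and trailing '#' comments (no '#' inside quoted values here)."""
    lines = []
    for line in text.splitlines():
        code = line.split("#", 1)[0].strip()
        if code:
            lines.append(code)
    return lines


def server_blocks(text):
    """Return each top-level server { ... } block as a list of directive lines.

    Lines inside nested location blocks are included, since proxy_* directives live there.
    """
    blocks, current, depth = [], None, 0
    for code in strip_comments(text):
        if current is None:
            if re.match(r"^server\s*\{$", code):
                current, depth = [], 1
            continue
        depth += code.count("{") - code.count("}")
        if depth == 0:
            blocks.append(current)
            current = None
        else:
            current.append(code)
    return blocks


def server_name_of(block):
    for code in block:
        m = re.match(r"^server_name\s+(.+?)\s*;$", code)
        if m:
            return m.group(1)
    return None


def check_block(block):
    """Names of REQUIRED directives absent from this server block."""
    return [name for name, pat in REQUIRED.items()
            if not any(pat.match(code) for code in block)]


def check_config(text, hostname):
    """Return (found, missing): found is False if no block names `hostname`."""
    for block in server_blocks(text):
        if server_name_of(block) == hostname:
            return True, check_block(block)
    return False, list(REQUIRED)


# Constructed sample: the catch-all block that serves the placeholder page, followed by
# a Home Assistant block with the Connection header accidentally commented out.
SAMPLE_DEFAULT = """
server {
	listen 443 ssl default_server;
	root /config/www;
	index index.html index.htm index.php;
	server_name _;
	include /config/nginx/ssl.conf;
	location / { try_files $uri $uri/ /index.html /index.php?$args =404; }
}

### HOMEASSISTANT ##############################################################
server {
	listen 443 ssl;
	root /config/www;
	server_name hass.example.duckdns.org;
	include /config/nginx/ssl.conf;
	client_max_body_size 0;
	location / {
		proxy_set_header Host $host;
		proxy_http_version 1.1;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header Upgrade $http_upgrade;
#		proxy_set_header Connection "upgrade";
		proxy_buffering off;
		proxy_pass http://192.0.2.10:8123;
	}
}
"""

if __name__ == "__main__":
    found, missing = check_config(SAMPLE_DEFAULT, "hass.example.duckdns.org")
    print("block found:", found, "missing:", missing)
```

If `found` comes back False for the hostname you type into the browser, nginx is falling through to the catch-all block, which is exactly the placeholder-page symptom; if it is True but the list is non-empty, the block is matched but incomplete. Run it against the real file with `check_config(open("/config/nginx/site-confs/default").read(), "your.host.name")`.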

That’s what I have, except for changing duckdns to my domain.

The other thing I changed was the path after “include” when it first didn’t work to the whole pwd to that file.

I backed up the original default with cp default default.copy. Could having that copy there be messing it up?

My sample setup works only with a DuckDNS domain.
If you’re using another domain provider, you need to check the developer page to see how it should be configured.


I transferred from Bluehost to Cloudflare and even contacted the devs on their Discord. Was given a link to their guide, which I have to say is a really, really nice guide:

https://blog.linuxserver.io/2019/04/25/letsencrypt-nginx-starter-guide/#authorizationmethod

I scorched earth and, per the advice of one of the devs, started from scratch and followed their guide, including doing nothing to the default and using the built-in homeassistant subdomain proxy conf (one of the devs said that is all it took for them with their Home Assistant).

I continually would get just the default www webpage; it would not proxy to Home Assistant. I would tweak things here and there to no avail.

I now want this to work just for the challenge of it/stubbornness. But in the meantime I have SSL to my Home Assistant by following Lawrence Systems’ YouTube tutorial on using the acme and HAProxy plugins on pfSense. Strangely it’s far more steps but works, but I think it’s because Lawrence is the anti-typical Linux forum type: the guides are well explained. And despite how many more steps it entails I see it as being more extensible; it boils down to subdomain A records and ports (back end, front end). I might go hog wild and set up all of my internal network services so that my pfSense web UI, FreeNAS, VMware etc. do not give me grief about having self-signed certs (his video goes over the firewall rules to accomplish this).

So to all of you running pfSense for your home router, check out this vid; it got me SSL from both inside and outside of my network.

I’m going to keep working this LinuxServer Docker though; it’s been a learning experience and I’m starting to drink the Docker Kool-Aid. Also Google is more useful than hitting up their Discord. I don’t fault them for it, but I think they are burned out on noobs and just enjoy people coming in that are highly skilled and running into actual bugs for the dev team to refine.