Hi all!
First of all, thanks @juan11perez for the great guide!
Unfortunately I’m facing some issues with setting this thing up.
I got the swag container running and I can access the nginx main page from mydomain.duckdns.org.
But, when I try to access homeassistant by going to hass.mydomain.duckdns.org I’m getting a 504 Gateway Time-Out error…
Unfortunately it’s still not working… I think it’s something to do with swag…
Home Assistant is using network_mode = host while swag sits on the docker network…
Maybe I didn’t set this up correctly and swag just can’t reach the host network?
This is the error I get in swag’s logs -
2021/07/08 15:49:42 [error] 502#502: *16 upstream timed out (110: Operation timed out) while connecting to upstream, client: 192.168.31.1, server: hass.mydomain.duckdns.org, request: "GET / HTTP/1.1", upstream: "http://192.168.31.5:8123/", host: "hass.mydomain.duckdns.org"
On this line in your nginx config towards the end to reference home assistant:
proxy_pass http://hostip:8123;
Are you actually putting in the ip address of the host machine or leaving it “hostip”? You cannot reference it by “hostip” since Home-assistant runs in host network mode and swag doesn’t. In host mode, home assistant is not running on the same docker network as swag/nginx. If you have a container in bridge network mode (like swag) you can’t reference another docker container running in host network mode (like home assistant) by 127.0.0.1, localhost, hostip, or container name. You have to type out the whole ip of the host machine home assistant is running on, like
proxy_pass http://192.168.0.146:8123;
Replacing with your machine’s ip on your lan of course.
If you are spelling out the IP and it still doesn’t work, are there any log errors when you startup swag?
Also, in Home assistant config, just try to reference the container’s IP itself and not the whole docker network. Not sure if it matters, but that’s how mine is set up and working with the new proxy block implemented in the 7.2021 release.
I am using the full ip of home assistant (192.168…)
As for the logs when swag starts up, there are no errors there… and as I mentioned, I can indeed access the swag main page by going to mydomain.duckdns.org without the subdomain at the start.
Tried setting a constant ip in the http trusted_proxies section of home-assistant… still doesn’t work
It’s probably just the default NGINX conf file. A lot in what you posted looks different than mine. You can try mine if it helps. Just replace your “mydomain.duckdns.org” with your actual duckdns domain and the IP address under Home Assistant with your actual machine’s IP address. Leave all the other IP references alone as those are loopbacks within the Swag container itself (for fast CGI and resolver).

    ## Version 2020/05/23 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/default

    # redirect all traffic to https
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name mydomain.duckdns.org;
        return 301 https://$host$request_uri;
    }

    # main server block
    server {
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 default_server;

        root /config/www;
        index index.html index.htm index.php;

        server_name mydomain.duckdns.org;

        # enable subfolder method reverse proxy confs
        include /config/nginx/proxy-confs/*.subfolder.conf;

        # all ssl related config moved to ssl.conf
        include /config/nginx/ssl.conf;

        # enable for ldap auth
        #include /config/nginx/ldap.conf;

        # enable for Authelia
        #include /config/nginx/authelia-server.conf;

        # enable for geo blocking
        # See /config/nginx/geoip2.conf for more information.
        #if ($allowed_country = no) {
        #return 444;
        #}

        client_max_body_size 0;

        location / {
            try_files $uri $uri/ /index.html /index.php?$args =404;
        }

        location ~ \.php$ {
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            include /etc/nginx/fastcgi_params;
        }
    }

    ### HOMEASSISTANT ##############################################################
    server {
        listen 443 ssl;
        listen [::]:443 ssl;

        server_name hass.*;

        include /config/nginx/ssl.conf;

        client_max_body_size 0;

        # enable for ldap auth, fill in ldap details in ldap.conf
        #include /config/nginx/ldap.conf;

        location / {
            # enable the next two lines for http auth
            #auth_basic "Restricted";
            #auth_basic_user_file /config/nginx/.htpasswd;

            # enable the next two lines for ldap auth
            #auth_request /auth;
            #error_page 401 =200 /login;

            include /config/nginx/proxy.conf;
            resolver 127.0.0.11 valid=30s;
            set $upstream_app homeassistant;
            set $upstream_port 8123;
            set $upstream_proto http;
            proxy_pass http://192.168.0.184:8123;
        }

        location /api/websocket {
            resolver 127.0.0.11 valid=30s;
            set $upstream_app homeassistant;
            set $upstream_port 8123;
            set $upstream_proto http;
            proxy_pass http://192.168.0.184:8123;
            proxy_set_header Host $host;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }

    # enable subdomain method reverse proxy confs
    include /config/nginx/proxy-confs/*.subdomain.conf;

    # enable proxy cache for auth
    proxy_cache_path cache/ keys_zone=auth_cache:10m;

To my config and it works in 2021.6.6 but not with 2021.7 I keep getting a 400 Bad Request. I’m guessing I need to tweak something in the NGINX now but after spending a few hours on it I’ve given up and just went back to 2021.6.6. Curious if any of you guys had to make any changes to keep it working going to 2021.7?
Yes it is working fine for me still with 2021.7. Take a look at my posts above with my docker compose, NGINX config, and home assistant config to see if you have any differences you need to change. The only thing that I had to add were the same lines you just posted to the home assistant config for http: settings to keep this working. It’s possible there was something else missing in your docker compose or NGINX config though that didn’t matter before but is creating a problem for you now.
… actually I did get it to work with your config in NGINX Proxy Manager, I just put the entire locations in the Advanced section of the Proxy Host in Nginx Proxy Manager and then it came back online and was able to pass the traffic correctly. I was trying to just put the individual nginx variables at first. This is what I put in my Advanced section and it started working again. Thanks for the quick confirmation that it works and for providing your example!

    location / {
        set $upstream_app homeassistant;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass http://192.168.1.104:8123;
    }

    location /api/websocket {
        set $upstream_app homeassistant;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass http://192.168.1.104:8123;
        proxy_set_header Host $host;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

@mwav3 Still nothing…
I set up a new home assistant instance from scratch without all the other services I use to see if that’s the issue but I get the same results…
I used your docker-compose example and your swag config -
Sorry, it must be frustrating and a lot can go wrong here. The problem is we don’t know if it’s a Home Assistant config issue or Swag issue (or both). I’m thinking more likely a Swag issue but can’t rule anything out. Can you get the proxy to work for anything else besides Home Assistant? Home Assistant is super fussy about the proxy settings. Node red is not, here’s my node red reverse proxy config for example - a lot less settings

    ################################################################################
    ### SUBDOMAIN 1 Node Red########################################################
    server {
        listen 443 ssl;

        root /config/www;
        index index.html index.htm index.php;

        server_name red.MYDOMAIN.duckdns.org;

        include /config/nginx/ssl.conf;

        client_max_body_size 0;

        location / {
            # auth_basic "Restricted";
            # auth_basic_user_file /config/nginx/.htpasswd;
            include /config/nginx/proxy.conf;
            proxy_pass http://192.168.0.181:1880;
        }
    }

Was it working in older versions of Home Assistant prior to 7.2021 or is this a new install? Prior to 7.2021 didn’t have the proxy block. Can you try and downgrade to an older home assistant version and see if it works with that?
Do you have portainer? You can diagnose a lot about the network and other things going on with Docker with that using the GUI. Delete any unused networks, containers, and images.
Try either using portainer or just execute docker exec -it swag /bin/bash to bash into the Swag container. Then try pinging your host 192.168.31.5 to see if the container can reach it. If not you have some sort of network configuration issue with your lan, machine, or DNS settings causing a problem.
If all else fails, try completely deleting swag, the old image, and the config folder. Pull a brand new Swag docker image to a blank config directory and try starting over from scratch.
Also make sure you’re clearing the browser cache after anything you try changing.
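
Added example, not part of any post in this thread: a small shell triage for the kind of SWAG error line quoted earlier, followed by the TCP check that the "ping the host from inside the container" step is really after. The function names are illustrative and the two sample log lines are constructed with documentation addresses.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Function names are illustrative.

# Print "host port" of the upstream nginx tried to reach (empty if absent).
upstream_of() {
  printf '%s\n' "$1" |
    sed -n 's|.*upstream: "[a-z]*://\([^:/"]*\):\([0-9][0-9]*\).*|\1 \2|p'
}

# Map the errno nginx logged to the layer that failed.
classify() {
  case "$1" in
    *"could not be resolved"*) echo dns ;;                # name lookup failed
    *"(110: "*"connecting to upstream"*) echo timeout ;;  # connect got no answer
    *"(111: "*"connecting to upstream"*) echo refused ;;  # host up, port closed
    *"(113: "*"connecting to upstream"*) echo noroute ;;  # no path to the host
    *"reading response header from upstream"*) echo app ;; # connected, bad reply
    *) echo other ;;
  esac
}

# One-line verdict: "<class> <host> <port>".
triage() {
  printf '%s %s\n' "$(classify "$1")" "$(upstream_of "$1")"
}

# TCP connect test to run inside the container (docker exec -it swag /bin/bash).
# nginx needs TCP to the port; a successful ping only proves ICMP gets through.
probe() {
  timeout 3 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null \
    && echo open || echo closed
}

# Constructed sample lines (documentation addresses), shaped like the thread's error.
SAMPLES='2021/07/08 15:49:42 [error] 502#502: *16 upstream timed out (110: Operation timed out) while connecting to upstream, client: 192.0.2.1, server: hass.example.duckdns.org, request: "GET / HTTP/1.1", upstream: "http://192.0.2.5:8123/", host: "hass.example.duckdns.org"
2021/07/08 15:50:10 [error] 502#502: *17 connect() failed (111: Connection refused) while connecting to upstream, client: 192.0.2.1, server: hass.example.duckdns.org, request: "GET / HTTP/1.1", upstream: "http://192.0.2.5:8124/", host: "hass.example.duckdns.org"'

printf '%s\n' "$SAMPLES" | while IFS= read -r line; do
  triage "$line"
done
```

A `timeout` verdict points at routing or a host firewall between the bridge network and the host, while `refused` means the host answered but nothing is listening on that port; `probe <host-ip> 8123` from inside the SWAG container confirms which.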
Hi,
I’d like to get VPN access into my system which uses SWAG/NGINX and Duckdns.
Can anyone point me to a (wireguard?) setup help? My internet search skills aren’t very good so I keep getting the add-on guides and not a guide for docker container.
It seems to be possible to run a reverse proxy and VPN together, but there are limited instructions. This guide is pretty bare bones and not home assistant specific, but can at least give you an idea of the nginx config. You would use swag and wireguard containers in docker Securing SWAG · GitHub
While VPN and reverse proxy together would be very secure, I think most people go with one or the other. It seems like it would be difficult to get home assistant working through all these layers of security, and I don’t see any posts with examples of a successful vpn and reverse proxy setup together in the forum. Hopefully you can get it working and let us know how it went.
Update - @Bry I may have missed what you were trying to do initially. I installed Wireguard container and it looks promising, and use it along the reverse proxy. I wrote up a more detailed guide here which includes a link to a nice video - Wireguard Container
Hey mate, sorry for bothering you, but which advanced section do you mean? I want to try this fix because with the old versions it worked without a problem. Even my other forwarded sites are working like a charm with the new Update. Only home assistant is not working correctly. I also did the thing with the trusted Proxies but no chance.
Below are some screenshots on how to get to the Advanced section I was referring to. (I don’t post much so pardon this messy post if it doesn’t come through right, ha).
You may notice I commented out the resolver line, I’m not sure that was necessary but I think it prevented the proxy from coming back online in my particular case. The final screenshot doesn’t show all the text in that advanced box but my previous post has all the text that I put in there.
I’m using Home Assistant Core with Nginx Proxy Manager, both installed as Docker containers on a Pi 4. Everything worked fine remotely with SSL enabled, etc.
I’ve gotten the ‘Unable to connect to Home Assistant’ warning before and was able to get it to work with only enabling the ‘Websockets Support’ toggle in Nginx Proxy Manager (as can be seen in @cmille34’s post right above).
Recently the same error (‘Unable to connect to Home Assistant’) showed up again. In the browser console it also showed an error on wss://my.domain.com/api/websocket, which didn’t make sense since the toggle in Nginx Proxy Manager is on.
After adding only the following under ‘Advanced’ in Nginx Proxy Manager (again, see the screenshots above) everything started to work again:
So, in my case it looks like the ‘Websockets Support’ toggle doesn’t actually set this. I still need to confirm this by looking in the generated .conf file for Home Assistant in the Nginx Proxy Manager Docker container though.
I have installed a clean Hass.io 2021.8.5, and I use the Nginx Proxy Manager addon to redirect to all my resources and get a certificate. But I ran into a problem connecting to the Home Assistant by domain name.
Juan, thank you for making available in tutorial form all the time spent previously. Well, I think this is a tip for the experts, I understand that there are many people who are lazy to read, and find it easier to ask. However, there are things that are not always easy to understand, and sometimes a simple tip can open the way to full understanding. Once again I thank you because everything worked perfectly.