Nginx Reverse Proxy Set Up Guide – Docker

Does anyone have this working still in Home Assistant 2021.7? I’ve added the


http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.18.0.18:

To my config and it works in 2021.6.6 but not with 2021.7 I keep getting a 400 Bad Request. I’m guessing I need to tweak something in the NGINX now but after spending a few hours on it I’ve given up and just went back to 2021.6.6. Curious if any of you guys had to make any changes to keep it working going to 2021.7?

Yes it is working fine for me still with 2021.7. Take a look at my posts above with my docker compose, NGINX config, and home assistant config to see if you have any differences you need to change. The only thing that I had to add were the same lines you just posted to the home assistant config for http: settings to keep this working. It’s possible there was something else missing in your docker compose or NGINX config though that didn’t matter before but is creating a problem for you now.

1 Like

… actually I did get it to work with your config in NGINX Proxy Manager, I just put the entire locations in the Advanced section of the Proxy Host in Nginx Proxy Manager and then it came back online and was able to pass the traffic correctly. I was trying to just put the individual nginx variables at first. This is what I put in my Advanced section and it starting working again. Thanks for the quick confirmation that it works and for providing your example!

location / {
        set $upstream_app homeassistant;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass http://192.168.1.104:8123;

    }

    location /api/websocket {
        set $upstream_app homeassistant;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass http://192.168.1.104:8123;

        proxy_set_header Host $host;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
4 Likes

@mwav3 Still nothing…
I set up a new home assistant instance from scratch without all the other services I use to see if that’s the issue but I get the same results…

I used your docker-compose example and your swag config -

docker-compose -

version: '3'
services:
  homeassistant:
    container_name: hass
    image: homeassistant/home-assistant
    volumes:
      - ./hass-config:/config
      - /etc/localtime:/etc/localtime:ro
    restart: unless-stopped
    network_mode: host
  swag:
    image: linuxserver/swag
    container_name: swag
    restart: unless-stopped
    cap_add:
    - NET_ADMIN
    volumes:
    - ./swag/config:/config
    - /etc/localtime:/etc/localtime:ro
    environment:
    - PGID=1000
    - PUID=1000
    - [email protected]
    - URL=MYDOMAIN.duckdns.org
    - SUBDOMAINS=wildcard
    - VALIDATION=duckdns
    - TZ=yourtimezone
    - DUCKDNSTOKEN=MYTOKEN
    ports:
    - "80:80"
    - "443:443"
    networks:
      default:
        ipv4_address: 172.11.0.2

networks:
  default:  # set up static ip to prevent HA blocking
    driver: bridge
    driver_opts:
      com.docker.network.enable_ipv6: "false"
    ipam:
      driver: default
      config:
      - subnet: 172.11.0.0/24 # 

swag default -

## Version 2020/05/23 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/default

# redirect all traffic to https
server {
	listen 80 default_server;
	listen [::]:80 default_server;
	server_name MYDOMAIN.duckdns.org;
	return 301 https://$host$request_uri;
}

# main server block
server {
	listen 443 ssl http2 default_server;
	listen [::]:443 ssl http2 default_server;

	root /config/www;
	index index.html index.htm index.php;

	server_name MYDOMAIN.duckdns.org;
	
	# enable subfolder method reverse proxy confs
	include /config/nginx/proxy-confs/*.subfolder.conf;

	# all ssl related config moved to ssl.conf
	include /config/nginx/ssl.conf;

	# enable for ldap auth
	#include /config/nginx/ldap.conf;

	# enable for Authelia
	#include /config/nginx/authelia-server.conf;

	# enable for geo blocking
	# See /config/nginx/geoip2.conf for more information.
	#if ($allowed_country = no) {
	#return 444;
	#}

	client_max_body_size 0;

	location / {
		try_files $uri $uri/ /index.html /index.php?$args =404;
	}

	location ~ \.php$ {
		fastcgi_split_path_info ^(.+\.php)(/.+)$;
		fastcgi_pass 127.0.0.1:9000;
		fastcgi_index index.php;
		include /etc/nginx/fastcgi_params;
	}


}


### HOMEASSISTANT ##############################################################
server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name hass.*;
    
    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app homeassistant;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass http://192.168.31.5:8123;

    }

    location /api/websocket {
        resolver 127.0.0.11 valid=30s;
        set $upstream_app homeassistant;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass http://192.168.31.5:8123;

        proxy_set_header Host $host;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
# enable subdomain method reverse proxy confs
include /config/nginx/proxy-confs/*.subdomain.conf;
# enable proxy cache for auth
proxy_cache_path cache/ keys_zone=auth_cache:10m;

homeassistant configuration.yaml -

# Configure a default setup of Home Assistant (frontend, api, etc)
default_config:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.11.0.2

I also tried moving home-assistant into the docker network and not setting it with network_mode=host but still nothing =/

Sorry it must be frustrating and a lot can go wrong here. The problem is we don’t know if its a Home Assistant config issue or Swag issue (or both). I’m thinking more likely a Swag issue but can’t rule anything out. Can you get the proxy to work for anything else besides Home Assistant? Home Assistant is super fussy about the proxy settings. Node red is not, here’s my node red reverse proxy config for example - a lot less settings

################################################################################
### SUBDOMAIN 1 Node Red########################################################
server {
	listen 443 ssl;

	root /config/www;
	index index.html index.htm index.php;

	server_name red.MYDOMAIN.duckdns.org;
	
	include /config/nginx/ssl.conf;

	client_max_body_size 0;

	location / {
#		auth_basic "Restricted";
#		auth_basic_user_file /config/nginx/.htpasswd;
		include /config/nginx/proxy.conf;
		proxy_pass http://192.168.0.181:1880;
	}
}

Was it working in older versions of Home Assistant prior to 7.2021 or is this a new install? Prior to 7.2021 didn’t have the proxy block. Can you try and downgrade to an older home assistant version and see if it works with that?

Do you have portainer? You can diagnose a lot about the network and other things going on with Docker with that using the GUI. Delete any unused networks, containers, and images.

Try either using portainer or just execute docker exec -it swag /bin/bash to bash into the Swag container. Then try pinging your host 192.168.31.5 to see if the container can reach it. If not you have some sort of network configuration issue with your lan, machine, or DNS settings causing a problem.

If all else fails, try completely deleting swag, the old image, and the config folder. Pull a brand new Swag docker image to a blank config directory and try starting over from scratch.

Also make sure you’re clearing the browser cache after anything you try changing.

Thanks! This helped me a lot! It’s working again

Hi,
I’d like to get VPN access into my system which uses SWAG/NGINX and Duckdns.
Can anyone point me to a ( wireguard ?) setup help, my internet search skills aren’t very good so I keep getting the add-on guides and not a guide for docker container.

It seems to be possible to run a reverse proxy and VPN together, but there are limited instructions. This guide is pretty bare bones and not home assistant specific, but can at least give you an idea of the nginx config. You would use swag and wireguard containers in docker Securing SWAG · GitHub

While VPN and reverse proxy together would be very secure, I think most people go with one or the other. It seems like it would be difficult to get home assistant working through all these layers of security, and I don’t see any posts with examples of a successful vpn and reverse proxy setup together in the forum. Hopefully you can get it working and let us know how it went.

Update - @Bry I may have missed what you were trying to do initially. I installed Wireguard container and it looks promising, and use it along the reverse proxy. I wrote up a more detailed guide here which includes a link to a nice video - Wireguard Container

hey mate, sorry for bothering you, but wich advanced section do you mean? i want to try this fix because with the old versions it worked without a problem. Even my other forwarded sites a working like a charm with the new Update. Only home assistant is not working correctly. I also did the thing with the trusted Proxies but no chance.

Below are some screenshots on how to get to the Advanced section I was referring to. (I don’t post much so pardon this messy post if it doesn’t come through right, ha).



You may notice I commented out the resolver line, I’m not sure that was necessary but I think it prevented the proxy from coming back online in my particular case. The final screenshot doesnt show all the text in that advanced box but my previous post has all the text that I put in there.

Hope this helps.

I’m using Home Assistant Core with Nginx Proxy Manager, both installed as Docker containers on a Pi 4. Everything worked fine remotely with SSL enabled, etc.

I’ve gotten the ‘Unable to connect to Home Assistant’ warning before and was able to get it to work with only enabling the ‘Websockets Support’ toggle in Nginx Proxy Manager (as can be seen in @cmille34’s post right above).

Recently the same error (‘Unable to connect to Home Assistant’) showed up again. In the browser console it also showed an error on wss://my.domain.com/api/websocket, which didn’t make sense since the toggle in Nginx Proxy Manager is on.

After adding only the following under ‘Advanced’ in Nginx Proxy Manager (again, see the screenshots above) everything started to work again:

location /api/websocket {
    proxy_pass http://192.168.1.1:8123;
}

So, in my case it looks like the ‘Websockets Support’ toggle doesn’t actually set this. I still need to confirm this by looking in the generated .conf file for Home Assistant in the Nginx Proxy Manager Docker container though.

Hello!

I have installed a clean Hass.io 2021.8.5, and I use the Nginx Proxy Manager addon to redirect to all my resources and get a certificate. But I ran into a problem connecting to the Home Assistant by domain name.

My HTTP configuration:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1
    - 172.30.32.0/24
    - 172.30.33.0/24

My configuration Nginx Proxy Manager:


But the problem persists, after logging in, I get an error message:
Unable to connect to Home Assistant.

And the server log is empty.
Please tell me how to fix this?

This is the right answer. thanks!

Juan, thank you for making available in tutorial form all the time spent previously. Well, I think this is a tip for the experts, I understand that there are many people who are lazy to read, and find it easier to ask. However, there are things that are not always easy to understand, and sometimes a simple tip can open the way to full understanding. Once again I thank you because everything worked perfectly. :clap:

Welcome Marcio. Glad it still helps people

1 Like

Hi Juan,

Thank you for taking the time to share your learning and the detailed instruction with people like me, who struggle with HA setup in Ubuntu based server (20.04). I was able to follow it for the most part, but I don’t think I did everything right to get it working 100%. The good news is my subdomain (hass.mydomain.duckdns.org) is pointing to my server. The bad news is I can’t connect to it thru HTTPS. The only way I can connect to it is http://hass.mydomain.duckdns.org:8123. Do you have an idea what I might be missing and how I can fix it? Thanks in advance!

You say you were able to follow “most”. What did you do different?
When I put this together a few years ago I was also in Ubuntu. So it should do the same.

Hi Juan,

I followed youre guide to setup the SWAG container but something is not working as it should.
I can reach my site on http and https by using homeassistant.mydomain.duckdns.org.

i get the login screen but after that it keeps saying loading and it stays there.
In the nginx log i keep getting:

[error] 495#495: *23 homeassistant could not be resolved (3: Host not found), client: 192.168.1.1, server: homeassistant.*, request: "GET /api/websocket HTTP/1.1", host: "homeassistant.Mydomain.duckdns.org"

The strange thing is i dont have a network which contains a 192.168.1.x network.

my homeassistant.subdomain.conf

## Version 2021/10/11
# make sure that your dns has a cname set for homeassistant and that your homeassistant container is not using a base url

# As of homeassistant 2021.7.0, it is now required to define the network range your proxy resides in, this is done in Homeassitants configuration.yaml
# https://www.home-assistant.io/integrations/http/#trusted_proxies
# Example below uses the default dockernetwork ranges, you may need to update this if you dont use defaults.
#
# http:
#   use_x_forwarded_for: true
#   trusted_proxies:
#     - 172.16.0.0/12

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name homeassistant.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /ldaplogin;

        # enable for Authelia
        #include /config/nginx/authelia-location.conf;

        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app 192.168.2.xxx;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }

    location ~ ^/(api|local|media)/ {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app homeassistant;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}

Can you shed some light on what i can do?

I have never been able to get the default homeassistant config file included with swag to work properly.

My suggestion would be to follow the directions in the top post of this guide and modify the default nginx config file instead. My working example is in this post higher in the thread.

There is a newer version of this guide that helped me configure remote access to HomeAssistant. I’m linking it here in case others will find it usefull.
Remote access with Docker

1 Like