Nginx Reverse Proxy Set Up Guide – Docker

@bachya thanks for that! My setup is a bit different with nginx acting as a reverse proxy and fail2ban installed in the same container, I was able to use the filters though to adapt and I’ve gotten rid of a lot of entries in access.log not generated by me! Thanks again!

Actually… @bachya, all the filters you have there do not check logins to hassio. What I’m trying to get to is: if someone puts in the wrong password for homeassistant 3 times they get banned. Hassio has this built in, but since all the requests are coming from the proxy, it isn’t aware of the external IPs failing to authenticate and it would only ban the nginx container IP. I have added all the bans for scripts etc. and they are working, but I’m wondering if the access log for the nginx proxy will show a failed login for homeassistant some way? Sorry, this isn’t my forte so not sure if I’m missing something… point it out if I’m being stupid :slight_smile:

Not stupid at all! :+1:

The NGINX access log won’t show anything related to failed logins from HASS, unfortunately. I’ve “solved” this problem by having a second layer of IP banning via HASS’ built-in functionality: https://www.home-assistant.io/components/http/#ip-filtering-and-banning

@bachya be careful with that, as it will ban the nginx IP and you will get locked out. If you try to log in with a wrong password, you will see that hassio gives you a notification using the local IP of the letsencrypt container. It will basically lock it up completely and you won’t be able to access it without removing the ban…

Thanks for the set up guide.
But I am doing something wrong. I get the following error:
problem binding to port 80: could not bind to ip4 or ip6
error: cert does not exist!

Can anyone tell me what I did wrong?
Regards

@micronikje, is anything else running on port 80 on the host? Did you forward the ports from your router to the device that’s running the container? That error is either because something is already running on port 80 or 443, or because letsencrypt could not validate you. I would also check the duckdns token…

Not if you list the NGINX IP address under trusted_proxies.

Correct, but the only IP that can reach homeassistant is that IP because of the reverse proxy, so it will never trigger…

That doesn’t need to be the case I believe. In the HTTP component, there’s the following option:

use_x_forwarded_for

(boolean)(Optional)Enable parsing of the X-Forwarded-For header, passing on the client’s correct IP address in proxied setups. You must also whitelist trusted proxies using the trusted_proxies setting for this to work. Non-whitelisted requests with this header will be considered IP spoofing attacks, and the header will, therefore, be ignored.

Default value: false

-Source

So if you enable that, and tell nginx to also forward the original IP, home assistant will see the original IP of the person trying to log in.

If you’re not using the proxy manager addon, these are the commands to get that part to work, I think.

If you are using the proxy manager addon, you can use the advanced configuration menu to add the appropriate commands there.

1 Like
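To make the mechanism above concrete, here is an added example (not code from the thread, and not Home Assistant’s own implementation) that models the decision Home Assistant’s docs describe: honour X-Forwarded-For only when the request arrives from an address listed under trusted_proxies, otherwise ignore the header and fall back to the peer address. It then runs a simple “three failures and you’re banned” counter over a constructed batch of failed logins, once with use_x_forwarded_for on and once with it off, so you can see why the proxy’s own IP ends up banned without it. The configuration dictionary, the 172.30.33.0/24 proxy network, the client addresses and the BanTracker class are all constructed for this example; on the nginx side the header is normally populated with proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;.

```python
"""Illustrative model of trusted-proxy X-Forwarded-For handling and login-failure banning.

This is an added example; it is not Home Assistant's code and only mirrors the
behaviour its documentation describes (trusted proxies honoured, others ignored).
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed config mirroring the http: options discussed in the thread.
CONFIG = {
    "use_x_forwarded_for": True,
    "trusted_proxies": ["172.30.33.0/24"],  # constructed: the nginx container's network
}


def effective_client_ip(remote_addr, headers, config=CONFIG):
    """Return the address that failed-login bans should be keyed on.

    remote_addr: the TCP peer (the proxy, in a reverse-proxied setup).
    headers:     dict of request headers; only X-Forwarded-For is consulted.
    """
    if not config["use_x_forwarded_for"]:
        return remote_addr

    xff = headers.get("X-Forwarded-For")
    if xff is None:
        return remote_addr

    peer = ip_address(remote_addr)
    trusted = [ip_network(n) for n in config["trusted_proxies"]]
    if not any(peer in net for net in trusted):
        # Header supplied by a peer we do not trust: treat it as spoofing and ignore it.
        return remote_addr

    # X-Forwarded-For is "client, proxy1, proxy2, ..."; the original client is first.
    first = xff.split(",")[0].strip()
    try:
        return str(ip_address(first))
    except ValueError:
        # Malformed header value: never trust it, fall back to the peer address.
        return remote_addr


class BanTracker:
    """Counts failed logins per IP and bans after `threshold` failures (constructed helper)."""

    def __init__(self, threshold=3):
        self.threshold = threshold
        self.failures = Counter()
        self.banned = set()

    def record_failure(self, ip):
        self.failures[ip] += 1
        if self.failures[ip] >= self.threshold:
            self.banned.add(ip)
        return ip in self.banned


def simulate(use_xff):
    """Replay constructed failed logins and return the resulting BanTracker."""
    cfg = dict(CONFIG, use_x_forwarded_for=use_xff)
    tracker = BanTracker()
    # Constructed requests: (peer address, headers). The first four come through the
    # trusted proxy 172.30.33.2; the last one is a direct, untrusted peer that sets
    # X-Forwarded-For itself and must not be able to shift blame onto another address.
    requests = [
        ("172.30.33.2", {"X-Forwarded-For": "203.0.113.7"}),
        ("172.30.33.2", {"X-Forwarded-For": "203.0.113.7"}),
        ("172.30.33.2", {"X-Forwarded-For": "203.0.113.7"}),
        ("172.30.33.2", {"X-Forwarded-For": "198.51.100.4"}),
        ("10.0.0.5", {"X-Forwarded-For": "203.0.113.99"}),
    ]
    for peer, hdrs in requests:
        tracker.record_failure(effective_client_ip(peer, hdrs, cfg))
    return tracker


if __name__ == "__main__":
    for flag in (True, False):
        t = simulate(flag)
        print(f"use_x_forwarded_for={flag}: failures={dict(t.failures)} banned={sorted(t.banned)}")
```

With the option on, only 203.0.113.7 reaches three failures; with it off, every proxied attempt is attributed to 172.30.33.2, which is exactly the lock-out described earlier in the thread. The untrusted peer 10.0.0.5 is counted under its own address in both cases, because its forged header is ignored.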

@Silicon_Avatar is correct: use_x_forwarded_for ensures that Home Assistant sees the “true” IP address of a request, regardless of the fact that it passes through NGINX.

Yep, I just added that, was not aware of the option. This is perfect and exactly what I was trying to get done! Thank you both @Silicon_Avatar and @bachya

1 Like

@omriasta

Letsencrypt runs in a Docker container on a QNAP NAS.
The NAS uses port 443 for SSL. The network uses the host function. Port 80 is used by other programs that do not run on the NAS. Both ports are forwarded in the router.
Home Assistant runs in another container, and I want it to use SSL. I will give the other programs another port and see if that helps.

Yes, you definitely need those 2 ports forwarded to the docker host otherwise it will not work.

What a legend! Thank you.

I haven’t used hass before (haven’t even set up a device yet), but I now have it running in docker, alongside my own domain/DDNS, with this letsencrypt reverse-proxy setup on my ubuntu server.

Now to add some devices… :slight_smile:

2 Likes

Please help me.
Can anybody guide me to edit
include /config/nginx/proxy.conf; I can’t find this file.
This is the file I want to edit:
default.conf
I use docker to edit.
This is my installation path:
cd /docker
cd /docker/docker-compose
sudo nano /docker/docker-compose.yml

    # letsencrypt
    letsencrypt: # https://github.com/linuxserver/docker-letsencrypt
      container_name: letsencrypt
      image: linuxserver/letsencrypt:latest
      restart: unless-stopped
      cap_add:
        - NET_ADMIN
      volumes:
        - /docker/letsencrypt/config:/config   # container /config is host /docker/letsencrypt/config
        - /etc/localtime:/etc/localtime:ro

I can’t navigate to the file to edit it.
Please help me.

So I followed this guide and got NGINX working perfectly on my synology NAS. I can get to all my docker containers fine, both with or without authentication through nginx.

The only thing I can’t get working again is getting node-red to talk to home assistant. I can’t get it to make a connection with the server.

Did you have to make any changes to allow this?

Thanks

Sorry, I don’t use node-red. Do a search on node-red and nginx.

Just connect node red to the local IP

That’s what I have done to get it working (local nodered IP to local hass IP). But if I access nodered through nginx, it can’t connect even to the local IP.

I don’t see why not.

Your connection to node red has no bearing on whether or not node red can connect to a local IP.

When you access node red, it’s facilitating the connection on its “backend”.