Nginx Reverse Proxy Set Up Guide – Docker

I’m coming back on this conversation (item 133) of about one year ago.
I’m looking for a method to use Owntracks (or Life360) in combination with Home assistant (and evt Mosquitto broker) in a safe way. Based on your description I installed the Nginx Reverse Proxy in combination with Letsencrypt on my Docker based Ubuntu setup.
Are you still using the setup described in item 133 of this forum?
Can you provide somewhat more details of your setup?

Use the life 360 native component. Available via integrations.
No need to modify anything in your proxy

Do I have to have homeassistant configured to a sub-domain?
I copied the proxy.conf from the first post and modified to match my domain.

But when I open the url with port 80, I’m redirected to my fritzbox.
When I open the url with port 443, I see the “Welcome to our server” page, but not home assistant.

yes. As per the example

Just for interest: Is that caused by the docker installation?
I had nginx (with letsencrypt and duckdns) running before (native, not docker) and I could call my HA without a subdomain.

I’m afraid I don’t know. I’ve only used a proxy this way.

Can someone please explain to me why I need to open port 80 in the router? Is 443 just sufficient to access HA through SSL, if I’m only open for HA?

Generally because LetsEncrypt requires that to issue certificates. Depends on if NGINX supports DNS validation or not now.


Hopefully someone is still active on this old thread and can help me. I started another thread before I found this one and didn’t really get any posts back on it. I’m trying to do this but I have some differences in my environment.

I am running Nethserver (all in one webserver/reverse proxy/email/firewall) and it is already listening on http and https ports and is working properly. I already have a DNS provider pointing my domain to that server. I have reverse proxy working from this to other hosts in my home, but when I try to get to my hassos 2.12 with latest home assistant, all I get is a blue top bar on a blank page.

I’m running hassos 2.12 in vmware… the virtual appliance one right from the HA site that runs ha in docker on the hassos instance.

Hi, my proxy knowledge is very limited, but if you’re getting at least a blue ribbon as opposed to “forbidden…” it’s possible your server block may be incorrect. Have a look at mine and see if it helps you.

```nginx
### HOMEASSISTANT SPECIAL SERVER BLOCK #########################################
server {
    listen 443 ssl;

    root /config/www;
    index index.html index.htm index.php;

    server_name <your domain>;

    # Certificate paths and TLS settings live in this include
    include /config/nginx/ssl.conf;

    # 0 disables the request body size check
    client_max_body_size 0;

    location / {
        proxy_set_header Host $host;
        proxy_redirect http:// https://;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # WebSocket upgrade headers
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_buffering off;
        # Only applies to https:// upstreams; no effect with the http:// proxy_pass below
        proxy_ssl_verify off;
        proxy_pass http://192.168.1.100:8123;
    }

    location /api/notify.html5/callback {
        # Reject callbacks that carry no Authorization header
        if ($http_authorization = "") { return 403; }
        allow all;
        proxy_pass http://192.168.1.100:8123;
        proxy_set_header Host $host;
        proxy_redirect http:// https://;
#       proxy_set_header Authorization $http_authorization;
#       proxy_pass_header Authorization;
    }
}
# (HTML5) https://community.home-assistant.io/t/html5-vapid-403-forbidden/110953/13
```

Still only getting the blue ribbon, any idea? These at least show up in the log.

77.234.46.223 - - [04/Dec/2019:00:07:45 -0500] "GET / HTTP/1.1" 200 3086 "https://hass.DOMAIN" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0"
77.234.46.220 - - [04/Dec/2019:00:07:46 -0500] "GET /static/icons/favicon.ico HTTP/1.1" 200 17957 "https://hass.DOMAIN/static/icons/favicon.ico" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0"
77.234.46.220 - - [04/Dec/2019:00:07:46 -0500] "GET /static/icons/favicon-apple-180x180.png HTTP/1.1" 200 4359 "https://hass.DOMAIN/static/icons/favicon-apple-180x180.png" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0"

I have tried to follow this guide in conjunction with this YouTube video https://youtu.be/YAgVF_6NnEI

I am really confused as after restarting Home Assistant I am only able to access my server over http:, both from within my network and from outside. https: does not work at all.

My Setup:

QNAP NAS running Home Assistant in Docker. I also have two RPi 3+ with Pi-Hole and OpenVPN.

I have also setup remote access with SSL and duckdns. That means that I can reach my server both at home and away using my duckdns logon over https. So far, so good.

Last month I had to change to a new modem that was provided by my internet provider. I installed and configured the new modem/router (Sagemcom). Everything seemed to go OK except I was no longer able to reach my server from within my network with my duckdns logon.

After a little reading and googling, I realised that my new modem/router did not support NAT Loopback. After a further period of investigation, I found a solution to the duckdns access. This involved the following steps

Disable DHCP on Sagemcom Modem/Router
Enable DHCP on Pi-Hole
Create Entry in Pi-hole HOSTS to direct duckdns queries to local address.
Also needed to add an entry in HOSTS for my OpenVPN as this was also not accessible.

So now I can access Home Assistant with https inside and outside my network using duckdns. Furthermore, VPN server also works without problem. Next problem I noticed was the Google TTS stopped working. I read on another thread that routers that do not support NAT Loopback break TTS. Therefore I thought I would try Nginx as another solution.

Is there something I am doing obviously wrong?

NGINX doesn’t solve the problem of your router not supporting NAT loopback.

Sorry I was not clear,

The reason for using NGINX was to try and get Google TTS working again. As I understand, using NGINX you can access your Home Assistant internally without https: Did I misunderstand?

How does this solve your problem with TTS?

Yes, you can use http locally behind the proxy, and publicly, use the proxy with https, but I fail to see how this fixes your problem.

This was one of a couple articles that I read that seemed to suggest that a lack of NAT Loopback was a problem for TTS

My router does not support NAT Loopback and I thought with Nginx I could get to a situation where I could use http locally.

OK, so it works locally without https. If this is the case, then yes, the reverse proxy is the proper way to go about it, unless you can replace your router.

So what I cannot understand is once I configure NGINX reverse proxy, I can not only access HA locally with http, but externally as well. I thought the external connection should still utilise https.

Any ideas?

Kind of. What you will do is have HA listen without ssl on port 8123, and nginx on 443 ssl reverse proxying. On your firewall you do not forward port 8123. The issue here is you end up with two different ways to access Home Assistant, one http://ha.local:8123 and https://mydomain.duckdns.org from the internet.

These are all settings in your reverse proxy. Tell NGINX to redirect calls on port 80 to 443. Don’t open port 8123 on your router.
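
The arrangement described in the last two replies, written out as an added example that is not part of the original thread: port 80 answers only Let's Encrypt HTTP-01 challenges and redirects everything else to HTTPS, port 443 terminates TLS and proxies to Home Assistant over plain HTTP on the LAN, and port 8123 is never forwarded on the router. The domain `ha.example.duckdns.org` is a placeholder; the upstream address, webroot and `ssl.conf` path are assumed to match the server block posted earlier in the thread.

```nginx
# Added example. Domain is a placeholder; address and paths are assumptions
# taken from the server block posted earlier in the thread.
# Router: forward only 80 and 443 to this proxy. Do not forward 8123.

# Port 80: HTTP-01 challenge files for certificate issuance, redirect the rest.
server {
    listen 80;
    server_name ha.example.duckdns.org;

    # Let's Encrypt fetches challenge tokens from this path over plain HTTP
    location /.well-known/acme-challenge/ {
        root /config/www;
    }

    # Everything else is sent to the HTTPS listener
    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: TLS ends here; Home Assistant listens without SSL on 8123.
server {
    listen 443 ssl;
    server_name ha.example.duckdns.org;

    include /config/nginx/ssl.conf;    # certificate and TLS settings

    location / {
        proxy_pass http://192.168.1.100:8123;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # The Home Assistant frontend uses WebSockets
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

After reloading, `nginx -t` validates the syntax, and a request to `http://` on the domain from outside the LAN should return a 301 to `https://` while port 8123 stays unreachable from the internet.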