I have removed the port forward for 8123. How do I get NGINX to redirect call on port 80 to 443?
Solved
If I had read carefully, I would have noticed that I do not need to append the port (8123) to the new external address.
Thanks @flamingm0e and @Andres_Arenas_Velez for your support
Does anyone know if this will work on an Odroid Xu4 running hass.io? Can I break anything if I try?
Here’s some system info:
System Ubuntu 18.04.2 LTS
arch armv7l
docker true
hassio true
os_name Linux
python_version 3.7.5
version 0.103.5
virtualenv false
I have attempted to set up an nginx reverse proxy using the linuxserver/letsencrypt docker container and the configuration in the OP. My setup is a bit different as the nginx reverse proxy is running on an Ubuntu server and my Hassio is running on a RPi, but everything seems to be working!
However, I would like to understand the HA configuration in the nginx config file. I have tried to read up some on the nginx documentation, but I would really appreciate it if someone with a bit more knowledge could explain the different directives and values and why they are used as they are for reverse proxying HA.
server {
    listen 443 ssl;                     # accept TLS connections on 443
    root /config/www;                   # static files; not used for proxied requests
    index index.html index.htm index.php;
    server_name hass.mydomain.com;      # matched against the Host header of each request
    include /config/nginx/ssl.conf;     # certificate paths and TLS settings shipped with the container
    client_max_body_size 0;             # no upload size limit (snapshots, large POSTs)
    location / {
        proxy_redirect http:// https://;                    # rewrite Location headers from the backend to https
        proxy_http_version 1.1;                             # HTTP/1.1 is required for WebSocket upgrades
        proxy_set_header Host $host;                        # pass the original Host header to HA
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  # real client IP for HA's logs and ip_ban
        proxy_set_header Upgrade $http_upgrade;             # forward the WebSocket upgrade request
        proxy_set_header Connection "upgrade";              # together with Upgrade, keeps the HA frontend's WebSocket working
        proxy_buffering off;                                # stream responses through instead of buffering them
        proxy_ssl_verify off;                               # only matters if proxy_pass used https://; no effect on a plain http backend
        proxy_pass http://<hassio ip>:8123;                 # the Home Assistant backend
    }
}
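As an added example (not from the thread or from the linuxserver container), this is a companion port-80 server block that answers the earlier question of redirecting plain HTTP to HTTPS; it assumes the same server_name and that ACME HTTP-01 challenges are written under /config/www.

```nginx
# Plain-HTTP listener: its only job is to send clients to the HTTPS listener above.
server {
    listen 80 default_server;
    server_name hass.mydomain.com;

    # HTTP-01 certificate validation fetches this path over plain HTTP, so it must
    # stay reachable without a redirect. The root is an assumption; point it at
    # wherever your ACME client writes its challenge files.
    location /.well-known/acme-challenge/ {
        root /config/www;
    }

    # Everything else gets a permanent redirect that keeps host and path intact,
    # so bookmarks to http://hass.mydomain.com/lovelace still land on the right page.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

With this in place the only thing that should be reachable on port 80 is the redirect and the challenge path, so the 8123 forward can be closed and HA is only exposed through the TLS listener.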
Hi guys, which is more secure: DuckDNS + Let's Encrypt add-on with port forwarding, or the NGINX add-on?
This container includes letsencrypt as well as fail2ban, so I believe it offers more security
Does anyone know how to get a certificate valid for subdomains AND the main domain?
When I use
- URL=itsme.duckdns.org
- SUBDOMAINS=wildcard
the browser shows "Not secure" for itsme.duckdns.org.
You cannot do that with DuckDNS. There’s an explanation on the linuxserver/letsencrypt site.
Found this on the LinuxServer.io github repo.
But when I tried the optional ONLY_SUBDOMAINS=false setting, it nevertheless seems to work… I hadn’t seen that that’s not supported for DuckDNS.
Maybe someone in this thread has any suggestions regarding this issue.
Hello @juan11perez / OP. I was about to trek down this road and through your instructions but noticed there are supported add-ons “Let’s Encrypt” and “NGINX Home Assistant SSL proxy”. What are your impressions of using the add-ons as an easy method, or still sticking with the GitHub link you provided?
Good day, I can’t really comment on the add-ons as I don’t use hassio. I run what’s now called HA Core in Docker.
I guess the only advantage of this docker is that it’s those 2 in one. So one docker to maintain.
I don’t recall what I’m running. My Pi setup (I think that was hass.io) died from an update, and I didn’t want to use the Pi again (I want snapshots; I mean snapshots from a higher power: ESXi). I installed Home Assistant on an Ubuntu VM but it didn’t have hass.io (I guess called Supervisor now), so I guess it was Core, so I nuked that and installed whatever it is that uses Docker. I can’t hunt down the one thread I found where someone actually explains all the different versions and features of all these different builds. I’m feeling adventurous so I’ll try the add-ons and if it fails (90% it will as I’m a noob) I’ll use your tutorial.
Yep, that didn’t work. Also found a thread about the two plugins not working with each other:
It’s probably me, but I find it sad that most documentation in regards to hass.io/home assistant/home assistant core/*insert new name here* is pretty much just for greybeards. I’m going to give your tutorial a try.
I’ve gotten to where the docker compose runs and spits out what looks to be good (worked through and remedied things like a bad date/time) but I’ve gotten to where:
- Access to achme.foo.net was denied. You don’t have authorization to view this page. HTTP error 403
- I can still access via http and port 8123 (is this an anti-lockout feature and I should turn off port forwarding from the firewall for port 8123?)
Validation is http.
Ports: 443:443 80:80
In /config/configuration.yaml I have server_port: 80 and the SSL info commented out.
Is the 180 and 1443 a typo?
No typo. The left side is the port on the host, i.e. the machine running your programs; the right is the port on the docker itself.
My left side is different because my machine is already using those ports for something else.
If that’s not the case, the way you did it should work for you.
Did you forward (open) the ports in your router?
I made an alias for ports 80 and 443 on pfSense and am port forwarding it.
I should have mentioned I did not complete that last portion of your tutorial as I did not find the file you specified, I think maybe the package calls it something else and puts it in a different path? My /user/docker/letsencrypt/config/nginx/proxy.conf does not look related to the example.
I found what looks like your example in /user/docker/letsencrypt/config/nginx/site-confs/ in a file named default.
I hate posting up shots in the dark to you guys, is there a method of temporarily enabling verbose logging to help with the chase?
It’s frustrating, but I have to say I’m learning a lot about Docker so this has been a needed exercise.
Yes, the configuration needs to be added to the file named default.
I provided the example for homeassistant in the tutorial.
If you copy it into the default file in /config/nginx/site-confs/ it should work.
I presume you ran the docker without this configuration and it should have done the SSL generation sequence.
Will do that soon, thanks.
Also I have been using a user with sudo to do these things but I just learned to check if that user is in the docker group (and in this case is not). This is the user I input the PGID and PUID for. Would this be an issue?
Yes, I installed docker compose, edited the .yaml to my domain etc. and ran docker-up; it output that certs were made, stored etc.
Progress, from an outside network I can type in my subdomain.domain.net and get something (with lock pic next to it!) but the website is:
“Welcome to our server. The website is currently being setup under this address…”
Looks like I have more default modding to do?