Nginx Reverse Proxy Set Up Guide – Docker

Your default.conf is still wrong. Read the sample I posted. Your Home Assistant block should be something like this:

### HOMEASSISTANT ##############################################################
server {
	listen 443 ssl;

	root /config/www;
	index index.html index.htm index.php;

	server_name hass.mydomain.duckdns.org;

	include /config/nginx/ssl.conf;

	client_max_body_size 0;

	location / {
#		auth_basic "Restricted";
#		auth_basic_user_file /config/nginx/.htpasswd;
		proxy_set_header Host $host;
		proxy_redirect http:// https://;
		proxy_http_version 1.1;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection "upgrade";
		proxy_buffering               off;
		proxy_ssl_verify              off;
#		include /config/nginx/proxy.conf;
		proxy_pass http://hostip:8123;
	}
}

# enable subdomain method reverse proxy confs
include /config/nginx/proxy-confs/*.subdomain.conf;

I’m still using the same configuration after 2 years of that post and it still works.

That’s what I have except for changing duckdns to my domain.

The other thing I changed was the path after “include” when it first didn’t work to the whole pwd to that file.

I backed up the original default with cp default default.copy. Having that copy there could be messing it up?

my sample set up works only with a duckdns domain.
If you’re using another domain provider, you need to check the developer page to see how it should be configured.

I transferred from bluehost to cloudflare and even contacted the devs on their discord. Was given a link to their guide which I have to say is a really, really nice guide:

https://blog.linuxserver.io/2019/04/25/letsencrypt-nginx-starter-guide/#authorizationmethod

I scorched earth and per the advice of one of the devs started from scratch and followed their guide, including to do nothing to the default and use the built in homeassistant subdomain proxy conf (one of the devs said that is all it took for them with their homeassistant).

I continually would get just the default www webpage, it would not proxy to homeassistant. I would tweak things here and there to no avail.

I now want this to work just for the challenge of it/stubbornness. But in the meantime I have SSL to my homeassistant by following Lawrence Systems YouTube tutorial on using acme and HAproxy plugins on pfsense. Strangely it’s far more steps but works, but I think it’s because Lawrence is the anti-typical Linux forum type, the guides are well explained. And despite how many more steps it entails I see it as being more extensible - it boils down to subdomain A records and ports (back end, front end). I might go hog wild and set up all of my internal network services so that my pfsense webui, FreeNAS, VMware etc do not give me grief about having self-signed certs (his video goes over the firewall rules to accomplish this).

So to all of you running pfsense for your home router, check out this vid - it got me SSL from both inside and outside of my network.

I’m going to keep working this LinuxServer docker though, it’s been a learning experience and I’m starting to drink the docker koolaid. Also google is more useful than hitting up their discord. I don’t fault them for it but I think they are burned out on noobs and just enjoy people coming in that are highly skilled and running into actual bugs for the dev team to refine.

I have Home Assistant and Traefik working in docker with automatic Let’s Encrypt SSL following this guide:
https://medium.com/nephely/configure-traefik-for-the-dns-01-challenge-with-ovh-as-dns-provider-c737670c0434
But I can’t get telegram webhooks working… it keeps telling me:

WARNING (MainThread) [homeassistant.components.telegram_bot.webhooks] Access denied from X.X.X.X

Where X.X.X.X is the internal IP of my traefik container.
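The log line in the post above shows the access check being applied to the proxy's address instead of the webhook sender's. As an added example (not code from any poster, Traefik or Home Assistant), this sketch shows how a backend behind a reverse proxy can derive the client address from `X-Forwarded-For`, the header the nginx block earlier on this page sets with `$proxy_add_x_forwarded_for`, while ignoring values a client could forge. The networks and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample values, not taken from the thread.
TRUSTED_PROXIES = [ipaddress.ip_network("172.18.0.0/16")]   # docker network of the proxy
ALLOWED_CLIENTS = [ipaddress.ip_network("203.0.113.0/24")]  # permitted webhook senders


def _in_any(addr, networks):
    # Membership is False when address and network versions differ (v4 vs v6).
    return any(addr in net for net in networks)


def resolve_client_ip(peer_ip, xff_header=None):
    """Return the address an IP allow-list should be checked against."""
    peer = ipaddress.ip_address(peer_ip)
    # Only a trusted proxy may speak for another address. From any other
    # peer the header is client-controlled, so it is ignored.
    if not _in_any(peer, TRUSTED_PROXIES) or not xff_header:
        return peer
    # Each proxy appends the address it saw, so walk right to left and stop
    # at the first hop that is not one of our proxies. Entries further left
    # were supplied by the client and prove nothing.
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed entry: fall back to the proxy's address
        if not _in_any(addr, TRUSTED_PROXIES):
            return addr
    return peer  # every hop was one of our own proxies


def is_allowed(peer_ip, xff_header=None):
    return _in_any(resolve_client_ip(peer_ip, xff_header), ALLOWED_CLIENTS)


if __name__ == "__main__":
    # Header not forwarded or not honoured: the proxy's address gets checked.
    print(is_allowed("172.18.0.5"))                                # False
    # Proxy forwards the sender's address and the backend trusts the proxy.
    print(is_allowed("172.18.0.5", "203.0.113.7"))                 # True
    # Client prepended a forged entry; the proxy appended the real address.
    print(is_allowed("172.18.0.5", "203.0.113.7, 198.51.100.9"))   # False
```
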

I don’t use either Traefik or Telegram Bot so I don’t know how much I can help.

That said, I’m not sure why Letsencrypt/Traefik should affect the communication internal to your network unless you have all internal traffic routed thru your external proxy. But I’m not an IT guy so maybe I’m missing something in how that all works.

If you remove those programs does your telegram work again? maybe it’s something else?

I’ve solved my problem, thank you all:

how does letsencrypt docker update the duckdns.org if my internet gets a new ip address?

you need to install the duckdns docker container

Yes I have it installed and it is running fine. This morning my internet has a new ip address, but it was not updated on duckdns website. I had to manually login and update. I think it should automatically update it but not sure how and what frequency.

if you have to manually update duckdns, then the container is not running fine.

I meant it was running fine for the past several months, until this morning. Didn’t see error in docker log.

What is the “main server block” doing in the default config file? server_name is just mydomain.duckdns.org;

I have my HA and addons setup with subdomains of that as instructed and they are working.

If I go to just “https://mydomain.duckdns.org” I actually get the blue bar and it tells me it cannot connect to Home Assistant.

Is it necessary to have that block? Can I have it go to some default page or empty page or something to give people no clue what it is?

I’m not sure what the “fastcgi_pass xx.xx.xx.xx:9000;” line is doing. I moved my Portainer (default port is 9000) to a different port just in case it was colliding or something.

Thanks!

Ok, I used IE instead of Chrome and it came up the default nginx web page so it must just be something cached in my Chrome.

So I figure I can put something different in the config/www directory so it isn’t obvious I’m running nginx?

But I am still interested in what the fastcgi_pass line to port 9000 is doing.

Thanks!

Hi!
Thanks for the tutorial. Is any edit to configuration.yaml actually necessary?

It doesn’t appear to be… perhaps it once was. I have the http integration completely commented out and it works well.

Thank you my man!

I tried to do a bunch of fancy crap to just edit the default linuxserver proxy-conf or take pieces of your code but in the end I just used your default.conf and it worked flawlessly, THANKS!

Hi guys,
I’m running into some trouble trying to set this up.

I followed the guide, I did following steps:

1 Configured router to forward ports 80/443 to my raspberry Pi (192.168.1.6)
2 Added docker-compose with the same config as in the first topic post (with March 11, 2019 edit), with modifications:

  • Replaced mydomain with my actual duckdns domain name
  • Replaced [email protected] with my actual email address
  • Replaced TZ=Asia/Dubai with TZ=Europe/Amsterdam
  • Replaced /home/user/docker/letsencrypt/config with a path I prefer
  • Replaced DUCKDNSTOKEN=XXXX with my actual duckdns token
  • Changed the ports section to 80:80 and 443:443

3 Let it run once to set up the docker container and generate the folder/file structure
4 Edited the config/nginx/site-confs/default file and replaced the contents with the same as provided in the topic start post, with modifications:

  • Replaced all occurrences of mydomain by my actual domain name
  • Replaced all occurrences of hostip by 192.168.1.6 (where my pi is located)

5 Did a restart of the container to load the updates

The docker log now repeatedly outputs:

letsencrypt      | nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
letsencrypt      | nginx: [emerg] could not build server_names_hash, you should increase server_names_hash_bucket_size: 32

And if I go to hass.**.duckdns.org or sub1.**.duckdns.org (both with http and https), my browser gives:

This site can’t be reached 
hass.**.duckdns.org refused to connect.
Try:

Checking the connection
Checking the proxy and the firewall
ERR_CONNECTION_REFUSED

On port 5050 I have a simple ‘hello world’ node.js webserver running (to test sub1 functionality).

On **.duckdns.org:8123 I can reach HA fine, also on **.duckdns.org:5050 I see my webserver running.

It seems I forgot an essential step, or the guide is outdated. Hope someone can point me in the right direction. Thanks!

Hi, the first error is “normal” and regarded as unimportant in the linuxserver forums.
The second error I can’t comment on as I don’t know enough.
It sounds like your conf is ok.
So try to get some help from the linuxserver discord.