Nginx Reverse Proxy Set Up Guide – Docker

Honestly not sure about GA https, but it didn't work till I added the http block. In fact, I've been using a Chromecast to issue TTS notifications for almost a year. When I set up the proxy last week it stopped working. Today, after setting up http, it started working again.

Certs are auto-renewed by the container.

Not yet, had some problems with my Traefik docker-compose setup because it was in the wrong docker network. Will share it, if it works

It does. HTTP settings have nothing to do with GA.

I wonder if the initial authorization is done via http which is why that block is needed, then everything else is https.

Dear God I hope not. That defeats the purpose of using https, to keep your credentials from prying eyes…

Agreed. Just odd that if I have the default configs for Nginx set and it doesn't authorize with https, then adding in that http block allows it to work; makes you wonder.

Ah nice. I run nginx directly (letsencrypt too), but if I get some spare time think I’ll switch to this.

A couple of Docker tweaks I would do (for additional security):

Tie it down to a specific IP (if you have multiple network interfaces):
-p 192.168.11.200:80:80

Read-only mode! I imagine the linuxserver containers won't support running in read-only mode though, as they modify the filesystem on startup (setting the UID and GID). I always run all my containers in read-only mode if possible (including Home Assistant):
--read-only

Lock down any privileges:
--security-opt="no-new-privileges:true"
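The three flags above assembled into one reviewable `docker run` for the linuxserver/letsencrypt container, as an added shell example that is not code from the original post or from the linuxserver project. The bind address, host paths, image name and environment values are hypothetical, and the tmpfs mounts added with `--read-only` are an assumption about which paths the image needs writable (the post's warning that the image may not tolerate read-only still stands, so it is opt-in).

```shell
#!/bin/sh
# Added example, not from the original post or the linuxserver project.
# Builds a hardened `docker run` with the three tweaks from the post: bind to
# one LAN address, no-new-privileges, and an optional read-only root filesystem.
# Every value below is a placeholder for the reader's own setup.

BIND_IP="${BIND_IP:-192.168.11.200}"          # LAN interface to expose, never 0.0.0.0
CONFIG_DIR="${CONFIG_DIR:-/opt/letsencrypt}"  # host dir mounted at /config
IMAGE="${IMAGE:-linuxserver/letsencrypt}"
READ_ONLY="${READ_ONLY:-0}"                   # 1 adds --read-only (may break this image)

# True for a syntactically valid RFC 1918 IPv4 address. Used to refuse
# wildcard or public binds, because a bare "-p 80:80" silently means 0.0.0.0.
is_private_ipv4() {
    ip="$1"
    case "$ip" in
        *[!0-9.]*) return 1 ;;   # digits and dots only (also keeps globs out of set --)
    esac
    case "$ip" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) ;;
        *) return 1 ;;
    esac
    oldifs="$IFS"; IFS=.
    set -- $ip
    IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in "") return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the docker run options one per line so they can be reviewed (or
# diffed against a running container) before anything is started.
docker_run_args() {
    if ! is_private_ipv4 "$BIND_IP"; then
        echo "refusing to bind to non-private address '$BIND_IP'" >&2
        return 1
    fi
    printf '%s\n' \
        "--name=letsencrypt" \
        "--restart=unless-stopped" \
        "-p $BIND_IP:80:80" \
        "-p $BIND_IP:443:443" \
        "--security-opt=no-new-privileges:true" \
        "-e PUID=1000" \
        "-e PGID=1000" \
        "-e TZ=Europe/London" \
        "-e URL=mydomain.duckdns.org" \
        "-e SUBDOMAINS=hass,conf,graf" \
        "-e VALIDATION=http" \
        "-v $CONFIG_DIR:/config"
    if [ "$READ_ONLY" = "1" ]; then
        # Assumption: these are the paths the image writes at start-up while it
        # fixes ownership to PUID/PGID. If the container still fails to start,
        # the post's warning applies and --read-only has to go.
        printf '%s\n' "--read-only" "--tmpfs /run" "--tmpfs /tmp"
    fi
}

# Dry run by default: `sh run-proxy.sh show` prints the options,
# `sh run-proxy.sh run` actually starts the container.
if [ "${1:-}" = "run" ]; then
    args="$(docker_run_args)" || exit 1
    # shellcheck disable=SC2086  # word splitting of the option list is intended
    docker run -d $args "$IMAGE"
elif [ "${1:-}" = "show" ]; then
    docker_run_args
fi
```

The IP check is the part worth keeping even if the rest is replaced by a compose file: the difference between `-p 80:80` and `-p 192.168.11.200:80:80` is whether every interface on the host, including a second NIC or a VPN, starts answering on port 80.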

I use this container as well and have http redirecting to https for the times I have port 80 port forward enabled. I don’t have issues with GA.

What’s really odd is that unless you are forwarding port 80 through your router, that block wouldn’t do anything…and GA wouldn’t be able to use http over https…

Thanks @juan11perez for these detailed instructions … this is exactly what this board needs. Some of us, although somewhat technically inclined, are not experts in security. Passing your knowledge on to others is greatly appreciated.

I can follow, in my mind, how this thing works but I do have a question.
How does the following line know how to associate Hass with its IP address and port, and also, respectively, “conf” or “graf” etc., to https://hass.mydomain.duckdns.org?
Same for other subdomains like Node-red, Configurator etc. etc.

I must be missing something in my understanding of how one can get access to these other Docker installs.

hostnames are not associated with ports. It is tied to the IP address only (The public IP)

OK, but how does “hass” translate to my Home Assistant install … and “graf” to my Grafana install, etc.? How do I know what names I need to put in my SUBDOMAIN statement? Is it related to my Docker container_name? This still seems a little fuzzy to me.

I am using Traefik as a reverse proxy. It handles Let’s Encrypt certificates (and auto-renewal). I don’t understand why people go through the hassle of using Nginx. Traefik is super-easy and secure.

It doesn’t. It merely points hass.domain.com to your public IP.

you add whatever subdomains you want to use for various purposes. You don’t NEED any other domain names.

no

As someone who has been running NGINX servers for 6+ years, I find it super simple…since I am running other websites (not just proxied instances), it’s just natural.

2 Likes

@berniebl, the Subdomain command provides the instruction to the letsencrypt element of the container to issue the associated Subject Alternative Name (SAN) certificate(s).
After that, when you configure your default file in Nginx, the server block points the URL to wherever you decide.
For example, the block below points https://conf.mydomain.duckdns.org to proxy_pass http://192.168.1.XXX:3218;

CONFIGURATOR

server {
    listen 443 ssl;

    root /config/www;
    index index.html index.htm index.php;

    # the SAN name issued for this service via SUBDOMAINS
    server_name conf.mydomain.duckdns.org;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        auth_basic "Restricted";
        auth_basic_user_file /config/nginx/.htpasswd;
        include /config/nginx/proxy.conf;
        # LAN address and port of the Configurator container
        proxy_pass http://192.168.1.XXX:3218;
    }
}

Trust I understood the question.

1 Like
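The server-block pattern just explained, generalised to several subdomains and combined with the port-80 block that earlier posts in the thread call the "http block" (one that only redirects to HTTPS, so no credentials ever cross port 80), as an added shell example that is not code from the original post or from the linuxserver project. It assumes the container's config layout used in the snippet above (/config/nginx/ssl.conf, proxy.conf and .htpasswd); the domain, service names and LAN addresses are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post or the linuxserver project.
# Generates the Nginx site config for the container: a port-80 block that only
# redirects to HTTPS, plus one 443 server block per subdomain that proxies to a
# LAN backend, following the CONFIGURATOR block above. The domain, the
# services and their addresses below are placeholders.

DOMAIN="${DOMAIN:-mydomain.duckdns.org}"
# one "name=host:port" per service; each name must also be in the container's SUBDOMAINS
SERVICES="${SERVICES:-hass=192.168.1.10:8123 conf=192.168.1.10:3218 graf=192.168.1.10:3000}"
# services that get the .htpasswd prompt in front of them; apps with their own
# login (Home Assistant here) are left to authenticate themselves
BASIC_AUTH="${BASIC_AUTH:-conf}"

# Port 80 never reaches a backend: it bounces everything to TLS.
http_redirect_block() {
    cat <<EOF
server {
    listen 80 default_server;
    server_name _;
    return 301 https://\$host\$request_uri;
}
EOF
}

wants_basic_auth() {
    for n in $BASIC_AUTH; do
        [ "$n" = "$1" ] && return 0
    done
    return 1
}

# One HTTPS server block: $1 = subdomain label, $2 = upstream host:port.
https_proxy_block() {
    name="$1"; upstream="$2"
    if wants_basic_auth "$name"; then
        authlines='        auth_basic "Restricted";
        auth_basic_user_file /config/nginx/.htpasswd;'
    else
        authlines='        # backend handles its own login; no auth_basic here'
    fi
    cat <<EOF
server {
    listen 443 ssl;
    server_name ${name}.${DOMAIN};
    include /config/nginx/ssl.conf;
    client_max_body_size 0;

    location / {
$authlines
        include /config/nginx/proxy.conf;
        proxy_pass http://${upstream};
    }
}
EOF
}

# Whole site config on stdout; fails on an entry that is not "name=host:port".
render_site_conf() {
    http_redirect_block
    for entry in $SERVICES; do
        name="${entry%%=*}"
        upstream="${entry#*=}"
        if [ "$name" = "$entry" ] || [ -z "$name" ] || [ -z "$upstream" ]; then
            echo "bad service entry '$entry' (want name=host:port)" >&2
            return 1
        fi
        echo
        https_proxy_block "$name" "$upstream"
    done
}

# Cheap sanity check before `nginx -t`: every "{" needs a matching "}".
braces_balanced() {
    conf="$(cat)"
    opens=$(printf '%s' "$conf" | tr -cd '{' | wc -c | tr -d ' ')
    closes=$(printf '%s' "$conf" | tr -cd '}' | wc -c | tr -d ' ')
    [ "$opens" -eq "$closes" ]
}

# Writes the file only when a destination is given, e.g.
#   sh gen-site-conf.sh /opt/letsencrypt/nginx/site-confs/default
# then restart the container (or run `nginx -t` inside it) to apply it.
if [ -n "${1:-}" ]; then
    conf="$(render_site_conf)" || exit 1
    printf '%s\n' "$conf" | braces_balanced || { echo "unbalanced braces" >&2; exit 1; }
    printf '%s\n' "$conf" > "$1"
fi
```

Nothing in the generated config maps a hostname to a port by itself: DNS gets every subdomain to the same public IP, the router forwards 80 and 443 to the container, and it is the `server_name` line in each block that picks which `proxy_pass` target a given hostname ends up at.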

@juan11perez … YES! that was exactly what I was missing and looking for. Thanks for the great post and reply !

1 Like

Happy to help. I’m by no means an expert and only managed to get this working through intense perseverance.

Could you post a working configuration file for traefik. I’d like to try it out. I might be able to figure it out (maybe…:wink:) but if you already have a working config then why reinvent the wheel! :grinning:

I have no idea what happened (I also didn’t test from an external IP initially), but I got everything working and even got GA to sync. Now when I try to reach my site via an external IP, I get nothing. I reverted to test back to my site:port and it’s fine. Any ideas? Do I need to allow all in the location settings?

Are your router ports set 80 to 80 and 443 to 443?