Nginx Reverse Proxy Set Up Guide – Docker

I’m having a problem with basic auth alongside the new auth system as well. From what I’ve been able to determine, the Authentication header is being re-written from “Basic xxxxxxx” to “Bearer [token]” somewhere by the new auth methods. This results in me being constantly asked for my Basic Auth creds, and ends up with a sort of interactive redirect loop between basic auth and the new HA auth.
For a yet unconfirmed reason, it works in Fully Kiosk Browser. I’m assuming it’s how FKB inserts its own auth headers when you tell it to use basic auth, but I don’t really know because I haven’t figured out how to look at FKB traffic or even error logs.
At this point my trying to figure this out is mostly aimless tinkering, so if someone has suggestions to try to fix it, I’d love to be a semi-capable guinea pig, but otherwise will shift focus back to the floorplan and alarm plugins.

I want to get nginx and Let’s Encrypt working in docker (is a firewall needed?). I haven’t jumped into trying yet because I want nginx to reverse proxy not only my docker services, but some local network services that will never go into docker. Most of the nginx and Let’s Encrypt docker stuff (what are they called on docker hub, repos?) I’ve seen appears to be targeted towards docker services.

I’m tagging @flamingm0e on this, because he seems to know his docker better than most and IMO he’s a hero of this community.


I would try this then.

https://hub.docker.com/r/linuxserver/letsencrypt/

All you need is for your NGINX docker to see the certs from the LetsEncrypt whether you use lets encrypt in its own docker or in the same docker container.

NGINX doesn’t care what you are proxying. The fact that it is running in Docker means nothing to the way reverse proxy works. You simply point the config to what you want to proxy.

I have seen others mention Caddy and Traefik around here as being easier to configure. You could try those too. See what you like.

Thanks, but I don’t think I am a hero. :wink:


I’ve got the same issue as you @Garrett.Raney, I’ve downgraded to 0.76.2 for now

This is great! I was finally able to get HA up without a hitch.
Has anyone gotten node-red set up to be able to be accessed from its own subdomain and/or from within the HA subdomain within this framework? I have tried several things I have dug up from various nginx posts but haven’t been able to get it to work… I keep getting timed out.

Thanks!


Anybody have any luck with iframes? Could sometimes get it to work, other times it would give “no auth header received”. Any ideas? This is a side panel configurator iframe.

Hello,
First, thanks to everyone for all of this useful info.
I can’t get this to work and I’m kinda realizing I might not be able to figure this out.
Here’s the error message that I’m getting from the NGINX container log in Portainer:
Here are the basics:

  1. I have a domain from Google Domains that I will call here “MYDOMAIN.com”.
  2. I have dynamic dns set up with my router (Untangle UTM - local ip x.x.x.1). Untangle updates Google Domains with any changes to my public IP.
  3. I added CNAME records hass.MYDOMAIN.com and portainer.MYDOMAIN.com. I entered “MYDOMAIN.com” in both the data fields for hass.MYDOMAIN.com and portainer.MYDOMAIN.com. Google Domains appends a ‘.’ to the end of the data fields – so the field becomes MYDOMAIN.COM. rather than MYDOMAIN.com. I don’t know if this is significant.
  4. I successfully got certs from Let’s Encrypt for the domain and subdomains.
  5. Homeassistant (via Hass), portainer, and nginx are all running in docker on an Ubuntu VM in esxi.
  6. I noticed above that the docker network might be important. Portainer is on “bridge” and listens on port 9002 (host) -> 9000 (container). NGINX is on the “bridge” network, also. Home Assistant is on the “host” network. I don’t know if I can change Home Assistant’s network, since it is started by Hass.
  7. I saw above that others were confused about the fastcgi pass line. So, I made mine point to the internal IP of the Ubuntu VM which runs the NGINX container (I only used port 9000 because that’s the port used by OP; I moved the Portainer port to 9002 (host) -> 9000 (container)). That doesn’t work and the log gives this error:

nginx: [emerg] invalid host in upstream "http://x.x.x.168:9000/" in /config/nginx/site-confs/default:47

  • The local IP of the Ubuntu VM which runs Docker/NGINX/HA/etc. is 192.168.1.168
  • The local IP of esxi server which runs the Ubuntu VM is 192.168.1.132.

I was having the very same problem. In the end I decided to turn off nginx basic authentication and use Home Assistant’s authentication system, ip_ban_enabled and TOTP 2FA.

use_x_forwarded_for: true
ip_ban_enabled: true
login_attempts_threshold: 3

I’ve tested the ip ban and it works as planned. Probably more secure now than it was before.
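A reverse-proxy server block that ties together the two points raised above (the “invalid host in upstream” error, and forwarding the client address so that use_x_forwarded_for and ip_ban_enabled act on the real visitor). This is an added illustration, not a config posted in this thread; it assumes the Docker host/VM is 192.168.1.168 as in the post above, that Home Assistant listens on the host network on port 8123, and that the certificates live under the path the linuxserver/letsencrypt image uses. Portainer would get an identical server block pointing at 192.168.1.168:9002.

```nginx
# Added illustration, not a config from the thread. Assumptions: Docker
# host/VM is 192.168.1.168, Home Assistant listens on 8123 on the host
# network, certs are under /config/keys/letsencrypt/ (linuxserver image).

# An upstream "server" entry is host:port only. Writing
# "server http://192.168.1.168:9000/;" here is what nginx rejects with
# "invalid host in upstream"; the scheme belongs on proxy_pass instead.
upstream homeassistant {
    server 192.168.1.168:8123;
}

server {
    listen 443 ssl;
    server_name hass.MYDOMAIN.com;
    ssl_certificate     /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

    location / {
        proxy_pass http://homeassistant;

        # No auth_basic here: Home Assistant's own login sends
        # "Authorization: Bearer ...", and nginx basic auth uses the same
        # header, which is the loop described earlier in the thread.
        # Let HA's login, ip_ban_enabled and 2FA handle authentication.

        # The HA frontend needs the websocket upgrade passed through.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Forward the real client address so that use_x_forwarded_for
        # and ip_ban_enabled ban the visitor, not the proxy container.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Running `nginx -t` inside the container reports this kind of upstream mistake before you reload, instead of leaving it to the startup log.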

Try mapping port 9000 to 9000 instead of 9002 (as a start)

To me Traefik is a confusing black box. It takes longer to read the home page of Traefik than it does to get nginx working.

From what I can tell, Traefik does everything automatically, but how do I tell it what I want it to do? I dunno, it is just “easy”. Gah.

Oh yeah, they have a cute cartoon and some flowcharts. OK.


Thanks for sharing your great insights. Maybe it’s just above your head.

You asked why more people don’t use Traefik; I guess you were just being rhetorical. Seriously, there are hundreds of examples of working nginx configurations. With Traefik it is hard to find one example that is actually easy to implement – and easy to understand what it is really doing so it can be fixed if something goes wrong.

That’s why.

It’s definitely above my head. Sorry, I was trying to be funny and serious and self-deprecating all at once but just came across as a jerk.

@piotr
I would say that the more options we have the better. Perhaps you could put together a small guide (aimed at HA users) like this one. No doubt it would be welcomed by all.


This worked great! Thanks a lot. What an ordeal to iron out the kinks on my end; being new to this it took longer, as there were basic things I had to learn and absorb about Linux, but it’s finally working. :slight_smile: Now to get loopback working on my Asus router to access my install without needing to switch URLs on my iOS device.

Cheers

What file is the default file? It’s confusing really. Are we talking about editing /letsencrypt/nginx/nginx.conf or /letsencrypt/nginx/site-confs/default?

Also, I am not using subdomains as I have put my subdomains as a wildcard. Has anyone got this kind of configuration? If yes, can you please share your “default” file that I need to change to access HA on https://XXX.duckdns.org?

Thanks.

I think it’s the second.

There is a recent YouTube video on getting Nginx up and running with Let’s Encrypt. Try typing in “LetsEncrypt with NginX for Home Assistant”. That helped me a lot recently, and I don’t know anything about this stuff.


Well, it seems like @juan11perez’s hastebin files, i.e. the docker compose files, show that he is not using subdomains anymore. Maybe his default file needs updating and sharing on here?

@juan11perez, thanks for the excellent instructions! I tried this several times before using different instructions and each time I ran into an SSL protocol error. Also this time unfortunately. Does anyone know what I did wrong? I followed the steps in this post, but when I go to my home assistant url, I get an ERR_SSL_PROTOCOL_ERROR.

Apologies but can’t add much more. I’m just a keen enthusiast that got this working via trial and error and this guideline worked for me on the mentioned OS.

There are a couple of YouTube videos on this container you can check.
One by a gentleman, Techno Dad Life, and another by BurnsHA.