I’m having a hell of time getting Hass running behind Nginx. All my other services run fine but Hass has had me stumped for a couple of weeks now.
I’m hoping someone can have a look at my Nginx conf and see if they can spot the problems(s)
Blockquote
###################################################
#////////////////////////////////////////////////SERVER BLOCK\\\\\\\\\\\#
###################################################
#REDIRECT TRAFFIC FROM www.domain.com TO https://domain.com#
server {
listen 80;
listen 443 ssl http2;
server_name www.mydomain.duckdns.org; #CHANGE THIS TO YOUR DOMAIN NAME!
return 301 https://mydomain.duckdns.org$request_uri; #CHANGE THIS TO YOUR DOMAIN NAME!
}
#REDIRECT HTTP TRAFFIC TO https://[domain.com]#
server {
listen 80;
server_name mydomain.duckdns.org; #CHANGE THIS TO YOUR DOMAIN NAME!
return 301 https://$server_name$request_uri;
}
#######################################################
#////////////////////////////////////////////////MAIN SERVER BLOCK\\\\\\\\\\#
#######################################################
#MAIN SERVER BLOCK#
server {
listen 443 ssl http2 default_server;
server_name mydomain.duckdns.org; #CHANGE THIS TO YOUR DOMAIN NAME!
#Certificates from LE container placement#
ssl_certificate /config/keys/letsencrypt/fullchain.pem;
ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
#Strong Security recommended settings per cipherli.st#
ssl_dhparam /config/nginx/dhparams.pem; # Bit value: 4096
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_timeout 10m;
#Settings to add strong security profile (A+ on securityheaders.io/ssllabs.com)#
add_header Strict-Transport-Security “max-age=63072000; includeSubDomains; preload”;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection “1; mode=block”;
add_header X-Robots-Tag index; #SET THIS TO none IF YOU DONT WANT GOOGLE TO INDEX YOU SITE!
add_header Content-Security-Policy “frame-ancestors https://*.$server_name https://$server_name”; ## Use *.domain.com, not .sub.domain.com
add_header X-Frame-Options “ALLOW-FROM https://.$server_name” always; ## Use .domain.com, not .sub.domain.com when using this on a sub-domain that you want to iframe!
add_header Referrer-Policy “strict-origin-when-cross-origin”;
proxy_cookie_path / “/; HTTPOnly; Secure”;
more_set_headers “Server: Classified”;
more_clear_headers ‘X-Powered-By’;
#Custom error pages#
error_page 400 401 402 403 404 405 408 500 502 503 504 $scheme://$server_name/error.php?error=$status;
error_log /config/log/nginx/error.log;
#AUTHORIZATION BLOCK#
location ~ /auth-(.) {
internal;
proxy_pass http://192.168.1.134:8282/api/?v1/auth&group=$1;
proxy_set_header Content-Length “”;
}
#BLOCK ORGANIZR DASHBOARD FILES#
location ~ /loginLog.json|chat.db|users.db|org.log|org.db|organizrLog.json|organizrLoginLog.json {
return 404;
}
#ORGANIZR CONTAINER
location / {
proxy_pass http://192.168.1.134:2020;
include /config/nginx/proxy.conf;
proxy_intercept_errors on; #For custom Organizr error page
}
#####################################################
#////////////////////////////////////////////////SUBDIRECTORIES\\\\\\\\\\\#
#####################################################
#SONARR CONTAINER
location /sonarr {
include /config/nginx/proxy.conf;
proxy_pass http://192.168.1.134:8989/sonarr;
}
#Radarr CONTAINER
location /radarr {
include /config/nginx/proxy.conf;
proxy_pass http://192.168.1.134:7878/radarr;
}
#Sabnzbd CONTAINER
location /sabnzbd {
include /config/nginx/proxy.conf;
proxy_pass http://192.168.1.134:8080/sabnzbd;
}
#OMBI CONTAINER
location /ombi {
include /config/nginx/proxy.conf;
proxy_pass http://192.168.1.134:3579/ombi;
}
#Monitorr Container
location /monitorr {
proxy_pass http://192.168.1.134:3131/monitorr;
add_header X-Frame-Options SAMEORIGIN;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
#tautulli CONTAINER
location /tautulli/ {
proxy_pass http://192.168.1.134:8181;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_read_timeout 90;
proxy_set_header X-Forwarded-Proto $scheme;
set $xforwardedssl “off”;
if ($scheme = https) {
set $xforwardedssl “on”;
}
proxy_set_header X-Forwarded-Ssl $xforwardedssl;
proxy_redirect ~^(http(?:s)?://)([^:/]+)(?::\d+)?(/.)?$ $1$2:$server_port$3;
}
}
##################################################
#////////////////////////////////////////////////SUBDOMAINS\\\\\\\\\\\\#
#################################################
server {
listen 443 ssl;
server_name hass.mydomain.duckdns.org;
location / {
proxy_pass https://192.168.1.134:8123/;
proxy_http_version 1.1;
proxy_set_header Connection “”;
}
location /api/websocket {
proxy_pass https://192.168.1.134:8123/api/websocket;
proxy_set_header Host $host;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection “upgrade”;
}
}
Hass Config:
http:
Secrets are defined in the file secrets.yaml
api_password: test
#Uncomment this if you are using SSL/TLS, running in Docker container, etc.
#base_url: hass.mydomain.duckdns.org
Tried:
base_url: /hass
base_url: /hass/
base_url: hass.mydomain.duckdns.org
Commented out
Blockquote
