NGINX with DuckDNS behind Double Nat

I’ve been having this problem for a few months and have not been able to address the issue with accessing my HA from outside my home network.

I run HA on my RPi which is on a VLan and because of limitations on my network setup, my router sits behind my service provider’s modem/router.

Internet → (ISP device) → 10.0.3.x (my router) → 10.0.63.x (my RPi)

The only way I am able to connect to my HA instance externally is if I allow in my list of trusted proxies in the config.yaml
I’m assuming the port forwarding that I’ve done is correct since at the minimum works.

  use_x_forwarded_for: true
#    -
#    -
#    -
#    -

Aside from not being able to access my HA instance, I am also wondering if this has anything to do with my problem with the Home Assistant Cast functionality
here. I am able to cast the demo, but unable to cast my own specific instance of HA. If this is a separate issue, I’ll be glad to post another thread about this.

One step at a time:

Can someone explain what is happening if I leave on the list?
Can anyone advise what is the correct way to allow access?

Next step, if it is related, what is going on with Cast?

If there’s any missing info you’d like to know to help diagnose, let me know. Thanks in advance!

The first question is: Why would you need it?
I understand you do simple port forwarding, without a reverse proxy like nginx, right ? If so, that shouldn’t even be needed.

What error / IP is logged if you remove it?

Yes, i have port forwarding setup, and I do have NGINX configured.
When i try to connect, i get this error (with the external IP blocked):


Is the external IP the one that I should be including into the list of trusted proxies?
I thought the whole point of DuckDNS was to eliminate the need to know your IP address (and yes my external IP is picked up properly by DuckDNS).

Not sure why you hide the IP.
Is it public or private? Does it ring a bell?

It’s my external IP

Edit: sorry I take that back, it’s a private IP.
It was a 172 number, which I didn’t recognize and so I thought it was external. I’ll have to check when I get home what the actual number was, but that’s odd because nothing in my network uses that range.

172 range is typically used by docker, thus your nginx.
You have to put that 172.x.x.0/24 range (the nginx, it’s IP might change) as trusted proxy.

Ok so I just added the to the list of trusted proxies and still receive the same error in the log.

Was going to paste the log from NGINX, but aside from my DuckDNS address, anything else I should be blocking out?

Also, would this mean that my ports are not correctly forwarded? Currently ports 80 and 443 are being forwarded from the ISP device WAN to my router ( and then on my router the same ports are being forwarded from the router WAN to my RPi ip address (10.63.x.x)

OkOk so definitely user error on my part!
Because I’m not familiar with the cidr notations, what I messed up is that it needed to be and not /24.

Everything works as intended it seems! Thanks @koying for pointing out that the IP is related to NGINX!

I quickly went and gave Cast a try and still not working so it seems maybe that is unrelated. Bummer :confused: