No remote connection with duckdns nginx since ISP switch

I’ve recently switched ISP from BT to a local fibre provider and have spent the last few days banging my head against a wall trying to reconfigure duckdns and nginx on a pi4 with haOS to get remote access.

My issue is that mydomain.duckdns.org goes to the router login page, and mydomain.duckdns.org:8123 does not connect to anything.

I have confirmed that my new ISP provides a static IP, so not hidden by CGNAT. They also confirmed that port forwarding is not blocked, double checked my router settings and said it ‘should’ work.
My duckdns IP has been updated.
I’ve got port 443 → 443 on my router, confirmed as open from Open Port Check Tool.
I’ve tried a fresh install on another pi3 (current setup is pi4) with same result.

Before I give up, I was just curious if anyone could offer any suggestions? I’ve spent a few days trawling through forums and reddit, trying various tweaks with no joy.

duckdns config and log:

domains:
  - mydomain.duckdns.org
token: my token
aliases:
lets_encrypt:
  accept_terms: true
  algo: secp384r1
  certfile: fullchain.pem
  keyfile: privkey.pem
seconds: 300

NOCHANGE
[08:53:40] INFO: Renew certificate for domains: mydomain.duckdns.org and aliases:
INFO: Using main config file /data/workdir/config
Processing mydomain.duckdns.org
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till May 7 18:57:08 2024 GMT (Longer than 30 days). Skipping renew!
[08:58:51] INFO: OK
public ip

nginx config/log

domain: mydomain.duckdns.org
hsts: max-age=31536000; includeSubDomains
certfile: fullchain.pem
keyfile: privkey.pem
cloudflare: false
customize:
  active: true
  default: nginx_proxy_default*.conf
  servers: nginx_proxy/*.conf

s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service fix-attrs successfully started
s6-rc: info: service legacy-cont-init: starting
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service nginx: starting
s6-rc: info: service nginx successfully started
s6-rc: info: service crond: starting
s6-rc: info: service crond successfully started
s6-rc: info: service legacy-services: starting
s6-rc: info: service legacy-services successfully started
[09:28:12] INFO: Running nginx…

config.yaml

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24
    - 192.168.1.167

You mean 443 on the router to homeassistant.local:8123, right?
And you try https://mydomain.duckdns.org?

On this point, I think you’ve got your ports confused if you’re trying to access directly as described.

You’ve opened port 443 on your router but then you’re accessing mydomain.duckdns.com on port 8123, which you haven’t opened.

Then, inside your LAN, your router is sending traffic it receives from port 443 to port 443 on your Home Assistant box, which presumably also isn’t open…

Probably the easiest thing to do is change your port forward to either redirect port 443 to 8123 (so you don’t need to specify a port when you use the URL) or change both ports so 8123 goes straight through.

Thanks kindly for your suggestions. The 443->443 was a typo, apologies. This is the current setting on the router:

I’ve checked the logs once more and nginx has been showing this error a few times:

2024/02/08 17:30:42 [error] 152#152: *54 upstream prematurely closed connection while reading response header from upstream, client: 159.223.3.86, server: mydomain.duckdns.org, request: "GET / HTTP/1.1", upstream: "http://172.30.32.1:8123/", host: "mydomain.duckdns.org"

Yes, this takes me to the router login page.

I’ve just tried accessing HA through duckdns with 4G on my phone and it works, just not when connected to the same LAN as HA.

Then the issue is that you lost NAT hairpinning on your router. I guess it was changed when you switched ISP.


Thanks very much for the info. I’ve switched to the Cloudflare approach and that is working fine.
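
The hairpinning diagnosis reached in this thread (works over 4G, router login page from the LAN) can be reproduced by probing the DuckDNS name on port 443 from both networks and comparing who answers. This is an added example, not part of the thread: the function names and result labels are made up here, and it assumes that a certificate valid for the name means the NGINX proxy answered.

```python
import socket
import ssl
import sys

def probe(host, port=443, timeout=5.0):
    """Report what answers host:port from the network this runs on.

    "proxy"  - TLS handshake succeeded with a certificate valid for host
               (assumed here to mean the NGINX proxy answered)
    "other"  - something accepted the connection but did not present a valid
               certificate for host (for example a router's own login page)
    "closed" - nothing accepted the connection, or the name did not resolve
    """
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    with raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "proxy"
        except OSError:  # ssl.SSLError is an OSError subclass
            return "other"

def diagnose(lan, wan):
    """Combine one probe() result from the home LAN with one from outside."""
    if wan == "proxy":
        # Port forward, certificate and proxy are fine from the internet.
        return "ok" if lan == "proxy" else "no-hairpin"
    if wan == "other":
        return "wrong-target"   # forward reaches a device that is not the proxy
    return "unreachable"        # forward missing, stale DNS record or CGNAT

if __name__ == "__main__":
    # Run once on the LAN and once from outside (e.g. a phone hotspot),
    # then pass both results to diagnose().
    name = sys.argv[1] if len(sys.argv) > 1 else "mydomain.duckdns.org"
    print(name, "->", probe(name))
```

A "no-hairpin" result means the exposure itself is working and only the LAN path is affected, so the fix belongs on the router or in local DNS rather than in the port forward.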