Proxy on a different host

Tags: #<Tag:0x00007f73ad0a3d68>

Have a relatively complicated network setup and can’t seem to get HA (Supervised VM) to allow forwarded SSL requests from my NGINX Proxy Manager instance on another host.

Network setup is:

  • (Untagged) Management/Private VLAN [192.168.1.x]: NGINX Proxy Manager + a bunch of other utility containers (Unifi controller, MariaDB, etc).
  • (99) IoT VLAN [192.168.99.x]: Home Assistant VM + all my IoT devices.
  • Gateway is 192.168.1.1, DNS is set to supplied DNS from provider.
  • Firewall rules to allow all connections from HA host to private VLAN
  • Firewall rules to allow all connections from private VLAN to all VLANs
  • Internal and External URL in HA set to my external address (assume this is correct when using a reverse proxy)

NGINX Proxy Manager is setup and working on a Docker container spawned on 192.168.1.20. My settings for it are:


I know that it’s working, because I used to run NPM as an addon on the HA host. So if I use the manual ssl_certificate and ssl_key in my http configuration for HA, it serves just fine. However, these certs are no longer being updated, and I want to move all my network config off HA.

I’ve tried adding the following configuration to allowing proxy forwarding, but to no avail.

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.1.20
    - 192.168.1.1

However, when restarting using this configuration, log just fills with the following:

2020-07-18 08:47:07 ERROR (MainThread) [aiohttp.server] Error handling request
Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/aiohttp/web_protocol.py", line 275, in data_received
    messages, upgraded, tail = self._request_parser.feed_data(data)
  File "aiohttp\_http_parser.pyx", line 523, in aiohttp._http_parser.HttpParser.feed_data
aiohttp.http_exceptions.BadStatusLine: invalid HTTP method

It seems like something within HA isn’t receiving the SSL certificates from the NPM instance, but at a bit of a loss now as to where to look next to solve this problem.

TIA for any direction!

It looks to me like you mixed up HTTP and HTTPS. Eg you’re sending https to HA but haven’t configured HA for that. I think you want the proxy host side to be HTTP, not HTTPS.

I don’t understand what you mean. I definitely want HTTPS. Or do you mean that without a certificate in the http config, HA won’t accept direct HTTPS connections? Can you explain yourself more?

You want HTTPS, which is what the NGINX Proxy is for. But what protocol do you want NGINX to use to talk to your HA? It doesn’t need to be HTTPS. Usually, you would just use HTTP from the proxy to the server.

From your screenshot and the error message, I think NGINX is talking HTTPS to HA, but HA is only expecting HTTP. Try turning off the “force SSL” in the “edit proxy host” screen.

Riiiiight, I get it now. Your solution didn’t fix it, but it got me thinking more logically about it.

The proper way to set it up was as follows:

  • Scheme: set to HTTP (not HTTPS)
  • SSL: Leave “Force SSL” on

This was what was tripping me up. It still forces all connections there to be via the HTTPS protocol, but it directs all traffic (internally) via HTTP. Working fine now. Thanks for helping!