Remote access to hadashboard using nginx


#1

Hello

I’m running HA in a virtual env on a PI using hassbian.

I want to start using HAdashboard and to allow appdaemon to connect locally I set up NGINX and moved SSL from HA to NGINX. After (finally) succeeding in setting up app daemon, nginx and hadashboard I’m having trouble setting up remote access for HAdashboard.

Using the config described here: https://www.home-assistant.io/docs/ecosystem/nginx/ I’m able to access both front end and hadashboard locally and the front end remotely, but how do I set up remote access for HAdashboard?

I guess I need to set up an additional forward to port 5050 where hadashboard is running. I tried copying and pasting the whole server entry in the nginx config, only changing the ports, but then NGINX won’t start. nginx -t yields:

[emerg] 2669#2669: BIO_new_file("/home/homeassistant/dehydrated/certs/[myhass].duckdns.org/fullchain.pem") failed (SSL: error:0200100D:system library:fopen:Permission denied:fopen('/home/homeassistant/dehydrated/certs/[myhass].duckdns.org/fullchain.pem','r') error:2006D002:BIO routines:BIO_new_file:system lib)

In the hadashboard docs SSL support is mentioned, but SSL should still be handled by NGINX in this setup, right?

Hope someone can help, thanks!


#2

you are right, SSL should be handled by nginx.

i am no nginx expert, but i think that the easiest way should be adding a second server to nginx.

in the dir /etc/nginx/sites-enabled you probably now have a file that connects to HA and it has the name from your outside DNS (probably duckdns?)

you can duplicate that file and name it

yourname2.duckdns.org
edit that file for your AD configuration
and then create a second duckdns connection

that's 1 option i can think of that might work.

the second one is that you forward port 8123 on the dns to 8123 (HA) and port 5050 to port 5050.
but then you also need to forward those ports from your router to nginx.
in the server config from nginx you start to listen to those ports instead of 443 (but still ssl on).

you could also use different locations, for example:
yourname.duckdns.org/hass forwards to port 8123
yourname.duckdns.org/dashboard forwards to 5050

all these options are available, but i don't have the exact settings for them,
because i don't use dashboard outside my home network.

you could also just use dashboard at home, and create a lovelace page for outside. then you only need to use nginx for HA.


#3

yeah, that’s what I’ve been trying to do, but when I add the second server entry to the config file I can’t get NGINX to run (see error message in my first post). Seems to be an issue with the SSL certificate. I’m trying to use the same cert for both connections, maybe that’s what’s wrong…?


#4

no, you can use the certs for several servers.
maybe while editing you screwed up the file rights.
or you did start nginx as a user that has no file rights for those files.
the error shows that nginx doesn't have permission to use the cert files.


#5

Hm, I don’t think I messed up the rights or the active user. I basically did this:

  • NGINX is running, everything is fine

  • opened the hass config file with sudo nano hass, copied the whole 443 server entry, pasted it at the bottom and changed the server name to [myhass].duckdns.org:5050, listening port to 5050 and proxypass to localhost:5050, close and save.

  • Try to restart NGINX with sudo /etc/init.d/nginx start/stop, get the error above.

  • open the config file same way as before, remove the added server, save and close.

  • Restart NGINX, same way as before, works fine


#6

in that case the error is confusing, but what you tried to do can't work.

you had nginx listen to duckdns port 443 and forward that to HA port 8123
you copied that and only changed the port.

now you have a listener for incoming on 443 and it must be redirected to 8123 and 5050

you need to listen to something else than 443, or you need separate locations, or you need separate urls to listen to, but the incoming can't be 2 times the same.


#7

ehm, no I don’t think so. I also changed the listen port. My intention is that …duckdns.org:443 should be forwarded to localhost:8123 and …duckdns.org:5050 should be forwarded to localhost:5050. I’ll paste my config below:

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    # Update this line to be your domain
    server_name [myhass].duckdns.org;

    # These shouldn't need to be changed
    listen [::]:80 default_server ipv6only=off;
    return 301 https://$host$request_uri;
}

server {
    # Update this line to be your domain
    server_name [myhass].duckdns.org;

    # Ensure these lines point to your SSL certificate and key
    ssl_certificate [certdir]/fullchain.pem;
    ssl_certificate_key [certdir]/privkey.pem;
    # Use these lines instead if you created a self-signed certificate
    # ssl_certificate /etc/nginx/ssl/cert.pem;
    # ssl_certificate_key /etc/nginx/ssl/key.pem;

    # Ensure this line points to your dhparams file
    ssl_dhparam /etc/nginx/ssl/dhparams.pem;


    # These shouldn't need to be changed
    listen [::]:443 default_server ipv6only=off; # if your nginx version is >= 1.9.5 you can also add the "http2" flag here
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    proxy_buffering off;

    location / {
        proxy_pass http://localhost:8123;
        proxy_set_header Host $host;
        proxy_redirect http:// https://;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}

# below lines added for HAdashboard

server {
    # Update this line to be your domain
    server_name [myhass].duckdns.org:5050;

    # Ensure these lines point to your SSL certificate and key
    ssl_certificate [certdir]/fullchain.pem;
    ssl_certificate_key [certdir]/privkey.pem;
    # Use these lines instead if you created a self-signed certificate
    # ssl_certificate /etc/nginx/ssl/cert.pem;
    # ssl_certificate_key /etc/nginx/ssl/key.pem;

    # Ensure this line points to your dhparams file
    ssl_dhparam /etc/nginx/ssl/dhparams.pem;


    # These shouldn't need to be changed
    listen [::]:5050 default_server ipv6only=off; # if your nginx version is >= 1.9.5 you can also add the "http2" flag here
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    proxy_buffering off;

    location / {
        proxy_pass http://localhost:5050;
        proxy_set_header Host $host;
        proxy_redirect http:// https://;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}

#8

…tried something else now, it occurred to me that server_name probably shouldn’t include the port, so I removed that and now I’m getting a new error; systemctl status nginx.service yields:

● nginx.service - A high performance web server and a reverse proxy server
   Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Mon 2019-01-14 14:57:20 UTC; 18s ago
     Docs: man:nginx(8)
  Process: 24570 ExecStop=/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid (code=exited, status=2)
  Process: 24617 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=1/FAILURE)
  Process: 24614 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
 Main PID: 2809 (code=exited, status=0/SUCCESS)

Jan 14 14:57:17 hassbian nginx[24617]: nginx: [emerg] bind() to [::]:5050 failed (98: Address already in use)
Jan 14 14:57:18 hassbian nginx[24617]: nginx: [emerg] bind() to [::]:5050 failed (98: Address already in use)
Jan 14 14:57:18 hassbian nginx[24617]: nginx: [emerg] bind() to [::]:5050 failed (98: Address already in use)
Jan 14 14:57:19 hassbian nginx[24617]: nginx: [emerg] bind() to [::]:5050 failed (98: Address already in use)
Jan 14 14:57:19 hassbian nginx[24617]: nginx: [emerg] bind() to [::]:5050 failed (98: Address already in use)
Jan 14 14:57:20 hassbian nginx[24617]: nginx: [emerg] still could not bind()
Jan 14 14:57:20 hassbian systemd[1]: nginx.service: Control process exited, code=exited status=1
Jan 14 14:57:20 hassbian systemd[1]: Failed to start A high performance web server and a reverse proxy server.
Jan 14 14:57:20 hassbian systemd[1]: nginx.service: Unit entered failed state.
Jan 14 14:57:20 hassbian systemd[1]: nginx.service: Failed with result 'exit-code'.

#9

i think you can't listen to the port 5050 because then it needs to be a server on that port.
so you should listen to 5049 (for example) and then forward to 5050


#10

The previous errors were fixed by stopping appdaemon, which was currently using port 5050. After that I was able to successfully start NGINX and restart appdaemon.

However, new problems arise. When I try to access hadashboard either via my local_ip:5050 or my duckdns.org:5050 I get “400 Bad Request The plain http request was sent to HTTPS port”

I also tried changing the listen port to 5049 as you suggested, but then I get a “502 Bad gateway”


#11

those 2 can only give the same when it comes from AD.
and AD only can expect https if you have set SSL inside AD (which you shouldn't.)

local_ip:5050 should always work without https because it doesn't go through nginx and AD shouldn't have SSL


#12

Now it works.

Looks like listening to the same port as hadash was running on was the mistake. I now have the listen port set to 5049 and proxy_pass to port 5050, which is the port hadash is hosted on. With listen port 5050 hadash wasn’t even available locally, so I guess NGINX was blocking hadash. I had to restart appdaemon to get rid of the “502 bad gateway”, so I guess hadash was blocked from port 5050 at startup. The restart of appdaemon is basically all I effectively did since my last post.

@renetode thanks for your help!
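For reference, here is an added example of the second server block as it ends up after the fixes discussed in #2 (option 2, a separate port) and #12: nginx listens on 5049, which nothing else binds, and forwards to the dashboard on localhost:5050, which stays plain HTTP. This is not the thread's own config; the host name, certificate paths and the port numbers are assumptions, and the `$connection_upgrade` variable comes from the `map` block already present in the Home Assistant config (defining it a second time makes nginx refuse the config).

```nginx
# Added example, not from the thread: TLS-terminating server block for
# HADashboard. Place it in the same file as the Home Assistant server block,
# which already defines the $connection_upgrade map.
server {
    # Host name only: a port in server_name never matches, because nginx
    # compares against the Host header with the port stripped.
    server_name myhass.duckdns.org;   # placeholder

    # Same certificate as the HA block; sharing it between blocks is fine,
    # nginx only needs read permission on the files when it starts.
    ssl_certificate     /path/to/fullchain.pem;   # placeholder
    ssl_certificate_key /path/to/privkey.pem;     # placeholder

    # "listen ... ssl" replaces the deprecated "ssl on;". The port must be
    # free: AppDaemon already owns 5050, so nginx takes 5049 instead.
    # Only one block per address:port pair may be default_server.
    listen [::]:5049 ssl default_server ipv6only=off;

    # TLS 1.0 and 1.1 are obsolete; add TLSv1.3 if nginx >= 1.13 with
    # OpenSSL >= 1.1.1 (older builds reject the value).
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";

    proxy_buffering off;

    location / {
        # Upstream is plain HTTP: TLS ends here, not inside AppDaemon.
        proxy_pass http://localhost:5050;
        proxy_set_header Host $host;
        proxy_redirect http:// https://;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
```

Validate with `sudo nginx -t` before reloading; the earlier "Address already in use" error is exactly what a bind on a port AppDaemon holds produces. The listen port (5049) is the one to forward from the router, and clients must use `https://myhass.duckdns.org:5049/`: a plain `http://` request to a TLS port gets the 400 "plain http request was sent to HTTPS port" seen in #10, while the local `http://local_ip:5050/` path bypasses nginx entirely.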


#13

you're welcome.
glad you got it working