Remote access with Docker

I don’t see this in the documentation but I just set the environment variables for the duckdns token, url, and validation=duckdns in the docker compose, and find that is enough to keep the IP updated with duckdns. I don’t have anything else installed that would set the IP in duckdns, and per the duckdns website it updated my IP within the past week. So, I’m assuming some process running within the container keeps it updated, for me at least.

I had the same problem. What solved it for me was replacing this line in homeassistant.subdomain.conf:

server_name homeassistant.*;

with this:

server_name prefix.your_sub_domain.duckdns.org;

Hi! I’m having the same problem here. When I browse to my homeassistan.duckdns.org it takes me to a swag instance web. Did you get to solve it?
This post is great and thanks Bry for your time posting it.
I managed once to access it with http:// but not with https://
I thought it could be an issue with my router?
Thanks in advance for any help

Sorry I don’t have time to provide support.
I’d like to set up my config again to check but I have other projects in hand.
If your subdomain is ‘somewhere’ for example, if you connect to ‘somewhere.duckdns.org’ you get the swag instance.
‘homeassistant.somewhere.duckdns.org’ should take you to your homeassistant login

I had the same problem and it was because I had put the url wrong, you have put “homeassitan” and it is “homeassistant”, try it

connect with https://homeassistant.your-sub-domain.duckdns.org/

Thanks Fernando, homeassitan was a mistake writing the post. What I try is https://192.168.X.X.mysubdomain.duckdns.org and takes me to that swag instance web. Do you mean I should replace my server IP for homeassistant in the url?

Thanks Bry. I tried all ways possible in the url with the same result. I will try replacing the IP of my server for “homeassistant” but not sure if I’ll require any modification in the homeassistant.subdomain.conf file.
Anyway I’ll keep trying doing some modifications.
The thing is I can’t integrate Alexa in homeassistant till I get it.
I will post it if I get it.
Thanks

It sounds like your NGINX config specified in the homeassistant.subdomain.conf file is not correct. As mentioned in the top post, you need to replace the line set $upstream_app homeassistant with set $upstream_app 192.168.XX.XXX replacing the x’s with the actual IP address your Home Assistant is running at. You do not specify the IP in the URL you type in your browser- the proxy configured properly translates the https://homeassistant.yourduckdnsdomain.duckdns.org to your Home Assistant instance running at its IP for you.

Thanks Tim for your comments.
The line $upstream_app homeassistant was replaced with $upstream_app 192.168.XX.XXX. But I’ll try with homeassistant in the URL instead of the IP; hopefully that was the problem.
I’m not doing it with docker-compose as suggested in the post, I’m running the swag container directly (I still have to learn about docker-compose before I migrate all my containers to it). Does any configuration change if I use the swag container directly to set it?
Thanks again. I’ll try as soon as I can and post my findings

I’m assuming you then are just using a run command. This would work but SWAG requires a lot of environment variables to be defined (see example compose in top post), and if you don’t do that through either compose or spell them out in an extremely long run command exactly right it won’t work.

You can use portainer’s stack feature instead to start a container from a docker compose if you don’t like the command line and prefer using a graphical interface.

Thanks a lot for your time Tim.
Everything UP AND RUNNING!!
I did it with docker-compose as you suggested me and it works!
I have remote access and my alexa account integrated.
Thanks again,

Just like a lot of people here, I’ll just stop by to say a huge thanks for taking the time to write your post. Short, simple and on point :fire:.

I was able to get everything up and running in like 30mn.

I only struggled to understand what IP address I was supposed to put into the configuration.yaml of home assistant in the trusted_proxies list… But eventually I just ended up rebooting the server and looking into the logs /config/home-assistant.log. There was a line saying ERROR (MainThread) [homeassistant.components.http.forwarded] Received X-Forwarded-For header from an untrusted proxy SOME-IP-THERE and I just added to trusted_proxies’ list the one displayed there. Worked like a charm.

Thanks a lot again for your post :pray:

Thanks Maxime,
It is nice to know the guide is still up to date.
I tried to be concise and explicit; a difficult balance.
Could you send me a private message about how I could clarify the IP address uncertainty, I can’t see where to be more explicit.

EDIT: had a typo on port forwarding, wrote 433 and not 443 :man_facepalming:
After that I’ve used @maxime1992 solution to add the error address to trusted_proxies and it worked.

First of all, thanks for the guide!

I can’t seem to get it to work properly, but I feel like I am one step away…
In the SWAG logs I don’t see any errors.

Any advice on how to start debugging my issue?

Port forwarding on router: 443 to 443. Protocol = TCP and UDP.

Something to start with maybe:
If I go to “mydomain.duckdns.org” from my local network I am reaching my router page, same behavior as if I go to 192.168.1.1.
My home assistant server sits on 192.168.1.133.

Thank you :slight_smile:

Hey guys, I can clarify a bit and actually give a better solution than what I said in my last post because it kept breaking from time to time.

Instead here’s what I’ve done.

In my docker-compose on the swag container I’ve added these lines at the end:

    networks:
      default:
        # fixing this IP address so that home assistant list of trusted proxies doesn't
        # need to be updated every time we recreate that container
        # https://community.home-assistant.io/t/nginx-reverse-proxy-set-up-guide-docker/54802/289?u=maxime1992
        ipv4_address: 172.10.0.10

and in my configuration.yaml here’s what I now have

http:
  ip_ban_enabled: true
  login_attempts_threshold: 5
  use_x_forwarded_for: true
  trusted_proxies:
    # local IP
    - 192.168.1.100
    # IP fixed for the swag docker container so that we don't have
    # to update it every time the swag container is rebuilt
    - 172.10.0.10

Please note the IP 172.10.0.10 is the same in both configs ofc.

I haven’t had any issue ever since I made that change :slight_smile:

Great write up! I’ve gotten much farther with this than anything else I’ve played around with.

I have a similar issue. Trying all kinds of different variations of what’s written up here, but when I go to homeassistant.xxxxx.duckdns.org I get a “404 bad request”.

The HomeAssistant GUI is starting in safe mode and just showing the log when I login.

home-assistant.log shows all kinds of "setup failed for dependencies : " errors and the below message

“2022-11-11 17:57:51.505 ERROR (MainThread) [homeassistant.components.http.forwarded] A request from a reverse proxy was received from 172.10.0.2, but your HTTP integration is not set-up for reverse proxies”

I’m a newbie at all of this, so any help would be appreciated

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.0.0/16
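
The two log messages quoted in this thread name the address Home Assistant saw the proxy connect from, and that address has to fall inside an entry of trusted_proxies. The script below is an added example, not code from the thread or from Home Assistant: it pulls those addresses out of home-assistant.log text and checks them against a candidate list. The function names and the second sample log line are made up for illustration.

```python
import ipaddress
import re

# Both forwarded-header errors quoted in this thread; captures the proxy address.
PROXY_ERR = re.compile(
    r"\[homeassistant\.components\.http\.forwarded\] "
    r"(?:Received X-Forwarded-For header from an untrusted proxy "
    r"|A request from a reverse proxy was received from )"
    r"(?P<ip>[0-9a-fA-F:.]*[0-9a-fA-F])"
)

# First line is the one quoted in the thread; the second is constructed.
SAMPLE_LOG = """\
2022-11-11 17:57:51.505 ERROR (MainThread) [homeassistant.components.http.forwarded] A request from a reverse proxy was received from 172.10.0.2, but your HTTP integration is not set-up for reverse proxies
2022-11-11 18:03:10.112 ERROR (MainThread) [homeassistant.components.http.forwarded] Received X-Forwarded-For header from an untrusted proxy 172.10.0.10
"""


def proxies_in_log(log_text):
    """Return the set of proxy addresses named in forwarded-header errors."""
    found = set()
    for match in PROXY_ERR.finditer(log_text):
        try:
            found.add(ipaddress.ip_address(match.group("ip")))
        except ValueError:
            continue  # captured text was not a valid address
    return found


def audit(log_text, trusted_proxies):
    """Return (logged proxies not covered, trusted entries outside private space)."""
    nets = [ipaddress.ip_network(entry, strict=False) for entry in trusted_proxies]
    seen = sorted(proxies_in_log(log_text), key=lambda ip: (ip.version, int(ip)))
    uncovered = [str(ip) for ip in seen if not any(ip in net for net in nets)]
    # 172.10.0.0/24 lands here: RFC 1918 reserves 172.16.0.0/12, not 172.10.x.x.
    public = [str(net) for net in nets if not net.is_private]
    return uncovered, public


if __name__ == "__main__":
    for candidate in (["192.168.1.0/24", "172.10.0.0/24"], ["172.30.0.0/16"]):
        print(candidate, audit(SAMPLE_LOG, candidate))
```

An empty first list means every proxy address in the log is already trusted. Entries in the second list are worth moving to a private subnet in the compose file's ipam section, since Home Assistant accepts X-Forwarded-For from any peer inside a trusted range.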

Hi,

I’ve followed the steps outlined above but I’m running into some problems.

  • I’m running an ISP modem/router/AP combo in bridge mode to my router/firewall.
  • It seems the ISP device hands an IP of 192.168.178.185 to the WAN port of my router/firewall. According to the ISP, bridge mode disables the firewall, port forwarding and everything. It should even expose the external WAN IP from the ISP to the router/firewall. But a 192.xx IP might indicate CGNAT.
  • checking whatismyip.com gives an external IPv4 IP which is not in private space. 94.xx.xx.xx
  • Port 80 and 443 have been forwarded in the router/firewall. Homeassistant is (locally) on 192.168.1.2.

I was able to compose swag and get it up and running, I’ll post the files below. It was able to communicate the external IP to DuckDNS, passing the external IP. Except connecting to homeassistant.[subdomain].duckdns.org leads to timeouts, not a HomeAssistant login page.

docker-compose.yaml

version: '3'
services:
  homeassistant:
    container_name: homeassistant
    image: "ghcr.io/home-assistant/home-assistant:stable"
    volumes:
      - /home/[user]/hass:/config
      - /etc/localtime:/etc/localtime:ro
    restart: unless-stopped
    privileged: true
    network_mode: host

  swag:
    image: ghcr.io/linuxserver/swag
    container_name: swag
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1001
      - PGID=1001
      - TZ=Europe/[region]
      - URL=[subdomain].duckdns.org
      - VALIDATION=duckdns
      - DUCKDNSTOKEN=[token]
      - SUBDOMAINS=wildcard
    volumes:
      - /home/[user]/swag:/config
    ports:
      - 443:443
      - 80:80
    restart: unless-stopped


# set trusted docker internal network
networks:
  default:
      ipam:  
        config: 
         - subnet: 172.10.0.0/24

hass/configuration.yaml

# Loads default set of integrations. Do not remove.
default_config:

homeassistant:
  auth_mfa_modules:

http:
  ip_ban_enabled: true
  login_attempts_threshold: 3
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.1.0/24  #Local Lan
    - 172.10.0.0/24  #Docker network

duckdns: 
 domain: [subdomain **without .duckdns.org suffix**]
 access_token: [token]

# Text to speech
tts:
  - platform: google_translate

automation: !include automations.yaml
script: !include scripts.yaml
scene: !include scenes.yaml

Running ip a gives a couple of networking adapters, with docker0 on 172.17.0.1 and a br-d0758f95adee on 172.10.0.1.

homeassistant.subdomain.conf

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name homeassistant.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app 192.168.1.2;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }

    location /api {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app 192.168.1.2;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}

Interestingly though, I’ve installed Tailscale VPN in the meantime, and when I put the VPN IP address (100.x) of my server in the browser of my phone, I get presented with the swag webpage!

It appears your nginx config is not properly setup for websockets which home assistant relies on to connect/stay open.

See my sample config here, the important thing to add I believe are these lines to “upgrade” the connection and keep websockets open.

location /api/websocket {
    resolver 127.0.0.11 valid=30s;
    set $upstream_app homeassistant;
    set $upstream_port 8123;
    set $upstream_proto http;
    proxy_pass http://192.168.0.184:8123;

    proxy_set_header Host $host;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
}

Websocket config is explained more in this article

https://www.google.com/amp/s/www.nginx.com/blog/websocket-nginx/amp/

I will try this, thank you for the quick reply. I’ll definitely read the websocket explanation.

Other than that I just found out my ISP modem/router is apparently not in bridge mode after all… I will fix this first before delving further into nginx. Although I requested this more than a week ago from my ISP’s customer service…