Reverse proxy Http --> Https

Hi All

I managed to get Synology working with auto-updating Let's Encrypt certificates for all my servers
I then pointed the built in reverse proxy to my new HA RASP3

sub.domain.dk (443) --> 192.168.0.10: 8123

And I now get a green cert. on my login page to HA BUT when I try to log in it says "unable to connect"
Is there any configuration I need to do on the HA?
It works for every other server I have running?

Best regards
Casperse

1 Like

Configure nginx like this: https://www.home-assistant.io/docs/ecosystem/synology/

Perfect that did it (No changes to HA Hassio just works after this change)

Synology NAS are the perfect companion to running Home Assistant. But by default, the DSM Reverse Proxy does not configure its NGINX settings to allow WebSocket, and some extra configuration will be required to get the Home Assistant frontend working with the DSM.

TEMPLATE CHANGE
To allow WebSocket by default for all services exposed by NGINX, you can enable it in the template file located in /usr/syno/share/nginx/Portal.mustache. Please be really careful in editing this file since you may break access to the DSM UI. Please back up this file before editing it.

Open /usr/syno/share/nginx/Portal.mustache and add the following in the Location section:

proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 86400;

Then restart the NGINX daemon:

sudo synoservicecfg --restart nginx

ONE THING: I would still like to know if I could make some kind of redirect for all HTTP to HTTPS on the HA
So any access to HTTP://IP:PORT is redirected to the new default working HTTPS://DOMAIN.COM
That part is still not working (Only port open is 8123)

that could be done from nginx
try to adapt this for synology to have a persistent config: https://serverfault.com/questions/629045/nginx-redirect-ip-address-to-domain-name

Hmm I seem to be having some problems

Only made the change to the Synology, and didn't install nginx on the Home Assistant
and I could see that if I tried to access the https domain on the local wlan it would hang on the login screen

So I installed NGINX on Hassio and wanted to do the proposed changes listed here:

Couldn't find the files they talk about here:

HTTP Configuration
Copy the Home Assistant specific Reverse Proxy settings from the existing /etc/nginx/app.d/server.ReverseProxy.conf file to /usr/local/etc/nginx/conf.d/http.HomeAssistant.conf.
Include these lines in the location declaration:
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";

But I am not sure on how to do this, in the Hass.io config for “NGINX Home Assistant SSL proxy” I have changed this by adding the last lines:

{
  "domain": "home.masterstorage.dk",
  "certfile": "fullchain.pem",
  "keyfile": "privkey.pem",
  "hsts": "max-age=31536000; includeSubDomains",
  "customize": {
    "active": false,
    "default": "nginx_proxy_default*.conf",
    "servers": "nginx_proxy/*.conf"
  }
}

Your link to prevent access to port 80 link was this code (Thanks):

 server {
     listen 178.62.136.230:80;
     server_name 178.62.136.230 isitmaintained.com;
 
     rewrite  ^/(.*)$  http://www.isitmaintained.com/$1 permanent;
 }
 server {
     listen 80;
     server_name www.isitmaintained.com;
     # Serve Stuff Here.
 }

I don't really have the skills to combine or even create the correct NGINX config on the hass.io
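
For reference, the two pieces discussed in this thread (the port-80 redirect and the WebSocket proxy headers) combined for a single proxy instance. This is an added example, not part of any post in the thread; it uses the host name and backend address from the first post, the certificate paths are placeholders, and it is plain nginx syntax rather than Synology's generated configuration.

```nginx
# Added example. Values marked "placeholder" are assumptions, not from the thread.

# Port 80 serves no content: every request is permanently redirected
# to the HTTPS host name, keeping the requested path and query string.
server {
    listen 80 default_server;
    server_name sub.domain.dk _;
    return 301 https://sub.domain.dk$request_uri;
}

# Port 443 terminates TLS and proxies to Home Assistant on the LAN.
server {
    listen 443 ssl;
    server_name sub.domain.dk;

    ssl_certificate     /path/to/fullchain.pem;   # placeholder
    ssl_certificate_key /path/to/privkey.pem;     # placeholder

    # Same HSTS value as in the add-on config posted above.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        proxy_pass http://192.168.0.10:8123;

        # The WebSocket upgrade needs HTTP/1.1 towards the backend.
        proxy_http_version 1.1;
        proxy_set_header Host $host;

        # The three lines from the Synology guide quoted earlier:
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 86400;
    }
}
```

A redirect on the proxy's port 80 only covers requests that reach the proxy; requests sent straight to 192.168.0.10:8123 are answered by Home Assistant itself.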

not sure I understand why you need a second nginx …
I’m using hass on docker, maybe you can try it as well

you don’t need 2 NGINX instances. You only need ONE.

Sorry so the additional changes is to the built in NGINX on the Synology?

The changes need to be made wherever you want to use the proxy.

Think about this.

You have a reverse proxy, that is proxying all requests back to a backend endpoint. You need all the settings to be correct on your entry point which is your proxy, in order for it to pass through the data.

If you try to stick another reverse proxy behind a reverse proxy, you still are not passing the data through to the client correctly.

Yes, any changes you make need to be made on the instance that is actually performing the reverse proxy.

I followed the VI editing on the Synology guide (Link above)

So you are saying that I need to make additional changes in another file on NGINX on the server?
Can you point me in the right direction?

The Synology UI for the proxy is rather limited

If you want to add in this ability to your NGINX instance, yes.

I know nothing about Synology. I have always built my own NAS boxes.

1 Like

For the latest Synology DSM update 6.2 (6.2.1) it's not needed to modify the Portal.mustache file anymore :)

New option in the reverse proxy rules.

9 Likes

I tried to find this menu on my DSM 212j (6.2.2xxx), but I can't find it. Could you please point me in the right direction?

Control Panel --> Application Portal --> Reverse Proxy Then edit rule and choose Custom Header

If you are on 6.2-23739-2 it's too old. Must have 6.2.1-23824. So 6.2-build 2xxx is older than v 6.2.1.

Can download latest here:
https://www.synology.com/en-global/support/download/DS212j#utilities

Don't think 6.2.1 is available for download in all regions yet in the control panel. So download latest version and install manually.

1 Like

In my setup I had to manually add the "proxy_read_timeout 86400;" line to Portal.mustache to get Home Assistant up and running correctly.

Thanks. Running 6.2.1-23824 now with the custom header rules! I haven't added the timeout to get HA running, but we will see what happens :)

After the new update 1 I had connection problems with https connections (even within my LAN). Removing the manually added proxy_read_timeout line (see two posts above) did solve this problem. HA seems to be running perfectly now.

You can't remove the proxy_read_timeout on the Synology but you can adjust the timeout from 60 to 120?

I've edited my original post. The proxy_read_timeout I was referring to was the one in the Portal.mustache file, which I added before the 6.2.1 release.