Reverse Proxy Issue with HA

I was going around and around trying to figure out why HA wasn’t allowing me to log in, returning 405 Method Not Allowed. After looking at the logs further, I was able to confirm that it was the nginx reverse proxy causing the issue with the websocket API.

If anyone has their HA behind an nginx reverse proxy and is having issues logging in, here is the config that worked for me.

# Master process bookkeeping: where the PID file and the error log live.
pid /run/nginx.pid;
error_log /var/log/nginx/error.log;

# Worker processes run as the "nginx" account; "auto" lets nginx pick the worker count.
user nginx;
worker_processes auto;

# Load dynamic modules. See /usr/share/nginx/README.dynamic.
#include /usr/share/nginx/modules/*.conf;

events {
    # Upper bound on simultaneous connections handled by each worker process.
    worker_connections 1024;
}


http {
# Content types: extension-to-MIME map, with a generic binary type as the fallback.
include             /etc/nginx/mime.types;
default_type        application/octet-stream;

# Access log format "main". The referer, user agent and X-Forwarded-For fields are
# copied from request headers, so log consumers should treat them as untrusted data.
log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
              '$status $body_bytes_sent "$http_referer" '
              '"$http_user_agent" "$http_x_forwarded_for"';
access_log  /var/log/nginx/access.log  main;

# Transfer and connection tuning.
sendfile            on;
tcp_nopush          on;
tcp_nodelay         on;
keepalive_timeout   65;
types_hash_max_size 2048;
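# Derive the Connection header sent upstream from the client's Upgrade header:
# "upgrade" when the client asks to switch protocols (WebSocket), "close" when the
# Upgrade header is empty or absent.
map $http_upgrade $connection_upgrade {
    default upgrade;   # was "upgrade:" - entries end with ";", a colon is a syntax error
    ''      close;
}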

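# Let's Encrypt challenge & HTTP => HTTPS
server {
    listen 80;
    server_name sub1.domain.com sub2.domain.com;

    # ACME challenge files are served as static text from the local web root.
    location /.well-known {
        default_type "text/plain";
        alias /usr/share/nginx/html/.well-known;
    }

    # Everything else is redirected to HTTPS.
    # NOTE(review): $host comes from the request; if this is the only port-80 server it
    # also answers unknown Host values and echoes them in the redirect - confirm that
    # is acceptable or add a catch-all default server.
    location / {
        return 301 https://$host$request_uri;
    }

    # These headers apply only to responses from this port-80 server; the HTTPS servers
    # in this file do not set them.
    add_header X-XSS-Protection '1; mode=block';
    add_header X-Frame-Options SAMEORIGIN;
    # Header name corrected: "X-Content-Options" is not a header browsers recognise,
    # the MIME-sniffing control is X-Content-Type-Options.
    add_header X-Content-Type-Options nosniff;
}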

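 # TLS-terminating reverse proxy: sub1.domain.com -> https://192.168.1.123
 server {
     listen       443 ssl;
     server_name  sub1.domain.com;

     # NOTE(review): the certificate file is named sub1_* but the key sub2_*; nginx will
     # not load a key that does not match the certificate, so confirm the pair.
     ssl_certificate     /etc/nginx/certs/sub1_domain_com.crt;
     ssl_certificate_key /etc/nginx/certs/sub2_domain_com.key;
     # "ssl on;" removed: "listen 443 ssl" already enables TLS for this server and the
     # standalone directive is deprecated.
     ssl_session_cache shared:SSL:1m;
     # NOTE(review): no ssl_protocols is set, so the build's defaults apply; consider
     # pinning it to TLSv1.2 and later if older protocol versions are still enabled.
     ssl_ciphers HIGH:!aNULL:!MD5;
     ssl_prefer_server_ciphers on;

     location / {
         # The upstream hop uses TLS, but nginx does not validate the upstream
         # certificate unless proxy_ssl_verify (with proxy_ssl_trusted_certificate)
         # is configured.
         proxy_pass      https://192.168.1.123;
         proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
         proxy_redirect off;
         proxy_buffering off;
         # Pass the original client address and requested host to the backend.
         proxy_set_header    x-real-IP   $remote_addr;
         proxy_set_header    x-forwarded-for $proxy_add_x_forwarded_for;
         proxy_set_header    host        $host;
     }

     error_page 404 /404.html;
     # was "location = /40x.html", which never matched the error_page URI above
     location = /404.html {
     }

     error_page 500 502 503 504 /50x.html;
     location = /50x.html {
     }
 }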

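  # TLS-terminating reverse proxy for Home Assistant (https://192.168.1.172:8123),
  # including WebSocket pass-through for the HA websocket API.
  server {
      listen       443 ssl;
      # NOTE(review): spelled "assiatant" - confirm this matches the DNS name and the
      # certificate, otherwise requests fall through to another server block.
      server_name  home-assiatant.domain.com;

      # NOTE(review): the key file name ("sub2_domain_.com.key") differs in form from
      # the certificate name; confirm the path exists and the pair matches.
      ssl_certificate         /etc/nginx/certs/home-assistant/new/sub2_domain_com.crt;
      ssl_certificate_key     /etc/nginx/certs/home-assistant/new/sub2_domain_.com.key;
      # "ssl on;" removed: "listen 443 ssl" already enables TLS for this server and the
      # standalone directive is deprecated.
      ssl_session_cache shared:SSL:1m;
      # NOTE(review): no ssl_protocols is set, so the build's defaults apply; consider
      # pinning it to TLSv1.2 and later if older protocol versions are still enabled.
      ssl_ciphers HIGH:!aNULL:!MD5;
      ssl_prefer_server_ciphers on;

      location / {
          # The upstream hop uses TLS, but nginx does not validate the upstream
          # certificate unless proxy_ssl_verify (with proxy_ssl_trusted_certificate)
          # is configured.
          proxy_pass          https://192.168.1.172:8123;
          proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
          proxy_redirect off;
          proxy_buffering off;

          # Client identity for the backend. Home Assistant only honours
          # X-Forwarded-For when use_x_forwarded_for is enabled and this proxy is
          # listed in trusted_proxies in its http configuration.
          proxy_set_header    x-real-IP       $remote_addr;
          proxy_set_header    x-forwarded-for $proxy_add_x_forwarded_for;
          proxy_set_header    host            $host;

          # WebSocket support. Added proxy_http_version: the Upgrade handshake needs
          # HTTP/1.1 towards the upstream, and older nginx defaults to 1.0.
          proxy_http_version 1.1;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection $connection_upgrade;
      }

      error_page 404 /404.html;
      # was "location = /40x.html", which never matched the error_page URI above
      location = /404.html {
      }

      error_page 500 502 503 504 /50x.html;
      location = /50x.html {
      }
  }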
    }

I hope this helps for anyone having the same issue I did.


Hey @jeff I am having the same issue but only when I tried to set up google assistant (in order to use google home for voice control).

My current config looks like this right now:

# Plain-HTTP front end that forwards everything to Home Assistant on the same host.
# NOTE(review): this listener has no TLS. That is only acceptable if whatever sits in
# front of it (the post mentions dataplicity) terminates HTTPS and port 80 is not
# reachable directly from untrusted networks - confirm.
server {
    server_name yourapp.com; # or server_name subdomain.yourapp.com;
    listen 80;

    location / {
        # WebSocket support: HTTP/1.1 towards the upstream plus the upgrade headers.
        proxy_http_version 1.1;
        proxy_set_header Connection "upgrade";
        proxy_set_header Upgrade $http_upgrade;

        # Tell the backend who the original client was and which host was requested.
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;

        proxy_redirect off;
        proxy_pass http://localhost:8123;
    }
}

Since I am using dataplicity, which already provides SSL, I assume I do not need to set up any encryption myself, and therefore do not need an SSL certificate, correct?

Has anyone managed to get this to work using Traefik?
My config is as follows:

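# Traefik static configuration (the [web] and entry-point redirect syntax looks like
# Traefik 1.x - confirm against the deployed version).
debug = false
checkNewVersion = true
# NOTE(review): DEBUG logging is verbose and may record request details; return to a
# quieter level once the websocket problem is diagnosed.
logLevel = "DEBUG"
# Only entry points defined under [entryPoints] belong here. "ws" and "wss" were
# removed: they are not defined below, and WebSocket upgrades travel over the ordinary
# http/https entry points.
defaultEntryPoints = ["https","http"]

[entryPoints]
  # Port 80 exists only to redirect to the https entry point.
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  # Port 443 with TLS enabled; no certificates are listed in this excerpt.
  [entryPoints.https]
  address = ":443"
  [entryPoints.https.tls]

# Empty section: enables request retries with default settings.
[retry]

# NOTE(review): this serves the Traefik API/dashboard on port 8080 on all interfaces
# and no authentication is configured in this file; keep the port unpublished or
# protect it before exposing the host.
[web]
address = ":8080"

# Docker provider. Access to the Docker socket amounts to control of the Docker
# daemon, so limit who can reach this container. Containers are not exposed unless
# they opt in (exposedbydefault = false).
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "<domain>"
watch = true
exposedbydefault = false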

I can’t log in to HA because that uses websockets.


Hey danny,

Did you ever figure out a solution for using Traefik? Just ran into the same issue.

I did figure it out, do not remember what fixed it though. Luckily I wrote a blog post about it. Hope it helps.

I did a bit more digging and I think my specific issue is actually this one:
https://github.com/containous/traefik/issues/2714

So hopefully it’ll be addressed in the next release of Traefik. Thanks anyway!
