Huh, wonder if this is the issue:
Disregard. Ended up being a Cloudflare setting issue (set SSL/TLS encryption mode to Full).
Thanks for the help!
Hey. I saw you said that you can set up a Minecraft server and also connect it to NGINX. I want to try that, but I researched a little bit and I found this thread: https://www.reddit.com/r/homelab/comments/fi88cl/docker_nginx_reverse_proxy_minecraft_server/?utm_medium=android_app&utm_source=share
Am I understanding something wrong, and how can you do it?
Thanks
Yeah, it’s relatively new. You use a stream module to forward the udp to the server of choice.
https://www.youtube.com/watch?v=QRH1egGAlfc
If you’re using bedrock, you want to add ‘udp’ to the listen directive. Java uses TCP, so you don’t need to add anything.
You still have to port forward this listen port. Sadly I never figured out how to do it with http so I could do “mywebsite.duckdns.org/minecraft”. But I should play with it more to figure it out.
Hi,
I have the exact same setup, and the exact same problem.
I’m running 2 webservers (weewx and hass) on different ports of the Raspberry Pi, and I have nginx running on a “proxy”-like other Raspberry.
I have generated certificates as outlined by a blog post from nginx, for both hass and weewx. This has the additional benefit that it also alters the .conf file accordingly, and it worked flawlessly for my weewx web server.
However, for hass (which is running in a docker container), I get to the login screen (followed by my 2FA screen), and after having successfully logged in, I get the “Unable to connect to Home Assistant.” screen. I see nothing appearing in the logs. I however see that “tokens are generated for https://marvin.[redacted].be/”, so the login was successful.
This is my configuration.yaml:
```yaml
http:
  base_url: marvin.[redacted].be
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.86.35
```
This section might be related:
```yaml
homeassistant:
  customize: !include customize.yaml
  packages: !include_dir_named packages
  internal_url: "http://[my_external_ip_adress]:8123"
  external_url: "https://marvin.[redacted].be"
```
I suspect that hass is trying to “recheck” the certificate, but fails to do so. I tried adding the following to my configuration:
```yaml
http:
  ssl_certificate: fullchain.pem
  ssl_key: privkey.pem
```
with the fullchain and privkey copied from my nginx server to the root directory of hass. But although this passed the “check configuration”, hass refused to start up (not even the “safe boot” mode).
I’m basically out of ideas now…
Thank you in advance!
Erwin
Edit: typo
Hi,
Maybe not related: I have read somewhere that the proxy pass in the proxy config files should be set without a “/” at the end of the local IP address of the Home Assistant service.
I guess that you followed the tutorial for the proxy files “$upgrade” and so on. If not, let’s try it.
I continue my blind comments: I did not install certbot the same way as you. Yours seems simple but I can’t say whether it is a valid one or not. Here is my how-to:
Independant Nginx server under Proxmox for Home Assistant and every other service with OVH subdomains - Community Guides - Home Assistant Community (home-assistant.io)
Hi,
Thanks for your ideas!
The solution could be found in another topic.
For future reference, this is how I got it working:
nginx .conf file:
```nginx
server {
    server_name marvin.[redacted].be;

    location / {
        proxy_pass http://192.168.86.165:8123; # IP of the machine running the HA container
        proxy_set_header Upgrade $http_upgrade; # Also needed without SSL (i.e. when using proxy)
        proxy_set_header Connection "upgrade"; # Also needed without SSL (i.e. when using proxy)
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/marvin.[redacted].be/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/marvin.[redacted].be/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = marvin.[redacted].be) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name marvin.[redacted].be;
    return 404; # managed by Certbot
}
```
Configuration.yaml:
```yaml
# Uncomment this if you are using SSL/TLS, running in Docker container, etc.
# http:
#   base_url: marvin.[redacted].be
homeassistant:
  internal_url: "http://192.168.86.165:8123"
  external_url: "http://marvin.[redacted].be"
```
As the external url still refers to http (instead of https), I don’t think this actually plays any role.
Hopefully this can save somebody some time in the future.
Kind regards,
Erwin
Edit: further clarification
The second server section of your .conf file redirects all http traffic to https.
Glad to hear it works now for you too.
Here is my nginx config file just in case other people get other troubles:
```nginx
server {
    listen 443 ssl;
    server_name [my subdomain];
    include /etc/nginx/conf.d/ssl.inc;

    location / {
        proxy_pass http://[my local IP]:8123;
        proxy_set_header Host $host;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /api/websocket {
        proxy_pass http://[my local IP]:8123/api/websocket;
        proxy_set_header Host $host;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```
As you can see, I have several additional lines. It has been months since I set it up (once again I’ve done it before this forum topic), but I believe several of them were needed to make my config work.
PS: I manage the ssl in a separate file so that no need to copy it in every service config file.
There is something I found today and I was shocked.
iPhone cannot access Home Assistant via nginx if the more secure TLS 1.3 is used. You’ll say it’s OK, but a cheap Android phone works.
```nginx
ssl_protocols TLSv1.3;
ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
```
So use default settings:
```nginx
ssl_protocols TLSv1.2;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
```
Can this be used with duckdns and let’s encrypt by themselves to host multiple internal servers? I’ve been googling for the last couple days and I’ve found quite a few resources. I don’t know much about the nuts and bolts of DNS but it seems every “how-to” I find talks about using this with your own personal domain name (and say something about CNAME records).
I don’t have my own personal domain name nor know what CNAME records are but I’d really like to use my duckdns domain with added subdomains like: hassio.something.duckdns.org and plex.something.duckdns.org. Is it possible with your configuration file? If not, do you know of an example that shows this?
Thanks,
-Greg
Sorry I might not have understood your question because I said no words about DNS indeed.
Should it be “Can you use reverse proxy by nginx with duckdns subdomain name of yours”, I would say yes no matter. You just say with nginx: “if you read such an address, then go to such local IP”.
Should it be “Can you have such wildcard certificate by Let’s Encrypt as mine without your own domain”, I have not googled or tested that.
Hello! Could anyone help me fix the following error? I have Nginx installed on a VPS. My Raspberry Pi is connected to this VPS via Wireguard. I set up a reverse proxy to get access to my HA installation. Here is my config:
```nginx
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name homeassistant.myserver.com www.homeassistant.myserver.com;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    # add_header 'Cache-Control' 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:DHE+AESGCM:DHE:!RSA!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!CAMELLIA:!SEED";
    ssl_session_tickets off;
    ssl on;
    ssl_certificate /etc/ssl/cert.pem;
    ssl_certificate_key /etc/ssl/key.key;
    proxy_buffering off;

    location / {
        proxy_pass http://10.66.66.2:8123;
        proxy_set_header Host $host;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }

    location /api/websocket {
        proxy_pass http://10.66.66.2:8123/api/websocket;
        proxy_set_header Host $host;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```
The problem is that HACS doesn’t work through the Nginx proxy. I’m getting an error, as in the screenshot, and HACS resources don’t load, with error 404. Everything else seems to work OK. I also have Nextcloud installed on the RPi, and it works perfectly via the proxy. The problem is only with the HACS addon. Here is the same question, but no answer. Please help me, I’ve been struggling with that for 4 days and nothing…
Hello. I followed this guide and managed to connect Home Assistant with the reverse proxy on HTTP. Is it possible to connect it with HTTPS? Because SmartThings does not work without having an HTTPS connection to the reverse proxy.
## Aborted
Home Assistant is not configured correctly to receive updates from SmartThings. The webhook URL is invalid:
> http://192.168.1.100:8123/api/webhook/3fa0995ead8c548dbb53d908c14429f2e1593c03a3eccc46681b2dcddd0a6735
Please update your configuration per the [instructions](https://www.home-assistant.io/integrations/smartthings/), restart Home Assistant, and try again.
CLOSE
Hi @all,
I just can’t get any further and I need your help.
I use “nginx proxy manager” as a virtual machine and enter the host of my Home Assistant instance there with an SSL certificate.
Unfortunately, when I log in, I get the error message “Unable to connect to Home Assistant.” and I don’t know what exactly has to be entered in the NGINX PROXY MANAGER in order for it to work.
Can someone tell me step by step what I have to enter and where? Thank you very much
Hello,
I am using NGINX in an LXC (Proxmox). The access is https, and I can access different sub-domains of my domain (xxx.xxx.duckdns.org).
My HA is installed in a VM (Proxmox) and I can access it via web browser, using https://homeassistant.xxxxxxx.duckdns.org, but when I try to access it using the Android app, I get an error: "Unable to communicate with Home Assistant because of SSL error. Please ensure your certificate is valid.". The SSL certificate is new (OpenSSL) and is a self-signed certificate.
My configuration nginx file is:
```nginx
upstream proxmox {
    server xxx.xxx.xxxxxx:8006;
}

#Block all unknown HTTP requests
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 444;
}

#Block all unknown HTTPS requests
server {
    listen 443 default_server ssl;
    ssl on;
    ssl_certificate /etc/nginx/ssl/xxxxxx.crt;
    ssl_certificate_key /etc/nginx/ssl/xxxxxx.key;
    return 444;
}

# Redirect to HA-Server
server {
    listen 443;
    server_name https://homeassistant.xxxxxxx.duckdns.org;
    ssl on;
    ssl_certificate /etc/nginx/ssl/xxxxxx.crt;
    ssl_certificate_key /etc/nginx/ssl/xxxxxx.key;
    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_pass http://xxx.xxx.xxx.xxx:8123;
    }

    location /api/websocket {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_pass http://xxx.xxx.xxx.xxx:8123/api/websocket;
    }
}
```
Any suggestions?
Thanks
OK, I found my solution.
I installed new SSL certificates from Let’s Encrypt.
Thanks
Do I need to do anything special to get naba cloud working with nginx? It used to work but broke a release or 2 ago. Any help appreciated.
This is my nginx configuration.
Ubuntu 20.04 Host
HA on kvm vm (hassio)
```nginx
server {
    # SSL configuration
    listen 10.10.5.15:31566 ssl http2;
    server_name my.domain.net;
    include snippets/ssl-my.domain.net.conf;
    include snippets/ssl-params.conf;
    access_log /var/log/nginx/access-my.domain.net.log;
    error_log /var/log/nginx/error-my.domain.net.log;

    location / {
        ### force timeouts if one of the backends has died ##
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_set_header Accept-Encoding "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        add_header Front-End-Https on;
        add_header Strict-Transport-Security "max-age=15552000";
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_pass http://192.168.110.178:8123;
        proxy_redirect off;
    }

    location /api/websocket {
        proxy_pass http://192.168.110.178:8123/api/websocket;
        proxy_set_header Accept-Encoding "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        add_header Front-End-Https on;
        add_header Strict-Transport-Security "max-age=15552000";
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_redirect off;
    }
}
```
Did you add the IP of your reverse proxy to the trusted proxies? E.g.
```yaml
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.0.5
```
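
What a `trusted_proxies` list protects against, as an added example that is not part of the thread and is not Home Assistant's own code: a sketch of how a backend can choose the client address from `X-Forwarded-For` only when the connection comes from a listed proxy. It assumes the proxy appends the address it saw to the header (as `$proxy_add_x_forwarded_for` does in one of the configs above); the function name and all sample addresses are constructed.

```python
import ipaddress


def resolve_client_ip(peer_ip, x_forwarded_for, trusted_proxies):
    """Pick the address a backend should treat as the real client.

    peer_ip          -- source address of the TCP connection to the backend
    x_forwarded_for  -- raw X-Forwarded-For header value, or None
    trusted_proxies  -- IPs or CIDR ranges, like the trusted_proxies list
    """
    trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def is_trusted(ip):
        return any(ip in net for net in trusted)

    peer = ipaddress.ip_address(peer_ip)
    # A header sent by an unlisted peer is client-controlled: ignore it.
    if not x_forwarded_for or not is_trusted(peer):
        return str(peer)

    # Walk right to left. Each proxy appends the address it saw, so the
    # rightmost entries were written by our own proxies and anything to
    # the left of the first untrusted hop may have been forged.
    hops = [h.strip() for h in x_forwarded_for.split(",")]
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # malformed header: fall back to the peer
        if not is_trusted(ip):
            return str(ip)
    return str(peer)  # every hop was one of our proxies


if __name__ == "__main__":
    proxies = ["192.168.0.5"]  # constructed, mirrors the YAML above
    # Normal request relayed by the listed proxy.
    print(resolve_client_ip("192.168.0.5", "203.0.113.7", proxies))
    # Client sent its own X-Forwarded-For; the proxy appended the real one.
    print(resolve_client_ip("192.168.0.5", "1.2.3.4, 203.0.113.7", proxies))
    # Direct connection that bypasses the proxy and forges the header.
    print(resolve_client_ip("198.51.100.9", "10.0.0.1", proxies))
```
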