Reverse proxy using NGINX

Disregard. Ended up being a Cloudflare setting issue (set SSL/TLS encryption mode to Full).

Thanks for the help!


Hey. I saw you said that you can set up a Minecraft server and connect it also to NGINX. I want to try that, but I researched a little bit and I found this thread: https://www.reddit.com/r/homelab/comments/fi88cl/docker_nginx_reverse_proxy_minecraft_server/?utm_medium=android_app&utm_source=share
Am I understanding something wrong, and how can you do it?
Thanks

Yeah, it’s relatively new. You use a stream module to forward the udp to the server of choice.

https://www.youtube.com/watch?v=QRH1egGAlfc

If you’re using bedrock, you want to add ‘udp’ to the listen directive. Java uses TCP, so you don’t need to add anything.

You still have to port forward this listen port. Sadly I never figured out how to do it with http so I could do “mywebsite.duckdns.org/minecraft”. But I should play with it more to figure it out.

Hi,

I have the exact same setup, and the exact same problem.

I’m running 2 webservers (weewx and hass) on different ports of the Raspberry Pi, and I have nginx running on a “proxy”-like other Raspberry.

I have generated certificates as outlined by a blog post from nginx, for both hass and weewx. This has the additional benefit that it also alters the .conf file accordingly, and it worked flawlessly for my weewx web server.

However, for hass (which is running in a docker container), I get to the login screen (followed by my 2FA screen), and after having successfully logged in, I get the “Unable to connect to Home Assistant.” screen. I see nothing appearing in the logs. I however see that “tokens are generated for https://marvin.[redacted].be/”, so the login was successful.

This is my configuration.yaml:

http:
  base_url: marvin.[redacted].be
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.86.35

This section might be related:

homeassistant:
  customize: !include customize.yaml
  packages: !include_dir_named packages
  internal_url: "http://[my_external_ip_adress]:8123"
  external_url: "https://marvin.[redacted].be"

I suspect that hass is trying to “recheck” the certificate, but fails to do so. I tried adding the following to my configuration:

http:
  ssl_certificate: fullchain.pem
  ssl_key: privkey.pem

with the fullchain and privkey copied from my nginx server to the root directory of hass. But although this passed the “check configuration”, hass refused to start up (not even the “safe boot” mode).

I’m basically out of ideas now…

Thank you in advance!
Erwin

Edit: typo

Hi,

Maybe not related: I have read somewhere that the proxy_pass in the proxy config files should be set without a “/” at the end of the local IP address of the Home Assistant service.

I guess that you followed the tutorial for the proxy files “$upgrade” and so on. If not, let’s try it.

I continue my blind comments: I did not install certbot the same way as you. Yours seems simple but I can’t say whether it is a valid one or not. Here is my how-to:
Independant Nginx server under Proxmox for Home Assistant and every other service with OVH subdomains - Community Guides - Home Assistant Community (home-assistant.io)

Hi,
Thanks for your ideas!

The solution could be found in another topic.

For future reference, this is how I got it working:

nginx .conf file:

server {
    server_name marvin.[redacted].be;

    location / {
        proxy_pass http://192.168.86.165:8123;      # IP of the machine running the HA container
        proxy_set_header Upgrade $http_upgrade;     # Also needed without SSL (i.e. when using proxy)
        proxy_set_header Connection "upgrade";      # Also needed without SSL (i.e. when using proxy)
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/marvin.[redacted].be/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/marvin.[redacted].be/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = marvin.[redacted].be) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name marvin.[redacted].be;
    return 404; # managed by Certbot
}

Configuration.yaml:

# Uncomment this if you are using SSL/TLS, running in Docker container, etc.
# http:
#   base_url: marvin.[redacted].be

homeassistant:
  internal_url: "http://192.168.86.165:8123"
  external_url: "http://marvin.[redacted].be"

As the external url still refers to http (instead of https), I don’t think this actually plays any role.

Hopefully this can save somebody some time in the future 🙂

Kind regards,
Erwin

Edit: further clarification


The second server section of your .conf file redirects all http traffic to https.

Glad to hear it works now for you too.

Here is my nginx config file just in case other people get other troubles:

server {
  listen        443 ssl;
  server_name   [my subdomain];

  include       /etc/nginx/conf.d/ssl.inc;

  location / {
    proxy_pass http://[my local IP]:8123;
    proxy_set_header Host $host;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
  }

  location /api/websocket {
    proxy_pass http://[my local IP]:8123/api/websocket;
    proxy_set_header Host $host;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
  }
}

As you can see, I have several additional lines. It has been months since I set it up (once again, I’ve done it before this forum topic), but I believe several of them were needed to make my config work.

PS: I manage the ssl in a separate file so that there is no need to copy it into every service config file.


There is something I found today and I was shocked.

iPhone cannot access Home Assistant via nginx if the more secure TLS 1.3 is used. You’ll say it’s ok, but a cheap Android phone works.

     ssl_protocols TLSv1.3;
     ssl_ciphers EECDH+AESGCM:EDH+AESGCM;

So use the default settings:

     ssl_protocols TLSv1.2;
     ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

Can this be used with duckdns and let’s encrypt by themselves to host multiple internal servers? I’ve been googling for the last couple days and I’ve found quite a few resources. I don’t know much about the nuts and bolts of DNS but it seems every “how-to” I find talks about using this with your own personal domain name (and say something about CNAME records).

I don’t have my own personal domain name nor know what CNAME records are but I’d really like to use my duckdns domain with added subdomains like: hassio.something.duckdns.org and plex.something.duckdns.org. Is it possible with your configuration file? If not, do you know of an example that shows this?

Thanks,
-Greg

Sorry, I might not have understood your question because I said no words about DNS indeed.

Should it be “Can you use a reverse proxy by nginx with a duckdns subdomain name of yours”, I would say yes, no matter what. You just say with nginx: “if you read such an address, then go to such local IP”.

Should it be “Can you have such a wildcard certificate by Let’s Encrypt as mine with no own domain of yours”, I have not googled or tested that.

Hello! Could anyone help me fix the following error? I have Nginx installed on a VPS. My Raspberry Pi is connected to this VPS via Wireguard. I set up a reverse proxy to get access to my HA installation. Here is my config:

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name homeassistant.myserver.com www.homeassistant.myserver.com;

    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    # add_header 'Cache-Control' 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:DHE+AESGCM:DHE:!RSA!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!CAMELLIA:!SEED";
    ssl_session_tickets off;

    ssl    on;
    ssl_certificate    /etc/ssl/cert.pem;
    ssl_certificate_key    /etc/ssl/key.key;

    proxy_buffering off;

    location / {
        proxy_pass http://10.66.66.2:8123;
        proxy_set_header Host $host;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }

    location /api/websocket {
        proxy_pass http://10.66.66.2:8123/api/websocket;
        proxy_set_header Host $host;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

The problem is that HACS doesn’t work through the Nginx proxy. I’m getting an error, as in the screenshot, and HACS resources don’t load with error 404. Everything else seems to work ok. I also have Nextcloud installed on the RPi, it works perfectly via the proxy. The problem is only with the HACS addon. Here is the same question, but no answer. Please help me, I’ve been struggling for 4 days with that and nothing…


Hello. I followed this guide and managed to connect Home Assistant with the reverse proxy on HTTP. Is it possible to connect it with HTTPS? Because Smartthings does not work without having HTTPS connection to the reverse proxy.

## Aborted

Home Assistant is not configured correctly to receive updates from SmartThings. The webhook URL is invalid:

> http://192.168.1.100:8123/api/webhook/3fa0995ead8c548dbb53d908c14429f2e1593c03a3eccc46681b2dcddd0a6735

Please update your configuration per the [instructions](https://www.home-assistant.io/integrations/smartthings/), restart Home Assistant, and try again.


Hi @all,

I just can’t get any further and I need your help.

I use “nginx proxy manager” as a virtual machine and enter the host of my Home Assistant instance there with an SSL certificate.

Unfortunately, when I log in, I get the error message “Unable to connect to Home Assistant.” and I don’t know what exactly has to be entered in NGINX PROXY MANAGER in order for it to work.

Can someone tell me step by step what I have to enter and where? Thank you very much

Hello,

I am using NGINX in an LXC (Proxmox). The access is https, and I can access different sub-domains of my domain (xxx.xxx.duckdns.org).

My HA is installed in a VM (Proxmox) and I can access it via web browser, using https://homeassistant.xxxxxxx.duckdns.org, but when I try to access it using the Android app, I get an error: "Unable to communicate with Home Assistant because of SSL error. Please ensure your certificate is valid." The SSL certificate is new (OpenSSL) and is a self-signed certificate.

My configuration nginx file is:

upstream proxmox {
    server xxx.xxx.xxxxxx:8006;
}

# Block all unknown HTTP requests
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 444;
}

# Block all unknown HTTPS requests
server {
    listen 443 ssl default_server;   # the ssl listen parameter replaces the deprecated "ssl on;"
    ssl_certificate /etc/nginx/ssl/xxxxxx.crt;
    ssl_certificate_key /etc/nginx/ssl/xxxxxx.key;
    return 444;
}

# Redirect to HA-Server
server {
    listen 443 ssl;
    server_name homeassistant.xxxxxxx.duckdns.org;   # host name only, no "https://" scheme
    ssl_certificate /etc/nginx/ssl/xxxxxx.crt;       # self-signed at the time of this post
    ssl_certificate_key /etc/nginx/ssl/xxxxxx.key;
    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_pass http://xxx.xxx.xxx.xxx:8123;      # trailing semicolon was missing
    }

    location /api/websocket {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_pass http://xxx.xxx.xxx.xxx:8123/api/websocket;
    }
}

Any suggestion?

Thanks

Ok, I found my solution.

I installed new SSL certificates from Let’s Encrypt.

Thanks

Do I need to do anything special to get Nabu cloud working with nginx? It used to work but broke a release or 2 ago. Any help appreciated.

This is my nginx configuration.
Ubuntu 20.04 Host
HA on kvm vm (hassio)

server {

    # SSL configuration

    listen 10.10.5.15:31566 ssl http2;
    server_name my.domain.net;
    include snippets/ssl-my.domain.net.conf;   # path had a stray space before the slash
    include snippets/ssl-params.conf;
    access_log /var/log/nginx/access-my.domain.net.log;
    error_log /var/log/nginx/error-my.domain.net.log;

    location / {
        ### fail over to the next upstream if a backend has died ##
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_set_header Accept-Encoding "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        add_header Front-End-Https on;
        add_header Strict-Transport-Security "max-age=15552000";
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_pass http://192.168.110.178:8123;
        proxy_redirect off;
    }

    location /api/websocket {
        proxy_pass http://192.168.110.178:8123/api/websocket;
        proxy_set_header Accept-Encoding "";
        proxy_set_header Host $host;   # was set twice; one copy is enough
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        add_header Front-End-Https on;
        add_header Strict-Transport-Security "max-age=15552000";

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_redirect off;
    }
}

Did you add the IP of your reverse proxy to the trusted proxies? E.g.

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.0.5

Hi Guys.
I have a question. What do I need to change in my config when my Proxy Server is in a different network than my Home Assistant?

Here is my HA config:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.18.0.2

and here is my proxy conf:

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name ha.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /ldaplogin;

        # enable for Authelia
        #include /config/nginx/authelia-location.conf;

        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app 192.168.160.9;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }

    location /api {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app 192.168.160.9;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }

    location /local {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app 192.168.160.9;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}

In the past, when trusted_proxies weren’t needed in HA, this configuration worked, but now I get:

# 504 Gateway Time-out

Both the Proxy Server and Home Assistant are in docker containers but in different networks (the Proxy Server is in the proxynet network 172.18.0.0/16 and HA is in the vlan network 192.168.160.0/24).
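As an added example (not Home Assistant's or nginx's own code), here is the check that the trusted_proxies setting in this post and the one before it controls: with use_x_forwarded_for on, X-Forwarded-For is only honoured when the socket peer Home Assistant actually sees is in trusted_proxies, and a request carrying the header from any other peer is refused. The right-to-left walk over multi-hop headers is the conventional rule, assumed here rather than copied from Home Assistant; the peer address 192.168.160.1 in the usage comment is constructed to stand for what HA might see when the proxy lives in a different Docker network.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the decision, not Home Assistant's own code. The peer
# address is the TCP source HA sees, and that is what trusted_proxies is matched
# against, not the address the proxy has on some other network.


def parse_trusted_proxies(entries):
    """Accept single IPs or CIDR networks, as listed under trusted_proxies."""
    return [ip_network(entry, strict=False) for entry in entries]


def is_trusted(ip, trusted):
    return any(ip in net for net in trusted)


def resolve_client_ip(peer_ip, x_forwarded_for, trusted):
    """Return (client_ip, error); exactly one of the two is None.

    peer_ip:         address of the socket peer as seen by HA
    x_forwarded_for: raw header value, or None if the header is absent
    trusted:         result of parse_trusted_proxies()
    """
    peer = ip_address(peer_ip)
    if x_forwarded_for is None:
        # No proxy involved (or the proxy did not set the header): peer is the client.
        return str(peer), None
    if not is_trusted(peer, trusted):
        # Honouring the header here would let any client pick the IP that HA
        # logs, rate-limits and ip_bans on, so the request is refused. A proxy
        # in another Docker network (e.g. seen as 192.168.160.1, constructed)
        # ends up here too, even though 172.18.0.2 is listed.
        return None, f"X-Forwarded-For received from untrusted peer {peer}"
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    try:
        addrs = [ip_address(h) for h in hops]
    except ValueError:
        return None, "malformed X-Forwarded-For header"
    if not addrs:
        return None, "empty X-Forwarded-For header"
    # Conventional right-to-left walk: strip every trusted proxy hop; the first
    # untrusted address is the real client. If every hop is trusted, the
    # leftmost one is the best available answer.
    for addr in reversed(addrs):
        if not is_trusted(addr, trusted):
            return str(addr), None
    return str(addrs[0]), None
```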