Reverse proxy using NGINX

The second server section of your .conf file redirects all http traffic to https.

Glad to hear it works now for you too.

Here is my nginx config file, just in case other people run into other troubles:

server {
  listen        443 ssl;
  server_name   [my subdomain];

  include       /etc/nginx/conf.d/ssl.inc;

  location / {
    proxy_pass http://[my local IP]:8123;
    proxy_set_header Host $host;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
  }

  location /api/websocket {
    proxy_pass http://[my local IP]:8123/api/websocket;
    proxy_set_header Host $host;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
  }
}

As you can see, I have several additional lines. It has been months since I set it up (once again, I did it before this forum topic), but I believe several of them were needed to make my config work.

PS: I manage the SSL settings in a separate file so there is no need to copy them into every service config file.

4 Likes

There is something I found today, and I was shocked.

iPhone cannot access Home Assistant via nginx if the more secure TLS 1.3 is used. You'll say it's OK, but a cheap Android phone works.

     ssl_protocols TLSv1.3;
     ssl_ciphers EECDH+AESGCM:EDH+AESGCM;

So use the default settings:

     ssl_protocols TLSv1.2;
     ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
1 Like
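The post above reports that an nginx vhost restricted to TLSv1.3 with a two-entry ssl_ciphers string locked one client out while another still connected. The following is an added example, not code from that post or from nginx: it feeds the same two directive values to OpenSSL through Python's ssl module (nginx hands both strings to OpenSSL unchanged, which is the one assumption here) and reports which kind of client can still complete a handshake. It also shows the caveat a practitioner wants: ssl_ciphers only governs the pre-1.3 suites; the TLS 1.3 suites live on a separate OpenSSL list that this directive never touches, so a client that only speaks TLS 1.2 is the one that loses out when TLSv1.2 is dropped from ssl_protocols.

```python
import ssl

HAS_TLS13 = ssl.HAS_TLSv1_3

# nginx ssl_protocols tokens -> OpenSSL protocol versions (assumption: only these four occur here)
_VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def server_context(ssl_protocols, ssl_ciphers):
    """Build an OpenSSL server context from the two nginx directive values.

    nginx passes both strings through to OpenSSL (SSL_CTX_set_cipher_list for
    ssl_ciphers, protocol version bounds for ssl_protocols), so this context
    offers what an nginx server with those two lines would offer.
    """
    allowed = [_VERSIONS[tok] for tok in ssl_protocols.split()]
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = min(allowed)
    ctx.maximum_version = max(allowed)
    ctx.set_ciphers(ssl_ciphers)  # raises ssl.SSLError if the string selects no cipher at all
    return ctx


def handshake_outcome(ssl_protocols, ssl_ciphers):
    """Which clients can complete a handshake against this server configuration?

    A client that only speaks TLS 1.2 needs the server to allow TLS 1.2 *and* to
    offer at least one pre-1.3 suite from ssl_ciphers.  A TLS 1.3 client is not
    affected by ssl_ciphers: OpenSSL keeps the TLS 1.3 suites
    (TLS_AES_256_GCM_SHA384, ...) on a separate list that this directive never touches.
    """
    ctx = server_context(ssl_protocols, ssl_ciphers)
    offered = ctx.get_ciphers()
    tls12_suites = [c["name"] for c in offered if c["protocol"] != "TLSv1.3"]
    tls13_suites = [c["name"] for c in offered if c["protocol"] == "TLSv1.3"]
    lo, hi = ctx.minimum_version, ctx.maximum_version
    return {
        "tls12_only_client": lo <= ssl.TLSVersion.TLSv1_2 <= hi and bool(tls12_suites),
        "tls13_client": HAS_TLS13 and hi >= ssl.TLSVersion.TLSv1_3 and bool(tls13_suites),
        "tls12_suites": tls12_suites,
        "tls13_suites": tls13_suites,
    }


if __name__ == "__main__":
    # The three directive pairs discussed in the thread.
    for protocols, ciphers in [
        ("TLSv1.3", "EECDH+AESGCM:EDH+AESGCM"),
        ("TLSv1.2", "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"),
        ("TLSv1.2 TLSv1.3", "EECDH+AESGCM:EDH+AESGCM"),
    ]:
        r = handshake_outcome(protocols, ciphers)
        print(f"ssl_protocols {protocols}: TLS1.2-only client ok={r['tls12_only_client']}, "
              f"TLS1.3 client ok={r['tls13_client']}, {len(r['tls12_suites'])} pre-1.3 suites offered")
```

Keeping TLSv1.2 in ssl_protocols costs nothing with a GCM-only cipher string: the TLS 1.3 suites stay available to clients that support them, and the modern TLS 1.2 suites remain for the rest. To restrict the TLS 1.3 suites themselves nginx needs ssl_conf_command Ciphersuites, not ssl_ciphers.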

Can this be used with duckdns and let’s encrypt by themselves to host multiple internal servers? I’ve been googling for the last couple days and I’ve found quite a few resources. I don’t know much about the nuts and bolts of DNS but it seems every “how-to” I find talks about using this with your own personal domain name (and say something about CNAME records).

I don’t have my own personal domain name nor know what CNAME records are but I’d really like to use my duckdns domain with added subdomains like: hassio.something.duckdns.org and plex.something.duckdns.org. Is it possible with your configuration file? If not, do you know of an example that shows this?

Thanks,
-Greg

Sorry, I might not have understood your question, because I indeed said nothing about DNS.

If it is "Can you use a reverse proxy with nginx with a duckdns subdomain name of yours", I would say yes, no matter what. You just tell nginx: "if you read such an address, then go to such a local IP".

If it is "Can you have such a wildcard certificate from Let's Encrypt like mine without your own domain", I have not googled or tested that.

Hello! Could anyone help me fix the following error? I have Nginx installed on a VPS. My Raspberry Pi is connected to this VPS via WireGuard. I set up a reverse proxy to get access to my HA installation. Here is my config:

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name homeassistant.myserver.com www.homeassistant.myserver.com;

    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    # add_header 'Cache-Control' 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';

    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); TLSv1.2 (and TLSv1.3) is enough for current clients
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:DHE+AESGCM:DHE:!RSA!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!CAMELLIA:!SEED";
    ssl_session_tickets off;

    # 'ssl on;' (removed from here) is deprecated since nginx 1.15.0 and was removed in 1.25.1;
    # the 'ssl' parameter on the listen lines above already enables TLS for this server block
    ssl_certificate    /etc/ssl/cert.pem;
    ssl_certificate_key    /etc/ssl/key.key;

    proxy_buffering off;

    location / {
        proxy_pass http://10.66.66.2:8123;
        proxy_set_header Host $host;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }

     location /api/websocket {
        proxy_pass http://10.66.66.2:8123/api/websocket;
        proxy_set_header Host $host;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
     }
}

The problem is that HACS doesn't work through the Nginx proxy. I'm getting an error, as in the screenshot, and HACS resources don't load, with error 404. Everything else seems to work OK. I also have Nextcloud installed on the RPi; it works perfectly via the proxy. The problem is only with the HACS addon. Here is the same question, but no answer. Please help me, I've been struggling with this for 4 days and nothing…

1 Like

Hello. I followed this guide and managed to connect Home Assistant with the reverse proxy over HTTP. Is it possible to connect it with HTTPS? Because SmartThings does not work without an HTTPS connection to the reverse proxy.

## Aborted

Home Assistant is not configured correctly to receive updates from SmartThings. The webhook URL is invalid:

> http://192.168.1.100:8123/api/webhook/3fa0995ead8c548dbb53d908c14429f2e1593c03a3eccc46681b2dcddd0a6735

Please update your configuration per the [instructions](https://www.home-assistant.io/integrations/smartthings/), restart Home Assistant, and try again.


Hi @all,

I just can’t get any further and I need your help.

I use “nginx proxy manager” as a virtual machine and enter the host of my Home Assistant instance there with an SSL certificate.

Unfortunately, when I log in, I get the error message “Unable to connect to Home Assistant.” and I don’t know what exactly has to be entered in NGINX Proxy Manager in order for it to work.

Can someone tell me step by step what I have to enter and where? Thank you very much

Hello,

I am using NGINX in an LXC (Proxmox). The access is https, and I can access different sub-domains of my domain (xxx.xxx.duckdns.org).

My HA is installed in a VM (Proxmox) and I can access it via web browser, using https://homeassistant.xxxxxxx.duckdns.org, but when I try to access it using the Android app, I get an error: "Unable to communicate with Home Assistant because of SSL error. Please ensure your certificate is valid.". The SSL certificate is new (OpenSSL) and is a self-signed certificate.

My nginx configuration file is:

upstream proxmox {
  server xxx.xxx.xxxxxx:8006;
}

#Block all unknown HTTP requests
server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        return 444;
}

#Block all unknown HTTPS requests
server {
        listen 443 default_server ssl;

        # 'ssl on;' is deprecated (removed in nginx 1.25.1); the 'ssl' parameter on listen replaces it
        ssl_certificate /etc/nginx/ssl/xxxxxx.crt;
        ssl_certificate_key /etc/nginx/ssl/xxxxxx.key;
        return 444;
}

# Redirect to HA-Server
server {
        # 'ssl' belongs on the listen line, and server_name takes a host name, not a URL:
        # "server_name https://..." never matches a Host header, so requests fall through to the 444 default
        listen 443 ssl;
        server_name homeassistant.xxxxxxx.duckdns.org;
        ssl_certificate /etc/nginx/ssl/xxxxxx.crt;
        ssl_certificate_key /etc/nginx/ssl/xxxxxx.key;
        ssl_protocols TLSv1.3 TLSv1.2;

        ssl_prefer_server_ciphers on;

        location / {
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
                proxy_set_header Host $host;
                proxy_pass http://xxx.xxx.xxx.xxx:8123;   # the terminating semicolon was missing; nginx -t fails without it
        }
        location /api/websocket {
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
                proxy_set_header Host $host;
                proxy_pass http://xxx.xxx.xxx.xxx:8123/api/websocket;
        }
}

Any suggestion?

Thanks
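A handful of mistakes recur in the configs posted in this thread: listen 443 without the ssl parameter, a server_name written as a URL, the deprecated ssl on; (removed in nginx 1.25.1), a proxy_pass line without its terminating semicolon, and ssl_protocols still listing TLSv1/TLSv1.1. nginx -t catches the missing semicolon (and, from 1.25.1 on, the removed ssl directive) but not the rest. The following is an added example, not code from any post here and not nginx's own parser: a small Python linter with its own minimal tokenizer, run over a constructed config that reproduces all five problems. The example.duckdns.org name and 192.0.2.10 upstream in the sample are placeholders.

```python
import re

# Tokens: double- or single-quoted strings, the three structural characters, or bare words.
_TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')
_DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
MISSING_SEMICOLON = "__missing_semicolon__"


def _strip_comments(text):
    # Good enough for the configs in this thread; a '#' inside a quoted value would be mis-stripped.
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def parse(text):
    """Return (line, context, name, args) for every directive.

    context is the tuple of enclosing block names, e.g. ('server', 'location').
    A '}' that arrives while a directive is still open yields a MISSING_SEMICOLON entry.
    """
    src = _strip_comments(text)
    directives, stack, cur, cur_line = [], [], [], 0
    for m in _TOKEN.finditer(src):
        tok = m.group()
        if tok == ";":
            if cur:
                directives.append((cur_line, tuple(stack), cur[0], cur[1:]))
            cur = []
        elif tok == "{":
            name = cur[0] if cur else "?"
            directives.append((cur_line, tuple(stack), name, cur[1:]))
            stack.append(name)
            cur = []
        elif tok == "}":
            if cur:  # e.g.  proxy_pass http://host:8123 }
                directives.append((cur_line, tuple(stack), MISSING_SEMICOLON, cur))
                cur = []
            if stack:
                stack.pop()
        else:
            if not cur:
                cur_line = src.count("\n", 0, m.start()) + 1
            cur.append(tok.strip("\"'"))
    return directives


def lint(text):
    """Return (line, message) findings for the mistakes seen in this thread's configs."""
    findings = []
    for line, _ctx, name, args in parse(text):
        if name == MISSING_SEMICOLON:
            findings.append((line, f"'{args[0]}' is not terminated with ';' (nginx -t refuses to start)"))
        elif name == "ssl" and args == ["on"]:
            findings.append((line, "'ssl on;' is deprecated since 1.15.0 and removed in 1.25.1; put 'ssl' on the listen line"))
        elif name == "server_name" and any("://" in a for a in args):
            findings.append((line, "server_name takes host names; a value with a scheme never matches a Host header"))
        elif name == "listen" and any(a == "443" or a.endswith(":443") for a in args) and "ssl" not in args:
            findings.append((line, "listen on 443 without the 'ssl' parameter serves plaintext HTTP on the HTTPS port"))
        elif name == "ssl_protocols":
            old = sorted(set(args) & _DEPRECATED_PROTOCOLS)
            if old:
                findings.append((line, f"ssl_protocols enables deprecated {', '.join(old)} (RFC 8996)"))
    return findings


# Constructed sample reproducing the five mistakes (placeholders, not anyone's real config).
SAMPLE = """
server {
        listen 443;
        server_name https://homeassistant.example.duckdns.org;
        ssl on;
        ssl_certificate /etc/nginx/ssl/example.crt;
        ssl_certificate_key /etc/nginx/ssl/example.key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

        location / {
                proxy_http_version 1.1;
                proxy_set_header Host $host;
                proxy_pass http://192.0.2.10:8123
        }
}
"""

if __name__ == "__main__":
    for line, message in lint(SAMPLE):
        print(f"line {line}: {message}")
```

Run it on a real file with lint(open("/etc/nginx/sites-enabled/ha.conf").read()). It is a complement to nginx -t, not a replacement: nginx -t validates syntax and directive names, while this flags settings nginx happily accepts but a reverse proxy in front of Home Assistant should not have.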

OK, I found my solution.

I installed new SSL certificates from Let’s Encrypt.

Thanks

Do I need to do anything special to get Nabu Casa cloud working with nginx? It used to work but broke a release or two ago. Any help appreciated.

This is my nginx configuration.
Ubuntu 20.04 Host
HA on kvm vm (hassio)

server {

    # SSL configuration

    listen 10.10.5.15:31566 ssl http2;
    server_name    my.domain.net;
    include snippets/ssl-my.domain.net.conf;
    include snippets/ssl-params.conf;
    access_log   /var/log/nginx/access-my.domain.net.log;
    error_log    /var/log/nginx/error-my.domain.net.log;

    location / {
        ### force timeouts if one of the backends has died ##
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_set_header        Accept-Encoding   "";
        proxy_set_header        Host              $host;
        proxy_set_header        X-Real-IP         $remote_addr;
        proxy_set_header        X-Forwarded-Proto $scheme;
        add_header              Front-End-Https   on;
        add_header              Strict-Transport-Security "max-age=15552000";
        proxy_http_version 1.1;
        proxy_set_header        Upgrade    $http_upgrade;
        proxy_set_header        Connection "upgrade";

        proxy_pass  http://192.168.110.178:8123;
        proxy_redirect     off;
    }
    location /api/websocket {
        proxy_pass http://192.168.110.178:8123/api/websocket;
        proxy_set_header        Accept-Encoding   "";
        proxy_set_header        Host              $host;
        proxy_set_header        X-Real-IP         $remote_addr;
        proxy_set_header        X-Forwarded-Proto $scheme;
        add_header              Front-End-Https   on;
        add_header              Strict-Transport-Security "max-age=15552000";

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_redirect     off;
    }
}
1 Like

Did you add the IP of your reverse proxy to the trusted proxies? E.g.

http:
  use_x_forwarded_for: true
  trusted_proxies: 
    - 192.168.0.5

Hi guys,
I have a question. What do I need to change in my config when my proxy server is in a different network than my Home Assistant?

Here is my HA config:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.18.0.2

and here is my proxy conf:

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name ha.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /ldaplogin;

        # enable for Authelia
        #include /config/nginx/authelia-location.conf;

        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app 192.168.160.9;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }

    location /api {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app 192.168.160.9;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }

    location /local {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app 192.168.160.9;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}

In the past, when trusted_proxies wasn’t needed in HA, this configuration worked, but now I get:

# 504 Gateway Time-out

Both the proxy server and Home Assistant are in Docker containers but in different networks (the proxy server is in the proxynet network 172.18.0.0/16 and HA is in the vlan network 192.168.160.0/24).
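The trusted_proxies advice in the reply above and the question of a proxy on a different network come down to the same check: Home Assistant only honours X-Forwarded-For when the TCP peer it sees is listed in trusted_proxies, so the address to list is the source address the proxy's packets actually arrive from at the HA container (with two Docker networks that is not necessarily the proxy's address on its own network; ss or tcpdump on the HA side shows it). A 504 from nginx is a different failure: nginx itself could not reach the upstream in time, before HA gets to apply any trust check. The following is an added example, not Home Assistant's code: the trusted-proxy logic written from scratch in Python, including the CIDR form HA accepts in trusted_proxies, and walking the forwarded chain from the right so a client cannot forge its own address. The addresses in the scenario are constructed (RFC 5737 documentation ranges plus the two Docker networks from the post).

```python
import ipaddress


class UntrustedProxy(Exception):
    """A peer that is not in trusted_proxies sent X-Forwarded-For (HA answers such a request with 400)."""


def parse_trusted(entries):
    """Accept the same forms as HA's trusted_proxies list: single addresses or CIDR blocks."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def _is_trusted(addr, trusted):
    return any(addr in net for net in trusted)


def client_ip(peer, xff, trusted):
    """Resolve the real client address of a proxied request.

    peer    -- the TCP source address the application actually sees
    xff     -- the X-Forwarded-For header value (comma separated), or None
    trusted -- networks from parse_trusted()

    The chain is walked from the right, skipping every hop we trust; the first
    untrusted address is the client.  Taking the leftmost entry instead would let
    any client forge its own address, because nginx's $proxy_add_x_forwarded_for
    only appends to whatever X-Forwarded-For the client already sent.
    """
    peer_ip = ipaddress.ip_address(peer)
    if not _is_trusted(peer_ip, trusted):
        if xff:
            raise UntrustedProxy(f"{peer} sent X-Forwarded-For but is not a trusted proxy")
        return peer_ip  # direct connection, nothing to unwrap
    hops = [ipaddress.ip_address(h.strip()) for h in xff.split(",")] if xff else []
    for addr in reversed(hops + [peer_ip]):
        if not _is_trusted(addr, trusted):
            return addr
    return hops[0] if hops else peer_ip  # every hop is a trusted proxy; nothing further to unwrap


if __name__ == "__main__":
    # Constructed scenario: nginx reaches HA from 172.18.0.2; the public client is 203.0.113.7.
    trusted = parse_trusted(["172.18.0.2"])
    print(client_ip("172.18.0.2", "203.0.113.7", trusted))                # -> 203.0.113.7
    print(client_ip("172.18.0.2", "198.51.100.9, 203.0.113.7", trusted))  # forged leftmost entry ignored
    try:
        client_ip("192.168.160.1", "203.0.113.7", trusted)  # proxy arriving from an unlisted address
    except UntrustedProxy as err:
        print("rejected:", err)
```

If the proxy's packets reach HA from an address other than the one in trusted_proxies, the third call is what HA effectively does with every request, which is why the entry must match the peer address HA sees rather than the proxy's "own" IP. When that address is not stable, listing the whole Docker network as a CIDR (for example 172.18.0.0/16) is the usual compromise; it widens the set of hosts allowed to set X-Forwarded-For to everything on that network, so keep the network small.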

I banged my head on this for a couple hours! The trick was the section in configuration.yaml file for the http setting! Thank you so much!

Thank you for the nice description.

I run my own private proxy server (Nginx) in my home, connected via my fritz.box to the WWW (https://mypage.spdns.org/). My Home Assistant server is installed on a Raspberry Pi via Docker, and it works fine in the home network (http://192.168.178.35:8123/).

Now I also want to connect the Home Assistant device to the WWW without connecting it to a dyndns via the fritz.box, because this way is already blocked for my private server.

This is my concept:

What's not working is the proxying/routing from https://mypage.spdns.org/hass/ to the internal https://192.168.178.35:8123/. Could you help me here, please?

1. Get a domain name forwarded to your IP
:heavy_check_mark:https://mypage.spdns.org/subfolders/

2022/01/03 21:46:04 [error] 91661#91661: *1 upstream prematurely closed connection while reading response header from upstream, client: 89.14.97.35, server: leisa.spdns.org, request: "GET /hass/ HTTP/2.0", upstream: "http://192.168.178.21:8123/", host: "leisa.spdns.org"

Why?

2. Install NGINX on your server
:heavy_check_mark:Installed my own private proxy server (192.168.178.96)
:heavy_check_mark:Other apps are running fine in different subfolders like https://mypage.spdns.org/phpmyadmin/ or https://mypage.spdns.org/nextcloud/ etc.

upstream php-handler {
    server unix:/run/php/php7.4-fpm.sock;
}

#what is this doing?
# It derives the Connection header sent upstream from the client's Upgrade header: a WebSocket
# handshake (Upgrade: websocket) gets "Connection: upgrade", while an ordinary request, where
# $http_upgrade is empty, gets "Connection: close" instead of a bogus upgrade on every request.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

#########################################
server {
    listen 80 default_server;
    listen [::]:80 default_server;
	server_name XXX.spdns.org 192.168.178.96;
 
	root /var/www;

    location ^~ /.well-known/acme-challenge {
        default_type text/plain;
        root /var/www/letsencrypt;
    }

	location / {
		return 301 https://$host$request_uri;
	}
}
#########################################

server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;
	server_name XXX.spdns.org;

	# SSL configuration
	# RSA certificates
	ssl_certificate /etc/letsencrypt/xxx.spdns.org/rsa/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/xxx.spdns.org/rsa/key.pem;
	# ECC certificates
	ssl_certificate /etc/letsencrypt/xxx.spdns.org/ecc/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/xxx.spdns.org/ecc/key.pem;

	# This should be ca.pem (certificate with the additional intermediate certificate)
	# See here: https://certbot.eff.org/docs/using.html
	# ECC
	ssl_trusted_certificate /etc/letsencrypt/xxx.spdns.org/ecc/ca.pem;

	# Include SSL configuration
	include /etc/nginx/snippets/ssl.conf;

	# Include headers
	include /etc/nginx/snippets/headers.conf;
.
.
.
	##########################################
	# Homeassistant Wifi
	#
	# Note: Home Assistant's frontend is built to be served from the root path (it requests
	# /api/..., /auth/... and its static assets by absolute path), so a /hass/ prefix cannot
	# simply be stripped by proxy_pass; a dedicated host name is the usual approach.
	location ^~ /hass/ {
		proxy_pass https://192.168.178.35:8123/;
		proxy_set_header Host $host;
		proxy_redirect http:// https://;
		proxy_set_header X-Forwarded-Host $host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_http_version 1.1;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection $connection_upgrade;
	}
	
.
.
.	
}

3. Obtain an SSL certificate
:heavy_check_mark:Installed on my own private proxy server (192.168.178.96) via lets encrypt
There is no root installation of nginx on my Raspberry Pi, and also no SSL encryption in the local LAN at the moment.

4. Create dhparams file
:heavy_check_mark:works fine on my own private proxy server (192.168.178.96)

5. Install configuration file in NGINX

  1. I don’t get the map to the connection variable
  2. What's different from your description:
  • add_header Strict-Transport-Security max-age is on 63072000
  • ssl_protocols supported: TLSv1.2 AND TLSv1.3
  • ssl_session_cache shared:SSL:50m INSTEAD of 10m;
  • I don’t have proxy_buffering off;

6. Enable the Home Assistant NGINX configuration
:heavy_check_mark:works fine on my own private proxy server (192.168.178.96)

7. Start NGINX

:heavy_check_mark:other apps work fine on my own private proxy server (192.168.178.96)

? What's not working is https://mypage.spdns.org/hass/

8. Port forwarding

  • 443 and 80 for my own private proxy server (192.168.178.96)
  • Open port for my Raspberry Pi Home Assistant 192.168.178.35:8123/

My hassio config on my Raspberry Pi:

http:
  use_x_forwarded_for: true
  trusted_proxies: 
  - 192.168.178.96 #/24
  ssl_certificate: /config/certs/fullchain.pem   # leading slash assumed missing here, matching ssl_key below
  ssl_key: /config/certs/privkey.pem

Edit: in an earlier version I didn’t use SSL certificates on my Raspberry Pi. Now I use self-signed certificates, but it is still not working.

Your network for trusted_proxies needs to be 2-space indented. I’m still having Gateway Timeout problems, so I'm not 100% sure if this is your issue, but it could be.

trusted_proxies: 
  - 192.168.178.96 #/24

Thank you @Flyguy86, unfortunately it was not the solution.

Any other approach? This is what the Browser Inspector is spitting out:

Hi! I set up Home Assistant using docker-compose and it works fine when accessing it via the local IP; however, when I set up a reverse proxy using nginx, I can’t access the page. In the network tab I see 404 errors for websocket and token. What’s wrong with it? This is my nginx config file:

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    server_name home.mydomain.com;

    listen [::]:80 default_server ipv6only=off;
    return 301 https://$host$request_uri;
}

server {
    server_name home.mydomain.com;

    include /etc/nginx/ssl.conf;

    listen [::]:443 ssl default_server ipv6only=off; # if your nginx version is >= 1.9.5 you can also add the "http2" flag here
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    # ssl on; # Uncomment if you are using nginx < 1.15.0
    ssl_protocols TLSv1.2;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    proxy_buffering off;

    location / {
        proxy_pass http://127.0.0.1:8123;
        proxy_set_header Host $host;
        proxy_redirect http:// https://;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}

Does your router support NAT loopback/hairpinning?

(Without it, the router is unlikely to let you access anything on your LAN when using the public address of your connection.)

1 Like