Reverse proxy using NGINX

Yeah, I should have mentioned, I have a WordPress site hosted and working just fine via the proxy:

/etc/nginx/sites-enabled $ ls -la
total 8
drwxr-xr-x 2 root root 4096 Nov 25 10:51 .
drwxr-xr-x 9 root root 4096 Nov 25 15:04 ..
lrwxrwxrwx 1 root root   34 Nov 25 10:43 default -> /etc/nginx/sites-available/default
lrwxrwxrwx 1 root root   50 Nov 25 10:51 home.zeefarmer.com -> /etc/nginx/sites-available/home.zeefarmer.com.conf
lrwxrwxrwx 1 root root   55 Nov 25 10:48 wordpress.zeefarmer.com -> /etc/nginx/sites-available/wordpress.zeefarmer.com.conf

I even blew away this whole stack and started over on this device thinking it might have been the Magento site/config I was running on the same device. Still no dice.

You have a WordPress site? This means you have 2 server configs both bound to port 80/443?

In your wordpress one, what ports are bound with the listen?

What is the output of “sudo nginx -t”?

It’s possible nginx just doesn’t start the 2nd server bound to the same port…meaning you didn’t actually launch the home assistant one. Though I’m kinda just guessing.

Yes, I have 2 separate config files, one for WordPress, one for Home Assistant. This was all working fine and I was able to load both before I went down the SSL path.

The WordPress proxy config:

server {
    listen 80;
    server_name wordpress.zeefarmer.com;
    location / {
        proxy_pass http://10.0.1.113;
    }
}

sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

I just removed the WordPress config and restarted NGINX for S&Gs, and still no luck passing home.zeefarmer.com to the RPi for Home Assistant.

Huh, wonder if this is the issue:

Disregard. Ended up being a Cloudflare setting issue (set SSL/TLS encryption mode to Full).

Thanks for the help!

Hey. I saw you said that you can set up a Minecraft server and connect it also to NGINX. I want to try that, but I researched a little bit and I found this thread: https://www.reddit.com/r/homelab/comments/fi88cl/docker_nginx_reverse_proxy_minecraft_server/?utm_medium=android_app&utm_source=share
Am I understanding something wrong, and how can you do it?
Thanks

Yeah, it’s relatively new. You use a stream module to forward the UDP to the server of choice.

https://www.youtube.com/watch?v=QRH1egGAlfc

If you’re using Bedrock, you want to add ‘udp’ to the listen directive. Java uses TCP, so you don’t need to add anything.

You still have to port forward this listen port. Sadly I never figured out how to do it with http so I could do “mywebsite.duckdns.org/minecraft”. But I should play with it more to figure it out.

Hi,

I have the exact same setup, and the exact same problem.

I’m running 2 web servers (weewx and hass) on different ports of the Raspberry Pi, and I have nginx running on another, “proxy”-like Raspberry.

I have generated certificates as outlined by a blog post from nginx, for both hass and weewx. This has the additional benefit that it also alters the .conf file accordingly, and it worked flawlessly for my weewx web server.

However, for hass (which is running in a docker container), I get to the login screen (followed by my 2FA screen), and after having successfully logged in, I get the “Unable to connect to Home Assistant.” screen. I see nothing appearing in the logs. I however see that “tokens are generated for https://marvin.[redacted].be/”, so the login was successful.

This is my configuration.yaml:

http:
  base_url: marvin.[redacted].be
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.86.35

This section might be related:

homeassistant:
  customize: !include customize.yaml
  packages: !include_dir_named packages
  internal_url: "http://[my_external_ip_adress]:8123"
  external_url: "https://marvin.[redacted].be"

I suspect that hass is trying to “recheck” the certificate, but fails to do so. I tried adding the following to my configuration:

http:
  ssl_certificate: fullchain.pem
  ssl_key: privkey.pem

with the fullchain and privkey copied from my nginx server to the root directory of hass. But although this passed the “check configuration”, hass refused to start up (not even the “safe boot” mode).

I’m basically out of ideas now…

Thank you in advance!
Erwin

Edit: typo
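The `use_x_forwarded_for: true` / `trusted_proxies` pair in the configuration.yaml above only does something if nginx actually forwards the client address (`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` in the `location` block; none of the nginx configs in this thread set it, so at the TCP level the application only ever sees the proxy's own address as the peer), and it is only safe if the trusted list names the proxy alone. The following is an added Python illustration, not Home Assistant's or nginx's own code, of the resolution rule a proxy-aware application applies to that header and of what an over-broad `trusted_proxies` gives away. The addresses, the `nginx_hop` model and the `WHOLE_LAN` setting are constructed for the example.

```python
"""Resolve the real client address behind an nginx reverse proxy.

Constructed illustration (not Home Assistant's or nginx's own code) of what
`use_x_forwarded_for: true` plus `trusted_proxies` asks the application to do
with the X-Forwarded-For header, and why the proxy list must name only the
proxy. All addresses below are made up.
"""
import ipaddress
from typing import Optional

# Constructed: the nginx host from the configuration.yaml above, as a /32.
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.86.35/32")]

# Constructed: a tempting but over-broad setting (the whole LAN), used below to
# show the spoofing it allows.
WHOLE_LAN = [ipaddress.ip_network("192.168.86.0/24")]


def is_trusted(ip: str, trusted) -> bool:
    """True if `ip` parses and falls inside one of the trusted proxy networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # a malformed entry is never a trusted proxy
    return any(addr in net for net in trusted)


def nginx_hop(incoming_xff: Optional[str], remote_addr: str) -> str:
    """Header value nginx builds with `$proxy_add_x_forwarded_for`: whatever the
    connecting peer sent, with that peer's own address appended on the right."""
    return f"{incoming_xff}, {remote_addr}" if incoming_xff else remote_addr


def client_ip(remote_addr: str, xff: Optional[str], trusted=TRUSTED_PROXIES,
              use_x_forwarded_for: bool = True) -> str:
    """Address the application should treat as the client.

    - Header disabled, absent, or TCP peer not a trusted proxy: the header is
      untrusted client input, so the TCP peer address is used.
    - Otherwise walk the chain from the right (nearest hop) to the left, skipping
      trusted proxies; the first address that is not a trusted proxy is the
      client, since every entry to its right was appended by a proxy we trust.
    """
    if not use_x_forwarded_for or not xff or not is_trusted(remote_addr, trusted):
        return remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr  # garbage in the chain: do not guess, use the peer
        if not is_trusted(hop, trusted):
            return hop
    return remote_addr  # every hop was one of our proxies (e.g. the proxy's own health check)


if __name__ == "__main__":
    # Normal path: browser 203.0.113.10 -> nginx (192.168.86.35) -> Home Assistant.
    print(client_ip("192.168.86.35", nginx_hop(None, "203.0.113.10")))        # 203.0.113.10
    # Client sends a forged header through nginx; nginx appends the true peer.
    print(client_ip("192.168.86.35", nginx_hop("10.0.0.1", "203.0.113.10")))  # 203.0.113.10
    # LAN host bypasses nginx and talks to port 8123 directly with a forged header.
    print(client_ip("192.168.86.50", "203.0.113.77"))                         # 192.168.86.50
    print(client_ip("192.168.86.50", "203.0.113.77", trusted=WHOLE_LAN))      # 203.0.113.77 (spoofed)
```

The last two calls are the point of the `trusted_proxies` list: with only the proxy's /32 trusted, a host that reaches port 8123 directly is recorded under its real address, whereas trusting the whole LAN lets it pick the address that ends up in the login log and in the IP ban list.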

Hi,

Maybe not related: I have read somewhere that the proxy_pass in the proxy config files should be set without a “/” at the end of the local IP address of the Home Assistant service.

I guess that you followed the tutorial for the proxy files “$upgrade” and so on. If not, let’s try it.

I continue my blind comments: I did not install certbot the same way as you. Yours seems simple, but I can’t say whether it is a valid one or not. Here is my how-to:
Independant Nginx server under Proxmox for Home Assistant and every other service with OVH subdomains - Community Guides - Home Assistant Community (home-assistant.io)

Hi,
Thanks for your ideas!

The solution could be found in another topic.

For future reference, this is how I got it working:

nginx .conf file:

server {
    server_name marvin.[redacted].be;

    location / {
        proxy_pass http://192.168.86.165:8123;      # IP of the machine running the HA container
        proxy_set_header Upgrade $http_upgrade;      # Also needed without SSL (i.e. when using proxy)
        proxy_set_header Connection "upgrade";       # Also needed without SSL (i.e. when using proxy)
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/marvin.[redacted].be/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/marvin.[redacted].be/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = marvin.[redacted].be) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name marvin.[redacted].be;
    return 404; # managed by Certbot
}

Configuration.yaml:

# Uncomment this if you are using SSL/TLS, running in Docker container, etc.
# http:
#   base_url: marvin.[redacted].be

homeassistant:
  internal_url: "http://192.168.86.165:8123"
  external_url: "http://marvin.[redacted].be"

As the external url still refers to http (instead of https), I don’t think this actually plays any role.

Hopefully this can save somebody some time in the future :slight_smile:

Kind regards,
Erwin

Edit: further clarification

The second server section of your .conf file redirects all http traffic to https.

Glad to hear it works now for you too.

Here is my nginx config file, just in case other people get other troubles:

server {
  listen        443 ssl;
  server_name   [my subdomain];

  include       /etc/nginx/conf.d/ssl.inc;

  location / {
    proxy_pass http://[my local IP]:8123;
    proxy_set_header Host $host;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
  }

  location /api/websocket {
    proxy_pass http://[my local IP]:8123/api/websocket;
    proxy_set_header Host $host;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
  }
}

As you can see, I have several additional lines. It has been months since I set it up (once again, I’ve done it before this forum topic), but I believe several of them were needed to make my config work.

PS: I manage the ssl in a separate file so that there is no need to copy it into every service config file.

There is something I found today, and I was shocked.

iPhone cannot access Home Assistant via nginx if the more secure TLS 1.3 is used. You’ll say it’s OK, but a cheap Android phone works.

     ssl_protocols TLSv1.3;
     ssl_ciphers EECDH+AESGCM:EDH+AESGCM;

So use the default settings:

     ssl_protocols TLSv1.2;
     ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";