Setting up forwarding ports with NGINX?

MartyB · August 7, 2021, 2:02pm

Hi all!

Very informative posts here have helped me with my setup. One thing I don’t think I’ve seen though is what I can best describe as port forwarding within NGINX. Maybe I’m using the wrong terminology.

First, my setup:

my-domain.duckdns.org

→ Router
—> port forwarding external 443 to internal 443 @ IP *.201
—> port forwarding external 30000 to internal 30000 @ IP *.202

→ @ IP *.201 rPi 4 running HassOS, duckdns & NGINX

→ @ IP *.202 windows 10 machine running game server on port 30000.

So HassOS works great, I can connect locally and externally via duckdns with no issue.

However when I try to get to my-domain.duckdns.org:30000, I get “SSL Protocol Error”. If I try using my WAN IP I can connect no issue. However I would like to have SSL encryption, since I have it.

So I’m guessing I need to have external port 30000 forwarded to internal 443 at IP *.201, have NGINX validate the SSL and forward the connection to port 30000 at IP *.202?

Or is there a way to configure subdomains with NGINX? Kinda like:
Hass.my-domain.duckdns would point IP *.201 port 443, and
gameserver.my-domain.duckdns point to IP *
.202 port 30000?

MartyB · August 7, 2021, 2:24pm

Well, I think I found a related post here:

I’m going to give this a try.

MartyB · August 8, 2021, 7:18am

Alright, for others in my boat, here’s what I needed to do. Hopefully I get it all right.

Duck DNS configuration: this will get a wild card cert from Let’s encrypt, allowing all sub-sub domains to use the same SSL encrypting.

lets_encrypt:
  accept_terms: true
  certfile: fullchain.pem
  keyfile: privkey.pem
token: your-token-here
domains:
  - '*.my-domain.duckdns.org > my-domain.duckdns.org'
aliases: []
seconds: 300

Then in NGINX Home Assistant SSL proxy, change:

customize:
  active: true

Also, create a file called nginx_proxy.conf in /share/nginx_proxy

server {
    listen       443 ssl http2;
    server_name  subsubdomain.my-domain.duckdns.org;

    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;
    ssl_session_tickets off;
    ssl_certificate /ssl/fullchain.pem;
    ssl_certificate_key /ssl/privkey.pem;

    # dhparams file`
    ssl_dhparam /data/dhparams.pem;

	ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
	
	proxy_buffering off;
	
    location / {
        # enter your own info on next line
        proxy_pass http://192.168.50.202:30000;
        proxy_set_header Host $host;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }


    location /api/websocket {
        # enter your own info on next line
        proxy_pass http://192.168.50.202:30000/api/websocket;
        proxy_set_header Host $host;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

    }
}

I copy/pasted the block above multiple times in the same file, changing the server_name and proxy_pass info for each.

And that about did it!

michib · July 15, 2022, 6:19am

Hi everyone,

although the topic was solved, I want to reopen it because I’d like to discuss another solution.
If on is not able to use subdomains, could one also forward port 30000 to nginx and setup a server configuration that listens to this port and forwards to the windows machine?

Related question: Is there a way to query the actual port of the request. Say, I listen to 443 and to 30000 in the same server section, could I do something like if $port==443 then proxy pass to .201:433 and if $port==30000 then prox pass to .202:30000?

michib · July 18, 2022, 3:04pm

I just recognized the following: The listen directive requires Nginx to run on the host with the physical interface (if not otherwise virtualized). However, if the add-on runs in a docker container, HA needs to expose the respective port to the HA host. Which it seems does not.

I think, for most HA users, the limitation to the ssl relevant port 443 and using subdomains is pretty fine.