[SOLUTION] Sonos TTS with NGINX SSL Reverse Proxy

For everyone who has had issues with getting TTS working over Sonos devices with an SSL-enabled NGINX reverse proxy, try this:

  1. Make sure your Sonos devices have the latest firmware. Launch the Sonos app on your phone to double-check.
  2. Set your homeassistant.http.base_url in configuration.yaml to https://your.home.assistant (obviously use your own server name) and restart Home Assistant.
  3. In the NGINX configuration for your SSL server, make sure you’re running on port 443. Set your ciphers (and use all the usual SSL parameters from https://cipherli.st).
  4. Change your ssl_ecdh_curve parameter to include prime256v1:
    ssl_ecdh_curve secp384r1:prime256v1;
    
  5. Restart your NGINX proxy and enjoy.

The strongest elliptic curve cipher that Sonos devices support is ECDHE-RSA-AES256-GCM-SHA384 (per the docs). However, what Sonos developer documents omit is that these devices do not currently support the stronger secp384r1 ECDH curve; they only support prime256v1.

I was banging my head against my desk trying to figure out why Sonos devices weren’t working with an NGINX SSL reverse proxy, until I thought to start changing cipher suites and curves. Turns out if you add prime256v1 to the list, Sonos will happily connect and play TTS sound files! As an added bonus, secp384r1 will still be used by clients that support it, as it is first in the list of choice ECDH curves, so you don’t compromise your security much by doing this.

If anyone would like to see my full NGINX config, please let me know.
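As an added example (not the original poster's configuration), here is a minimal NGINX TLS server block that puts the curve setting that breaks Sonos beside the working one; the hostname, certificate paths and upstream address are assumptions, replace them with your own.

```nginx
# Added example, not the original poster's config. Hostname, certificate
# paths and the Home Assistant upstream address are placeholders.
server {
    listen 443 ssl http2;
    server_name your.home.assistant;

    ssl_certificate     /etc/letsencrypt/live/your.home.assistant/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your.home.assistant/privkey.pem;

    # Cipher settings in the style of cipherli.st: TLS 1.2+ only, server
    # picks the suite. ECDHE-RSA-AES256-GCM-SHA384 (what Sonos can use)
    # must stay in the list.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256";

    # The setting that breaks Sonos TTS: only the P-384 curve is offered,
    # and Sonos devices only speak prime256v1 (P-256).
    # ssl_ecdh_curve secp384r1;
    #
    # Working: keep secp384r1 first so capable clients still prefer it,
    # and add prime256v1 for Sonos. A colon-separated curve list needs
    # nginx 1.11.0 or newer built against OpenSSL 1.0.2 or newer; older
    # builds fail "nginx -t" with: Unknown curve name "secp384r1:prime256v1".
    ssl_ecdh_curve secp384r1:prime256v1;

    location / {
        proxy_pass http://127.0.0.1:8123;
        proxy_http_version 1.1;
        # WebSocket upgrade for the Home Assistant frontend.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        # Forward the client's real address so Home Assistant's
        # use_x_forwarded_for (and its login ban) sees it, not 127.0.0.1.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Run `nginx -t` after the change; a build that rejects the curve list with the "Unknown curve name" error needs a newer nginx/OpenSSL before the two-curve setting can be used.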


Thank you!!!

I’d been stuck on this for a while. I can confirm that this also resolves the same issue when using Traefik as a reverse proxy (with no need to modify curve params or any other TLS setting).

Can I see your full config? Yesterday I modified my configuration.yaml to include “use_x_forwarded_for: True” so that it can ban the real IP address for anyone entering the incorrect password instead of the 127.0.0.1. Ever since then my text to speech seems to have stopped working. I’m able to play music, but the TTS does not work.

Are you accessing Home Assistant over TLS? What proxy are you using?

I’d been struggling with this for WEEKS and your post finally helped me solve the issue. Thank you for taking the time to post this!

hhhm, when I add this, NGINX won’t start with the following error:

pi@raspberrypi:/etc/nginx/sites-enabled $ sudo nginx -t
nginx: [emerg] Unknown curve name "secp384r1:prime256v1" (SSL:)
nginx: configuration file /etc/nginx/nginx.conf test failed

Any ideas?

Yes, I am struggling to get this to work… Would be much appreciated.

Disregard, I got it to work! Still no luck with https://www.home-assistant.io/cookbook/sonos_say/ however.

Could we see the configuration? I use the nginx addon and I don’t see what I should do: create a config? With what?

Thx.