[SOLVED] DNS Rewrite for internal (domain) access blocks connection

Hey there! I set up my HA docker to use SSL. I set my configuration like in the docs:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.32.0/23            # In Home Assistant we need to add the Docker subnet
    - 127.0.0.1                 # Add the localhost IPv4 address
    - ::1                       # Add the localhost IPv6 address
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

In the UI I set:

internal: https://mydomain.de
external: https://mydomain.de

Everything works well with my external domain (inside my LAN and externally it uses the external domain). But internally I want to use the direct IP instead of the domain. Therefore I created a DNS rewrite in AdGuard like in the docs. The AdGuard log shows me a correct forwarding to the IP, but the HA companion app doesn't connect to HA anymore. The app tries loading and after a few seconds I get a connection problem warning saying I should check my cert.
Only if I remove the rewrite rule does the app work over the domain again. Router DNS rebind protection is off for this domain.
For the internal URL I tried multiple combinations like: mydomain.de or mydomain.de:8123 or <m:8123.

My domain is a Cloudflare domain. Except for AdGuard, I do not have any other add-on. No reverse proxy etc… AdGuard works fine and was set as the local DNS server.
I spent days on this issue but can't find the solution. I also posted here.

Where is my fault? Any help is appreciated!

@Mariusthvdb @Burningstone @odwide Do you have any ideas?

If you are not using a reverse proxy, why the use_x_forwarded_for and trusted_proxies entries?

To resolve the internal IP inside the LAN your DNS server needs to map the domain to that IP. What does nslookup or dig show for your domain inside the LAN?

Long story short: import the certs to your mobile.
Longer version…
Don't expose your HA instance to the internet until you master it. I'm not preaching, just saying.
Use Nabu Casa instead. Nabu Casa is not a bulletproof solution, but it's kinda better for them to worry about some basic security.
In my opinion you have some wrong configurations here.
Let's say it like this. What is a reverse proxy? Well, as I understand it, it is a proxy that you use to access some internal network from outside.
A trusted proxy like this

 trusted_proxies:
    - 172.30.32.0/23 

should point to your internal docker network. And that is all, because you want to access your docker containers running in your docker network from outside. And that outside can be your local network or the internet, it doesn't matter. You can't make up these numbers, as they are defined in your docker configuration.
I have a domain and I created subdomains for it to use for some docker containers. I got SSL certs for them using nginx with a Let's Encrypt container. And I use Nabu Casa for remote access.
This is my configuration.yaml

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.18.0.0/16

This is my nginx docker-compose configuration for the container

  nginx:
    container_name: nginx_proxy
    image: 'jc21/nginx-proxy-manager:latest'
    restart: unless-stopped
    ports:
      - '80:80'
      - '81:81'
      - '443:443'
    volumes:
      - /opt/nginx/data:/data
      - /opt/letsencrypt:/etc/letsencrypt

In nginx create a proxy host, i.e. mydomain.com, using the http scheme, forwarding to the HA IP and the HA default port, 8123. For SSL certs I use the Let's Encrypt DNS challenge inside the nginx GUI.
Do a DNS rewrite for it in AdGuard and there you have it. All certs are renewed automatically every 3 months I think.
And I forgot to write:
You have to set up your router DNS settings to point to your HA instance running a DNS server, i.e. AdGuard.
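Why the trusted_proxies list matters once use_x_forwarded_for is on, as an added illustration (not Home Assistant's own code and not from the thread): a simplified model of how a server behind a proxy should pick the client address that IP bans and login throttling apply to. The subnets are the ones from the original post's configuration.yaml; the function names are hypothetical.

```python
import ipaddress
from typing import Optional

# The trusted_proxies list from the original post's configuration.yaml.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("172.30.32.0/23", "127.0.0.1", "::1")]


def is_trusted(ip: str) -> bool:
    """True if ip falls inside one of the configured proxy subnets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer_ip: str, xff: Optional[str], use_xff: bool) -> str:
    """Return the address that access control should be applied to.

    peer_ip: the TCP peer that actually connected to port 8123.
    xff:     the X-Forwarded-For header value, or None if absent.
    use_xff: the use_x_forwarded_for setting.
    """
    if not use_xff or not xff or not is_trusted(peer_ip):
        # Header disabled, absent, or sent by a peer that is not one of our
        # proxies: the header is attacker-controlled, so ignore it and use
        # the real TCP peer. This is what the trusted_proxies list protects.
        return peer_ip
    # The peer is a trusted proxy: walk the chain from the right, skipping
    # every hop that is itself a trusted proxy. The first untrusted hop is
    # the real client; anything left of it was written by the client.
    hops = [h.strip() for h in xff.split(",")]
    for hop in reversed(hops):
        if not is_trusted(hop):
            return hop
    return hops[0]  # whole chain is our own proxies (e.g. a local health check)
```

A LAN client that sends its own X-Forwarded-For header is still seen as its real address, because 192.168.x.x is not in the trusted list.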

nslookup mydomain.de

Server: 127.0.0.53
Address: 127.0.0.53#53

Non-authoritative answer:
Name:   mydomain.de
Address: 192.168.1.100
dig mydomain.de

answers also to 192.168.1.100.

@ddaniel if I understand it correctly, I have to redirect the domain to the internal docker IP, right? And for SSL I necessarily need the proxy, right? Or is it also possible without a proxy server? If possible, I want to keep it as simple as possible.

My domain is not resolvable over the net as there is no IP address for it. I use AdGuard and router DNS settings to resolve it back to my HA IP address. I think that this setup will not work if I use this domain for internet access, because I don't think it is possible for a domain to have two different IP addresses.
As far as nginx and SSL go, I use it for proxy hosts + SSL certs. This is not that difficult to set up and get SSL certs for.
The key here is to point your router DNS resolvers back to your HA IP running a DNS server like AdGuard that will resolve your domain and subdomains.
In AdGuard I did something like a DNS rewrite for adguard.mydomain.com to my HA IP address.
In nginx I made a proxy host adguard.mydomain.com using the http scheme, forwarding to the HA IP and the AdGuard port, I think it's 3000.
But this thing can also work with internet access. I tried it with Cloudflare tunneling and it is working. You obviously can't have the DNS rewrite back to your HA IP address, as the domain has to have an IP that is accessible over the net.

I'm sorry, but I do not understand your setup.

My attempt was:

  • set up SSL for the HA instance
  • set up my router DNS server to only use the HA DNS server 192.168.1.100 (AdGuard) (works fine)
  • set a static IPv4 for the HA instance
  • set up Cloudflare (which works fine with the external domain mydomain.de)
  • write an AdGuard DNS rewrite rule from mydomain.de to the HA DNS server 192.168.1.100. (Is this the problem you mentioned, because of the second IP? Like in the docs it should be working)

I thought the rule automatically forwards the domain to the internal IP 192.168.1.100. But obviously not, because the HA connection hangs and the page isn't loading.
I would like to use https internally and externally if possible.

Is this setup possible?

That's OK, as sometimes I don't understand it either :smiley:

OK, I looked at the docs and yes, it should be working as they said in the docs. What you want to do is that your domain is accessed remotely using the Cloudflare tunnel when you are not using your local network. When you are connected to your local wifi, use the AdGuard DNS settings and resolve that domain to the HA IP.
I tried Cloudflare tunneling a year ago and it was working. I can't remember all the details.
I think that your problem might be in the SSL certs.
Try to access it locally and remotely using your browser. If this is working then probably the problem lies in the SSL cert. This is my guess.
And if you look at their docs you will see that they commented out the lines that you are using

  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

And this is for the nginx proxy. I think that you should use nginx for this to work. I didn't see their doc and set it up by myself. And my system is reachable both by http and https, as they talk about in the docs.

THANKS for the hint! It was the SSL cert! What I've done:

  • after the rewrite rule I could connect to HA via https://mydomain:8123
    → so the rewrite rule is working! But I also got the cert invalid warning.
  • I installed the Let's Encrypt add-on and got a valid cert
  • installed the new cert and set https://mydomain.de as the internal domain in the HA UI (with the rewrite rule I don't need the external URL anymore.)
  • on the mobile devices with the companion app I installed the new cert
  • in the companion app I set “https://mydomain.de:8123” as the internal and “https://mydomain.de” as the external URL

Now everything works as expected!

Thanks all! :+1:
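The check this thread converged on, as an added example (not from the thread and not a Home Assistant tool): resolve the domain with the local resolver, open a fully verified TLS connection to each returned address on the HA port, and report why the certificate is rejected instead of the companion app's vague "check your cert". The hostname mydomain.de and port 8123 are taken from the post; the function names are hypothetical.

```python
import socket
import ssl
import sys


def resolve(hostname):
    """Every address the local resolver (AdGuard on the LAN) returns for hostname."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


def explain(verify_message):
    """Translate OpenSSL's verification message into the likely cause and fix."""
    msg = verify_message.lower()
    if "self-signed" in msg or "self signed" in msg:
        return "self-signed certificate: the client does not trust its issuer"
    if "hostname mismatch" in msg:
        return "certificate was not issued for this hostname"
    if "expired" in msg:
        return "certificate has expired"
    if "unable to get local issuer" in msg:
        return "issuer chain incomplete: serve fullchain.pem, not cert.pem only"
    return "verification failed: " + verify_message


def check_tls(hostname, ip, port=8123, timeout=5.0):
    """Return 'ok', or the reason the certificate served at ip:port is not
    valid for hostname (the same verification the companion app performs)."""
    ctx = ssl.create_default_context()  # system trust store, hostname check on
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname):
                pass  # handshake completed: chain and hostname are verified
        return "ok"
    except ssl.SSLCertVerificationError as err:
        return explain(err.verify_message)
    except (OSError, ssl.SSLError) as err:
        return "connection failed: %s" % err


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "mydomain.de"  # from the post
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8123
    for addr in resolve(host):
        print("%s -> %s: %s" % (host, addr, check_tls(host, addr, port)))
```

Run it once on the LAN and once on mobile data: the first line tells you whether the rewrite is in effect (LAN address vs. public address) and the second whether the cert served there is acceptable for the domain.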

No problem.
But just out of curiosity… I think that both URLs in the companion app should be the same. You can test this easily by connecting to the internet over the SIM card and connecting your mobile to the local wifi network.
I think that is what they are talking about in the docs. And it should work because you have a resolvable domain that you can reach over the internet. But if you are connected to your local wifi then this domain will resolve to your HA IP address using the DNS rewrite.

I'll check this at home, but as I remember it didn't work without the port. I think because on external access the Cloudflare add-on forwards the request to the correct port. On internal access only the domain is rewritten, without a port. So the URL should be like https://<MY-HA-IP> instead of https://<MY-HA-IP>:8123