I’m trying to set up a SWAG container as a reverse proxy in order to access Home Assistant from outside my LAN, but obviously I’m doing something wrong.
I have a Raspberry 4 with 4GB of memory. I run Docker with Portainer with the following containers:
| Container | Image | Network | IP |
|---|---|---|---|
| homeassistant | home-assistant/raspberrypi4-homeassistant:stable | host | - |
| mqtt | eclipse-mosquitto | bridge | 172.17.0.5 |
| portainer | portainer/portainer-ce:latest | bridge | 172.17.0.4 |
| swag | linuxserver/swag:latest | bridge | 172.17.0.3 |
| zigbee2mqtt | koenkk/zigbee2mqtt:latest | bridge | 172.17.0.2 |
I run SWAG container as follows:
docker run -d \
  --name swag \
  --cap-add=NET_ADMIN \
  -e PGID=1000 \
  -e PUID=1000 \
  -e [email protected] \
  -e URL=MyDomain.duckdns.org \
  -e SUBDOMAINS=wildcard \
  -e VALIDATION=duckdns \
  -e DUCKDNSTOKEN=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX \
  -p 443:443 \
  -e TZ=Europe/Athens \
  -v /home/pi/docker/swag/config:/config \
  --restart=unless-stopped \
  linuxserver/swag:latest
I have changed 3 files as follows:
- config/nginx/site-confs/default.conf
## Version 2022/10/03 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/site-confs/default.conf.sample
# redirect all traffic to https
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    location / {
        return 301 https://$host$request_uri;
    }
}
# main server block
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name MyDomain.duckdns.org;
    root /config/www;
    index index.html index.htm index.php;
    # enable subfolder method reverse proxy confs
    include /config/nginx/proxy-confs/*.subfolder.conf;
    # enable for ldap auth (requires ldap-location.conf in the location block)
    #include /config/nginx/ldap-server.conf;
    # enable for Authelia (requires authelia-location.conf in the location block)
    #include /config/nginx/authelia-server.conf;
    location / {
        # enable for basic auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;
        # enable for ldap auth (requires ldap-server.conf in the server block)
        #include /config/nginx/ldap-location.conf;
        # enable for Authelia (requires authelia-server.conf in the server block)
        #include /config/nginx/authelia-location.conf;
        try_files $uri $uri/ /index.html /index.php$is_args$args =404;
    }
    location ~ ^(.+\.php)(.*)$ {
        fastcgi_split_path_info ^(.+\.php)(.*)$;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include /etc/nginx/fastcgi_params;
    }
    # deny access to .htaccess/.htpasswd files
    location ~ /\.ht {
        deny all;
    }
}
# enable subdomain method reverse proxy confs
include /config/nginx/proxy-confs/*.subdomain.conf;
# enable proxy cache for auth
proxy_cache_path cache/ keys_zone=auth_cache:10m;
- config/nginx/proxy-confs/homeassistant.subdomain.conf
## Version 2022/09/08
# make sure that your dns has a cname set for homeassistant and that your homeassistant container is not using a base url
# As of homeassistant 2021.7.0, it is now required to define the network range your proxy resides in, this is done in Homeassitants configuration.yaml
# https://www.home-assistant.io/integrations/http/#trusted_proxies
# Example below uses the default dockernetwork ranges, you may need to update this if you dont use defaults.
#
#   http:
#     use_x_forwarded_for: true
#     trusted_proxies:
#       - 172.16.0.0/12
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name homeassistant.*;
    include /config/nginx/ssl.conf;
    client_max_body_size 0;
    # enable for ldap auth (requires ldap-location.conf in the location block)
    #include /config/nginx/ldap-server.conf;
    # enable for Authelia (requires authelia-location.conf in the location block)
    #include /config/nginx/authelia-server.conf;
    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;
        # enable for ldap auth (requires ldap-server.conf in the server block)
        #include /config/nginx/ldap-location.conf;
        # enable for Authelia (requires authelia-server.conf in the server block)
        #include /config/nginx/authelia-location.conf;
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        #set $upstream_app homeassistant;
        set $upstream_app 192.168.1.8;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
    location ~ ^/(api|local|media)/ {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        #set $upstream_app homeassistant;
        set $upstream_app 192.168.1.8;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}
- config/dns-conf/duckdns.ini
# Instructions: https://github.com/infinityofspace/certbot_dns_duckdns#credentials-file-or-cli-parameters
# Replace with your API token from your duckdns account.
dns_duckdns_token= XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Moreover, in Home Assistant configuration.yaml I have inserted:
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.1.0/24
    - 172.17.0.0/24
  ip_ban_enabled: true
  login_attempts_threshold: 3
duckdns:
  domain: MyDomain.duckdns.org
  access_token: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
homeassistant:
  internal_url: "http://192.168.1.8:8123"
  external_url: "https://homeassistant.MyDomain.duckdns.org"
For the time being, I only want to use Home Assistant subdomain, but in the future I want to access more containers.
The DuckDNS IP has been configured to renew from inside the router, so this is ok. Also, I forward TCP port 443 to the Raspberry Pi.
NOTE: Since new users are allowed only 2 links, let MySite=https://homeassistant.MyDomain.duckdns.org here.
Additionally, on the Raspberry Pi I run PiHole and PiVPN (with NoIP), neither of them in Docker.
I have also inserted the DuckDNS address (MySite) in Home Assistant Settings / System / Network / Internet (both in PC and mobile).
When I access the address MySite from within LAN, it’s successful and it’s asking for username / password.
When I access the address MySite from outside my LAN, it’s not successful and it only shows the following:
What am I missing here???
Any help will be highly appreciated.
UPDATE: after clearing cache, the error message is “ERR_TIMED_OUT”
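
Added example, not part of the original post and not Home Assistant's own code: a simplified model of how the `trusted_proxies` list in the configuration above decides whether an `X-Forwarded-For` header is believed, which determines the address that `ip_ban_enabled` acts on. It assumes Home Assistant sees SWAG connecting from its bridge address 172.17.0.3; the client addresses are constructed documentation-range values and the function names are hypothetical.

```python
from ipaddress import ip_address, ip_network

# From the post: Home Assistant's trusted_proxies and SWAG's bridge address.
TRUSTED_PROXIES = ["192.168.1.0/24", "172.17.0.0/24"]
SWAG_IP = "172.17.0.3"


def _trusted(ip, nets):
    return any(ip_address(ip) in n for n in nets)


def resolve_client(peer, xff, trusted):
    """Simplified model (an assumption, not Home Assistant's implementation).

    Returns (status, client_ip) where status is one of:
      "direct"   - no X-Forwarded-For, the TCP peer is the client
      "rejected" - header is malformed or came from a peer outside `trusted`
      "proxied"  - header accepted; client is the right-most untrusted hop
    """
    nets = [ip_network(n) for n in trusted]
    if not xff or not xff.strip():
        return ("direct", peer)
    if not _trusted(peer, nets):
        return ("rejected", None)
    hops = [h.strip() for h in xff.split(",")]
    try:
        # Walk from the hop nearest the server back towards the client and
        # stop at the first address that is not one of our own proxies.
        for hop in reversed(hops):
            if not _trusted(hop, nets):
                return ("proxied", hop)
    except ValueError:  # a hop that is not an IP address
        return ("rejected", None)
    return ("proxied", hops[0])  # every hop is itself a trusted proxy


def unused_ranges(trusted, proxy_ips):
    """Trusted ranges that contain none of the proxies actually deployed."""
    return [n for n in trusted
            if not any(ip_address(p) in ip_network(n) for p in proxy_ips)]


if __name__ == "__main__":
    # Constructed client addresses (documentation ranges).
    print(resolve_client(SWAG_IP, "203.0.113.7", TRUSTED_PROXIES))
    print(resolve_client("192.168.1.50", "198.51.100.9", TRUSTED_PROXIES))
    print(resolve_client("192.168.1.50", "198.51.100.9", [SWAG_IP + "/32"]))
    print(unused_ranges(TRUSTED_PROXIES, [SWAG_IP]))
```

Under that assumption the 192.168.1.0/24 entry contains no proxy, so every LAN host is treated as one; listing only SWAG's address keeps the header trusted from SWAG alone.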