SSL and reverse proxy from another host already set up with letsencrypt

I’m having trouble getting my home assistant accessible from the outside, but I’m trying to do it in what I thought was a much easier route than what the official documentation instructs to do. But I can’t figure out why it isn’t working.

I have a Nethserver (all in one email, fileserver, nextcloud, webserver, etc) that is already set up with letsencrypt and working with my domain and it is already listening on ports 80 and 443. It supports reverse proxy to other hosts in my network and I set up a reverse proxy to http://:8123 from my Nethserver at https://my.registereddomain.com/ha.

It’s not working but the forwarding to my ha instance seems to be working. Does anyone know what I can do to get this going?

The most important question is what reverse proxy are you using? Have you configured it correctly?

I am not sure that HA supports being hosted from a subfolder, i.e., /ha. I haven’t tried it myself, but I remember some people quite a while back trying it and having issues. I think there are some URLs that are prefixed with a /, so they assume they are at the root.

You are correct. I missed that in the OP. Good catch.

Ok, I was hoping to not have to do it that way, but I registered a few cnames for my nethserver. I just changed the config and pointed one of the cnames to my hassio/home assistant instance.

It got me further but still no cookie. Now I actually get the home assistant logo followed by this text…

You’re about to give http%3A%2F%2Fcname1.obscuredhost.com%2F access to your Home Assistant instance.

Logging in with Home Assistant Local.
Error: invalid client id or redirect uri

The certs are loaded on the nethserver (apache) and they work fine as long as I don’t redirect to the ha instance. Do I have to load the certs on ha also?

No, my HA config knows nothing of certificates or HTTPS. Did you change your base_url in your HTTP configuration to match the new name?

Hehe… one step closer. You are correct, I had not updated my domain from the original to the new cname.

That got me to the sign on. I actually get a username and password field now, but after signing in, I get “Unable to connect to Home Assistant”.

This is what I have and I have my Nethserver set to force SSL.

http:
  # For extra security set this to only accept connections on localhost if NGINX is on the same machine
  # server_host: 127.0.0.1
  # Update this line to be your domain
  base_url: https://cname1.obscuredhost.com
  use_x_forwarded_for: true
  # You must set the trusted proxy IP address so that Home Assistant will properly accept connections
  # Set this to your NGINX machine IP, or localhost if hosted on the same machine.
  trusted_proxies: 192.168.1.5

Take out the https:// in front of base_url. Mine is just the DNS name, no prefix.

Same result. Since Nethserver is using apache should I remove the x forwarded for?

No, you definitely need that for things to work properly with the reverse-proxy forwarding requests.
Your http: section looks the same as mine does now.

Can’t say if it’s something specific to nethserver, because I use NGINX, but our HA config looks identical.
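Added example, not code from this thread or from Home Assistant itself: a minimal Python model of what the use_x_forwarded_for: true and trusted_proxies settings above achieve, using the thread's proxy address 192.168.1.5. The right-to-left walk of X-Forwarded-For is the general algorithm for a trusted-proxy check, not a claim about Home Assistant's exact implementation.

```python
# Added example (not Home Assistant's code): model of a trusted-proxy check.
# Only the reverse proxy (192.168.1.5 in the thread) may supply X-Forwarded-For;
# the header is walked from the right, skipping trusted hops, so a value the
# browser injected itself cannot spoof the address used for ip_ban / login tracking.
from ipaddress import ip_address, ip_network
from typing import Optional

TRUSTED_PROXIES = [ip_network("192.168.1.5/32")]  # from the thread's http: block


def is_trusted(addr: str) -> bool:
    """True when addr falls inside one of the configured trusted_proxies."""
    ip = ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer: str, xff: Optional[str], use_x_forwarded_for: bool = True) -> str:
    """Return the address to treat as the client.

    peer: the TCP peer Home Assistant actually accepted the connection from.
    xff:  the raw X-Forwarded-For header value, or None when absent.
    Raises ValueError when a peer that is not a trusted proxy sends the header.
    """
    if not use_x_forwarded_for or xff is None:
        return peer
    if not is_trusted(peer):
        # A direct client (e.g. the VPN path mentioned in the thread) must never
        # be allowed to declare a forwarded address for itself.
        raise ValueError(f"X-Forwarded-For from untrusted peer {peer}")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    # Right-most hop was appended by our own proxy, so the first untrusted
    # address seen from the right is the real client; anything left of it is
    # unverified and ignored.
    for hop in reversed(hops):
        if not is_trusted(hop):
            return str(ip_address(hop))  # also validates the literal
    return peer  # every hop was a trusted proxy; fall back to the peer


# Constructed sample requests, as Apache's ProxyPass would forward them.
SAMPLES = {
    "normal": ("192.168.1.5", "203.0.113.10"),
    "spoof_attempt": ("192.168.1.5", "10.0.0.1, 203.0.113.10"),  # injected 10.0.0.1
    "direct_vpn": ("10.8.0.2", None),
}

if __name__ == "__main__":
    for name, (peer, xff) in SAMPLES.items():
        print(f"{name}: client seen as {client_ip(peer, xff)}")
```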

Hmm… Notification inside of HA is showing a failed login attempt with invalid credentials, but I know they are correct (I’m using the same ones to access HA except having fired up a VPN first so that I’m hitting HA directly since I’m here at work).

Do you have access to the nethserver config for apache at all?

Yes!!!

This is autogenerated using the reverse proxy plugin in Nethserver…

<VirtualHost *:443>

    ServerName cname1.obscuredhost.com

    # forcessl_redirect
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule (.*) https://%{SERVER_NAME}$1 [R,L]

    #20ssl_engine
    SSLEngine On
    SSLCertificateFile "/etc/letsencrypt/live/realhostname.obscuredhost.com/cert.pem"
    SSLCertificateKeyFile "/etc/letsencrypt/live/realhostname.obscuredhost.com/privkey.pem"
    SSLCertificateChainFile "/etc/letsencrypt/live/realhostname.obscuredhost.com/chain.pem"

    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off

    # Reverse Proxy (with exclusion of local Letsencrypt challenge path)
    ProxyPassMatch ^/.well-known/acme-challenge/ !
    ProxyPass  / http://192.168.1.7:8123/ max=3 retry=30
    ProxyPassReverse / http://192.168.1.7:8123/

    ProxyPreserveHost On

    <Location "/">
      <RequireAll>
        Require all granted
        SSLRequireSSL
      </RequireAll>
    </Location>

</VirtualHost>


#
# Virtual Host cname1.obscuredhost.com - *:80
# Description :

<VirtualHost *:80>

    ServerName cname1.obscuredhost.com

    # forcessl_redirect
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule (.*) https://%{SERVER_NAME}$1 [R,L]

    # Reverse Proxy (with exclusion of local Letsencrypt challenge path)
    ProxyPassMatch ^/.well-known/acme-challenge/ !
    ProxyPass  / http://192.168.1.7:8123/ max=3 retry=30
    ProxyPassReverse / http://192.168.1.7:8123/

    ProxyPreserveHost On

    <Location "/">
      <RequireAll>
        Require all granted
        SSLRequireSSL
      </RequireAll>
    </Location>

</VirtualHost>

I think you also need to mod the websocket stuff with:

# Requires mod_proxy_wstunnel; RewriteEngine On is already set in the vhost above.
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /(.*)  ws://192.168.1.7:8123/$1 [P,L]
# No rule is needed for non-WebSocket requests: the existing ProxyPass / line
# already forwards them and keeps the acme-challenge exclusion intact.

See if that helps at all.

I’ll double check my setup when I get home if this doesn’t help and post my config. :slight_smile:

That was the magic!

How do I give both of you solve status?


The base_url stuff you’ll want to put back if you ever plan to use something like the smartthings integration. :wink: