SSL outside and http localy

panzo19 · July 25, 2021, 5:16pm

Hi need some help to config the HA to work with SSL outside and http localy ia have already get an duckdns domain and config it i have also set the prot forward to the router 8123 to 8123 and 443 to 8123 and in config http:

base_url: https://<myurl duckdns>
   server_port: 8123
   ssl_certificate: /ssl/fullchain.pem
   ssl_key: /ssl/privkey.pem

but with the above i can only access it from https if i comment the 2 ssl then i can access it only localy

elfrinjo · July 25, 2021, 5:19pm

Short answer:
Don’t put the certificate into configuration.yaml but install the nginx add-on and use it as a reverse proxy and configure the certificate there.
Afterwards you’ll have SSL on a different port.

panzo19 · July 25, 2021, 5:27pm

Thanks for your responce

with this option the error from outside is
Unable to connect to Home Assistant.

RETRY

config of ngix

domain: mydomain.duckdns.org
certfile: fullchain.pem
keyfile: privkey.pem
hsts: max-age=31536000; includeSubDomains
cloudflare: false
customize:
  active: false
  default: nginx_proxy_default*.conf
  servers: nginx_proxy/*.conf

elfrinjo · July 25, 2021, 5:33pm

Would be good to know what the error is…
However, did you set the trusted_proxies as described in the nginx docs?

panzo19 · July 25, 2021, 5:36pm

i have set the following

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.0/24

nginx: [emerg] PEM_read_bio_DHparams("/data/dhparams.pem") failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: DH PARAMETERS)
[cmd] /run.sh exited 1

elfrinjo · July 25, 2021, 5:44pm

uff, sorry - this is the end of my expertise…
Other seem to have solved this by reinstalling the addon.

panzo19 · July 25, 2021, 5:46pm

I made an unistall and reinstall of the addon and error disappeared from the logs now when i try to access from outside returns 400: Bad Request

aceindy · July 25, 2021, 5:49pm

No need for nginx proxy

outside, use https://my.duck.dns
inside use https://my.duck.dns:8123

provided you:

add duck.dns domain in your router
add dhcp reservation for 192.168.x.y (ha’s ip address) and name it ‘my’

with the dhcp reservation you ensure that your local dns resolves my.duck.dns as 192.168.x.y

elfrinjo · July 25, 2021, 5:55pm

http/400 is a message from the webserver - thats good.
In my case, I added the docker network to the trusted proxies:

172.30.33.0/24

panzo19 · July 25, 2021, 5:57pm

ho i can find the docker network ?
im running hassio on a PI

elfrinjo · July 25, 2021, 6:01pm

Actually, I just copied the trusted proxy settings from the nginx-addon docs. If you are running the hassio image I’d expect that to be the same on all installations:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24

panzo19 · July 25, 2021, 6:01pm

already reserved ith no luck. im frustated with this errors

panzo19 · July 25, 2021, 6:05pm

i ll give it a try now

panzo19 · July 25, 2021, 6:10pm

GREAT!! this was the solution everything up and running Thanks alot for your effort