I’m having some strange behaviour with nginx and Home Assistant lately. The problems started when I did migrate to HassOS, but after that I was also able to reproduce it on my previous setup (I did update HA though, more details later on).
I did create a video that showcases the error:
(In case the forum doesn’t allow me to embed videos: https://youtu.be/khdQgJ3E1Yw)
After the above scenario, almost nothing loads in anymore and I have to F5 the page before everything starts working again. In the companion apps I have to force close the app and start it up again.
My setup looks like:
- Proxmox v8.1.3 running on an HP 800 G3 mini with 16GB of RAM
- Currently LXC running dockerized Home Assistant, version Core 2023.12.3, Frontend 20231208.2. Assigned 4 cores and 4GB of RAM, currently using about 700MB
- Also happens with HassOS LXC
- Now also happens with my previous setup: an Ubuntu bare metal running dockerized HA
- Latest version I recall which didn’t have this issue was probably 2023.10 or 2023.11
My docker-compose.yml file looks like the following, I have not tried to go back to 2023.11 because I don’t know if I can.

version: "3"
services:
  homeassistant:
    container_name: homeassistant
    image: ghcr.io/home-assistant/home-assistant:stable
    restart: unless-stopped
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ./config:/config
    network_mode: "host"

Relevant configuration.yml section:

# Configure a default setup of Home Assistant (frontend, api, etc)
default_config:
homeassistant:
  external_url: https://haxxxxxxx.example.com
  internal_url: https://ha.home.example.com
  country: NL
  allowlist_external_dirs:
    - "/config/camera-snapshots/"
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1
    - 172.16.10.21

I have an SSL Terminator running on 172.16.10.21 which requests a wildcard certificate for all of my internal stuff, which is configured like the following (showing only configuration for internal_url, external_url looks pretty much the same but restricts location to: location ~ ^/(auth/token|api/(google_assistant|webhook/.*))$ { instead of location / and obviously changes the host, I haven’t seen any errors there):

server {
    server_name ha.home.example.com;
    listen 80;
    listen [::]:80;
    return 301 https://$host$request_uri;
}
server {
    server_name ha.home.example.com;
    listen 443 ssl;
    root /dev/null;
    access_log /var/log/nginx/ha.access.log;
    error_log /var/log/nginx/ha.error.log;
    ssl_certificate /etc/letsencrypt/live/home.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/home.example.com/privkey.pem;
    # disable poodle attack (sslv3)
    ssl_protocols TLSv1.3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
    ssl_ecdh_curve secp384r1;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    proxy_buffering off;
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://172.16.50.55:8123;
        proxy_redirect off;
        # Socket.IO Support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

NOTE: There might be some outdated stuff in there, but I’ve been running this exact same setup for 3+ years.
Might be worth mentioning: I run MySQL as history component which sometimes takes a good amount of time to load in, but after an F5 it loads in instantly. I also run an external MQTT server and an external zigbee2mqtt docker instance.
I see no errors in my nginx or Home Assistant error log, only some logging in the Firefox Console which is visible in the video.
I don’t know anymore where to look for errors or what to try out. Can I maybe simply rollback to 2023.11 and try that out or does the database also mark a migration internally?
Oh and probably the most important thing I forgot to mention before: if I visit HA directly on the IP then I don’t see this strange behaviour, it only happens when I visit it through the SSL terminator.
I disabled ipv6 on that LXC by changing the following in sysctl:
root@home-assistant:~# cat /etc/sysctl.d/local.conf
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
Confirmed that ipv6 addresses are not assigned by doing ip a.
Greetings.
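
Added example, not part of the original post and not Home Assistant's own code: a generic model of how a backend can interpret X-Forwarded-For when trusted_proxies is set as in the configuration above and nginx forwards $proxy_add_x_forwarded_for. The function and class names and the client addresses 192.168.1.50 and 203.0.113.7 are assumptions made for illustration.

```python
import ipaddress

# trusted_proxies as listed in the post's configuration.yml
TRUSTED_PROXIES = [ipaddress.ip_network(p) for p in ("127.0.0.1", "172.16.10.21")]


class UntrustedForwardedHeader(ValueError):
    """X-Forwarded-For arrived from a peer that is not a trusted proxy."""


def is_trusted(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def resolve_client_ip(peer_addr, x_forwarded_for=None):
    """Return the address to treat as the client for one request.

    peer_addr       -- source address of the TCP connection to the backend
    x_forwarded_for -- raw header value, or None if the header is absent
    """
    if x_forwarded_for is None:
        return peer_addr  # direct connection, nothing to interpret
    if not is_trusted(peer_addr):
        # Anyone can send this header; only a trusted proxy may vouch for it.
        raise UntrustedForwardedHeader(peer_addr)
    # ip_address() raises ValueError on a malformed entry, rejecting the request.
    hops = [str(ipaddress.ip_address(h.strip())) for h in x_forwarded_for.split(",")]
    # nginx's $proxy_add_x_forwarded_for appends the address it saw to whatever
    # the client sent, so the rightmost entries are the trustworthy ones.
    for hop in reversed(hops):
        if not is_trusted(hop):
            return hop
    return hops[0]  # every hop is a trusted proxy: use the first one


if __name__ == "__main__":
    # Constructed requests; the client addresses are made up for the example.
    cases = [
        ("172.16.10.21", "192.168.1.50"),
        ("172.16.10.21", "203.0.113.7, 192.168.1.50"),
        ("192.168.1.50", None),
        ("192.168.1.50", "127.0.0.1"),
    ]
    for peer, header in cases:
        try:
            print(peer, repr(header), "->", resolve_client_ip(peer, header))
        except UntrustedForwardedHeader:
            print(peer, repr(header), "-> rejected")
```

The second case shows why the header is read from the right: an entry the client supplied itself sits to the left of the address nginx appended and is never selected.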