Trouble getting NGINX to work

I have HA running internally on my network at 8123. Can access it just fine locally with http://aaa.bbb.ccc.ddd:8123.

I want to access it externally, so I set up a forwarded port (8123) to the container’s IP. As I have a domain of my own I added a DNS record ha.<mydomain> → my static IP.

This works fine for the app and also for web access via http://ha.<mydomain>:8123. However I get the warning that it’s not secure, it’s not, and Safari won’t autofill my password.

So … I got an SSL certificate for ha.<mydomain> and installed the NGINX addin. Reasonably sure I have the cert and key PEMs correct. I set ha.<mydomain> as the domain in the NGINX config.

To my main config.yaml I added

  use_x_forwarded_for: true
  trusted_proxies:
    - 10.13.0.0/16

My HA server runs on the 10.13.x net; I can tighten that up later but started with something broad.

I forwarded 443 into the HA container, the same way that 8123 was forwarded.
I cannot however make it work. Accessing https://ha.<mydomain> gives me

‘400 Bad Request’

I have tested with openssl and curl and I see correct certificate validation. I feel however that NGINX isn’t forwarding to 8123 but to 80 (e.g. I don’t see where to tell it that 8123 is where the server is running, and the documentation seems to indicate it forwards 443 to 80). What piece of config am I missing here and/or what else can I do to debug?

openssl s_client -connect ha.<mydomain>:443 ...

SSL handshake has read 3975 bytes and written 401 bytes
Verification: OK
curl -I https://ha.<mydomain>
HTTP/2 400 
server: nginx
date: Tue, 17 Jun 2025 06:57:11 GMT
content-type: text/plain; charset=utf-8
content-length: 16
strict-transport-security: max-age=31536000; includeSubDomains

You’re trying to access it externally and it’s coming up as not secure?

http://ha.<mydomain>:8123 ← this isn’t secure anyways. Notice the http?

Couldn’t tell you how the add-ins work though, I’m running it all on bare metal and a container, but maybe start with nginx logs and see why it’s not resolving.

Can you post your entire http section from the configuration.yaml?

That was my whole http section …

Yes I know that 8123 isn’t secure. 8123 via http was what I did first, it’s not secure (works for the HA app though). Then I got a certificate for my domain and added a 443 port and set up NGINX, the HTTPS bit is working, the certificate validates, but I get no content.

The NGINX logs show nothing except the service starting and stopping again. Are there more logs apart from the one you can get on addin web page? I hunted around using the console but couldn’t find anything else.

The request is definitely going to the NGINX as you can see the 400 error message returned is from that server.

Did you set up the addon configuration as the documentation states?

OK, this was easy. I read the instructions, saw the trusted network was … whatever it was … and changed it for my own. Of course nginx runs in a container and its IP is in the range stated in the docs. So the IP I whitelisted was not the IP forwarding requests.

In the end I set nginx up on my Mac and pointed everything there, then I can set up a number of sites and forward them where I want.
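
The trusted-proxy mismatch that resolved this thread, as an added example that is not part of any post above and is not Home Assistant's own code: a simplified model of how a backend decides whether to honour `X-Forwarded-For`, based on the address that opened the connection. The function name, the container address `172.30.33.5`, the `172.30.33.0/24` network and the client addresses are assumptions constructed for illustration; take the real range from the add-on documentation.

```python
import ipaddress


def resolve_client(peer_ip, xff_header, trusted_proxies, use_x_forwarded_for=True):
    """Return (status, client_ip) for one request in a simplified trusted-proxy model.

    peer_ip is the address that opened the TCP connection to the backend,
    i.e. the reverse proxy, not the browser.
    """
    peer = ipaddress.ip_address(peer_ip)
    if xff_header is None:
        return 200, str(peer)          # direct request, no forwarded header to trust
    if not use_x_forwarded_for:
        return 400, None               # proxied request while proxy support is off
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]
    if not any(peer in n for n in nets):
        return 400, None               # header arrived from a peer that is not trusted
    try:
        hops = [ipaddress.ip_address(h.strip()) for h in xff_header.split(",")]
    except ValueError:
        return 400, None               # malformed header
    # Walk from the hop nearest the backend; the first untrusted hop is the client.
    for hop in reversed(hops):
        if not any(hop in n for n in nets):
            return 200, str(hop)
    return 200, str(hops[0])           # every hop is trusted: take the leftmost


# Constructed sample values (assumptions, not taken from the thread).
PROXY_CONTAINER_IP = "172.30.33.5"     # hypothetical address of the proxy container
BROWSER_IP = "203.0.113.7"             # documentation-range client address

if __name__ == "__main__":
    cases = {
        "LAN range from the thread (10.13.0.0/16)": ["10.13.0.0/16"],
        "proxy container network (assumed)": ["172.30.33.0/24"],
    }
    for label, trusted in cases.items():
        print(label, resolve_client(PROXY_CONTAINER_IP, BROWSER_IP, trusted))
```

In this model, trusting all of `10.13.0.0/16` also means any host on that network that connects to the backend directly can supply its own `X-Forwarded-For` value and have it accepted as the client address, which is the reason to narrow the entry to the proxy's own address or network.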