Trouble - issues with HASS + nginx as proxy, both in docker

Hi there,
I need a hint from somebody that uses my same setup.

I have nginx in docker as a reverse proxy (it also manages SSL certificates) and hass, also in docker.

They are NOT in the same docker-compose file, but in different docker-compose files (they are linked via the Raspberry's local IP 192.168.1.100)

They work like a charm. The only trouble is when I try to update the nginx container. Suddenly, so many resources of the Hass frontend don't work anymore.

I did try also via incognito mode, with Chrome and Firefox.

Somebody got my same issue and solved it?

Are you accessing HA only via the reverse proxy or do you have local http access also?
Do you have HA in host mode for the network?
How are you updating: via CLI, Portainer, Watchtower, etc.?
Is the PI set with a static IP?

  1. I can access HA also via static IP (192.168.1.100:8133) but I access via my custom domain also from local network.

  2. HA is in network_mode: host

  3. Every update is via CLI:

a) docker-compose stop
b) docker container rm nginx
c) upgrade version on docker-compose
d) docker-compose up -d

PI has a static IP.

These are the two docker-compose files, in two different folders, nginx and ha (I prefer to use docker-compose also for single containers 'cause I can manage them faster)

version: "3.8"
services:

  homeassistant:
    container_name: homeassistant
    image: homeassistant/home-assistant:2021.8.8
    restart: unless-stopped
    volumes:
      - ./config:/config
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Rome
    network_mode: host

And this is NGINX:

version: "3.8"
services:

  nginx:
    image: nginx:1.19.6-alpine
    container_name: nginx
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./config:/etc/nginx/conf.d/
      - ./cloudflare:/etc/nginx/cloudflare
      - ./nginx.conf:/etc/nginx/nginx.conf:ro
      - /var/log/nginx:/var/log/nginx
      - /home/sineverba/cfhookbash/data/certs:/etc/ssl/private
    networks:
      - nginx

networks:
  nginx:
    driver: bridge

This is the relevant configuration for nginx:

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    server_name www.example.com;
    listen 80 default_server;
    listen [::]:80 default_server;
    return 301 https://$host$request_uri;
}

server {
    server_name www.example.com;

    ssl_certificate /etc/ssl/private/www.example.com/fullchain.pem;
    ssl_certificate_key /etc/ssl/private/www.example.com/privkey.pem;    
    listen 443 default_server ssl;
    listen [::]:443 default_server ssl;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    proxy_buffering off;

    location / {
        proxy_pass http://192.168.1.100:8123;
        proxy_set_header Host $host;
        proxy_redirect http:// https://;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }

}



Are you getting a warning about a mis-configured proxy on the Home Assistant side when you try and connect?

I had issues after the new requirement added in release 2021.6 to require additional configuration settings in config.yaml for reverse proxy:

HTTP (using reverse proxies)

Home Assistant will now warn when a misconfigured reverse proxy, or misconfigured Home Assistant instance when using a reverse proxy, has been detected.

These warnings will become an error in Home Assistant 2021.7.

If you are using a reverse proxy, and see these warnings, please make sure you have configured use_x_forwarded_for and trusted_proxies in your HTTP integration configuration.

For more information, see the HTTP integration documentation

I use the SWAG container, which uses NGINX, and had to specify the docker IP address of Swag in my config.yaml:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.21.0.2

I also had to specify a static IP in the docker compose so that the IP address of the container wouldn’t shift around on me and break the proxy. I did that by adding this to the compose:

    networks:
      default:
        ipv4_address: 172.21.0.2

Not an expert on the network compose here but I believe yours would replace "default" with "nginx". You'd have to replace the IP with the one that works now and matches the IP on the config.yaml - I used portainer to find mine.

See discussion here - Nginx Reverse Proxy Set Up Guide – Docker - #285 by mwav3
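
Why the proxy's container address has to match `trusted_proxies`, as an added example that is not part of the original posts and is not Home Assistant's own code: a general sketch of how a backend can decide whether to honour `X-Forwarded-For`. The function name `resolve_client_ip` and the sample client address are assumptions made for illustration; `172.21.0.2` is the static address from the post above.

```python
import ipaddress

def resolve_client_ip(peer_ip, x_forwarded_for, trusted_proxies):
    """Hypothetical helper: pick the client IP a backend should act on.

    peer_ip          address of the TCP peer (the proxy container)
    x_forwarded_for  raw header value, or None when the header is absent
    trusted_proxies  IPs or CIDRs, like the trusted_proxies list above
    """
    trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def is_trusted(addr):
        return any(addr in net for net in trusted)

    peer = ipaddress.ip_address(peer_ip)
    if x_forwarded_for is None:
        return str(peer)                      # direct connection, nothing to trust
    if not is_trusted(peer):
        # Anyone can send this header; honouring it from an unknown peer
        # would let a client choose the IP it appears to come from.
        raise PermissionError(f"X-Forwarded-For from untrusted peer {peer}")

    hops = [ipaddress.ip_address(h.strip()) for h in x_forwarded_for.split(",")]
    # nginx's $proxy_add_x_forwarded_for appends the address it saw, so the
    # rightmost entry that is not a trusted proxy is the real client.
    for hop in reversed(hops):
        if not is_trusted(hop):
            return str(hop)
    return str(hops[0])                       # every hop was a trusted proxy


PROXY = "172.21.0.2"       # static container IP from the post above
CLIENT = "203.0.113.7"     # constructed sample address (documentation range)

def demo():
    results = {}
    results["normal"] = resolve_client_ip(PROXY, CLIENT, [PROXY])
    # Client forged a header entry; nginx appended the real address after it.
    results["spoofed"] = resolve_client_ip(PROXY, f"10.0.0.1, {CLIENT}", [PROXY])
    # Container was recreated and came up on a different address.
    try:
        resolve_client_ip("172.21.0.3", CLIENT, [PROXY])
        results["ip_shifted"] = "accepted"
    except PermissionError:
        results["ip_shifted"] = "rejected"
    return results

if __name__ == "__main__":
    print(demo())
```

Listing a whole subnet in `trusted_proxies` instead of a single address survives container re-creation, but it also trusts the header from every other container on that network.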

Thank you for your time. No, no errors displayed. Simply, blank pieces of page; I need to hit F5 to see them. So, a cache issue (IMHO!).

So it works fine when you refresh? Sounds like a cache issue, but could be websockets aren't configured right or won't stay open. Home Assistant is fussy about websockets and nginx config. I use two different lines, one for 'default location /' and another for 'location /api/websocket', in my nginx config.

Also when you “roll back” to the older NGINX image you have no issues, and this only happens when you try and upgrade to the latest NGINX container image? I don’t use the container but if that’s the case you’ll want to look closely at what they changed in the change log.

It's not going to translate directly because I'm on the SWAG container and your setup uses the NGINX container, but here's my nginx config if it helps and you're still having issues. If there are still issues hopefully others can chime in who use the same exact setup as you.

## Version 2020/05/23 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/default

# redirect all traffic to https
server {
	listen 80 default_server;
	listen [::]:80 default_server;
	server_name mydomain.duckdns.org;
	return 301 https://$host$request_uri;
}

# main server block
server {
	listen 443 ssl http2 default_server;
	listen [::]:443 ssl http2 default_server;

	root /config/www;
	index index.html index.htm index.php;

	server_name mydomain.duckdns.org;
	
	# enable subfolder method reverse proxy confs
	include /config/nginx/proxy-confs/*.subfolder.conf;

	# all ssl related config moved to ssl.conf
	include /config/nginx/ssl.conf;

	# enable for ldap auth
	#include /config/nginx/ldap.conf;

	# enable for Authelia
	#include /config/nginx/authelia-server.conf;

	# enable for geo blocking
	# See /config/nginx/geoip2.conf for more information.
	#if ($allowed_country = no) {
	#return 444;
	#}

	client_max_body_size 0;

	location / {
		try_files $uri $uri/ /index.html /index.php?$args =404;
	}

	location ~ \.php$ {
		fastcgi_split_path_info ^(.+\.php)(/.+)$;
		fastcgi_pass 127.0.0.1:9000;
		fastcgi_index index.php;
		include /etc/nginx/fastcgi_params;
	}


}


### HOMEASSISTANT ##############################################################
server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name hass.*;
    
    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app homeassistant;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass http://192.168.0.184:8123;

    }

    location /api/websocket {
        resolver 127.0.0.11 valid=30s;
        set $upstream_app homeassistant;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass http://192.168.0.184:8123;

        proxy_set_header Host $host;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
# enable subdomain method reverse proxy confs
include /config/nginx/proxy-confs/*.subdomain.conf;
# enable proxy cache for auth
proxy_cache_path cache/ keys_zone=auth_cache:10m;

Look into Portainer for container management. That is what I use and updates are as simple as two mouse clicks.
