I did read that I need to forward 443 to 443. But I also need to know what to change in the nginx add-on. For now I just added the domain name and location for the Let's Encrypt certificate.
What I did was as follows:
Steps 1 to 4 were done via the add-on, so I skipped them.
Step 5 - copied this code into the default file (basically replaced everything with it):
```nginx
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

server {
    # Update this line to be your domain
    server_name mysubdomain.duckdns.org;

    # These shouldn't need to be changed
    listen [::]:80 default_server ipv6only=off;
    return 301 https://$host$request_uri;
}

server {
    # Update this line to be your domain
    server_name mysubdomain.duckdns.org;

    # Ensure these lines point to your SSL certificate and key
    ssl_certificate /etc/letsencrypt/live/mysubdomain.duckdns.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mysubdomain.duckdns.org/privkey.pem;
    # Use these lines instead if you created a self-signed certificate
    # ssl_certificate /etc/nginx/ssl/cert.pem;
    # ssl_certificate_key /etc/nginx/ssl/key.pem;
    # Ensure this line points to your dhparams file
    ssl_dhparam /etc/nginx/ssl/dhparams.pem;

    # These shouldn't need to be changed
    listen [::]:443 ssl default_server ipv6only=off; # if your nginx version is >= 1.9.5 you can also add the "http2" flag here
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    # ssl on; # Uncomment if you are using nginx < 1.15.0
    ssl_protocols TLSv1.2;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    proxy_buffering off;

    location / {
        # 127.0.0.1 is the loopback of whatever runs nginx: when nginx is in a Docker
        # container without host networking, that is the container itself, not Home Assistant
        proxy_pass http://127.0.0.1:8123;
        proxy_set_header Host $host;
        proxy_redirect http:// https://;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
```
I wonder if ssl_ciphers needs to be changed.
Skipped step 6.
Step 7 - restarted the nginx Docker container.
Forwarded port 443 to 443 and 80 to 80.
Step 9 - added this in configuration.yaml:
```yaml
http:
  # For extra security set this to only accept connections on localhost if NGINX is on the same machine
  # Uncommenting this will mean that you can only reach Home Assistant using the proxy, not directly via IP from other clients.
  # server_host: 127.0.0.1
  use_x_forwarded_for: true
  # You must set the trusted proxy IP address so that Home Assistant will properly accept connections
  # Set this to your NGINX machine IP, or localhost if hosted on the same machine.
  # (When NGINX runs in a Docker container without host networking, its connections arrive
  # from the Docker bridge address, so that is the address Home Assistant needs to trust.)
  trusted_proxies: 127.0.0.1
```
Result - couldn't access HA. Typing the duckdns URL forwards to the HASS logo, says "loading" and then fails.
I'm sure there are a few things I'm doing wrong.
Now I bumped into another problem. Every time LibreELEC restarts, it recreates the nginx Docker container, which causes high CPU usage. Looking for an alternative method.
And we start the container via `docker start letsencrypt`.
After the container is started, we'll watch the logs with `docker logs letsencrypt -f`. It will take a while to create the dhparams file the first time it is started, and then we will see the validation steps. After all the steps, it should print "Server ready" in the logs.
Welcome to our server
The website is currently being setup under this address.
For help and support, please contact: [email protected]
NOTICE: Due to a DuckDNS limitation, our cert only covers the wildcard subdomains, but it doesn't cover the main URL. So if we try to access https://subdomain.duckdns.org, we'll see a browser warning about an invalid SSL cert. But accessing it through the www (or ha or any other) subdomain should work fine.
Reverse Proxy
Using Samba, navigate to "Storage\letsencrypt\nginx\site-confs".
Open the default file and replace the contents with the code below:
```nginx
server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name home-assistant.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /ldaplogin;

        # enable for Authelia
        #include /config/nginx/authelia-location.conf;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app home-assistant;
        set $upstream_port 8123;
        set $upstream_proto http;
        # replace local-ip with the address of the Home Assistant host
        proxy_pass http://local-ip:8123;
    }

    location /api/websocket {
        resolver 127.0.0.11 valid=30s;
        set $upstream_app home-assistant;
        set $upstream_port 8123;
        set $upstream_proto http;
        # replace local-ip with the address of the Home Assistant host
        proxy_pass http://local-ip:8123;
        proxy_set_header Host $host;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```
Restart the letsencrypt container: `docker restart letsencrypt`
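Added example (my own code, not from the thread or the tutorial) that checks the behaviour both nginx configs above are meant to produce, which is also the first thing to test for the "logo, loading, then fail" symptom in the first post: the plain-HTTP vhost must answer 301 to https://, the TLS vhost must send Strict-Transport-Security, and /api/websocket must complete the RFC 6455 upgrade handshake through the proxy. The host name and all responses are constructed samples; the functions take the raw response head as a string.

```python
import base64
import hashlib
import re

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed GUID from RFC 6455

def parse_head(raw: str):
    """Split a raw HTTP/1.x response head into (status_code, {lowercase header: value})."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers

def ws_accept_for(key: str) -> str:
    """Sec-WebSocket-Accept the upstream must return for a given Sec-WebSocket-Key."""
    return base64.b64encode(hashlib.sha1((key + WS_GUID).encode("ascii")).digest()).decode("ascii")

def ws_handshake_request(host: str, key: str, path: str = "/api/websocket") -> str:
    """Client handshake to send through the proxy; nginx must pass Upgrade/Connection on."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n"
            f"Sec-WebSocket-Key: {key}\r\nSec-WebSocket-Version: 13\r\n\r\n")

def check_http_redirect(raw: str, host: str) -> bool:
    """Port-80 vhost: 301 with an https:// Location for the same host."""
    status, h = parse_head(raw)
    return status == 301 and h.get("location", "").startswith(f"https://{host}")

def check_hsts(raw: str, min_age: int = 31536000) -> bool:
    """TLS vhost: Strict-Transport-Security present with max-age of at least one year."""
    m = re.search(r"max-age=(\d+)", parse_head(raw)[1].get("strict-transport-security", ""))
    return m is not None and int(m.group(1)) >= min_age

def check_ws_upgrade(raw: str, key: str) -> bool:
    """WebSocket path: 101, Upgrade/Connection echoed, and the Accept value matching our key."""
    status, h = parse_head(raw)
    return (status == 101 and h.get("upgrade", "").lower() == "websocket"
            and h.get("connection", "").lower() == "upgrade"
            and h.get("sec-websocket-accept") == ws_accept_for(key))

# Constructed sample responses (not captured from a real host); the key is the RFC 6455 example.
SAMPLE_KEY = "dGhlIHNhbXBsZSBub25jZQ=="
SAMPLE_REDIRECT = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://mysubdomain.duckdns.org/\r\n\r\n"
SAMPLE_TLS = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000; includeSubdomains\r\n\r\n"
SAMPLE_WS_OK = ("HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\nConnection: upgrade\r\n"
                "Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n")
SAMPLE_WS_BAD = "HTTP/1.1 400 Bad Request\r\n\r\n"  # constructed: Upgrade headers were not forwarded
```

Against a live setup, paste in the head returned by `curl -si` for the two vhosts, or send `ws_handshake_request` over a TLS socket and pass the reply to `check_ws_upgrade`.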
I followed your tutorial on a Pi4 and it worked for some days. I updated HA and now I can't access it with the duckdns address locally. I can access it from outside my network but not locally.
It's an annoyance to remember the IP and the port for accessing HA.
In the past, I was accessing it without problems from the local LAN with XXX.duckdns.org, but a few days ago it stopped working. It shows a homepage with the HA logo and a retry link below.
Accessing it on the local LAN with the server IP:8123 is and was possible, but it's annoying remembering the IP address, and it is not possible to reach it from Heimdall.
I think that something changed in the authentication method.