Trying to get reverse proxy to work

Anand_Suppiah · June 9, 2020, 2:31pm

Hi. Im trying to get reverse proxy to work but cant find any recent guide. All guides appear to be outdated or doesnt work with my setup.

Problem faced : cannot access ha from android app using local ip. Can only access using duckdns. Can access local ip through browser with ssl warning.

Hardware : Raspberry pi 4 4GB
Home assistant version : 0.110.4

Current setup :

Installed on libreelec using libreelec’s docker addon.
Command used is

docker run -d --name=“home-assistant” -v /storage/hass-config:/config -v /etc/localtime:/etc/localtime:ro -p 8123:8123/tcp --net=host --restart=unless-stopped homeassistant/raspberrypi3-homeassistant:stable

Then i installed duckdns and nginx letsencrypt addon on libreelec.

Port forwarding is
80 to 80
443 to 8123

Because im using libreelec, i cant follow the existing guides. Many of the commands throw an error. Im a newbie to this.

Would appreciate any directions.

petro · June 9, 2020, 3:46pm

What settings do you have for the nginx add-on? Also, you should be port forwarding 443 to 443 if you’re using a proxy.

Anand_Suppiah · June 9, 2020, 4:23pm

I did read that i need to forward 443 to 443. But I also need to know what to change in the nginx add on. For now I just added the domain name and location for letsencrypt certificate.

I tried to follow this guide here Reverse proxy using NGINX but no luck.

Not sure if i was doing it right.

What i did was as follows:-
step 1 to 4 was done via addon. so i skipped.
step 5 -

copied this code into the default file ( basically replaced everything with it)

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    # Update this line to be your domain
    server_name mysubdomain.duckdns.org;

    # These shouldn't need to be changed
    listen [::]:80 default_server ipv6only=off;
    return 301 https://$host$request_uri;
}

server {
    # Update this line to be your domain
    server_name mysubdomain.duckdns.org;

    # Ensure these lines point to your SSL certificate and key
    ssl_certificate /etc/letsencrypt/live/mysubdomain.duckdns.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mysubdomain.duckdns.org/privkey.pem;
    # Use these lines instead if you created a self-signed certificate
    # ssl_certificate /etc/nginx/ssl/cert.pem;
    # ssl_certificate_key /etc/nginx/ssl/key.pem;

    # Ensure this line points to your dhparams file
    ssl_dhparam /etc/nginx/ssl/dhparams.pem;


    # These shouldn't need to be changed
    listen [::]:443 ssl default_server ipv6only=off; # if your nginx version is >= 1.9.5 you can also add the "http2" flag here
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    # ssl on; # Uncomment if you are using nginx < 1.15.0
    ssl_protocols TLSv1.2;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    proxy_buffering off;

    location / {
        proxy_pass http://127.0.0.1:8123;
        proxy_set_header Host $host;
        proxy_redirect http:// https://;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}

i wonder if ssl_ciphers need to be changed.

skipped step 6.

step 7 - restart nginx docker.

forwarded port 443 to 443 and 80 to 80.

step 9 :
added this in configuration.yaml

http:
  # For extra security set this to only accept connections on localhost if NGINX is on the same machine
  # Uncommenting this will mean that you can only reach Home Assistant using the proxy, not directly via IP from other clients.
  # server_host: 127.0.0.1
  use_x_forwarded_for: true
  # You must set the trusted proxy IP address so that Home Assistant will properly accept connections
  # Set this to your NGINX machine IP, or localhost if hosted on the same machine.
  trusted_proxies: 127.0.0.1

Result - couldnt access HA. typing duckdnsurl will forward to HASS logo and say loading and then fail.

I’m sure there are a few things i’m doing wrong.

Now i bumped into another problem. Everytime libre elec restarts, it recreates the nginx docker which causes high cpu usage. Looking for an alternative method.

Anand_Suppiah · June 11, 2020, 12:11pm

After alot of reading, research and trial and error. I solved my problem.

Putting up the whole guide here if some one else wants to follow and also as a reference for me in the future:-

A. Install Home Assistant

docker run -d --name="home-assistant" -v /storage/hass-config:/config -v /etc/localtime:/etc/localtime:ro -p 8123:8123/tcp --net=host --restart=unless-stopped homeassistant/raspberrypi3-homeassistant:stable

Guide modified from https://blog.linuxserver.io/2019/04/25/letsencrypt-nginx-starter-guide/

B. Install nginx letsencrypt

Install nginx letsencrypt. Login to SSH.

docker create --name=letsencrypt --cap-add=NET_ADMIN --net=host -e PUID=1000 -e PGID=1000 -e TZ=Asia/Kuala_Lumpur -e URL=subdomain.duckdns.org -e SUBDOMAINS=www,ha -e VALIDATION=http -e [email protected] -p 443:443 -p 80:80 -v /storage/letsencrypt:/config --restart unless-stopped linuxserver/letsencrypt

Check if container installed installed.

command : Docker ps -a

And we start the container via docker start letsencrypt
After the container is started, we’ll watch the logs with docker logs letsencrypt -f. It will take a while to create the dhparams file the first time it is started, and then we will see the validation steps. After all the steps, it should print Server ready in the logs.
Now we can access the webserver by browsing to https://www.subdomain.duckdns.org.
You will see

Welcome to our server
The website is currently being setup under this address.
For help and support, please contact: [email protected]

NOTICE: Due to a DuckDNS limitation, our cert only covers the wildcard subdomains, but it doesn’t cover the main url. So if we try to access https://subdomain.duckdns.org, we’ll see a browser warning about an invalid ssl cert. But accessing it through the www (or ha or any other) subdomain should work fine.

Reverse Proxy

Using samba, navigate to to “Storage\letsencrypt\nginx\site-confs”
Open the default file and replace the contents with the code below


server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name home-assistant.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /ldaplogin;

        # enable for Authelia
        #include /config/nginx/authelia-location.conf;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app home-assistant;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass http:// "local-ip":8123;

    }

    location /api/websocket {
        resolver 127.0.0.11 valid=30s;
        set $upstream_app home-assistant;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass http://"local-ip":8123;

        proxy_set_header Host $host;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

restart the letsencrypt container
Docker restart letsencrypt

Enjoy.
Can login to https://subdomain.duckdns.org
and locally
http: ip address:8123

pbu80 · June 11, 2020, 12:05pm

Hide your url

Anand_Suppiah · June 11, 2020, 12:12pm

Thanks. I missed that one.

emailforos · October 22, 2020, 4:49pm

I followed your tutorial in a Pi4 and it worked for some days. I updated HA and now I can’t access with the duckdns address locally. I can access form outside my network but not locally.

It’s an annoyance to remember the IP and the port for accessing HA.

Is your set up still working on your system?

Thank you for your help.

Anand_Suppiah · October 26, 2020, 2:48pm

Hi. To access locally, you must use your local ip and port.

http://(local ip):8123

Use the Home assistant app and set the Internal Connection URL.

emailforos · October 26, 2020, 3:06pm

Thank you for your answer.

In the past, I was accessing without problems from local lan with XXX.duckdns.org, but few days ago, stop working. It show a homepage with HA logo and a retry link below.

Accesssing in local lan with the server IP:8123 is and was possible but it’s annoying remembering the IP address, and not possible to reach from Heimdall.

I think that something change in the authentication method.

Thanking your help. I’ll keep searching.