Unable to access HA from internal network by HTTP

Ausitn · October 11, 2024, 7:22am

Hi there, I’d like to achieve that access HA from external by HTTPS, and internal by HTTP
here is the issue

I can access HA form Https192.168.1.x:8123 and Https xxx.duckdns.org
I can’t access from Http192.168.1.x:8123

I’ve been serching on google, I tried to use the Nginx Proxy Manager and NGINX Home Assistant SSL proxy, but the result was fail.

The following are my configuration
[My hardware] :
Generic x86-64 installed HA, using duckdns for external accessing.

[Configuration.yaml]

http:
  ip_ban_enabled: true
  login_attempts_threshold: 5
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24  
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

[Nginx Proxy Manager]

Tinkerer · October 11, 2024, 7:25am

Did you remove the ssl_ lines from under http: in configuration.yaml and then restart HA?

WallyR · October 11, 2024, 8:11am

These two lines change the internal web server in HA from pure HTTP to pure HTTPS.
HA have no option for a mixed setup.

If you want a mixed setup, then you need to set HA as a pure HTTP and use NGinX.
NGinX accepts HTTPS and then pass them on to HA as HTTP.

Ausitn · October 11, 2024, 9:08am

Yes, I tried to remove the ssl_certificate: /ssl/fullchain.pem and ssl_key: /ssl/privkey.pem from configuration.yaml, but the result is that

I can access by internal HTTP IP, can not access by external https IP…
File editor was fail to access, which shows 401 error

Ausitn · October 11, 2024, 9:16am

I’ve tried to many ways to achieve accessing HA from external by HTTPS, and internal by HTTP

FAIL, only can acces by internal HTTP IP

http:
  ip_ban_enabled: true
  login_attempts_threshold: 5
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24

FAIL, can access by HTTPS no matter from internal or external IP

http:
  ip_ban_enabled: true
  login_attempts_threshold: 5
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24  
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

Fail, only can connect HA by https

http:
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

NathanCu · October 11, 2024, 10:38am

Yes, because exactly what Wally said.

HA by itself cannot do what you ask. It’s either or. Not both

So NGINX must be configured to terminate SSL and then pass back to HA as appropriate. It’s an advanced configuration. The you use the NGinX connection from outside and the internal from inside.

That said you won’t be able to use some features eye hitting from the non SSL connection so once you have SSL capability inside you may want to use that - especially if your router supports hairpin.

Tinkerer · October 11, 2024, 11:37am

Then NGINX wasn’t set up correctly, HA wasn’t set up correctly (see here), or you left the port forwarded to HA not NGINX.

Ausitn · October 11, 2024, 1:03pm

Nginx’s log, i’m wondering if the error might cause the http, https issue…

image982×348 15.9 KB
After changing the confi.yaml to the following, I can access by internal http//192.xxxx, but fail to access by external https//xx.duckdns.org

http:
 ip_ban_enabled: true
 login_attempts_threshold: 5
 use_x_forwarded_for: true
 trusted_proxies:
   - 172.30.33.0/24  
   - 192.168.2.0/24
   - 192.168.1.0/24
   - 192.168.2.100
   - 127.0.0.1
#  ssl_certificate: /ssl/fullchain.pem
#  ssl_key: /ssl/privkey.pem

Tinkerer · October 11, 2024, 2:59pm

Port is now forwarded to the proxy?
What’s in HA’s log file?
What’s in the proxy access and error log?

Please … share text as text, not images. See the sticky post.