Unable to Access HA over Local IP after installing NGINX/DuckDNS

Greenreader9 · December 17, 2023, 10:52pm

Hello

Basically what the title says. I just installed NGINX and DuckDNS (Following this awesome guide).

The post mentioned above says that:

However, that’s not exactly what happens with my instance:

If I access domain.duckdns.com, I get the default NGINX 502 page
If I access domain.duckdns.com:8123, it works fine, albeit a bit slow
Accessing 192.168.x.xx:8123 provides the HTTP response ERR_EMPTY_RESPONSE
Accessing the external IP:8123 provides the HTTP response NET::ERR_CERT_COMMON_NAME_INVALID. Bypassing the page results in the response ERR_CONNECTION_TIMED_OUT

I want to be able to access the page over HTTPS (Which is working), but also really want access to the local IP as well. I don’t need the external IP to work, but it would be nice if it did.

Configuration:
configuration.yaml

# Loads default set of integrations. Do not remove.
default_config:

python_script:

# Text to speech
tts:
  - platform: google_translate
  - platform: edge_tts

automation: !include automations.yaml
script: !include scripts.yaml
scene: !include scenes.yaml


frontend:
    themes: !include_dir_merge_named themes
    
sensor:
  - platform: time_date
    display_options:
      - 'time'
      - 'date'
      - 'date_time'
      - 'date_time_utc'
      - 'date_time_iso'
      - 'time_date'
      - 'time_utc'
      - 'beat'

http:
    ssl_certificate: /ssl/fullchain.pem
    ssl_key: /ssl/privkey.pem


.......

DuckDNS Add-On Configuration:

domains:
  - domain.duckdns.org
token: token-auth-0
aliases: []
lets_encrypt:
  accept_terms: true
  algo: secp384r1
  certfile: fullchain.pem
  keyfile: privkey.pem
seconds: 300

NGINX Add-On Configuration:

domain: domain.duckdns.org
hsts: max-age=31536000; includeSubDomains
certfile: fullchain.pem
keyfile: privkey.pem
cloudflare: false
customize:
  active: false
  default: nginx_proxy_default*.conf
  servers: nginx_proxy/*.conf

Also, off-topic question:
Is there any way to get a backups slug via the UI? The few times I had to run backups via the CLI I had to get the slug via the backups list --raw-json command, but it put the backups in a random order and it took forever to find the one I wanted.

–

Thanks in advance for any assistance!

EDIT: It is taking forever to load the instance over the DuckDNS domain, and once it does load, as soon as I click a button it stops working and returns to the loading circle again. The app also won’t connect either, just displays an endless spinner.

mobile.andrew.jones · December 18, 2023, 12:42am

OK so the first thing I can see here -
You have the SSL certs in the Home Assistant config. You SHOULD NOT.

The idea is to have Home Assistant accessible over HTTP on port 8123 so it can be accessed by it’s IP address. Nginx is the magic part, it does the proxying to Home Assistant, so it receives the https requests and then proxies them to Home Assistant.

Home Assistant will need both
use_x_forwarded_for: true and also the trusted_proxies: setting so that it can receive requests from Nginx - without this setting, it will refuse the connection from Nginx.

Greenreader9 · December 18, 2023, 12:49am

Thanks for the quick reply!

Just to make sure I understand you correctly, I should modify the configuration.yaml file as follows:

Comment out http: and the items below it
Add the following to the file:

trusted_proxies:

use_x_forwarded_for: true

Thank you!

mobile.andrew.jones · December 18, 2023, 12:51am

Just had a quick look at the Nginx docs:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24

Thats what your http section should look like.

Edit:

github.com

home-assistant/addons/blob/934886983860736703a36c9dcee2cc6f6eac3477/nginx_proxy/DOCS.md

# Home Assistant Add-on: NGINX Home Assistant SSL proxy

## Installation

Follow these steps to get the add-on installed on your system:

1. Navigate in your Home Assistant frontend to **Settings** -> **Add-ons** -> **Add-on store**.
2. Find the "NGINX Home Assistant SSL proxy" add-on and click it.
3. Click on the "INSTALL" button.

## How to use

The NGINX Proxy add-on is commonly used in conjunction with the [Duck DNS](https://github.com/home-assistant/addons/tree/master/duckdns) add-on to set up secure remote access to your Home Assistant instance. The following instructions covers this scenario.

1. The certificate to your registered domain should already be created via the [Duck DNS](https://github.com/home-assistant/addons/tree/master/duckdns) add-on or another method. Make sure that the certificate files exist in the `/ssl` directory.
2. In the `configuration.yaml` file, some options in the `http:` section are no longer necessary for this scenario, and should be commented out or removed:
   - `ssl_certificate`
   - `ssl_key`
   - `server_port`
3. And you need to add the `trusted_proxies` section (requests from reverse proxies will be blocked if these options are not set).

This file has been truncated. show original

Greenreader9 · December 18, 2023, 12:53am

Thanks!

Since the web UI is not loading at all, and SSH is refusing the connection, is there a way I can use nano or vim to edit the file in the CLI that appears when I plug an HDMI cable into the pi?

mobile.andrew.jones · December 18, 2023, 12:54am

Yes.
When you see the screen with the Home Assistant text and the IP addresses etc it will say ha>

Type login and press enter to get a Linux shell.

mobile.andrew.jones · December 18, 2023, 12:59am

To answer your next question you might have - because I had to go looking on my own system.

/mnt/data/supervisor/homeassistant/ is where the files are when you are in that shell.

Greenreader9 · December 18, 2023, 1:28am

Hello

Tried that, then ran “core restart”. However, that command returns “Error: No Home Assistant Core responce, assuming a fatal startup error”. Don’t know what went wrong.

But the same things as for assessing the install are still occurring as described in my first post. (I can still access the spinny-wheel via the duckdns uri).

Here is the vi editor for the configuration file:

(Please ignore the horrible quality and dusty screen)

Thanks for your help!

mobile.andrew.jones · December 18, 2023, 1:30am

I can’t fully tell - but it LOOKS to me, like that x in use_x_forwaded_for: true is a big X and not a small x…

Check that and then instead of running core restart run core check and let it do a full check of all the config and spit out the relevant errors.

The spiny thing is expected - because Home Assistant uses a service worker like all modern web apps. So the service worker is installed in the browser and is running, even though Home Assistant is not accessible

Greenreader9 · December 18, 2023, 1:48am

Yup, that could be it. The reason I must have put the big X is because I’m used to headers like this one: X-Forwarded-For - HTTP | MDN

I think it’s still broken:

Post “http://supervisor/core/check”: context deadline exceeded (Client.Timeout exceeded while awaiting headers)

EDIT: Forgot to mention that I also removed a space from before the “- 172” line. It looked like it might have been indented too much.

EDIT #2: I tried to run restart again, it returned

Error: another job is running for job group container_homeassistant

Did the “check” command get it stuck in some sort of endless loop?

mobile.andrew.jones · December 18, 2023, 2:05am

Yeah… I kinda wasn’t sure how it is working to be honest, when I saw the spacing in the file. It looks like TAB has been used rather than spaces.

it should be:

http:
  use_x_forwarded_for: true

not

http:
    use_x_forwarded_for: true

ie - each subsection should be 2 more spaces than the previous section.

The check command might still be running behind the scenes for sure, because it usually takes about 5 minutes to run, I think it builds a temporary virtual environment and then loads the config into the new homeassistant behind the scenes.

Greenreader9 · December 18, 2023, 2:11am

Gotcha. I thought it was 4 (Thinking TAB), so that’s what I used. Went back in and changed it to 2 spaces for indent instead.

Exited that and it says

Get “http://supervisor/network/info”: dial tcp 172.xx.xx.x:80 connect: connection refused

For the record, I don’t have port 80 forwarded.

Trying to “core restart”, I get

Post “http://supervisor/core/restart”: dial tcp 172.xx.xx.x:80 connect: connection refused

The IP in both messages is the same.