"Unable to connect to Home Assistant" via nginx reverse proxy

I’ve read through the thread but still can’t get my remote access to work. I’m using the Nginx Proxy Manager add-on. Getting these debug logs:

listen 80;
#listen [::]:80;

listen 443 ssl http2;
#listen [::]:443;

  server_name mydomain.se;

  # Let's Encrypt SSL
  include conf.d/include/letsencrypt-acme-challenge.conf;
  include conf.d/include/ssl-ciphers.conf;
  ssl_certificate /etc/letsencrypt/live/npm-1/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/npm-1/privkey.pem;

  # Force SSL
  include conf.d/include/force-ssl.conf;

  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection $http_connection;
  proxy_http_version 1.1;

  access_log /proc/1/fd/1 proxy;
  error_log /proc/1/fd/1 warn;

  location / {
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Scheme $scheme;
    proxy_set_header X-Forwarded-Proto  $scheme;
    proxy_set_header X-Forwarded-For    $remote_addr;
    proxy_set_header X-Real-IP          $remote_addr;
    proxy_pass       http://192.168.10.178:8123;

    # Force SSL
    include conf.d/include/force-ssl.conf;

    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_http_version 1.1;

    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
  }

  # Custom
  include /data/nginx/custom/server_proxy[.]conf;
}


[12/20/2023] [5:25:36 PM] [Nginx    ] › ℹ  info      Testing Nginx configuration
[12/20/2023] [5:25:36 PM] [Nginx    ] › ℹ  info      Testing Nginx configuration
[12/20/2023] [5:25:36 PM] [Nginx    ] › ℹ  info      Reloading Nginx
[20/Dec/2023:17:25:56 +0100] 200 - GET http 85.229.56.34 "/" [Client 167.94.145.59] [Length 1154] [Gzip -] "-" "-"
[20/Dec/2023:17:25:59 +0100] 200 - GET http 85.229.56.34 "/" [Client 167.94.145.59] [Length 625] [Gzip 1.88] "Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)" "-"
[20/Dec/2023:17:25:59 +0100] 400 - - http localhost-nginx-proxy-manager "-" [Client 167.94.145.59] [Length 150] [Gzip -] "-" "-"
[20/Dec/2023:17:26:00 +0100] 400 - GET http 85.229.56.34 "/favicon.ico" [Client 127.0.0.1] [Length 226] [Gzip -] "-" "-"
2023/12/20 17:26:19 [error] 352#352: *2036 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.10.1, server: mydomain.se, request: "POST /api/webhook/89ad14f94b8ae4027281dfdbd1617cf7e4a83e292b228226323e1402c55bf300 HTTP/2.0", upstream: "http://192.168.10.178:8123/api/webhook/89ad14f94b8ae4027281dfdbd1617cf7e4a83e292b228226323e1402c55bf300", host: "mydomain.se"
[20/Dec/2023:17:26:19 +0100] - 502 502 - POST https mydomain.se "/api/webhook/89ad14f94b8ae4027281dfdbd1617cf7e4a83e292b228226323e1402c55bf300" [Client 192.168.10.1] [Length 150] [Gzip -] [Sent-to 192.168.10.178] "Home Assistant/2023.7 (io.robbie.HomeAssistant; build:2023.471; macOS 14.1.2)" "-"
[20/Dec/2023:17:26:47 +0100] - 200 200 - POST https mydomain.se "/api/webhook/89ad14f94b8ae4027281dfdbd1617cf7e4a83e292b228226323e1402c55bf300" [Client 192.168.10.1] [Length 0] [Gzip -] [Sent-to 192.168.10.178] "Home Assistant/2023.7 (io.robbie.HomeAssistant; build:2023.471; macOS 14.1.2)" "-"
[20/Dec/2023:17:27:12 +0100] - - 499 - POST https mydomain.se "/api/webhook/89ad14f94b8ae4027281dfdbd1617cf7e4a83e292b228226323e1402c55bf300" [Client 192.168.10.1] [Length 0] [Gzip -] [Sent-to 192.168.10.178] "Home Assistant/2023.7 (io.robbie.HomeAssistant; build:2023.471; macOS 14.1.2)" "-"
[20/Dec/2023:17:27:20 +0100] - 200 200 - POST https mydomain.se "/api/webhook/89ad14f94b8ae4027281dfdbd1617cf7e4a83e292b228226323e1402c55bf300" [Client 192.168.10.1] [Length 0] [Gzip -] [Sent-to 192.168.10.178] "Home Assistant/2023.7 (io.robbie.HomeAssistant; build:2023.471; macOS 14.1.2)" "-"
[20/Dec/2023:17:32:16 +0100] - 200 200 - POST https mydomain.se "/api/webhook/89ad14f94b8ae4027281dfdbd1617cf7e4a83e292b228226323e1402c55bf300" [Client 192.168.10.1] [Length 1014] [Gzip -] [Sent-to 192.168.10.178] "Home Assistant/2023.7 (io.robbie.HomeAssistant; build:2023.471; macOS 14.1.2)" "-"
[12/20/2023] [5:36:13 PM] [SSL      ] › ℹ  info      Renewing SSL certs close to expiry...
[12/20/2023] [5:36:27 PM] [Nginx    ] › ℹ  info      Testing Nginx configuration
[12/20/2023] [5:36:27 PM] [Nginx    ] › ℹ  info      Reloading Nginx
[12/20/2023] [5:36:28 PM] [SSL      ] › ℹ  info      Renew Complete

My problem accessing Home Assistant occurs only when trying to access it from a mobile data connection. I have checked that the DNS is correctly set up, there are no firewall blocks, and my ISP has confirmed they are not blocking any ports. I forward both 80 and 443 in the router. I get my certificate from a DirectAdmin SSL challenge, and it is confirmed to have been created successfully. I have been chatting with ChatGPT 4 for 2 days now trying to solve the problem and we are out of ideas now. Please help!
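For reading logs like the one above, an added example (not part of the original post): a small parser for the two Nginx Proxy Manager access-log layouts shown there, which counts outcomes for one proxied hostname and separates LAN clients from external ones. The LAN range is taken from the addresses in the thread; the hostname, client addresses and sample lines are constructed placeholders.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.10.0/24")  # assumption: the LAN range used in the thread

# Constructed sample lines (placeholder hosts and addresses) in the two layouts
# seen above: default host (status only) and proxy host (cache, upstream
# status, status, [Sent-to ...]), plus one non-access line to be skipped.
SAMPLE = """\
[12/20/2023] [5:25:36 PM] [Nginx    ] info Reloading Nginx
[20/Dec/2023:17:25:56 +0100] 200 - GET http 198.51.100.20 "/" [Client 203.0.113.9] [Length 1154] [Gzip -] "-" "-"
[20/Dec/2023:17:26:19 +0100] - 502 502 - POST https ha.example.org "/api/webhook/ID" [Client 192.168.10.1] [Length 150] [Gzip -] [Sent-to 192.168.10.178] "HA" "-"
[20/Dec/2023:17:27:12 +0100] - - 499 - POST https ha.example.org "/api/webhook/ID" [Client 192.168.10.1] [Length 0] [Gzip -] [Sent-to 192.168.10.178] "HA" "-"
[20/Dec/2023:17:27:20 +0100] - 200 200 - POST https ha.example.org "/api/webhook/ID" [Client 192.168.10.1] [Length 0] [Gzip -] [Sent-to 192.168.10.178] "HA" "-"
"""

LINE = re.compile(
    r'^\[[^\]]+\] (?:(?P<cache>\S+) (?P<upstream>\S+) )?(?P<status>\d{3}) - '
    r'\S+ \S+ (?P<host>\S+) "[^"]*" \[Client (?P<client>[^\]]+)\]')

def parse(line):
    """Return host, client, status and upstream status, or None if not an access line."""
    m = LINE.match(line)
    return m.groupdict() if m else None

def triage(text, hostname):
    """Count outcomes for one proxied hostname, split by LAN and external clients."""
    counts = Counter()
    for f in filter(None, map(parse, text.splitlines())):
        if f["host"] != hostname:
            counts["other-host"] += 1   # e.g. scanners requesting the bare IP
            continue
        origin = "lan" if ip_address(f["client"]) in LAN else "external"
        if f["upstream"] == "502":
            outcome = "upstream-502"    # proxy could not reach the backend
        elif f["status"] == "499":
            outcome = "client-closed"   # client gave up before a response
        else:
            outcome = "ok" if int(f["status"]) < 400 else "error"
        counts[f"{origin}:{outcome}"] += 1
    return counts

if __name__ == "__main__":
    for key, n in sorted(triage(SAMPLE, "ha.example.org").items()):
        print(f"{key:22} {n}")
```

If no `external:` key shows up for the hostname while the failing device is on mobile data, those requests are not arriving at this server block at all.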

Mobile data usually uses IPv6; make sure you have enabled it.

Also, your cert is going to expire soon.

Wondering what web sockets support and block common exploits will change in the nginx configuration, any idea?

Thank you. That also solved my problem.

Yup, that was my issue. Once enabling web sockets it started working as expected. Thanks to all for the suggestion.

I had this same issue, using NPM and also Authelia.

I actually turned websockets off, and added these now famous lines to the Advanced tab in the “location /” section of the boilerplate Authelia code.

proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";

It worked fine with and without websockets enabled.

I don't know if anyone did this, but it was by accident that I set the config like so, pointing to my nginx reverse proxy server IP, which still didn't get me past the login.

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.1.3
  ip_ban_enabled: true
  login_attempts_threshold: 3

But because I banned the IP for too many failed attempts, I found the Docker IP
inside the ip_bans.yaml file.
I popped that under the nginx IP and boom, all good.

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.1.3
    - 172.18.0.1
  ip_ban_enabled: true
  login_attempts_threshold: 3
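Why the second address mattered, as an added example (a simplified model written for this page, not Home Assistant's own code): it assumes that with use_x_forwarded_for enabled the header is honoured only when the connection itself comes from an address listed in trusted_proxies, and that the client is then the right-most hop that is not a listed proxy. The function name and the 203.0.113.7 client address are made up for illustration.

```python
from ipaddress import ip_address, ip_network

def resolve_client(peer, xff, trusted_proxies, use_x_forwarded_for=True):
    """Model of the decision for one request: (client_ip, None) or (None, reason).

    peer is the source address of the TCP connection as Home Assistant sees it;
    xff is the X-Forwarded-For header value, or None when the header is absent.
    """
    trusted = [ip_network(p) for p in trusted_proxies]

    def is_trusted(ip):
        return any(ip in net for net in trusted)

    peer_ip = ip_address(peer)
    if xff is None:
        return str(peer_ip), None                  # direct request, no proxy
    if not use_x_forwarded_for:
        return None, "X-Forwarded-For sent but use_x_forwarded_for is off"
    if not is_trusted(peer_ip):
        return None, f"untrusted proxy {peer_ip}"  # peer is not a listed proxy
    try:
        hops = [ip_address(h.strip()) for h in xff.split(",")]
    except ValueError:
        return None, "invalid address in X-Forwarded-For"
    # Walk right to left: the first hop that is not a trusted proxy is the
    # client. Entries further left were supplied by that client and are ignored.
    for hop in reversed(hops):
        if not is_trusted(hop):
            return str(hop), None
    return str(hops[0]), None                      # every hop was a trusted proxy

# The two trusted_proxies lists from the post; 203.0.113.7 is a constructed client.
BEFORE = ["192.168.1.3"]
AFTER = ["192.168.1.3", "172.18.0.1"]

if __name__ == "__main__":
    # Home Assistant sees the Docker gateway, not the proxy's LAN address.
    print(resolve_client("172.18.0.1", "203.0.113.7", BEFORE))
    print(resolve_client("172.18.0.1", "203.0.113.7", AFTER))
    # A forged left-hand entry does not change the result.
    print(resolve_client("172.18.0.1", "192.168.1.3, 203.0.113.7", AFTER))
    # Trusting everything lets the header alone decide the client address.
    print(resolve_client("203.0.113.7", "192.168.1.50", ["0.0.0.0/0"]))
```

The last call is the reason to list only the proxy's own address or its narrow subnet: with ip_ban_enabled, the resolved address is the one that ends up banned.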

What worked for me: Raspberry Pi 5, running Home Assistant and the Nginx Proxy Manager add-on.

In configuration.yaml:

Remote Access with Nginx

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24

Enabling the web sockets option in Nginx Proxy Manager

Adding the lines in define location as described by @cwricklee

Thank you all for the discussion. I was struggling with the same errors. I have deployed HA, Frigate, and MQTT all in Docker on Ubuntu and was trying to set up the DuckDNS domain with a reverse proxy, and finally I am successful…

What proxy do you use?

Try this… (same post here: Ingress with support for websocket - #2 by nikos445)

Configuration YAML:

http:
  server_port: 80
  use_x_forwarded_for: true
  trusted_proxies:
  - 192.168.200.100

Ingress:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: home-assistant-ingress
  namespace: default
  annotations: 
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    nginx.ingress.kubernetes.io/server-snippets: |
      location /api/websocket {
          proxy_http_version 1.1;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection "upgrade";
        }
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - example.com
    secretName: home-assistant-cert
  rules:
    - host: example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: haas
                port:
                  # number: 80
                  name: haas

I am using nginx service

Thank you so much, been trying to fix this for ages, your solution worked a treat for me. Thank you :smiley:

Epic. This link worked for me too :smiley:

Did you get it working? I can’t seem to find the path where the log file is stored.

Did you find a solution to redirect the access log somewhere?
I would like to use GoAccess for the Nginx Proxy Manager add-on/Docker to view a website portal with statistics,
using this: GitHub - xavier-hernandez/goaccess-for-nginxproxymanager: GoAccess Docker Image for Nginx Proxy Manager and more...

I did not find an HA add-on for it, but I can make it with Portainer and paste a docker compose text there in the “Add Stack”.

If I look at the Nginx Reverse Proxy Manager Addon with Portainer, I see following Volume mappings:

Indeed, the /mnt/data/supervisor/addon_configs/a0d7b954_nginxproxymanager is under my HA Samba share under addon_configs:

but the other share is not under addons directory (it is empty).

Anyone got GoAccess working with the HA NPM add-on logs?

edit: I think the logs are stored with HA under /var/log/journal ? (binary files)

With:
ha host logs --identifier addon_a0d7b954_nginxproxymanager
under supervisor SSH you can also see the log of the NPM.
The question now is how to add this to the GoAccess docker compose file volumes?

Below is something I thought it would be, but the log is not available as a file, I think.

version: '3.3'
services:
  goaccess:
    image: 'xavierh/goaccess-for-nginxproxymanager:latest'
    container_name: goaccess
    restart: always
    ports:
      - '7880:7880'
    environment:
      - TZ=Europe/Brussels
      - SKIP_ARCHIVED_LOGS=False #optional
      - DEBUG=False #optional
      - BASIC_AUTH=False #optional
      - BASIC_AUTH_USERNAME=user #optional
      - BASIC_AUTH_PASSWORD=pass #optional
      - EXCLUDE_IPS=127.0.0.1 #optional - comma delimited
      - LOG_TYPE=NPM #optional - more information below
      - ENABLE_BROWSERS_LIST=True #optional - more information below
      - CUSTOM_BROWSERS=Kuma:Uptime,TestBrowser:Crawler #optional - comma delimited, more information below
      - HTML_REFRESH=5 #optional - Refresh the HTML report every X seconds. GoAccess - Manual Page
      - KEEP_LAST=30 #optional - Keep the last specified number of days in storage. GoAccess - Manual Page
      - PROCESSING_THREADS=1 #optional - This parameter sets the number of concurrent processing threads in the program’s execution, affecting log data analysis, typically adjusted based on CPU cores. Default is 1. GoAccess - Manual Page
    volumes:
      - /mnt/data/supervisor/addons/data/a0d7b954_nginxproxymanager/logs:/opt/log
      - /path/to/host/custom:/opt/custom #optional, required if using log_type = CUSTOM
    networks:
      - nginxproxymanager_default

networks:
  nginxproxymanager_default:
    external: true

Also very much thanks to you!
I figured out how to configure the variables in my NGINX Hyper-V VM on a clean Ubuntu 24.04.1 build.

Yes, yes, yes! I’m so happy with other people’s problems. And even more with other people’s problem-solving skills! :smiley:

I must commend you, Sir, on your acute olfactory abilities.

While this configuration differs somewhat from my actual setup, I am nevertheless grateful for your assistance, even after two years.

This is how to fix it on NPM, make sure http and web socket are enabled. I really struggled to find clear guidance in the thread with all the other changes I made but this is all that is needed.

I am still struggling with this issue with mobile data. I have the reverse proxy enabled, with the “Websockets support” enabled, as well as the added lines discussed here.

How would you make sure IPv6 is enabled?

For my part,
I can connect easily from outside, with the Synology DSM reverse proxy, websocket activated, HA hosted by the NAS,
but I cannot only from work, … by the way, NAS applications are reachable, meanless HA.
Any ideas?
In HA, trusted_proxies is only the NAS local IP.