"Unable to connect to Home Assistant" via nginx reverse proxy

mhackdo18 · June 8, 2023, 5:23am

Hi It is possible to use nginx using 8123 port,

ex. https://mydomain.duckdns.org:8123, i don’t like to use directly

saffrey · July 28, 2023, 3:23am

Thanks for this, worked for my situation too.

TomMcDee · August 16, 2023, 7:03pm

Same for me! Thank you so much!

RexYuan · September 6, 2023, 6:18pm

If you’re using Nginx Proxy Manager be sure to turn on websocket support

yousaf465 · November 29, 2023, 5:48am

post moved to correct thread

Peter_Westerlund · December 20, 2023, 4:40pm

I’ve read though the thread but still can’t get my remote access to work. I’m using the Nginx Proxy Manager add-on. Getting these debug logs:

listen 80;
#listen [::]:80;

listen 443 ssl http2;
#listen [::]:443;


  server_name mydomain.se;


  # Let's Encrypt SSL
  include conf.d/include/letsencrypt-acme-challenge.conf;
  include conf.d/include/ssl-ciphers.conf;
  ssl_certificate /etc/letsencrypt/live/npm-1/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/npm-1/privkey.pem;












    # Force SSL
    include conf.d/include/force-ssl.conf;




proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_http_version 1.1;


  access_log /proc/1/fd/1 proxy;
  error_log /proc/1/fd/1 warn;



  location / {
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Scheme $scheme;
    proxy_set_header X-Forwarded-Proto  $scheme;
    proxy_set_header X-Forwarded-For    $remote_addr;
    proxy_set_header X-Real-IP		$remote_addr;
    proxy_pass       http://192.168.10.178:8123;

    

    
    

    
    # Force SSL
    include conf.d/include/force-ssl.conf;


    





    
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_http_version 1.1;
    


    proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection “upgrade”;
  }





  # Custom
  include /data/nginx/custom/server_proxy[.]conf;
}


[12/20/2023] [5:25:36 PM] [Nginx    ] › ℹ  info      Testing Nginx configuration
[12/20/2023] [5:25:36 PM] [Nginx    ] › ℹ  info      Testing Nginx configuration
[12/20/2023] [5:25:36 PM] [Nginx    ] › ℹ  info      Reloading Nginx
[20/Dec/2023:17:25:56 +0100] 200 - GET http 85.229.56.34 "/" [Client 167.94.145.59] [Length 1154] [Gzip -] "-" "-"
[20/Dec/2023:17:25:59 +0100] 200 - GET http 85.229.56.34 "/" [Client 167.94.145.59] [Length 625] [Gzip 1.88] "Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)" "-"
[20/Dec/2023:17:25:59 +0100] 400 - - http localhost-nginx-proxy-manager "-" [Client 167.94.145.59] [Length 150] [Gzip -] "-" "-"
[20/Dec/2023:17:26:00 +0100] 400 - GET http 85.229.56.34 "/favicon.ico" [Client 127.0.0.1] [Length 226] [Gzip -] "-" "-"
2023/12/20 17:26:19 [error] 352#352: *2036 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.10.1, server: mydomain.se, request: "POST /api/webhook/89ad14f94b8ae4027281dfdbd1617cf7e4a83e292b228226323e1402c55bf300 HTTP/2.0", upstream: "http://192.168.10.178:8123/api/webhook/89ad14f94b8ae4027281dfdbd1617cf7e4a83e292b228226323e1402c55bf300", host: "mydomain.se"
[20/Dec/2023:17:26:19 +0100] - 502 502 - POST https mydomain.se "/api/webhook/89ad14f94b8ae4027281dfdbd1617cf7e4a83e292b228226323e1402c55bf300" [Client 192.168.10.1] [Length 150] [Gzip -] [Sent-to 192.168.10.178] "Home Assistant/2023.7 (io.robbie.HomeAssistant; build:2023.471; macOS 14.1.2)" "-"
[20/Dec/2023:17:26:47 +0100] - 200 200 - POST https mydomain.se "/api/webhook/89ad14f94b8ae4027281dfdbd1617cf7e4a83e292b228226323e1402c55bf300" [Client 192.168.10.1] [Length 0] [Gzip -] [Sent-to 192.168.10.178] "Home Assistant/2023.7 (io.robbie.HomeAssistant; build:2023.471; macOS 14.1.2)" "-"
[20/Dec/2023:17:27:12 +0100] - - 499 - POST https mydomain.se "/api/webhook/89ad14f94b8ae4027281dfdbd1617cf7e4a83e292b228226323e1402c55bf300" [Client 192.168.10.1] [Length 0] [Gzip -] [Sent-to 192.168.10.178] "Home Assistant/2023.7 (io.robbie.HomeAssistant; build:2023.471; macOS 14.1.2)" "-"
[20/Dec/2023:17:27:20 +0100] - 200 200 - POST https mydomain.se "/api/webhook/89ad14f94b8ae4027281dfdbd1617cf7e4a83e292b228226323e1402c55bf300" [Client 192.168.10.1] [Length 0] [Gzip -] [Sent-to 192.168.10.178] "Home Assistant/2023.7 (io.robbie.HomeAssistant; build:2023.471; macOS 14.1.2)" "-"
[20/Dec/2023:17:32:16 +0100] - 200 200 - POST https mydomain.se "/api/webhook/89ad14f94b8ae4027281dfdbd1617cf7e4a83e292b228226323e1402c55bf300" [Client 192.168.10.1] [Length 1014] [Gzip -] [Sent-to 192.168.10.178] "Home Assistant/2023.7 (io.robbie.HomeAssistant; build:2023.471; macOS 14.1.2)" "-"
[12/20/2023] [5:36:13 PM] [SSL      ] › ℹ  info      Renewing SSL certs close to expiry...
[12/20/2023] [5:36:27 PM] [Nginx    ] › ℹ  info      Testing Nginx configuration
[12/20/2023] [5:36:27 PM] [Nginx    ] › ℹ  info      Reloading Nginx
[12/20/2023] [5:36:28 PM] [SSL      ] › ℹ  info      Renew Complete

My problem to access Home Assistant is only when trying to access from a mobile data connection. I have checked that the DNS is correct se-up, no Firewall blockings, my ISP have confirmed they are not blocking any ports. I forward both 80 and 443 in the router. I get my certificate from a DirectAdmin SSL challange and is confirmed to be created successfully. I have been chatting with ChatGPT 4 for 2 days now trying to solve the problem and we are out of ideas now. Please help!

rstolpe · December 30, 2023, 11:28am

Mobiledata are usually using ipv6 make sure you have enabled it.

Also your cert are going to expire soon

rstolpe · January 7, 2024, 11:37am

Wondering what web sockets support and block common exploits will change in the nginx configuration, any idé?

milan.l · January 9, 2024, 5:09am

thank you. that solved also my problem

mnelson23 · January 11, 2024, 4:25am

Yup, that was my issue. Once enabling web sockets it started working as expected. Thanks to all for the susgestion

majorgear · January 17, 2024, 4:43am

I had this same issue , using NPM and also Authelia.

I actually turned websockets off, and added these now famous lines to the Advanced tab in the “location /” section of the boilerplate authelia code.

proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection “upgrade”;

It worked fine with and without websockets enabled.

CodingButter · February 4, 2024, 4:36am

I dont know if anyone did this but it was by asccident I set the config like so pointing to my nginx reverse proxie server ip. which still didnt get me past the login.

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.1.3
  ip_ban_enabled: true
  login_attempts_threshold: 3

but because i banned the ip for too many failed attempts I found the docker ip
inside the op_bans.yaml file
I popped that under the nginx ip and boom all good.

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.1.3
    - 172.18.0.1
  ip_ban_enabled: true
  login_attempts_threshold: 3

Midifreakz · April 1, 2024, 4:16pm

What worked for me: Raspberry Pi 5, running Home Assistant and the Nginx Proxy Manager add-on.

in configuration.yaml:

Remote Access with Enginx

http:
use_x_forwarded_for: true
trusted_proxies:
- 172.30.33.0/24

Enabling the web sockets option in Nginx proxy manager

Adding the lines in define location as discribed by @cwricklee