Unable to connect with Nginx reverse proxy


Guys, I’m trying to set up NGINX as a proxy for HA (version 0.41), but when I try to open HA at http://thisismydomain.com, after a long load I get the login page with an error message “Unable to connect”, and even if I type the password again the result is the same. I’m stuck and I cannot figure out what the problem is; can you help?

Here is my /etc/nginx/sites-available/default:

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    return 301 https://$host$request_uri;
}

server {

    server_name thisismydomain.com;


    ssl_certificate /etc/letsencrypt/live/thisismydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/thisismydomain.com/privkey.pem;
    ssl_dhparam /etc/nginx/ssl/dhparams.pem;

    listen 443 default_server;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    proxy_buffering off;

    location / {
        proxy_pass http://localhost:8123;
        proxy_set_header Host $host;
        proxy_redirect http:// https://;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
    }
}

and my configuration.yaml:

...

http:
  # legacy HTTP API password; the http component's key is api_password
  api_password: thisismypassword

...

I use this configuration.

Let me know if you have any questions.

Unfortunately, even with the new configuration the problem remains. I noticed this line in the HA log:

INFO:homeassistant.components.http:Serving /api/websocket to 127.0.0.1 (auth: False)

Could it be a problem related to websockets?

I had the same issue, and I think it was definitely web sockets related. Adding this to the nginx.conf, in the http section, worked for me:

    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }

I already had the lines you mentioned. Here is my nginx.conf:

user www-data;

# As a thumb rule: One per CPU.
worker_processes 4;

# Maximum file descriptors that can be opened per process
# This should be > worker_connections
worker_rlimit_nofile 100;

events {
    worker_connections 50;
}

error_log /var/log/nginx/error.log;

pid /run/nginx.pid;

http {
    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }

    charset utf-8;

    # + Nginx - To avoid 2MB upload error: https://github.com/Fourdee/DietPi/issues/546
    client_max_body_size 100M;

    # Upstream to abstract back-end connection(s) for PHP
    upstream php {
        server unix:/run/php5-fpm.sock;
    }

    # Set the mime-types via the mime.types external file
    include mime.types;

    # And the fallback mime-type
    default_type application/octet-stream;

    # Click tracking!
    access_log off;

    # Hide nginx version
    server_tokens off;

    # ~2 seconds is often enough for HTML/CSS, but connections in
    # Nginx are cheap, so generally it's safe to increase it
    keepalive_timeout 65;

    # You usually want to serve static files with Nginx
    sendfile on;

    tcp_nopush on; # off may be better for Comet/long-poll stuff
    tcp_nodelay off; # on may be better for Comet/long-poll stuff

    server_name_in_redirect off;
    types_hash_max_size 2048;

    gzip off;
    gzip_http_version 1.0;
    gzip_comp_level 1;
    gzip_min_length 512;
    gzip_buffers 4 8k;
    gzip_proxied any;
    gzip_types
        # text/html is always compressed by HttpGzipModule
        text/css
        text/plain
        text/x-component
        application/javascript
        application/json
        application/xml
        application/xhtml+xml
        application/x-font-ttf
        application/x-font-opentype
        application/vnd.ms-fontobject
        image/svg+xml
        image/x-icon;

    # This should be turned on if you are going to have pre-compressed copies (.gz) of
    # static files available. If not it should be left off as it will cause extra I/O
    # for the check. It would be better to enable this in a location {} block for
    # a specific directory:
    # gzip_static on;

    gzip_disable "msie6";
    gzip_vary on;

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}

Looking at your original post, maybe try adding “proxy_set_header Connection $connection_upgrade;” after the Upgrade line? Below is what I have under location:

    location / {
        proxy_pass https://192.168.1.250:8123/;
        proxy_set_header Host $host;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
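A small diagnostic for the problem discussed above, written as an added example (it is not code from any post in this thread): it sends the same WebSocket handshake the HA frontend sends to /api/websocket through the proxy and classifies the reply, so a missing `Connection: upgrade` header shows up as a non-101 answer instead of a vague “Unable to connect”. It assumes the thread's placeholder domain and that HA's aiohttp server answers 400 when the proxy delivered the request without its Upgrade/Connection headers.

```python
import base64
import os
import socket
import ssl


def build_upgrade_request(host: str, path: str = "/api/websocket") -> bytes:
    # Minimal RFC 6455 client handshake, the same request the HA frontend sends.
    key = base64.b64encode(os.urandom(16)).decode()
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Upgrade: websocket\r\nConnection: Upgrade\r\n"
            f"Sec-WebSocket-Key: {key}\r\nSec-WebSocket-Version: 13\r\n\r\n").encode()


def classify_upgrade_response(raw: bytes) -> str:
    # Turn the proxy's reply into a diagnosis of Upgrade/Connection forwarding.
    lines = raw.partition(b"\r\n\r\n")[0].decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    code = parts[1] if len(parts) > 1 else ""
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if code == "101" and headers.get("upgrade", "").lower() == "websocket":
        return "ok"  # handshake completed end to end
    if code in ("400", "426"):
        # Assumption: aiohttp (HA's HTTP stack) answers 400 when the proxy
        # delivered the request without its Upgrade/Connection headers.
        return "upgrade-not-forwarded"
    if code in ("301", "302", "307", "308"):
        return "redirected"  # e.g. hit the http->https redirect server block
    return f"unexpected-{code or 'no-status'}"


def check_ws_upgrade(host: str, port: int = 443, path: str = "/api/websocket",
                     use_tls: bool = True, timeout: float = 5.0) -> str:
    # Open one connection through the proxy and report how the handshake went.
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(build_upgrade_request(host, path))
        raw = b""
        while b"\r\n\r\n" not in raw:  # read until the end of the response headers
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    return classify_upgrade_response(raw)
```

Run `check_ws_upgrade("thisismydomain.com")` from the machine the browser uses; "upgrade-not-forwarded" points at the missing Connection/map directives, "ok" means the proxy is no longer the problem.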

Thank you now works!!!

This helped me a lot. When applying these settings to the location directive as @shire210 suggested, I also had to make sure $connection_upgrade was defined in the http directive as @mikeg1130 suggested.

    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }

Hello,
Is anyone using nginx in a docker container? I have tried https://github.com/linuxserver/docker-letsencrypt but I am getting a lot of errors in home-assistant.log like these:

2020-03-06 11:09:56 ERROR (MainThread) [aiohttp.server] Error handling request
Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/aiohttp/web_protocol.py", line 275, in data_received
    messages, upgraded, tail = self._request_parser.feed_data(data)
  File "aiohttp_http_parser.pyx", line 523, in aiohttp._http_parser.HttpParser.feed_data
aiohttp.http_exceptions.BadStatusLine: invalid HTTP method

@Slash yes I’m using the linuxserver/letsencrypt docker container on an Unraid server. It comes bundled with a valid sample configuration file for HomeAssistant:

...\letsencrypt\nginx\proxy-confs\homeassistant.subdomain.conf.sample

However, you may find that file is for the basic/core HomeAssistant install, and HassIO needs additional proxy configuration for many add-ons to work correctly via websocket connections to the api/hassio_ingress endpoint… so you will need to add another location mapping (in addition to the /api/websockets one already in the sample):

More details can be found here on the Github forum for HassIO add-ons, but basically adding this block to the sample in the docker enables HassIO add-ons to work properly also…

# Duplicate websocket configuration specifically for HassIO add-ons (e.g. /api/hassio_ingress)
# Details of how this config works can be read here:
# https://www.serverlab.ca/tutorials/linux/web-servers-linux/how-to-proxy-wss-websockets-with-nginx/
location /api/hassio_ingress {
    resolver 127.0.0.11 valid=30s;
    set $upstream_app 192.168.1.???;
    set $upstream_port 8123;
    set $upstream_proto http;
    proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    proxy_set_header Host $host;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
}

Note: For security & best practices (narrow scope), I added this section to specifically only handle the hassio_ingress route, as opposed to just allowing all requests at my root location (wildcard for any request to my HomeAssistant) to be upgraded as websockets, which was mentioned in the HomeAssistant forum.

Also, for posterity I’ve posted this as a blog to my wiki at github here…

FYI I have just installed Nginx Proxy Manager (NPM) and was having problems logging in. Based on the advice in the above comments I changed the settings to Scheme: HTTPS and Websockets Support. I was immediately able to connect to HA from my subdomain. Thanks everyone.