Use NGINX proxy without DuckDNS

Desiring to access HA over https, I used the Let’s Encrypt add-on to generate the certificates (port challenge) and wrote configuration.yaml this way:

http:
  server_port: 8124
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

Now I could access my site with https:// but I couldn’t reach it over the LAN and my ecowitt devices became unavailable. When I searched for a solution to that I found a lot of discussions using DuckDNS and the NGINX proxy. But I have a static IP and a registered domain and don’t need or want a dynamic DNS.

So I tried using NGINX without DuckDNS and it hasn’t gone well. I forwarded ports 443 and 80 to ports 443 and 80 on the HA internal IP. I installed the NGINX add-on with this configuration:

domain: ko0y.org
hsts: max-age=31536000; includeSubDomains
certfile: fullchain.pem
keyfile: privkey.pem
cloudflare: false
customize:
  active: false
  default: nginx_proxy_default*.conf
  servers: nginx_proxy/*.conf

and the configuration.yaml set to this:

http:
  server_port: 8124
#  ssl_certificate: /ssl/fullchain.pem
#  ssl_key: /ssl/privkey.pem
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24

With this setup, I can access HA over the LAN and using http://, but not with https://. In other words, it acts as it did before installing the certificates or NGINX. The log says NGINX is running.

Do I have the configuration for NGINX wrong, or can it not be used without DuckDNS? If the latter, is there another way to use my https certificates while still being able to use the ecowitt integration and access HA over the LAN? Thanks for any help.
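As an added example (not from the original post or the Home Assistant project), the checks below audit an `http:` block like the two posted above for use behind a TLS-terminating proxy. The config is passed as a Python dict mirroring the YAML; the proxy address 172.30.33.4 and the /16 breadth threshold are assumptions made for the example.

```python
import ipaddress

# Assumption for this example: IPv4 networks wider than /16 are flagged as
# too broad to be trusted as a source of X-Forwarded-For headers.
MIN_PREFIX_V4 = 16

def audit_http_block(http_cfg, proxy_ip):
    """Return findings for an `http:` block used behind a TLS-terminating proxy."""
    findings = []
    proxy = ipaddress.ip_address(proxy_ip)

    # With a certificate configured, HA's port speaks HTTPS only, so a proxy
    # (or LAN device) sending plain HTTP to that port cannot connect.
    for key in ("ssl_certificate", "ssl_key"):
        if http_cfg.get(key):
            findings.append(f"{key} is set: remove it when the proxy terminates TLS")

    forwarded = http_cfg.get("use_x_forwarded_for", False)
    nets = [ipaddress.ip_network(n, strict=False)
            for n in http_cfg.get("trusted_proxies", [])]

    if not forwarded:
        findings.append("use_x_forwarded_for is off: HA sees the proxy as the client")
    elif not nets:
        findings.append("use_x_forwarded_for is on but trusted_proxies is empty")
    if nets and not any(proxy in n for n in nets):
        findings.append(f"proxy {proxy} is not inside any trusted_proxies network")

    # A very wide trusted range lets any host in it supply the client address.
    for n in nets:
        if n.version == 4 and n.prefixlen < MIN_PREFIX_V4:
            findings.append(f"trusted_proxies entry {n} is too broad")
    return findings

# The two configurations from the post, as dicts (commented-out keys omitted).
DIRECT_TLS_CONFIG = {"server_port": 8124,
                     "ssl_certificate": "/ssl/fullchain.pem",
                     "ssl_key": "/ssl/privkey.pem"}
PROXY_CONFIG = {"server_port": 8124,
                "use_x_forwarded_for": True,
                "trusted_proxies": ["172.30.33.0/24"]}
PROXY_IP = "172.30.33.4"  # constructed address inside the posted network

if __name__ == "__main__":
    for name, cfg in (("direct TLS", DIRECT_TLS_CONFIG), ("proxy", PROXY_CONFIG)):
        print(name, audit_http_block(cfg, PROXY_IP) or "no findings")
```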

I can’t address your NGINX proxy issue, but here’s what I did (tonight) to get a Let’s Encrypt certificate on HA, and access HA from my LAN using HTTPS. BTW, I use Cloudflare for my registrar/DNS.

  1. Installed Cloudflare integration.
  2. Created a DNS record for my domain (e.g. ha.mydomain.com)
  3. Configured Cloudflare plugin to update ha.mydomain.com
  4. Set up Let’s Encrypt integration using Cloudflare validation
  5. On my firewall (Firewalla Gold Plus) I set up a custom DNS entry of ha.mydomain.com and pointed it to the private IP address of my HA.
  6. When on my LAN my browser pointing to ha.mydomain.com redirects to HTTPS to my internal private IP
  7. In HA network settings I set the external/internal address to https://ha.mydomain.com:8123

BTW, I don’t have external access to HA. I’m merely using ha.mydomain.com as a validation point for Let’s Encrypt. If your firewall doesn’t have DNS overrides, you could use the hosts file on your computer to do the same thing. This might give you an idea on an alternative way to do what you want.

Thanks for your help. I have gotten it working, though I’m not entirely sure how. I changed nameservers from Google Cloud back to Google Domains, and I cleared the cache several times. Sometimes clearing the browser cache will fix an obscure problem.