Using a homeassistant supervised with external nginx reverse proxy results in no connection from internet

I am using the homeassistant supervised container set, and I can access it from my LAN without any issue: I just point my browser to http://raspberrypi:8123 and everything works.

My setup is the following:
I have my router forwarding port 444 to 443 (so, from the internet, I am accessing https://myfqdn.org:444)

I have an nginx server already running for other purposes, and I want to use that as an SSL termination point for the connections coming from the internet. In this case, the configuration of nginx is

server {
    listen 443 ssl default_server http2;
    server_name myfqdn.org;

    # enable TLS
    ssl on;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers "ECDH+AESGCM DH+AESGCM ECDH+AES256 DH+AES256 ECDH+AES128 DH+AES ECDH+3DES DH+3DES RSA+AESGCM RSA+AES RSA+3DES !aNULL !MD5 !DSS";

    # Enable HSTS (HTTP Strict Transport Security) for half a year
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload";

    # set the certificates
    ssl_certificate /etc/letsencrypt/live/myfqdn.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/myfqdn.org/privkey.pem;

    # enable OCSP stapling to speed up first connect
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/myfqdn.org/chain.pem;

    # Diffie-Hellman parameter for DHE ciphersuites
    ssl_dhparam /etc/nginx/tls/private/dhparam.pem;

    # Enable session resumption
    ssl_session_cache shared:SSL:30m;
    ssl_session_timeout 1d;

    # Set several headers
    proxy_hide_header X-Powered-By;
    proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;

    location / {
        proxy_pass http://127.0.0.1:8123;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_buffering off;
    }
}

Finally, in /usr/share/hassio/homeassistant/configuration.yaml, I have added the following section:

homeassistant:
  external_url: https://myfqdn.org:444
  internal_url: http://raspberrypi:8123

Can somebody give me a hand?

See the first breaking change in the release notes for 2021.7.

@potato_tester, in addition to tom_l’s answer, you can have a look at my similar problem and solution: “Unable to connect to Home Assistant” from WAN (Duck DNS + NGINX)

Add the following to your configuration.yaml

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24  # Add the IP address of the proxy server

You can find the proxy IP by looking at the homeassistant log

@RaA11 if you are going to recommend config please format it correctly so that the required indention is preserved.

Fixed, sorry, that was my first post :slight_smile:

You’ve been lurking too long. Join in!

@tom_l Thank you for your answer! Indeed, I had not checked the changelog for this version. I have updated my configuration to look like:

homeassistant:
  external_url: https://myfqdn.org:444
  internal_url: http://raspberrypi:8123

http:
  use_x_forwarded_for: true
  trusted_proxies: [172.30.32.0/23]

(The reason for using the 172.30.32.0/23 is because my docker interface is sitting in 172.30.32.1/23). I have also changed the configuration in nginx, just in case, so that the line

proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;

now looks like

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

After that I have reloaded nginx and restarted homeassistant through the Configuration → General → Server controls window… but still no luck.
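
A simplified model of how a backend decides whether to honour X-Forwarded-For from a reverse proxy, added here as an illustration; it is not Home Assistant's code and not part of any post in this thread. The function name `resolve_client_ip`, the peer address and the 203.0.113.7 client are assumptions; the two networks are the ones quoted in the thread.

```python
import ipaddress


def resolve_client_ip(peer_ip, headers, trusted_proxies, use_x_forwarded_for=True):
    """Return the client address the backend should attribute the request to.

    Simplified model of trusted-proxy handling (an assumption for illustration,
    not Home Assistant's code).
    """
    peer = ipaddress.ip_address(peer_ip)
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]
    # Header names are case-insensitive but must otherwise match exactly,
    # so a misspelled "X-Forward-For" is simply never seen.
    lowered = {k.lower(): v for k, v in headers.items()}
    forwarded = lowered.get("x-forwarded-for")
    if forwarded is None:
        return str(peer)  # no proxy header: the TCP peer is treated as the client
    if not use_x_forwarded_for:
        raise PermissionError("proxy header received but proxy support is disabled")
    if not any(peer in n for n in nets):
        raise PermissionError(f"{peer} is not in trusted_proxies")
    # Walk the chain right to left: the first hop outside the trusted
    # networks is the client; anything left of it is client-supplied.
    hops = [ipaddress.ip_address(h.strip()) for h in forwarded.split(",")]
    for hop in reversed(hops):
        if not any(hop in n for n in nets):
            return str(hop)
    return str(hops[0])


# Constructed sample values; only the two networks come from the thread.
PEER = "172.30.32.1"    # assumed source address of nginx's connection
CLIENT = "203.0.113.7"  # documentation-range stand-in for a WAN client


def run_cases():
    cases = {}
    cases["typo"] = resolve_client_ip(PEER, {"X-Forward-For": CLIENT}, ["172.30.32.0/23"])
    cases["fixed"] = resolve_client_ip(PEER, {"X-Forwarded-For": CLIENT}, ["172.30.32.0/23"])
    try:
        resolve_client_ip(PEER, {"X-Forwarded-For": CLIENT}, ["172.30.33.0/24"])
    except PermissionError as exc:
        cases["too_narrow"] = str(exc)
    return cases


if __name__ == "__main__":
    for name, outcome in run_cases().items():
        print(f"{name}: {outcome}")
```

Any host inside a trusted network can assert an arbitrary client address, so the trusted range is best kept as narrow as the proxy's real source address allows.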

Why do you have square brackets around the IP address?

That is not what is shown in the documentation.

Pretty sure you will need your local address too.

Hi! Because in yaml these two statements are equivalent, but I like the second more because it is more compact:

array:
  - item1
  - item2

array: [item1, item2]

Still, after adding the localhost, it still does not work… or by local address did you mean the LAN IP address?

why redirect from 444 to 443? why not just 443 and then proxy to 8123? hahahaha

The only way people do 80 to 443 just because you don't need to add port on your http or https

Because I have another server already listening to the 443, and I want to keep both servers separated.

if you go that route, you have to use proper json. What you have is not proper json. An IP is not a number, therefore it needs to be wrapped in quotes.

Right, I corrected that :slight_smile: thank you! I am still getting this issue, but I think I have made some progress:

  • if on a laptop on the local network, I set an entry in /etc/hosts file to resolve myfqdn.org to the ip of the raspberrypi, I can connect from the laptop to homeassistant using https… everything works.
  • if I connect using that same laptop, without any modification to /etc/hosts, to myfqdn.org:444 it does not work.

Then it seems that the problem is caused by my router forwarding external 444 port to 443 in the nginx server. Does this make any sense?

Please disregard my previous message. It seems that a reset of my router solved the issue :man_facepalming: