It’s not immediately obvious why you would use a duckdns if your network already has an external IP address??? You might need to use the LetsEncrypt addon though on your Pi.
Your trusted networks will also not work - those are internal IP addresses and I bet you’re locked out. You will need to delete the banned IP file in config and delete the trusted networks as well.
Thanks for the feedback. Although I have an external (synology) domain, the certificates issued for this domain are on-board the NAS not accessible by the Pi3.
I’ve taken a different tack and used the reverse proxy on the Synology to route https traffic on a dedicated port to http://pi3ipaddress:8123. This leverages the Synology certificate on that Synology domain and allows connection to the front page of hass.io but alas, it won’t let me login. I had to add a forwarding rule for that dedicated port to the NAS IP to allow the reverse proxy to work.
I’ve removed the trusted_networks now too although that caused a problem with my Node Red HA add-on as it was always connected on localhost so 127.0.0.1 got banned.
I’m nearly there now but don’t know why I cant login when accessing hass.io from my external address and dedicated port even though the route is working.
here’s my config - did you remove the trusted section altogether?
http:
# Uncomment this to add a password (recommended!)
api_password: !secret http_password
ssl_certificate: !secret ssl_cert_lets
ssl_key: !secret ssl_key_lets
ip_ban_enabled: True
login_attempts_threshold: 5
# Uncomment this if you are using SSL/TLS, running in Docker container, etc.
base_url: !secret base_url_name
This way if you use an invalid API key you get locked out after 5 attempts. I think you’ll never have a local IP address logging in? Or is your redirect passing through the API key?
Not quite sure what you mean here. With my reverse proxy on the Synology NAS, I’m forwarding requests from https://mysynologydomain.me:9678 to http://pi3ipaddress:8123. A port forwarding rule in the NAS forwards port 9678 to the local NAS which I had to do to allow the proxy to work. So in theory, the Pi3 is seeing a local request for access as the request is coming in from the local IP and port?
I have no idea.
If I was doing this I’d be using mysynologydomain:8123 and forwarding 8123 to the Pi and using letsencrypt addon in hassio to get a certificate on the pi.
If you’re not seeing the frontend the way you are doing it there’s obviously something wrong. Hopefully someone here will be able to help…
This is al I have now in HTTP.
http:
# Secrets are defined in the file secrets.yaml
api_password: !secret http_password
ip_ban_enabled: True
login_attempts_threshold: 5Thanks. I am seeing the front end, just won’t let me login and nothing is added to the ip_ban.yaml.
so when you see the frontend, you enter the API and nothing happens?
Is it HTTPS? that might be the problem if there’s no ssl on the Pi?
ah you removed ssl and the base url?
The reverse proxy is routing a HTTPS request to a HTTP request so the Pi3 is seeing a request on http://pi3ipaddress:8123. There is no certificate on-board the Pi and the ha config has not been told that either.
So I get this remotely:
Then this:
You will need to fix the reverse proxy config.
Thank you but that’s a bit beyond me. I’m using the native reverse proxy in the Synology NAS so reconfiguring that would be a real challenge (at least for me).
So why not use nginx reverse proxy? Is there something wrong with getting your hands dirty and learning? 
No, you can install it on your Synology. NGINX has nothing to do with hassio.
Thanks. With my blog and YouTube channel, I like to talk about how to do things that are super easy for Noobs to understand so I often give things a crack to see if there is an easy way of doing something. Configuring NGINX goes beyond that so I really appreciate your help but I’ll leave it at that.
I hand you a complete configuration for nginx and you say it’s too hard to configure?
What? You have to figure out how to install it? I don’t understand…
Thanks but the purpose for learning this is so I can blog about it for others that are starting out. Although I’m sure I could get it working, it’ll be in the too hard bin for most of my audience. I’ve also recently seen this Synology DSM – Reverse Proxy (Part 2) – Primal Cortex's Weblog that may be related to why the native proxy in Synology can work with the HA front-end? Would it be possible to modify the HTTP section to allow CORS from the proxy redirect?
Hi xbmcnut, I don’t know if you are still interested, but i’ve recently came across a solution to your problem. You need to add a websocket in the “custom heathers” section, just when you are creating the entry for the reverse proxy. Take a look to this link.
https://www.home-assistant.io/docs/ecosystem/synology/
Hope it helps!
Yes, thank you. I am using that successfully.
