Using HA NGINX Add-on to reverse proxy to other addons

I’m so close to figuring this out, but simply cannot.

What I’d like to do is use the NGINX addon in HA to reverse proxy to other addons that I install in HA as well like Grocy, Vaultwarden, etc. Specifically I want to migrate my self-hosted Bitwarden password manager to be hosted inside HA using the Vaultwarden addon.

When I install the Vaultwarden addon, I can reach it at <ip_address_of_ha>:7227. Awesome.

Next I tried setting up the NGINX reverse proxy so that under the “Customize” option, it’s set to active: true, and I create a new configuration for vaultwarden in /share/nginx_proxy/vaultwarden.conf.

In the /share/nginx_proxy/vaultwarden.conf file, I have the following:

server {
  ssl on;
  ssl_certificate      /ssl/<my_cert>.fullchain;
  ssl_certificate_key  /ssl/<my_cert>.key;

  server_name pw.<domain_name>;
  location / {
    proxy_pass http://127.0.0.1:7277;
  }
}

I’m 90% certain that the problem is the proxy_pass directive. I think that because if I curl from inside HA (using the terminal addon), I get the following:

curl: (7) Failed to connect to 127.0.0.1 port 7227 after 0 ms: Connection refused

I know just enough about NGINX outside of the addon, but inside the Home Assistant container, I’m not sure how to reach the Vaultwarden addon. Is it some 172. docker container address? Can anyone advise how to reach the Vaultwarden IP from the reference point of HA (edit: or from the perspective of the NGINX addon, I realized) so that I can get the reverse proxy to work? Or is this not possible?

Any advice would be awesome because once I figure this out, I can use it as a launchpad to move a few of my self-hosted apps into HA, which would be amazing.

(I’ve tried searching for this, but a lot of the search results are how to use NGINX to reach HA itself, which works for me, and because “home assistant NGINX to proxy to addons” gets really muddled, I apologize if this has been answered and I haven’t found it).

Yes

Technically, you would be able to do so by using the container name of vaultwarden as the IP.
Practically, I don’t use HAOS, so I’m not sure, but you could try bitwarden

How do I get that?

I mentioned I’m moving away from my self-hosted Bitwarden instance into a version hosted in HA. Vaultwarden is the appropriate addon.

I’m an idiot, it’s right on the front page of the addon.


I updated the conf file with that hostname, and had to make a few other adjustments:

server {
  listen 443 ssl;
  ssl_certificate      /ssl/<my_cert>.fullchain;
  ssl_certificate_key  /ssl/<my_cert>.key;
  ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers         HIGH:!aNULL:!MD5;

  server_name pw.<domain>;
  location / {
    proxy_pass https://a0d7b954-bitwarden:7277; # Needs to be https
  }
}

And it works now. Leaving this post in case anyone else needs to use the reverse proxy similar to how I wanted to use it.
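For comparison with the working configuration above, a hardened variant as an added example (not the poster's file and not from the add-on's documentation). The hostname, port and certificate paths are the ones quoted in the thread; the forwarded headers and the commented upstream-verification block are assumptions, and `<ca_bundle>` is a placeholder.

```nginx
# Added example. Values in <...> are placeholders carried over from the thread.
server {
  listen 443 ssl;                       # replaces "ssl on;", obsolete since nginx 1.15.0
  server_name pw.<domain>;

  ssl_certificate      /ssl/<my_cert>.fullchain;
  ssl_certificate_key  /ssl/<my_cert>.key;

  # Weak (as posted): ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  # TLS 1.0 and 1.1 were deprecated by RFC 8996; offer only 1.2 and 1.3.
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_ciphers   HIGH:!aNULL:!MD5;

  location / {
    # Add-on hostname as shown on the add-on's page, per the thread.
    proxy_pass https://a0d7b954-bitwarden:7277;

    # Pass the original request details to the upstream (assumed useful here).
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # nginx does not verify the upstream certificate by default
    # (proxy_ssl_verify is off), so the https hop to the add-on is
    # encrypted but not authenticated. To verify it, enable the lines
    # below, assuming the add-on serves a certificate valid for
    # pw.<domain> and issued by a CA in the bundle:
    # proxy_ssl_verify              on;
    # proxy_ssl_trusted_certificate /ssl/<ca_bundle>.pem;
    # proxy_ssl_name                pw.<domain>;
    # proxy_ssl_server_name         on;
  }
}
```

Running `nginx -t` against the edited file checks the syntax before the add-on is restarted.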

As you noticed, the vaultwarden addon is using bitwarden in its name nevertheless.

Good to know that an HA addon container name is <random (container id?)>-<slug in config.yaml> but note that if the first part of the name is actually the container id, it might/will change the next time the addon is restarted. Worth a test…

From the quick, surface-level googling I did, the difference between Bitwarden and Vaultwarden is that the latter is written in Rust but still API-compatible. I haven’t looked at the add-on’s source code. I might be splitting unnecessary hairs, but if someone is searching for the “Bitwarden addon” in HA, they will find Vaultwarden.

Anyway, a restart of the add-on didn’t change its hostname, nor did a restart of my hardware itself, so I’m okay for now. Hopefully it would survive a whole HA backup and restore (didn’t test that), but if it doesn’t, I can always come back and reference my own post here on how to change the applicable configuration in NGINX.

I meant exactly this :arrow_down: and nothing else :wink:

Hi,

I also have an addon running on https://addon-slug:1234

But I want to give it a valid SSL coming from my Let's Encrypt addon.
But how does this work?

Let's say I surf to https://SUB.mydomain.com, it needs to go to https://addon-slug:1234
Do you need to set up some DNS entry too in your router/DNS server, so that address gets resolved?

server_name pw.<domain_name>; => is that your subdomain that can be resolved externally? But your router forwards it to a local address?