Using NGINX proxy manager with homeassistant (all via Docker)

admiralteal · May 3, 2024, 7:28pm

Hi folks,

I’m really struggling to get remote access working for my setup and am hoping I might get some advice, because it’s just been fighting me for days.

I currently have HA (2024.5.0) running in a Docker container on a recycled old office workstation (now running ubuntu server 22.04.4). Everything works fine through a local IP. That same old desktop already has a working NGINX proxy manager and also deals with keeping my IP updated for duckdns, which I use for remote SSH*.

I have one working subdomain via NGINX reverse proxy manager (https://proxies.mydomain.duckdns.org). It’s working properly, including getting apparently-valid SSL certificates, accessible both locally and from the wider internet – so I think it’s all good.

What I want to do is simply create another subdomain – https://ha.mydomain.duckdns.org – which allows me remote, relatively secure access to my homeassistant instance.

But of course, I’m posting here. It’s just not working and I don’t know why. I am no networking expert – I am really flying by the seat of my pants just trying to cobble stuff together – so I am hoping I’m just missing some config that will make it all work.

So here is what I have tried so far:

First, I tried simply forwarding port 8123 to my server through my router. I know this is super insecure, but just wanted to see some kind of life. Then I could use mydomain.duckdns.org:8123 or the actual ip address on port 8123. I get the homeassistant logo, sometimes even a login prompt, but always “Unable to connect to Home Assistant” then endless retrying.

I tried adjusting my configuration.yaml file. I added internal and external URLs to it. I tried both the regular ip address and the duckdns url. But this didn’t seem to make any difference. Endless loading data then unable to connect.

OK, fine, I didn’t really want it working this way anyway…

I tried to do it instead through the proxymanager setup, routing requests to ha.mydomain.duckdns.org to 127.0.0.1:8123 I checks “block common expoits” and “websockets support”. I let the proxy manager handle provisioning an SSL certificate and checked “force SSL” and “enable http/2”

I also read that I need to add some http configs to configurations.yaml for this, so I added

http:
 use_x_forwarded_for: true
 trusted_proxies: 
   - 127.0.0.1
 ip_ban_enabled: true
 login_attempts_threshold: 5

I’ve tried fiddling a bit between all these settings mentioned, but the best I am getting from the remote URL is “502 Forbidden” after a very long load. Or just a timeout.

Very much hoping someone here can tell me why I’m an idiot and what basic thing I have failed to do correctly. I’ve spent a lot of time trying to read similar posts/guides on this forum and haven’t found any that quite fix my situation – though I admit, I’m just about ready to give up on the containerized nginx reverse proxy manager and try from scratch with some other approach.

Bootleg3405 · May 4, 2024, 6:48pm

Here’s what’s working for me in configuration.yaml with NPM.

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.19.0.2      # Add the IP address of the proxy server
    - 172.0.0.0/8  # You may also provide the subnet mask

Here 172.19.0.2 is the IP address of my NPM docker container.

Note that 172.0.0.0/8 includes all IP addresses starting with 172 and that alone likely work. You could probably also specify just the default docker bridge network (172.17.0.1).

172.0.0.1 is localhost on the host machine and doesn’t work with Docker containers.

I don’t have the extra lines with “ip ban” etc. I think that might be part of a fail2ban config?

Edit: for your NPM host entry for HA use http, the docker default bridge IP of 172.17.0.1 and port 8123 and enable the SLL cert. You could also use the docker IP address of the HA container here, but it’s better to use the bridge IP so if IPs change later on for some reason everything will still work.

admiralteal · May 4, 2024, 8:18pm

Man, thanks so much, this is some major progress for me.

I now have this in my config.yaml

homeassistant:
  external_url: "https://ha.mydomain.duckdns.org"
  internal_url: "http://localip:8123"

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.18.0.2 # the IP of my NPM container
    - 172.17.0.1

In NPM, I set the target address to be 172.17.0.1:8123 with all those same tags set.

And now I’m getting a homeassistant logo – but I’m still stuck on loading data / unable to connect, same as when I tried to do it with just a dumb, basic forwarded port in the router

Still, this is a lot better than it was a minute ago. Now I just need to figure out why HA is constantly failing to load data when connections are from beyond the LAN.

Bootleg3405 · May 5, 2024, 9:42pm

Did you forward external port 443 on your router to the npm container port 443?

admiralteal · May 5, 2024, 11:04pm

I did, and at least the proxy I made for connecting to NPM remotely is working correctly.

As it is now, my companion app is working even if remote browser connections still are timing out. Frankly, having the companion app working was the important part for me, so I consider this a success.