Using Nginx SSL Proxy to forward different domains to different services

skillx · October 16, 2021, 6:36am

I have the Nginx SSL Proxy and Duckdns addons set up on my Home assistant instance, allowing me to access it externally with SSL from a domain such as hass.duckdns.org. I have port forwarding set up on my router so that port 443 (for SSL) is forwarded to my Hass instance, as port 443 is being monitored by Nginx.

I also have Bitwarden RS set up as an addon, and I can currently access this externally using hass.duckdns.org:7277.

Is there any way to change this so that I have another domain such as hassbitwarden.duckdns.org, which, when the domain is entered (without the need to append the specific port), the Nginx proxy picks this up, and, based on the url, routes this domain through to Bitwarden_RS?

In summary:

hass.duckdns.org → Home Assistant Instance
hassbitwarden.duckdns.org → Bitwarden RS Addon

koying · October 16, 2021, 8:00am

Nginx can definitely do this, but I don’t think the HA addon has that functionality.
Bottom-line: If you want this, you’ll have to install your own nginx, not the HA version.

k8gg · October 16, 2021, 2:44pm

Correct. The “NGINX Home Assistant SSL proxy” add-on would help you access HA and HA only.

Switching to the other add-on “Nginx Proxy Manager”, with some tinkering, would help you achieve what you are looking for.

You will want to disable the “NGINX Home Assistant SSL proxy” add-on, and make changes to duckdns add-on.

ndbroadbent · November 17, 2022, 3:50am

I just figured out how to do this! It’s possible to proxy multiple domains and ports using the customize.active and customize.servers options.

I’ve set up SSL for my Home Assistant server using the “Lets Encrypt” and “NGINX Home Assistant SSL proxy” addons. I wanted to set this up for some other services that I run on my server, and some add-ons that expose a port with an HTTP web server (not SSL.) For example, I’m using the CompreFace add-on for facial recognition, and the web UI is over HTTP. It also doesn’t support HA’s built-in ingress feature (which would have made this much easier.) So I wanted to set up my own ingress with the nginx proxy add-on, add a link to the sidebar, and show the UI in an iframe using panel_iframe. (An SSL proxy is required because you can’t view an HTTP page in an iframe if the parent page uses HTTPS.)

It took me a while to figure this out, but it’s actually pretty simple. Here’s how to set up multiple servers for NGINX Home Assistant SSL proxy.

Requirements

You will already need to have SSL working on a custom domain or subdomain.
You will probably need a Supervisord installation, running Home Assistant on a Debian 11 server: GitHub - home-assistant/supervised-installer: Installer for a generic Linux system
- Or a way to access the Docker containers

Steps

Visit your NGINX Home Assistant SSL proxy configuration page: /hassio/addon/core_nginx_proxy/config
Set active: true in the Customize section. Leave the other options as their default settings.

(That’s the part that took me a while to figure out!! Custom config isn’t enabled by default.)

SSH into your server
Run this command to view the generated /etc/nginx.conf for your nginx proxy add-on:

docker exec $(docker ps --filter "name=nginx_proxy" --format '{{.ID}}') cat /etc/nginx.conf

This finds the nginx_proxy Docker container and shows the contents of /etc/nginx.conf

Copy the last two server { ... } sections. It will look like this:

   server {
        server_name YOUR_DOMAIN;

        # These shouldn't need to be changed
        listen 80;
        return 301 https://$host$request_uri;
    }

    server {
        server_name YOUR_DOMAIN;

        ssl_session_timeout 1d;
        ssl_session_cache shared:MozSSL:10m;
        ssl_session_tickets off;
        ssl_certificate /ssl/fullchain.pem;
        ssl_certificate_key /ssl/privkey.pem;

        # dhparams file
        ssl_dhparam /data/dhparams.pem;

        listen 443 ssl http2;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

        proxy_buffering off;

        include /share/nginx_proxy_default*.conf;

        location / {
            proxy_pass http://homeassistant.local.hass.io:8123;
            proxy_set_header Host $host;
            proxy_redirect http:// https://;
            proxy_http_version 1.1;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
        }
    }

Back on your host server (not in the nginx proxy Docker container), create a new directory at: /usr/share/hassio/share/nginx_proxy/:

mkdir -p /usr/share/hassio/share/nginx_proxy

Create new file in this directory. For my CompreFace add-on proxy, I created a file at: /usr/share/hassio/share/nginx_proxy/compreface.conf
Paste your copied Nginx server { ... } section in here.
- Replace YOUR_DOMAIN with the new domain (or subdomain)
- Replace the port (8123) in http://homeassistant.local.hass.io:8123 with the port for your service that is running on the host server. For example, if you have a service running at port 4567, this line would now be:

            proxy_pass http://homeassistant.local.hass.io:4567;

homeassistant.local.hass.io is a special domain that will return the IP address of your host server.

Restart NGINX Home Assistant SSL proxy

You should now be able to access your service on the domain that you configured.

jabronimus · December 30, 2022, 8:22pm

I wonder, what if the page I’m trying to reach isn’t running on the machine running home assistant? Say, I wanted to get to the page for my router or my NAS - how would I change the last step in the above instructions?

CentralCommand · January 1, 2023, 6:23am

Just replace this url with whatever you want. It’s just a url. Doesn’t even have to be in your network, could be https://google.com

That being said, I definitely recommend just checking out the nginx proxy manager addon instead. It’s much easier to use:

Manage all your routes in a GUI
Add/remove routes without needing to restart anything
Get let’s encrypt certificates for each subdomain and have npm automatically keep them up to date with one checkbox (again, without restarting anything)

kevdog · December 24, 2023, 5:36am

Hey I’m aware this post is quite old but it pointed me in the correct direction. I’m writing this as of 12/24. I’m pretty much in agreement with the instructions within the original post, however he stated:

mkdir -p /usr/share/hassio/share/nginx_proxy

This is not correct. I’ve looked at the configuration and read the documents.

If using HAOS (which is a dockerized version of home assistant), the add-on directory is located at /homeassistant/share. The configuration entered also said look in the nginx_proxy/*.conf. So in actuality all the add-on configurations are going to be added in /homeassistant/share/nginx_proxy/. Just a heads up since this can be confusing. I know HA comes in many flavors. I’m using HAOS so it might be different for other versions.

guixop · April 25, 2024, 5:13pm

@ndbroadbent @kevdog

Thank you for this information, I use HAOS and indeed the commands need to be adapted, here is what I entered and it works perfectly.

mkdir -p /share/nginx_proxy
nano /share/nginx_proxy/newdomain.conf

I specify that I used this procedure in order to be able to access Home Assistant with two different domain names, this means that I did not change the port, but only the domain name.

This allows me to provide access to Home Assistant from a secondary domain name that I can remove at any time if necessary, for example, if there was a security risk if my child lost their phone.

Of course, you must remember to create a second domain name on DuckDNS.org and add it to the Home Assistant Addon.