#Getting the following alert re the

Move SSL to a proxy server

Like nginx reverse proxy?

Yes

Or something else

I use Traefik, but HAProxy and Caddy also work well

I use Swag to expose most of my services to the internet already, should I just be using that instead?

I got to get some sleep but will do some reading tomorrow - I’m not sure if I can expose the VM HA is running in with Swag as it only exposes the docker containers (may be limited to that).

SWAG will work just fine for this

SWAG is basically NGINX

Yeah, i actually think HA is exposed by swag, I use the same domain across both HA and the others, just different subdomains

Which makes me wonder, if I’m already using SWAG, why am I using SSL?

😂

😴

https://tenor.com/view/sleep-time-gif-25989083

@shadow river are you able to elaborate a bit more on this or link me to any resources to read up on? trying to get my head around it so i know where I am at and where I need to go, and how to get there too!

On what?

(also, I get notifications when you post in the thread, no need to tag me)

SSL certs being in HA versus proxy

ah cool, i thought you blocked me ages ago for tagging u 😛

I can do that again, and stop answering you, if you want

stop tempting me 🥺

There's no HA specific documentation on it

@... @,,,,,,, @!!!!!!

Certainly not from HA themselves

Ahh right. I did see a couple random threads on the forum but no real resolution (i.e. spoon fed version)

The proxy side of it isn't HA specific

you suggested moving SSL to proxy, whats the reasoning for that?

ah

Scroll to the top of the thread

fk I am going to have to scrap what I have done and start from scratch, just hosting the SSL within the proxy itself?

Well, start the SSL bit from "scratch", yes

Yeah...

1. Configure NGINX to do SSL for HA, with the same hostname etc as you use currently

2. Remove SSL from HA

3. ... profit?

Might pester the good peeps on the LSIO discord for a moment 😄

The only thing with HA is that you need to enable websockets in the proxy

Or just use Traefik

What sets Traefik apart, besides its many features, is that it automatically discovers the right configuration for your services. omg

Only if you're running stuff in Docker, but pretty much yes

ah, home assistant is the only thing i do not use in docker

I use it for HA with HA not in Docker, and it's not any harder there

ah, vm?

Nah, Core

whats that running on? I am running OS in a VM

I'm running it bare metal on a Mini PC

(AMD Ryzen)

ah righto

so looking thru my SWAG config files, like ssl.conf, it already has SSL certs and keys referenced, so am I just doubling up by having them in HA as well?

Well, yes, but no

Are you using SWAG for HA?

If so then you can simply remove SSL from HA and tell NGINX to use http:// for the proxy_pass

I’ll give it a shot. Can I just get rid of the http.yaml file?

Well, probably not, because ... you know ... proxy 😉

https://www.home-assistant.io/integrations/http#reverse-proxies

😂

so got rid of the SSL cert lines, but that did not work... now to figure out how to make the SWAG side work I guess

https://community.home-assistant.io/t/reverse-proxy-using-nginx/196954

First Google hit, but it looks right

https://community.home-assistant.io/t/reverse-proxy-using-nginx/196954/74?u=beasthouse

ok this is interesting...

tried that and getting a 502 to the domain, and ERR_CONNECTION_REFUSED to the IP addy

Well, you should be able to hit HA directly on the IP, with http:

Nah, just get ERR_CONNECTION_REFUSED

This site can’t be reached10.0.0.245 refused to connect.
Try:

Checking the connection
Checking the proxy and the firewall

wonder if its one of my proxy settings

likely

Well, can you reach HA directly?

nope. I am thinking maybe it is cloudflare or my port forward now

Stop

Are you trying to reach HA on the LAN IP and port?

http://192.168.0.42:8123/

?

yes

Right, well, then Cloudflare and port forwarding have FUCK ALL to do with it

10.0.0.245:8123 and 10.0.0.245:2096

I think my port is set to 2096

What?

Why the fuck...

that is what is popping up in the CLI

lol

You changed https://www.home-assistant.io/integrations/http#server_port?

If you didn't then the port is still 8123

correct, but even with removing that from the http config, its still on 2096

Then you didn't restart HA

And you're nuts for changing it

just rebooted the VM twice?

Then I have no idea what you fucked up

Check your config file again

And then check HA's log file

hehehe alright...

2021-05-16 13:49:21 INFO (MainThread) [homeassistant.components.http] Now listening on port 8123
``` from one of my old log files

hmmm wonder if i installed the cloudflared add on... will check that out

something is off

and whatever youtube i watched on this is what prompted me to go with 2096 😄

If you find out who that was, let me know so I can warn others to avoid them

EverythingSmartHome - know him? 😄

Oh... god

lol

hmmm nup no add ons...

#1079727835566055505 message

noted

again

But also... check the log file, see what port it's really listening on

It's going to be much easier to tackle this methodically than just bang a bunch of random rocks together

what log level should i set it to? at the moment its set as warning

trying debug

2021-05-16 13:49:21 INFO (MainThread) [homeassistant.components.http] Now listening on port 8123
                    ^^^^

ahh

2023-02-28 22:30:56.366 INFO (MainThread) [homeassistant.components.http] Now listening on port 2096

removing the entire http config should fix that, but it hasn't been

2023-02-28 22:33:25.722 INFO (MainThread) [homeassistant.components.http] Now listening on port 8123

or maybe it has been 😄

alright now we are in business

so. i can now access via 10.0.0.245:8123

Just have to figure out the SWAG side of things now

time to sleep on it and worry about the rest tomorrow

thanks for putting up with me Tink

ok so for swag it says make sure that your dns has a cname set for homeassistant and that your homeassistant container is not using a base url - how do I do the latter?

hmm looks like its a deprecated thing from a few years ago

figured it out, turns out with SWAG, HA does needs its own cname record regardless that the rest of the containers do not!

@shadow river Uhhhh I've literally never advised anyone to change your port to this

Sorry for the old tag but someone mentioned me and I couldn't find it then I saw this message saying I did this and was like uh what 😂

And ... where in there did I say you'd said anything? @solar hollow

And yes, some rando pinged you in #general-archived ... then deleted it

You didn't, the OP did. I was just clearing my name was all 😄

Ah got it, thanks

Ah... well... I'm not responsible for somebody else... particularly them

#general-archived message was the message immediately before the one they deleted

Sorry! I figured it must have been something you suggested as I had followed one of your videos on this but maybe I threw some input in from some other guide. Didn’t mean to throw you under a bus or anything, love your content, your server and everything you do for the community 🙏

https://hodgkins.io/securing-home-assitant-with-cloudflare