#How to have both http and https for INTERNAL LAN use only (no remote access)

I want to be able to use:
http://homeassistant.local:8123 AND
https://homeassistan.local:8123
nothing more, nothing less.

There has to be a way to do this. Every guide I look at assumes you want remote access. I have Nabu Casa for that because I have Starlink and it's literally impossible to get to my router's ip address externally.
Browsers REQUIRE https for the mic to work on the Voice assistant. Too many of my other apps and devices fail when https is enabled w/ Lets Encrypt and there are logged HA bugs with no workarounds (OpenHasp for one) .

You need a trusted CA to issue certs for .local, and that doesn't exist

ok. then I can I use an ip address?

Not with https://

You'd need a trusted CA still

ok, then I can use a static host name in my router's DNS.

Of course, you don't need remote access to use https:// locally

I still need to use both http and https to work on my HA instance

You just need yourdomain.example.com to resolve to a LAN IP, and to use DuckDNS's DNS-01 validation

You'll still need a proxy then

It does.

Because HA is either HTTPS or HTTP, not both

Right. NGINX

Or anything else

but how to configure that? I've been messing w/ it for DAYS.

go ahead and ping home.shole.party

https://blog.ceard.tech/2018/01/nginx-and-home-assistant#configuration

it resolves via cloudfare to 192.168.1.250

so remove the community version of NGINX??

Nah, you asked about the config

That's how I configured it back when I used NGINX

There is no magic though

So, I have dns resolving correctly
I have LetsEncrypt working
I can access https://home.shole.party:8123
do I remove

http:
   ssl_certificate: /ssl/fullchain.pem
   ssl_key: /ssl/privkey.pem

from configuration.yaml?

Yes

I think thats what has been confusing me...

Set NGINX to use port 443 and then you just use https://home.shole.party/

where/how does NGINX get its cert from ? same place as LetsEncrypt?

From your LE add-on

(assuming you're using that)

ok, I'll run down this Rabbit Hole for a while.
yes as I said, that all works great.

I mean, I'm an EE and this shit is complicated!

Everything is complicated the first time

No doubt!

And the second, and third, until you understand what's actually going on under the hood

This is easy compared to Voice, pipeline, TTS, STT.....

🙂

ok, using all the defaults in NGINX and setting the domain to home.shole.party I get

Safari can’t open the page “https://home.shole.party:8123/auth/authorize?response_type=code&redirect_uri=http%3A%2F%2Fhome.shole.party%3A8123%2F%3Fauth_callback%3D1&client_id=http%3A%2F%2Fhome.shole.party%3A8123%2F&state=eyJoYXNzVXJsIjoiaHR0cDovL2hvbWUuc2hvbGUucGFydHk6ODEyMyIsImNsaWVudElkIjoiaHR0cDovL2hvbWUuc2hvbGUucGFydHk6ODEyMy8ifQ%3D%3D” because Safari can’t establish a secure connection to the server “home.shole.party”.

http://home.shole.party:8123 - works fine.
https://home.shole.party - gives 400: Bad Request

Well, https://home.shole.party:8123/ won't work

Now... did you check HA's log file yet?