#ngninx docker

https://i.gyazo.com/10ba8b91f1b9d1160a229977ad510b7f.png
port forwards

443 should e forwarded from the router to NGINX

Nothing should be forwarded to HA

when I do that it no longer works :X
ill send HA config and ngninx

is it safe to share dns subdomain or should I avoid that?

Mask if you want

HA config:
https://dpaste.org/ycs1d

Remove the SSL lines

Add back the lines for the proxy

nginx
https://dpaste.org/Lyo8u#L22

new HA

https://dpaste.org/tZ4me

router now setup to forward 8123, 443, 81, 80 to machine running docker and rebooted router just in case

Remove 8123

Also remove 80 and 81 unless you need them fo something else

homeassistant:
  internal_url: https://192.168.0.99:8123
``` that URL isn't valid

Your http section should be:

http:
  use_x_forwarded_for: true        # How to extract client IP address
  trusted_proxies:                 # Permit connections from reverse proxy
    - 192.168.0.42/32              # IP of the proxy, as seen by HA

Don't use 0.0.0.0/0 - wherever you got that from was full of shit

they said its a test method that allows all IPs :X
how do I figure out the ip of the reverse proxy?
Its on the same machine in docker on a different network.

That's not ports

FFS

Easy way to work it out, set it to 127.0.0.1/32 to test, and then watch HA's log file for errors

IPs* nmy bad

Sure, that's true, it's also a fucking terrible idea

Seriously, anything that person wrote shoud be ignored in favour of learning to juggle with running chainsaws

and what should the internal url be?

http://192.168.0.99:8123

HTTPS with an IP isn't ever going to work

HTTPS HAS TO BE used with the name in the SSL cert

https://dpaste.org/0i8DY

Now, when you restart HA you'll be able to access it with the internal URL

Try https://prazska.duckdns.org and see what errors you get in HA's log

Internally it works.
externally I get a spam of this in the portainer log:
https://dpaste.org/eoUL4
in browser:
502 Bad Gateway
nginx/1.25.3

Bad gateway is expected

A request from a reverse proxy was received from 172.17.0.2, but your HTTP integration is not set-up for reverse proxies

That kind of message is what you're looking for

Or

Received X-Forwarded-For header from an untrusted proxy 172.20.1.10

home-assistant.log
https://dpaste.org/tHwhD

Have you tried accessing your HTTPS URL during that time?

Wait

        proxy_pass http://127.0.0.1:8123;

WTF

127.0.0.1 isn't going to work here

Use the host IP

127.0.0.1 (and localhost) doesn't work the same inside Docker as it does on a bare metal install

proxy_pass http://192.168.0.99:8123;

and restarted ngninx container

400: Bad Request
2023-12-14 14:43:06.510 ERROR (MainThread) [homeassistant.components.http.forwarded] Received X-Forwarded-For header from an untrusted proxy 192.168.208.3

There you go

so I want to put that into the trusted proxy?

Yes

and no /32 at the end?

Sure, if you want to

You don't have to

sweet, that works now, and it works with local dns entry too

are there any directions you could point me in to set this up?

use nginx to terminate SSL and proxy the request to the container in cleartext
Issue: I cant access Z2M trough HA iframe (requires https)
are there any not too difficult solutions?

Thank you so much for your valuable help also!

Well, basically do the same again but for Z2M

You'll need to set a password for the frontend though

Ah, you'd need to do that in NGINX, not Z2M

The Z2M docs touch on all that, but don't do it step by step

I don't need Z2M publicly available, just accessible through HA.
same thing applies to ESPHome, as it lets you flash device from current machine

Well, then just use the internal URL to access HA

Then when you're at home those iframes will work

Ill have a look into it in a bit, again thank you so much for your help