Start with a clean Pi: set up Raspberry Pi. To add them, open your configuration.yaml file with your favourite editor and add the following section: Exposing your Home Assistant installation to the outside world is a moderate security risk. You have remote access to Home Assistant. Then, use your browser to log on from your local network 192.168.X.XXX:8123 and you should get your normal Home Assistant login. Is it as simple as using some other port (maybe 8443) and using https://:8443 as my external address? Strict MIME type checking is enforced for module scripts per HTML spec. Very nice guide, thanks Bry! Once you do the --host option though, the Home Assistant container isn't a part of the docker network anymore and it basically makes the default config in the swag container not work out of the box (unless they fixed it recently) and complicates the setup beyond the nice simple process you noted above. DNSimple provides an easy solution to this problem. The Nginx Proxy Manager is a great tool for managing my proxies and SSL certificates. The second service is swag. I've gone down this path before without Docker, setting up an Ubuntu instance on Digital Ocean and installing everything from scratch. It's an all-in-one solution that helps to easily set up an Nginx reverse proxy with a built-in certbot client. Without it, they can see oh, this is a home assistant... I can try this exploit to get around the SSL. Nevermind, solved it. Home Assistant Free software. The RECORD_ID I found by clicking on edit for a DNS record, and then pulling the ID from the URL. client is in the Internet. Next to that: Nginx Proxy Manager. Home Assistant is still available without using the NGINX proxy. I am running Home Assistant 0.110.7 (Going to update after I have . You should see the NPM . Back to the requirements for our Home Assistant remote access using NGINX reverse proxy & DuckDNS project. 
This will allow you to work with services like IFTTT. Chances are, you have a dynamic IP address (your ISP changes your address periodically). It's pretty much copy and paste from their example. There are two ways of obtaining an SSL certificate. Cert renewal with the swag container is automatic - it's checked nightly and will renew the certificate automatically if it expires within 30 days. Hi, I have a clean instance of HASS which I want to make available through the internet and an already running instance of NGINX with configured SSL via Let's Encrypt. The next and final requirement is: access to your router interface as we will do one quick port forward rule, but more on that later, because now we will continue with DuckDNS domain creation. Optionally, I added another public IP address to be able to access my HA app using my phone when I'm outside. Double-check your new configuration to ensure all settings are correct and start NGINX. More on point 3, if I was running a minecraft server, home assistant server, octoprint server... each one of those could have different vectors of attack. Go to the Configuration tab of the add-on and add your DuckDNS domain next to the domain section and Save the changes. To install Nginx Proxy Manager, you need to go to "Settings > Add-ons". It seems like it would be difficult to get home assistant working through all these layers of security, and I don't see any posts with examples of a successful vpn and reverse proxy setup together in the forum. It turns out there is an absolutely beautiful container linuxserver/letsencrypt that does everything I needed. For this tutorial you will need a working Home Assistant with Supervisor & Add-ons store. Here you go! What is going wrong? The main things to note here: Below is the Docker Compose file. 
Naturally I thought it was just a mistake on my end but I finally read something about iOS causing issues way back in 16 and instead used my hotspot to try from my mac and voila, everything worked fine. This is very easy and fast. I copied the script in there, and then finally need the container to run the command crond -l 2 -f. That's really all there is to it, so all that was left was to run docker-compose build and then docker-compose up -d and it's up and running. I can run multiple different servers with the single NGINX endpoint and only have to port forward 1 port for everything. Selecting it in this menu results in a service definition being added to: ~/IOTstack/docker-compose.yml. This service will be used to create home automations and scenes. I was setting up my Konnected alarm panel to integrate my house's window and door sensors into home assistant. So then it's pick your poison - not having autodiscovery working or not having your homeassistant container on the docker network. I'm pretty sure you can use the same one generated previously, but I chose to generate a new one. NGINX makes sure the subdomain goes to the right place. I wouldn't consider it a pro for this application. Hopefully you can get it working and let us know how it went. I never had to play with the use_x_forwarded_for or trusted_proxies for the public IPs to show correctly, so I can actually see the IPs that have logged to my HA. Those go straight through to Home Assistant. I ditched my Digital Ocean droplet and started researching how to do this in Docker on my home server. I use Caddy not Nginx but assume you can do the same. If doing this, proceed to step 7. in. Testing the Home Assistant Remote Access using NGINX Reverse Proxy & DuckDNS. The ACCOUNT_ID I grabbed from the URL when logged into DNSimple. Your switches and sensor for the Docker containers should now be available. 
Home Assistant Remote Access using reverse proxy DuckDNS & NGINX prerequisites. Any suggestions on what is going on? Let us know if all is ok or not. I have set up the subdomain and when I try to access it via a web browser I get a 400 error, when I try to connect the iOS app it says 400 error Shared.WebhookError 2. I can connect successfully on the local network, however when I connect from outside my network through the proxy via hassio.example.com, I see the Home Assistant logo with the message "Unable to connect to Home Assistant." I . If you have a container in bridge network mode (like swag) you can't reference another docker container running in host network mode (like home assistant) by 127.0.0.1, localhost, hostip, or container name. Forward port 443 (external) to your Home Assistant local IP port 443 in order to access via https. After the container is running you'll need to go modify the configuration for the DNSimple plugin and put your token in there. and I'll change the Cloudflare tunnel name to, let's say, My HA. I'll click Save. I'm ready to start the Cloudflare add-on in Home Assistant, but before that, I have to add some YAML code to my configuration.yaml file. This video will be a step-by-step tutorial of how to set up secure Home Assistant remote access using #NGINX reverse proxy and #DuckDNS. SOLVED: SSL with Home Assistant on docker & Nginx Proxy Manager. I hope someone can help me with this. Add the following to your home assistant config.yaml (/home/user/test/volumes/hass/configuration.yaml). While VPN and reverse proxy together would be very secure, I think most people go with one or the other. Restart of NGINX add-on solved the problem. 
Fortunately, there is a ready to use Home Assistant NGINX add-on that we will use to reverse proxy the Internet traffic securely to our Home Assistant installation. I got Nginx working in docker already and I want to use that to secure my new Home Assistant I just set up, and these instructions I can't translate into working. I also have fail2ban working using his setup/config so not sure why that didn't work in your setup. thx for your idea for that guideline. That DNS config looks like this: Type | Name But first, let's clear up what a reverse proxy is. I have a basic Pi OS4 running / updating and when I could not get the HA to run under PI OS4 cause there was a python ssl error nightmare on a fresh setup I went for the docker way just to be sure that I can use my Pi 4 for something else cause HA is not doing that much the whole day if I look at the cpu running at 8% incl. Then copy the generated token somewhere safe. I don't think your external IP should be trusted_proxy as traffic will not show as coming from there. I'll call out the key changes that I made. In this post, I will explain some of the hidden benefits of using a reverse proxy to keep local connections to Home Assistant unencrypted. It has a lot of really strange bugs that become apparent when you have many hosts. After the add-on is started, you should be able to view your Ingress server by clicking "OPEN WEB UI" within the add-on info screen. Step 1: Set up Nginx reverse proxy container. Unable to access Home Assistant behind nginx reverse proxy. Also, we need to keep our IP address in DuckDNS up to date. You run home assistant and NGINX on docker? docker pull homeassistant/aarch64-addon-nginx_proxy:latest. In the name box, enter portainer_data and leave the defaults as they are. When you choose "Home Assistant", the service definition added to your docker-compose.yml includes the following: A list of origin domain names to allow CORS requests from. 
It looks as if the swag version you are using is newer than mine. Leave everything else the same as above. I am running Home Assistant 0.110.7 (Going to update after I have this issue solved). Once I got that script sorted out, I needed a way to get it to run regularly to make sure the IP was up to date. need to be changed to your HA host. Add Home Assistant nodes to Node-RED: From the Node-RED menu on the top right bar select 'Manage palette', then in the install tab search for 'node-red-contrib-home-assistant-websocket'. I do get the login screen, but when I login, it says Unable to connect to Home Assistant. Docker container setup: Open up a port on your router, forwarding traffic to the Nginx instance. We're using it here to serve traffic securely from outside your network and proxy that traffic to Home Assistant. In a first draft, I started my write up with this observation, but removed it to keep things brief.