Access your internal websites! Nginx Reverse Proxy in Home Assistant.

Captions
Today I'm going to show you how to set up the nginx reverse proxy using Home Assistant so that you can access domains inside your local network. So let's get started.

Before we get started on the configuration, let's talk about what nginx reverse proxy actually does. So I have a little diagram here of a couple domains. I'm going to walk you through how they actually get from point A to point B. So we have a PC out on the internet, a computer or a phone or whatever, and it gets on the internet, and domain one and domain two are set through DNS to resolve to this firewall/router. So when you request domain one, it goes down, and this is on port 443, so it's SSL based. It goes down port 443 into this firewall, because that's what it resolves to. From the firewall, the firewall sends everything on port 443 over to this server right here, which happens to be my nginx reverse proxy server, which I'm running on Home Assistant. So if you're running the standalone, this is similar to the way it works; Home Assistant just makes it easier through the interfaces. So it hits this at port 443, and because domain1.com is sitting on this server over here, I have a configuration in my nginx reverse proxy that says anything coming into that domain then gets forwarded on port 8080 over to this IP address. And so whatever is on here then gets returned back through the proxy, through the firewall/router, through the internet, back to the computer.

And then we have a second domain. It does the same exact thing: its DNS resolves to this firewall/router, so we hit it on the internet on 443 again. So again, everything comes in on 443, which makes it nice, so you can just send everything on SSL to your reverse proxy and then it will handle it at the proxy level. So it hits the firewall, comes into port 443 on the firewall, and then goes to 443 on nginx. Nginx picks it up, says hey, it's domain2.com, and then in the configuration of the reverse proxy we say anything for domain2.com gets forwarded over to port 8888 on
this server right here. Now, you could put everything on the same port if it's on different servers, or you could put everything on the same server on different ports. So if you're running a virtual machine or something, or you have one server that feeds or serves multiple domains or whatever, you could put it on different ports and have them all come in on 443 and then resolve over to the port on that server. So at a very, very high level, that's how the nginx reverse proxy is actually serving content. So let's go over now and start doing some configuration through the Home Assistant nginx proxy add-on and get these things set up so you can see how that works within Home Assistant.

All right, now that we know what we're trying to accomplish, let's go through the steps in Home Assistant and get this done. So the first thing you're going to need to do is go into Supervisor. The nginx proxy relies on MariaDB to function, so we're going to have to install that first. You can go to the add-on store and then we can search for MariaDB. So MariaDB is a SQL database server, so it's just another database server, and we're going to install this.

Okay, so once it's installed, we need to do one little bit of configuration. You need to set up your logins, and this password is set to null, so I'm just going to change it to this. Now, on your production system make sure you use secure passwords and secure logins. Don't do this. This is a demo, so we're going to get rid of all this at the end, so it doesn't make that much of a difference. So now we save it, and once it's saved we can go back into Info and we can start it. And always, when you start an add-on, make sure you're checking the logs to make sure everything is up and running. You won't be able to install Nginx Proxy Manager until this is fully up and running; it will complain it's not available yet.

All right, so it looks like it's fully, completely installed. So now we can go back over to our add-on store and we want to install the nginx
proxy manager. You'll notice you have the Home Assistant SSL proxy and you'll also have the proxy manager. The proxy manager is what we're going to play with today, so we can install this as well. All right, so it's installed. Now we want to go ahead and start it and check the logs, and again this will take a couple of minutes to install, so give it some time to completely finish before you go into the next step.

Okay, it started up. Now you'll notice here that there is an error related to a certificate. Because I installed this before as a test and then removed it, it's showing these errors. If you don't see any errors then you should be good to go. I'm not going to worry about this error for now. What I'll have to do in this case is go in and remove the other certificate, because it didn't remove it during the removal process, but it's good to go for us to continue.

So one thing you'll also notice is that when you go to the web UI, it's going to ask you for a username and password. And so what we have to do is we have to look here in the documentation, and you can see here that the default username and password is admin@example.com and then changeme as the password. So under Info, once we refresh, it will give us the web UI link. So here's the web UI link, and we'll put in that email address and that password; changeme is the password. And it's going to make you change it when you first start up. So whatever name you want to give it here, and then email address, and I'll just do demo@mostlychrisdemo.com. Save it, and then my current password, and I'll give it a new password.

All right, so we have one user created. Now you can add additional users as administrators or whatever you want them to be. I'm just going to go with the one user for now. Typically in your home install you're just going to do yourself as an admin or whatever, but you can certainly do more with that. All right, so now we have an installed proxy manager and we have installed MariaDB, but we haven't done anything with it
yet. This is the part where it gets fun. So I created a domain called mostlychrisdemo.com in my DNS setup. Whatever you use to do that, whatever DNS provider you use, you need to create a domain so you have something to use. Once you do that, then you come over here to Hosts, under Proxy Hosts, and this is where we're going to set our proxy host. So I'm going to add a proxy host, and it's all UI based, which is really nice. And my domain name, again, is going to be whatever this is going to be. Now this is just an example; I'm going to use a real domain.

All right, and then the scheme. Because I'm going to send this over to my demo Home Assistant instance: one of the uses for a reverse proxy or nginx proxy is to be able to access your Home Assistant instance from outside without having to open up non-standard ports. So I'm going to forward this to the IP address of my demo Home Assistant instance on the port that it's on. Now, I'm not running this SSL based internally in my network, so it's going to forward this over to that device, that server, on a non-SSL port, which is 8123. Very important is that you use Websockets Support so that all of the traffic on the web sockets can traverse the proxy, or stuff isn't going to work.

All right, so now we have this set up here. It's also publicly accessible, because we don't have any access list. I'm going to leave this one publicly accessible because you can rely on the Home Assistant authentication to do the authentication for you. You can set up a username and password for the proxy itself if you want to do that.

All right, so we're going to skip Custom Locations; we're going to go straight to SSL. Now, there's no SSL certificate on nginx.mostlychrisdemo.com, so we're going to request one, and the way you do that is you just request a new SSL certificate, and this is going to be the email address for that domain, and we're going to use a DNS challenge. Now, a DNS challenge allows this plugin to go out to the DNS provider, configure a
text value, and then it will check to make sure that you're the owner of the domain and that the text value matches what it puts in that DNS server. If it verifies all of that, then it will issue the SSL certificate. So it's a DNS challenge.

You can do other challenges as well. If you don't do the DNS challenge, let's say we uncheck this box, it's going to try to connect to this host on port, I believe it's going to be port 80. So you're going to have to open up port 80, at least temporarily, and forward it over to this device that you're running this on, so then when it tries to resolve that DNS address for demo or nginx.mostlychrisdemo.com, it will come back over. And I can show you that a little bit better here. Whenever it makes the request, because these domains, and let's just call this nginx.mostlychrisdemo.com, because these domains point to this firewall, it's going to come back over here, check this, send it over here to the plugin, where the plugin is sitting. If it's all good, then it will issue the certificate. The caveat, or kind of the con to that, is that you have to open that port 80 up at least while you're trying the authentication. And so if you have a bunch of domains that you're trying to authenticate, every time one expires and needs to be authenticated, it's got to do this whole process of opening ports.

I like the DNS challenge, and if you look here, there are just tons and tons and tons of DNS providers that you can do this with. You can see all of these different providers that allow this plug-in to talk to their API or their system to do this kind of DNS challenge authentication. Now, I'm not going to tell you that every one of these is super easy, nor is it the same. I happen to use Google as my DNS provider. With that one, even though I'm using Google Domains for some of my domains, I have to use the Google Cloud control panel, because that's the only thing that this API that Google provides works with. So I've created this domain in my Cloud DNS
control panel, and so this particular domain sits there. And that's beyond the scope of this particular video. You have to go through and create service accounts and do a bunch of other things in order to get the credentials that you need here, and that's what this credentials file is. You have to get the credentials file generated from the Cloud DNS and then put it here for it to be able to talk to that API and do some work. If you mess with the Nest integration, you kind of get what I'm talking about; you've got to go through a lot of steps to get that done. So other providers may be simpler to use; I don't know that for sure.

So what we're going to do is we're going to go ahead and put in the credentials file content that I've already gotten from this, and then we're going to submit it for the certificate creation. So let me go ahead and get the credentials file's content.

Okay, so I've pasted the credentials file's content in this box. Propagation Seconds, I leave that blank. What this does is it waits this amount of time, defaulting to 60 seconds, for it to go out, put the stuff on that API, and then be able to query it 60 seconds later. If your DNS provider requires a longer propagation time, you can set that in here and it will wait that period of time before checking to see if that text value has been put into the API. And of course my email address for Let's Encrypt. You need to agree to the Let's Encrypt terms of service, which you can read; make sure you agree to what those say. And then of course under Advanced I don't do anything here. You can do a custom nginx variable setup, but we don't need to do that for what I'm showing today. And then we can go ahead and save, and then we'll wait the time that the DNS propagation timeout is set to, which in my case is 60 seconds, and if you don't get any errors then your certificate will be issued.

Okay, so if that little pop-up box closes and everything works like it's supposed to, then what we have here is we have a source, which is going to
be this nginx.mostlychrisdemo domain, and then the destination is going to be what we set in that configuration, which is the IP address and port of my demo Home Assistant little device. And of course you notice here it's http and not https. The SSL is generated by Let's Encrypt, access is public because we haven't created any access list, and the status is online. And you can click here if you need to disable or edit or even delete this stuff, so if you have to come back in here and do anything, you can do some extra editing and so forth here.

So I'm going to create a second domain, and this time we're going to assign an access list to that. But first let's create an access list. So I'm going to add an access list and I'm going to give it "authorized users", or just "authorize", that's good enough, and I'm going to do a Satisfy Any. And then for access, or for authorization, I'm going to use a username and password, and I'll do "demo", and the password of course will be "demo", and we'll save that. And what that's going to do is allow us to apply a password to the proxy side of things before it gets passed on to the rest of the network. So when you apply a password, it stops here. So let's say you go to domain two: it hits the internet, comes here, hits its firewall, it'll push it on to port 443 on the proxy, but the proxy is going to say, I need the username and password before it pushes it on over to here. So that's what the user list is going to do. When I set Satisfy Any, that means that it will either be satisfied by the demo, or the username/password being correct, or this access list being fulfilled.

We'll go through the same process of creating a proxy. I'll do it again for you so that you can see a second time how it works and get a good idea. So again, Hosts, Proxy Hosts. We have the one already created; let's add another proxy host. This time it's going to be adsb.mostlychrisdemo.com, and that adsb: I have an ADS-B receiver that collects aircraft ADS-B data and
feeds it to Flight Radar, FlightAware, a bunch of other flight services, and so I want to be able to look at a moving map that comes with that. So the host name or IP for this is going to be... and the port is going to be port 80. Again, Websockets Support. Now this time, instead of being publicly accessible, we want to go ahead and click on and add it to the authorized users access list, so you can't access it unless you have the username and password.

We're going to do the same thing we did with SSL. We're going to request a new certificate and automatically request a certificate for the domain that you set within that first part, using a DNS challenge. And one of the things Google says is that, when you're using the credentials file, the data is going to be stored as plain text in the database and in a file, so keep that in mind when you're storing this information on the server. And for this, once again, I will take the content of the Google file, or the credentials file, and place that in there. And then propagation will stay the same, email address is already set, and then of course agree to the terms again. Go up to Advanced, and nothing there, and we'll just save it, and now we wait for it to generate the certificate, hopefully with no errors.

Okay, so now we have another proxy host added here, and its access is authorized users, still using Let's Encrypt, and it's going over to this IP with this port, and the status is online. That's as simple as it is for building out a reverse proxy using Home Assistant, the add-on with MariaDB and the nginx reverse proxy add-on. If you want to manage your SSL certificates, you can come over here and you can renew them or you can delete those. You can also add an SSL certificate directly from here, using Let's Encrypt or doing it custom, and of course that gets into a little bit more advanced thing.

Okay, so since I can't show you this on my local network, I'm going to show you what it looks like when I'm coming from my phone
outside of my network using the proxy. So first we'll go to nginx.mostlychrisdemo.com, and of course it asks me for my Home Assistant login for this particular demo device, and there I am, I'm logged into Home Assistant using my proxy. So if we go back and look at our video here, it's going from here, which is, assume, my phone here, 3.443, through my firewall, over to the proxy, and then over to, you know, my hx server.

And then let's assume this is the ADS-B device that we set up, so let's go look at that one. So we'll go to adsb.mostlychrisdemo.com, and again this one has to be https. And now remember, on this one we set up the username and password authentication list, so the proxy now is asking me for a username and password to access this particular passthrough. And now you can see that it has passed through to my FlightAware Raspberry Pi that's running in my attic.

That's how the nginx proxy works. That's how you set it up in Home Assistant using the supervised version of Home Assistant with the UI settings. So let me know if you have any questions down below, leave me comments. If you liked the video, make sure you hit that like button and also subscribe. Subscribing doesn't cost you anything, but it sure does help my channel grow and helps me be able to make these videos for you. And we will see you on the next video.
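
For reference, the two proxy hosts described in the video, written out by hand as a plain nginx configuration. This is an added example, not output from the Nginx Proxy Manager add-on and not something shown in the video; the backend addresses (192.0.2.x), the certificate paths and the password file path are placeholders.

```nginx
# Added example. Placeholders (assumptions): 192.0.2.10 / 192.0.2.20 backends,
# /etc/letsencrypt/... certificate paths, /etc/nginx/htpasswd-authorized.

# What a "Websockets Support" toggle has to achieve: pass the Upgrade handshake on.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Host 1: publicly accessible; the backend's own login is the only control.
server {
    listen 443 ssl;
    server_name nginx.mostlychrisdemo.com;
    ssl_certificate     /etc/letsencrypt/live/nginx.mostlychrisdemo.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/nginx.mostlychrisdemo.com/privkey.pem;

    location / {
        proxy_pass http://192.0.2.10:8123;      # plain HTTP on the LAN side
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host       $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Host 2: the proxy asks for a username and password before forwarding.
server {
    listen 443 ssl;
    server_name adsb.mostlychrisdemo.com;
    ssl_certificate     /etc/letsencrypt/live/adsb.mostlychrisdemo.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/adsb.mostlychrisdemo.com/privkey.pem;

    location / {
        # "satisfy any": EITHER an IP allow rule OR valid credentials grants access.
        # With no allow rules, only the password can satisfy it. Adding an
        # "allow" line here would let those addresses in without a password.
        satisfy any;
        deny all;
        auth_basic           "Authorized Users";
        auth_basic_user_file /etc/nginx/htpasswd-authorized;

        proxy_pass http://192.0.2.20:80;
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host       $host;
    }
}
```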
Info
Channel: mostlychris
Views: 20,641
Keywords: Home Assistant, Nginx, Proxy, reverse proxy tutorial, home assistant remote access, nginx reverse proxy, reverse proxy nginx, nginx reverse proxy configuration, reverse proxy setup, home assistant, home automation, smarthome, home assistant remote, home assistant remote connection, home assistant remote access ssl, home assistant remote access port forwarding, home assistant remote access security, home assistant remote access without port forwarding, how-to, tutorial, mostlychris
Id: CSbgLBcIuwE
Length: 19min 57sec (1197 seconds)
Published: Thu Jan 28 2021