You're welcome. Glad it helped!

You're welcome!

Awesome, thank you!

Yep and this makes it nice.

I am facing the same thing right now. You're correct, the 'NGINX Home Assistant SSL proxy' is automatic setup for https to HA from the internet. However, I have other services on my local network I wish to access which in HA which are running http, so I am using this video to figure out how to migrate to 'Nginx proxy manager'. It looks like I cannot have both at the same time, since they bind to the same port 443.

Same here

Most welcome!

You're welcome. Thanks for watching!

Those are two different things. Force SSL tells the connection to force SSL in the browser. Challenge DNS is a method for you to authorize your SSL certificate with Let's Encrypt. There is a method that will talk directly to your HA instance on port 80 but that has to a port that is open publicly and forwarded to your HA instance. I wouldn't do that. As for the error, not sure what is going on there.

@@mostlychris I agree, I couldn't get it to work (with force SSL) so I unistalled DuckDNS, NGINX, SSL etc. closed all my ports on the router and joined the Nabu Cada subscriptoin plan. Much simpler, and safer now!

I edited out the actual pasting of the file because it contains my credentials. You would put your own credentials in there based on your DNS provider and how they format it.

@@mostlychris use mask to cover your credential

I had used Let's Encrypt add-on before using the Nginx proxy. When I installed the proxy add-on it complained about the existing certs and that there was no auth method. Are you running any other certificate manager on the same device?

We're chatting in Discord about this.

I have not tried that. I'll give it a look.

I don't think latency plays into this. DuckDNS in the context of HA is having a single duckdns owned domain point to your HA instance. With the reverse proxy, you can run stuff inside your network that is then accessed via a single port through your router. The proxy picks up the domain name and then forwards it to your internal resource. Access is remote from any web enabled device (phone, PC, etc). I have remote monitoring enabled for some of my internal applications.

Excellent! Good luck!

Do u just have jellyfin as publicly accessible or with username and password? if i use username and password i cant connect to jellyfin through the phone app, or is it a way to combine the username and password in the url?

​@@gambler3k I use Jellyfin's built-in authentication! Though I use NGINX to make the instance available to the web, and not Jellyfin's built-in method.

I don't think so. However, there are options such as Twingate (just released a video on that kzbin.info/www/bejne/gX3FXpyPa82WhMk) or VPN such as Tailscale (kzbin.info/www/bejne/aYKoi4WmrcuNppY) that I think works behind CGNAT.

You need to be able differentiate the request coming into the proxy. You can have one domain but would need to use subdomains to make things go to different ports at the proxy level. sub1.domain.com; sub2.domain.com; etc.

@@mostlychris Thanks Chris, one thing I discovered was that you must refresh the domain entry if you (say) create an access list or add another user. That one has me scratching my head for a while!

Correct. If you are using Nabu Casa, you don't need this. However, if you have other things internal to your network then this provides a way to get to them without having to port forward. I have quite a few other internal sites (some noted in the video) that this is great for.

You're welcome!

Are you asking if you can use the AdGuard add-on via the reverse proxy? If so, you could, but not sure what the use case would be.

You can use pi-hole internally. It doesn't interfere with this installation. Pi-hole used to be an add-on in Home Assistant but I don't see it now. I personally use AdGuard, which is an add-on and provides similar features. I use "split DNS" so that my local devices resolve to the local IPs and then with the proxy from outside, they are sent to the appropriate device. If you are running Home Assistant, I'd recommend using AdGuard.

@@mostlychris One caveat there - AdGuard uses port 80, so that will interfere with LetsEncrypt's HTML-based authentication, and must be disabled while generating/renewing a certificate.

I have a reverse proxy set up for bitwarden (now vaultwarden). SSL requires a certificate so I created a domain that I use on the reverse proxy in order to point to my vaultwarden port on the HA server internally. I also use AdGuard to do a DNS rewrite so my vaultwarden secure domain can be reached both internally and externally at the same URL.

I was using Google Domains but in order to use credentials, you have to use Google Cloud DNS. console.cloud.google.com/net-services/dns. You would use Google Domains as the registrar and Google Cloud DNS to handle the zone files. Sounds strange to use Google to use Google (not a typo) but that is how it works. Of course, you can use any DNS provider that has an automated credential type setup that is compatible with this add-on.

@@mostlychris thank you! I will look into it.

I have this issue when it can't use the same auth method as when I set up my initial certificate. I just delete the cert, go into the host and re-add the cert using the verification method I originally used. Your site using that cert will be down for the few minutes that you take to provision a new cert.

I don't know that you can use anything else other than MariaDB. It mentions this as a requirement. What were you planning on using?

@@mostlychris I don’t think HA’s default is MariaDB. Isn’t it SQL?

If you are using Google, you should have the JSON file with your credentials. Each DNS provider will have their own auth method and/or credentials format. If Google, you should be able to paste the raw JSON credentials file directly into the box.

I fell over here as well. I use duckdns, it's not in the list so it's not clear how to get a credentials file :-( Back to researching for me...

You are doing a non-standard install so there could be anything using that port. You need to look through all your add-ons and figure out what is using port 80. With my installs, I can use portainer to tell visually tell me what ports I have mapped to what containers. I can tell you how to do this in Linux and unix variants but no so much in windows. Not sure what a web card is so I'm not going to be much help there.

Is this an external URL that can't be resolved?

​@@mostlychris When I'm port forwarding 80/443 to my Home Assistant OS (Nginx) my external IP won't resolve, I'm getting a error 522 from Cloudflare, sometime my external IP is redirected to LocalHAIP:8443/hassio/addon/a0d7b954_nginxproxymanager/info and back to my external IP and again error 522 from Cloudflare. when I'm only forwarding HA_Port to HA_Port everything is working fine (this bypass Nginx and just use home assistant default web server). thinking about it now, my gateway (UDM Pro / Ubiquiti) might already use port 443 for remote management.

It sounds like you have some routing issues. I use split DNS with AdGuard on my internal network so that it points to the correct place. If you are trying to reach the external URL from inside your local network it might be looping.

in my current setting, it's working while i'm on my LAN network : i can embed my synology web interface into a panel, but when i'm accessing my home assistant from outside, the panel doesnt load ... i cant figure out what is happening. do you have any tips ? i would very much appreciate it :)

I think this is something best suited for a VPN type setup. It sounds like you are attempting to connect to other devices inside your network that are not on HA itself. This might help: kzbin.info/www/bejne/mJq4Zp9miZmYbtk

Uh oh. What part is not working?

@@mostlychris remote access due to reverse proxy

@@encostablanca Yes. There is a breaking change noted. I have not yet upgraded to 2021.7 because I haven't gone through all the breaking changes. I'm not sure what might be misconfigured but make sure you have the configuration settings in the http section as noted below (from their breaking changes section on the website). Home Assistant will now block HTTP requests when a misconfigured reverse proxy, or misconfigured Home Assistant instance when using a reverse proxy, has been detected. If you are using a reverse proxy, please make sure you have configured use_x_forwarded_for and trusted_proxies in your HTTP integration configuration. For more information, see the HTTP integration documentation. Additionally, access to Home Assistant from the same IP address as a trusted proxy will be rejected if the request is marked as forwarded.

Hey Abid. I'll add that to my list.

I need more detail on what you are clicking and what you are trying to reach for the URL. Maybe something to post in my discord server.

@@mostlychris Just the link to port 81.

Are you proxying a specific URL (don't post it here)?

@@mostlychris The same URL I use to get to Home Assistant but using port 81 instead port 80.

@@huhcom If you get a chance, maybe jump into my discord for a more detailed discussion.

That's a great question. I don't think there is an option for the companion app to authenticate at a proxy level. You might just have to rely on HA's auth for that.

​@@mostlychris Yeah, I am also use 2FA. Also there is some of firewall rules on cloudflare for now. Other option, just use it with vpn

Don't think that applies here.

Yes. I've had domain names for so long now that it's just part of my yearly budge.

Domains are not hard to manage. There are a ton of providers out there that you can register a domain with and most of them provide DNS services as well. Were you planning on doing something with the reverse proxy?

@@mostlychris Thanks for awesome tutorials. In fact I am too lost after sub domain part. It is difficult. Kindly consider doing a follow up tutorial regarding creating a sub domain record and getting that data from domain providers or VPS providers. Thanks.

@@irtibatkisileri222 I added that to my list of vid requests.

It's in the "Home Assistant Community Add-ons" section. You might have to add that as a repository in the main add-ons section.