Accessing LAN applications with HASSio Nginx Reverse Proxy Addon

DuckDNS subfolder reverse proxy configuration for SSL access to LAN resources

Have you ever needed to access LAN resources while you’re away? Have all of the news of hacks leave you feeling queasy about exposing additional ports on your router? Then this might be a solution that you can implement in a matter of minutes.

Initially, when I started using HASSio, I was happy to see that the addons included Nginx for reverse proxy. Unfortunately, it was very limited with what it would let you configure. Fast forward a handful of months and the devs have added the ability to customize the addon with custom server configurations. For me, this is great, because I’ve installed HASSio Raspberry Pis at three family member’s houses.

At this point, I’m assuming you have your HASSio instance up and running. If not, there are plenty of how to’s to walk you through this process just a Google away. In order to expose your instance to the world, you should have SSL certificates on the site. The best way to do this with HASSio is to use the DuckDNS addon and enable it to have Lets Encrypt handle automagically getting the certificates. Once this is done, you should be able to access Home Assitant without trouble from the WAN at your DDNS url of yourcustomurl.duckdns.org. If you own your own domain, it’s a bit different, but let me know if the comments and I will help where I can.

Follow these steps

Now add the addon via Hass.io panel > Addon Store > NGINX Home Assistant SSL proxy and click install. After the install finishes, you will need to add your DuckDNS domain (yourcustomurl.duckdns.org) and set the customize > active to true .

{ "domain": "example.duckdns.org", "certfile": "fullchain.pem", "keyfile": "privkey.pem", "hsts": "max-age=31536000; includeSubDomains", "customize": { "active": true, "default": "nginx_proxy_default*.conf", "servers": "nginx_proxy/*.conf" } } 1 2 3 4 5 6 7 8 9 10 11 { "domain" : "example.duckdns.org" , "certfile" : "fullchain.pem" , "keyfile" : "privkey.pem" , "hsts" : "max-age=31536000; includeSubDomains" , "customize" : { "active" : true , "default" : "nginx_proxy_default*.conf" , "servers" : "nginx_proxy/*.conf" } }

If you look at the source for the nginx.conf file, you see the differences between how the default and servers options are utilized. Since we want to have these sites be subfolders of the DDNS domain instead of subdomains, we need to add our configuration to the default file.

The next step is to create the nginx_proxy_default.conf file in your share folder in the root of your Raspberry Pi. For me, this was easy to do via SSH and executing nano /share/nginx_proxy_default.conf . You can also install the terminal addon and perform it through the web terminal within HA.

For this example, I want to access my TOMATO router configuration. So I used this configuration:

location /router/ { rewrite /router/(.*) /$1 break; proxy_pass http://192.168.1.1:80; proxy_redirect http:// https://; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; } 1 2 3 4 5 6 7 8 9 10 11 location / router / { rewrite / router / ( . * ) / $1 break ; proxy _ pass http : / / 192.168.1.1 : 80 ; proxy _ redirect http : / / https : / / ; proxy_http _ version 1.1 ; proxy_set _ header Host $host ; proxy_set _ header X - Forwarded - For $proxy_add_x_forwarded_for ; proxy_set _ header Upgrade $http_upgrade ; proxy_set _ header Connection $connection_upgrade ; }

Here, I’ve set the subfolder as /router/ , rewriting the URL to remove the router subfolder so when it hits the router it goes to the base URL, and am passing it to my router’s URL. The rest of the configuration sets headers and a few other details.

To make this easily accessible from within the HA UI, I added an iframe:

You can do this by adding this to your configuration.yaml file:

panel_iframe: router: title: 'TOMATO' icon: mdi:router-wireless url: https://example.duckdns.org/router/ 1 2 3 4 5 panel_iframe : router : title : 'TOMATO' icon : mdi :router-wireless url : https ://example.duckdns.org/router/

I will mention that while this configuration works for basic resources, some others with more advanced UIs will require additional configuration to pass websockets or APIs.