Help needed setting up NGINX reverse Proxy / HA / Vaultwarden using Duckdns

Submitted ⁨⁨10⁩ ⁨months⁩ ago⁩ by ⁨Lobotomie@lemmy.world⁩ to ⁨selfhosted@lemmy.world⁩

Hey Guys,

so I still have no clue about most of the stuff im doing hence why I am doing it :)

I have a ubuntu system running all kinds of docker containers and I want to expose homeassistant and vaultwarden to the internet.

Now I have set up a Duckdns account, I have setup my Router (fritzbox) to update the dyndns settings, I have set up my homeassistant the following:

homeassistant:
  internal_url: http://192.168.178.214:8123
  external_url: https://ha.xxxxx.duckdns.org

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.22.0.0/24

Following is my Homeassistant Configuration:

  homeassistant:
    container_name: homeassistant
    image: "ghcr.io/home-assistant/home-assistant:stable"
    volumes:
      - /homeassistant/:/config
      - /etc/localtime:/etc/localtime:ro
    restart: unless-stopped
    network_mode: host
    privileged: true
    ports:
      - 8123:8123
      - 5683:5683

  nginx-proxy-manager:
    container_name: nginx
    privileged: true
    image: 'jc21/nginx-proxy-manager:latest'
    ports:
      - '80:80'
      - '81:81'
      - '443:443'
    environment:
      DB_MYSQL_HOST: "nginx-db"
      DB_MYSQL_PORT: 3306
    volumes:
      - /nginx/data:/data
      - /nginx/letsencrypt:/etc/letsencrypt

  nginx-db:
    container_name: nginx-db
    image: 'jc21/mariadb-aria:latest'
    environment:
    volumes:
      - /nginx/mysql:/var/lib/mysql

  vaultwarden:
    container_name: vaultwarden
    image: vaultwarden/server:latest
    restart: unless-stopped
    volumes:
      - /vaultwarden:/data/
    ports:
      - 8125:3012
      - 8124:80
    environment:
      - DOMAIN=https://vw.xxxxx.duckdns.org
      - LOGIN_RATELIMIT_MAX_BURST=10
      - LOGIN_RATELIMIT_SECONDS=60
      - ADMIN_RATELIMIT_MAX_BURST=10
      - ADMIN_RATELIMIT_SECONDS=60
      - ADMIN_TOKEN=
      - SENDS_ALLOWED=true
      - EMERGENCY_ACCESS_ALLOWED=true
      - WEB_VAULT_ENABLED=true
      - SIGNUPS_ALLOWED=true

I have forwarded the ports in the router.

I have set up nginx the following:

Image

Issue is when I open the website, it will give me the error that hsts is enabled, even though I definitely did not check this option ( and I never did (today!).

What is the reason for this?

Do I have to set some sort of header?

Same thing with vaultwarden, basically I set this up 1:1 except for the url whichi is vw.xxxxx.duckdns .org.

source

Comments

Sort:hotnew top

redcalcium@lemmy.institute ⁨10⁩ ⁨months⁩ ago
What happened when you tried to open it on incognito mode / private browsing mode?

Btw, if you’re using Chrome, you can type thisisunsafe to bypass hsts warning if nothing else work.

source
- Lobotomie@lemmy.world ⁨10⁩ ⁨months⁩ ago
  if I close the 8123 port and remove my cache, firefox will warn me, if I click on forward anyways it will forward to a website from my router for some reason saying that the DNS-Rebind-Protection has blocked my attempt and that there is some issue with the host-header.
  
  source
  - redcalcium@lemmy.institute ⁨10⁩ ⁨months⁩ ago
    Instead of forwarding ha.yourdomain.com to 192.168.178.214 (which I assume is the lan ip address for your machine), you should forward it to a hostname called homeassistant (which is the hostname for the home assistant instance inside your docker compose network).
    
    source
    -> View More Comments
Decronym@lemmy.decronym.xyz ⁨10⁩ ⁨months⁩ ago
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

Fewer Letters More Letters

HA Home Assistant automation software

~ High Availability

IP Internet Protocol

VPN Virtual Private Network

[Thread #382 for this sub, first seen 28th Dec 2023, 12:45] [FAQ] [Full list] [Contact] [Source code]

source
walden@sub.wetshaving.social ⁨10⁩ ⁨months⁩ ago
Which ports did you forward?

source
- Lobotomie@lemmy.world ⁨10⁩ ⁨months⁩ ago
  80,443,8123 and 8124
  
  source
  - walden@sub.wetshaving.social ⁨10⁩ ⁨months⁩ ago
    Only 80 and 443 get forwarded to nginx. nginx handles everything from there. Close the other ports.
    
    source
    -> View More Comments
MSgtRedFox@infosec.pub ⁨10⁩ ⁨months⁩ ago
What cert did you put on the proxy answering the inbound? Usually that error means either the browser doesn’t like the cert, or it’s connecting to 80, and modern browsers really fight you on that sometimes. Also, cache. Clear your cache if you’re bouncing between internal URL/IP and the public.

I assume you just want to expose to internet to learn art of reverse. Otherwise there’s better ways.

source
- Lobotomie@lemmy.world ⁨10⁩ ⁨months⁩ ago
  Mainly I want to expose it so I can access my stuff remotely. What would you recommend otherwise? Traefik looks alot more difficult to me from the get go but I haven’t tried it out yet (because I dont know where to start) Issue is just that I have a basic understanding about docker/ubuntu stuff now (or I know how to manipulate stuff like I want) but basically everything with Web and https is a big black hole for me which I can’t seem to grasp yet.
  
  source
  - MSgtRedFox@infosec.pub ⁨10⁩ ⁨months⁩ ago
    Yeah, it’s a lot. It’s a very large field, and you’re playing in two or three areas here.
    
    Look at a couple of overlay options. ZeroTier is the one I remember off top of my head. There are others, Google alternatives. These use a coordination server. Some are a hosted service, but there’s some that you host yourself. These are supposed to be pretty easy. You watch a couple of videos on these, I bet you’re be fine.
    
    Wire guard offers more traditional VPN. You can tunnel your device back to your network. Some routers offer a VPN option. There’s open sense, ddwrt, etc. Again, lots of videos.
    
    Since you said you mostly wanted remote access, I strongly suggest not opening services to public and use VPN.
    
    You can still learn reverse proxy too, but just do it internally, even though it wouldn’t technically be needed. This will be much safer and learner friendly.
    
    I have ridiculous amounts of services running, but I use gateway router VPN to access most of them.
    
    source
    -> View More Comments
stown@sedd.it ⁨10⁩ ⁨months⁩ ago
Are you absolutely sure that NPM has an IP from the subnet 172.22.0.0/24? Is there any way you can remove the trusted proxy setting from homeassistant to see if it will accept the connection from NPM?

source
- stown@sedd.it ⁨10⁩ ⁨months⁩ ago
  I did some reading and found that the trusted_proxies setting is required. Can you try setting it to 0.0.0.0/0?
  
  source
  - Lobotomie@lemmy.world ⁨10⁩ ⁨months⁩ ago
    I have set it but it wont change anything. You can access the docker inspect here pastebin.com/t1T98RCw I can imagine that this problem is before homeassistant as even if I ignore the certificate error , it will not forward me to homeassistant but to my router / a warning page from my router saying it has blocked me.
    
    source
tagginator@utter.online [bot] ⁨10⁩ ⁨months⁩ ago
New Lemmy Post: Help needed setting up NGINX reverse Proxy / HA / Vaultwarden using Duckdns (https://lemmy.world/post/10039683)
Tagging: #SelfHosted
(Replying in the OP of this thread (NOT THIS BOT!) will appear as a comment in the lemmy discussion.)
I am a FOSS bot. Check my README: https://github.com/db0/lemmy-tagginator/blob/main/README.md
source

Fewer Letters	More Letters
HA	Home Assistant automation software
~	High Availability
IP	Internet Protocol
VPN	Virtual Private Network