Issue is when I open the website, it will give me the error that hsts is enabled, even though I definitely did not check this option ( and I never did (today!).
What is the reason for this?
Do I have to set some sort of header?
Same thing with vaultwarden, basically I set this up 1:1 except for the url whichi is vw.xxxxx.duckdns .org.
Are you absolutely sure that NPM has an IP from the subnet 172.22.0.0/24? Is there any way you can remove the trusted_proxies setting from homeassistant and then check if it will accept the connection from NPM?
I have set it but it wont change anything.
You can access the docker inspect here https://pastebin.com/t1T98RCw
I can imagine that this problem is before homeassistant as even if I ignore the certificate error , it will not forward me to homeassistant but to my router / a warning page from my router saying it has blocked me.
If I test the server reachability inside nginx manager it will ask me if npm is configured correctly, so you might be onto something with NPM configuration …
I have now set up duckdns over docker instead of over my router, but it hasnt helped anything. My Duckdns IP is the same (and its correct, if I just open this IPV4 Address it will redirect to my nginx landing page).
Okay I think here is the error. AFter doing the Test Server Reachability the following will come up in the nginx-db logs:
2023-12-29 21:06:25 3 [Warning] Aborted connection 3 to db: ‘npm’ user: ‘npm’ host: ‘172.22.0.8’ (Got an error reading communication packets)
Now I have no clue why this is ( I think this is the end for today as my head is about to explode). Docker inspect nginx reveals that this request for sure came from nginx (as it has the .0.8 ip).
if I close the 8123 port and remove my cache, firefox will warn me, if I click on forward anyways it will forward to a website from my router for some reason saying that the DNS-Rebind-Protection has blocked my attempt and that there is some issue with the host-header.
Instead of forwarding ha.yourdomain.com to 192.168.178.214 (which I assume is the lan ip address for your machine), you should forward it to a hostname called homeassistant (which is the hostname for the home assistant instance inside your docker compose network).
What cert did you put on the proxy answering the inbound? Usually that error means either the browser doesn’t like the cert, or it’s connecting to 80, and modern browsers really fight you on that sometimes. Also, cache. Clear your cache if you’re bouncing between internal URL/IP and the public.
I assume you just want to expose to internet to learn art of reverse. Otherwise there’s better ways.
Mainly I want to expose it so I can access my stuff remotely. What would you recommend otherwise?
Traefik looks alot more difficult to me from the get go but I haven’t tried it out yet (because I dont know where to start)
Issue is just that I have a basic understanding about docker/ubuntu stuff now (or I know how to manipulate stuff like I want) but basically everything with Web and https is a big black hole for me which I can’t seem to grasp yet.
Yeah, it’s a lot. It’s a very large field, and you’re playing in two or three areas here.
Look at a couple of overlay options. ZeroTier is the one I remember off top of my head. There are others, Google alternatives. These use a coordination server. Some are a hosted service, but there’s some that you host yourself. These are supposed to be pretty easy. You watch a couple of videos on these, I bet you’re be fine.
Wire guard offers more traditional VPN. You can tunnel your device back to your network. Some routers offer a VPN option. There’s open sense, ddwrt, etc. Again, lots of videos.
Since you said you mostly wanted remote access, I strongly suggest not opening services to public and use VPN.
You can still learn reverse proxy too, but just do it internally, even though it wouldn’t technically be needed. This will be much safer and learner friendly.
I have ridiculous amounts of services running, but I use gateway router VPN to access most of them.
using a vpn or similar is not really an option as I have famiy members accessing it and I dont want to always connect using a vpn just for example to open my garage or accessing my shopping list.
Security wise I just use 2FA so I dont think thats the issue.
You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: !selfhosted@lemmy.world
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don’t control.
Rules:
Be civil: we’re here to support and learn from one another. Insults won’t be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it’s not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don’t duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
Are you absolutely sure that NPM has an IP from the subnet 172.22.0.0/24? Is there any way you can remove the
trusted_proxiessetting from homeassistant and then check if it will accept the connection from NPM?I did some reading and found that the
trusted_proxiessetting is required. Can you try setting it to0.0.0.0/0?I have set it but it wont change anything. You can access the docker inspect here https://pastebin.com/t1T98RCw I can imagine that this problem is before homeassistant as even if I ignore the certificate error , it will not forward me to homeassistant but to my router / a warning page from my router saying it has blocked me.
If I test the server reachability inside nginx manager it will ask me if npm is configured correctly, so you might be onto something with NPM configuration …
I have now set up duckdns over docker instead of over my router, but it hasnt helped anything. My Duckdns IP is the same (and its correct, if I just open this IPV4 Address it will redirect to my nginx landing page).
Okay I think here is the error. AFter doing the Test Server Reachability the following will come up in the nginx-db logs: 2023-12-29 21:06:25 3 [Warning] Aborted connection 3 to db: ‘npm’ user: ‘npm’ host: ‘172.22.0.8’ (Got an error reading communication packets)
Now I have no clue why this is ( I think this is the end for today as my head is about to explode). Docker inspect nginx reveals that this request for sure came from nginx (as it has the .0.8 ip).
What happened when you tried to open it on incognito mode / private browsing mode?
Btw, if you’re using Chrome, you can type
thisisunsafeto bypass hsts warning if nothing else work.if I close the 8123 port and remove my cache, firefox will warn me, if I click on forward anyways it will forward to a website from my router for some reason saying that the DNS-Rebind-Protection has blocked my attempt and that there is some issue with the host-header.
Instead of forwarding
ha.yourdomain.comto192.168.178.214(which I assume is the lan ip address for your machine), you should forward it to a hostname calledhomeassistant(which is the hostname for the home assistant instance inside your docker compose network).Now I get a error Fehlercode: SEC_ERROR_UNKNOWN_ISSUER, and if I continue it will again go to my router with the DNS-REbind / Host-Header Issue
What cert did you put on the proxy answering the inbound? Usually that error means either the browser doesn’t like the cert, or it’s connecting to 80, and modern browsers really fight you on that sometimes. Also, cache. Clear your cache if you’re bouncing between internal URL/IP and the public.
I assume you just want to expose to internet to learn art of reverse. Otherwise there’s better ways.
Mainly I want to expose it so I can access my stuff remotely. What would you recommend otherwise? Traefik looks alot more difficult to me from the get go but I haven’t tried it out yet (because I dont know where to start) Issue is just that I have a basic understanding about docker/ubuntu stuff now (or I know how to manipulate stuff like I want) but basically everything with Web and https is a big black hole for me which I can’t seem to grasp yet.
Yeah, it’s a lot. It’s a very large field, and you’re playing in two or three areas here.
Look at a couple of overlay options. ZeroTier is the one I remember off top of my head. There are others, Google alternatives. These use a coordination server. Some are a hosted service, but there’s some that you host yourself. These are supposed to be pretty easy. You watch a couple of videos on these, I bet you’re be fine.
Wire guard offers more traditional VPN. You can tunnel your device back to your network. Some routers offer a VPN option. There’s open sense, ddwrt, etc. Again, lots of videos.
Since you said you mostly wanted remote access, I strongly suggest not opening services to public and use VPN.
You can still learn reverse proxy too, but just do it internally, even though it wouldn’t technically be needed. This will be much safer and learner friendly.
I have ridiculous amounts of services running, but I use gateway router VPN to access most of them.
using a vpn or similar is not really an option as I have famiy members accessing it and I dont want to always connect using a vpn just for example to open my garage or accessing my shopping list. Security wise I just use 2FA so I dont think thats the issue.
Which ports did you forward?
80,443,8123 and 8124
Only 80 and 443 get forwarded to nginx. nginx handles everything from there. Close the other ports.
cheers!
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
5 acronyms in this thread; the most compressed thread commented on today has 8 acronyms.
[Thread #382 for this sub, first seen 28th Dec 2023, 12:45] [FAQ] [Full list] [Contact] [Source code]
deleted by creator