Nginx as a reverse proxy for Home Assistant

Introduction

When setting up Home Assistant, there may be a need to access it using both HTTPS and HTTP protocols:

  • HTTPS ensures secure, encrypted communication, which is essential for protecting your data and meeting security best practices.
  • HTTP is still required for certain integrations that rely on webhooks but don’t support SSL encryption.

However, Home Assistant natively supports only one protocol at a time—you can’t run both HTTP and HTTPS simultaneously.

This is where a reverse proxy comes into play. It acts as an intermediary that handles incoming requests, manages SSL encryption, and routes traffic to Home Assistant, so you get the security benefits of HTTPS while staying compatible with integrations that require HTTP.

🔧 Home Assistant configuration

By default, Home Assistant does not allow connections through a reverse proxy. To enable this functionality, you’ll need to add specific parameters to the configuration.yaml file.

The easiest way to modify this file is by installing the “File Editor” add-on in Home Assistant:

  1. Go to Settings → Add-ons → Add-on Store.
  2. Search for “File Editor” and install it.
  3. Start the add-on and open the configuration.yaml file for editing.

I prefer to keep the default port 8123 for accessing Home Assistant. Therefore, in the reverse proxy configuration, you’ll see a different external port mapped to this internal standard port.

Here’s an example of what to add to your configuration.yaml file:

http:
  ip_ban_enabled: true
  login_attempts_threshold: 5
  server_port: <HA_PORT>
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.0.0/16
    - 127.0.0.1
    - <IP_ADDRESS_OF_YOUR_HOME_NETWORK>

⚠️ Important Notes:

  • ip_ban_enabled: true and login_attempts_threshold: 5 are needed to prevent brute-force attacks if your instance is accessible from the Internet.
  • 172.30.0.0/16 is the internal Docker network, so it must be allowed if you run NGINX as an HA add-on.
  • Replace <HA_PORT> with your preferred port for non-SSL access to your HA.
  • Replace <IP_ADDRESS_OF_YOUR_HOME_NETWORK> with the actual IP address of your home network.
  • The trusted_proxies setting ensures only specified proxy servers are allowed to forward requests. Keep this list as narrow as possible, because Home Assistant accepts the X-Forwarded-For header from every address listed in it.
  • The use_x_forwarded_for parameter enables Home Assistant to recognize the original IP address of the client, instead of the proxy’s IP.

After making changes, don’t forget to restart Home Assistant for the new settings to take effect.
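The effect of trusted_proxies and use_x_forwarded_for on which address a failed login is counted against can be seen in the following added example, which is not part of the original article and not Home Assistant's code. It is a simplified model that assumes right-to-left evaluation of X-Forwarded-For; the proxy address, the LAN range and the client addresses are constructed sample values.

```python
import ipaddress

def resolve_client_ip(peer_ip, xff, trusted_proxies, use_x_forwarded_for=True):
    """Address a backend would attribute a request to (and count login failures against).

    Simplified model, not Home Assistant's source: X-Forwarded-For is honoured
    only when the TCP peer is a trusted proxy, and is read right to left,
    skipping trusted hops; the first untrusted hop is taken as the client.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]

    def trusted(ip):
        return any(ip in net for net in nets)

    peer = ipaddress.ip_address(peer_ip)
    if not (use_x_forwarded_for and xff and trusted(peer)):
        return str(peer)  # header ignored: only the connecting address is known
    try:
        hops = [ipaddress.ip_address(h.strip()) for h in xff.split(",")]
    except ValueError:
        return None  # malformed header: refuse rather than guess
    for hop in reversed(hops):
        if not trusted(hop):
            return str(hop)
    return str(hops[0])  # all hops trusted: fall back to the left-most entry


# Constructed sample values (documentation and private ranges, not from the article).
PROXY = "192.168.1.10"                      # hypothetical host running nginx
NARROW = ["172.30.0.0/16", "127.0.0.1", PROXY]
BROAD = ["172.30.0.0/16", "127.0.0.1", "192.168.1.0/24"]

def scenarios():
    # nginx's $proxy_add_x_forwarded_for appends the real peer to whatever the client sent.
    inbound = "198.51.100.99, 203.0.113.7"   # client-sent value, then address nginx saw
    lan = "198.51.100.99, 192.168.1.50"      # same, from a device on the LAN
    return {
        "internet_narrow": resolve_client_ip(PROXY, inbound, NARROW),
        "xff_disabled": resolve_client_ip(PROXY, inbound, NARROW, use_x_forwarded_for=False),
        "lan_narrow": resolve_client_ip(PROXY, lan, NARROW),
        "lan_broad": resolve_client_ip(PROXY, lan, BROAD),
        "direct_untrusted_peer": resolve_client_ip("192.168.1.50", "198.51.100.99", NARROW),
    }

if __name__ == "__main__":
    for name, ip in scenarios().items():
        print(f"{name:22} -> {ip}")
```

With only the proxy trusted, the address nginx itself observed is used in every case; with the whole LAN range trusted, the value supplied by the LAN client becomes the attributed address.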

🔧 nginx configuration

While Home Assistant offers its own NGINX-based add-ons for reverse proxy, I opted for a different approach. Since I already had a standalone NGINX server installed on my home server for other purposes, I decided to integrate Home Assistant into that existing setup.

Although I experimented with the “NGINX Home Assistant SSL Proxy” add-on, I found it to be slightly slower compared to running NGINX directly on my home server. The standalone NGINX provided better performance and flexibility, especially since it was already managing other services on my network.

If you prefer using a standalone NGINX server instead of the Home Assistant add-on, this guide is for you. This method offers better performance and more flexibility, especially if you’re already running NGINX for other services.

🖥️ Step 1: Install NGINX

If NGINX isn’t installed on your Linux system, you can install it using your package manager:

For Debian/Ubuntu-based systems:

sudo apt update
sudo apt install nginx

After installation, start and enable NGINX to run on boot:

sudo systemctl start nginx
sudo systemctl enable nginx

📄 Step 2: Create the NGINX Configuration File

Once NGINX is installed, the next step is to configure it as a reverse proxy for Home Assistant.

  1. Navigate to the NGINX configuration directory:

cd /etc/nginx/sites-available

  2. Create a new configuration file for Home Assistant, using your preferred text editor if mcedit isn’t your choice:

sudo mcedit homeassistant.conf

  3. Add the following configuration:

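# $connection_upgrade is not built in; define it once in the http context
# (files in sites-enabled are included there). Needed for WebSocket upgrades.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 8123 ssl;
    server_name your-domain.com;

    ssl_certificate /usr/share/hassio/ssl/fullchain.pem;
    ssl_certificate_key /usr/share/hassio/ssl/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;
    ssl_session_tickets off;

    proxy_buffering off;
    # Header name and header value are separate arguments
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        proxy_pass http://<Home-Assistant_ip>:<HA_PORT>;
        proxy_redirect http:// https://;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        # Appends the connecting client's address to any X-Forwarded-For it sent
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}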

⚠️ Key points:

  • Replace 8123 with your preferred port.
  • Replace your-domain.com with your actual domain or IP address.
  • proxy_pass http://<Home-Assistant_ip>:<HA_PORT>; forwards traffic to Home Assistant’s IP and port.
    Replace <Home-Assistant_ip> with the actual IP; <HA_PORT> must be the same as in the HA configuration at the beginning of this article.
  • Check that ssl_certificate and ssl_certificate_key are configured properly.
    You can find out how to get a free certificate in this article, or install the Let’s Encrypt add-on for Home Assistant.

🔗 Step 3: Enable the Configuration

Create a symbolic link to enable the configuration:

sudo ln -s /etc/nginx/sites-available/homeassistant.conf /etc/nginx/sites-enabled/

Test the NGINX configuration for errors:

sudo nginx -t

Restart NGINX to apply changes:

sudo systemctl restart nginx

Now your Home Assistant is securely accessible through NGINX with better performance and flexibility! 🚀