krmnn
5/18/2017 - 8:45 AM

Nginx SSL reverse proxy config for Home-Assistant

Nginx SSL reverse proxy config for Home-Assistant

server {
        listen 443 ssl;
        server_name xxx;

        ssl on;

        ssl_certificate /etc/letsencrypt/live/xxx/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/xxx/privkey.pem; # managed by Certbot

        ssl_prefer_server_ciphers on;

        # dhparams file. generate with "openssl dhparam -out dhparams.pem 2048"
        ssl_dhparam /etc/nginx/ssl/dhparams.pem;

        # if your nginx version is >= 1.9.5 you can also add the "http2" flag here
        # add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
        ssl_session_cache shared:SSL:10m;

        # better performance for HA web frontend
        # proxy_buffering off;

        location / {
                proxy_pass http://localhost:8123;
                proxy_set_header Host $host;

                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
        }


}
server {
    listen       80 default_server;
    server_name  xxx;

    return 301 https://$host$request_uri;
}

Nginx SSL reverse proxy config for Home-Assistant

  1. Forward :80 and :443 to IP running HA.
  2. Don't use the HA built-in SSL directives. They never actually worked for me.
  3. Do the letsencrypt dance.
  4. Create a SSL dhparams file: openssl dhparam -out /etc/nginx/ssl/dhparams.pem 2048. Watch your raspberry getting hot for an hour.
  5. Enable nginx config: ln -s /etc/nginx/sites-available/home-assistant.conf /etc/nginx/sites-enabled/home-assistant.conf
  6. systemctl restart nginx