How to make Home Asisstant public available without VPN?

sonnatager · January 22, 2024, 3:14pm

Hello guys,

I have some services installed and they are all publicly accessible with their corresponding subpath:

Nextcloud: domain.example/nextcloud
Gitea: domain.exmple/gitea
Vaultwarden: domain.exmple/vault
Jellyfin: domain.exmple/jellyfin

I also have Home Asisstant installed and it is working fine on my local network.
My goal i to make Home Asisstant also accesible publicly:

domain.exmple/home

But ithis is not working, because Home Asisstant does not support to be hosted on a subpath:

github.com/home-assistant/architecture

Ability to host the application on a path

opened 02:15AM - 24 Feb 19 UTC

closed 03:52AM - 19 Mar 19 UTC

davidjb

As first discussed at https://github.com/home-assistant/home-assistant/issues/21…113, Home Assistant doesn't currently support hosting on a path (eg `https://home.example.com/homeassistant`), being only able to be hosted at the root of a domain. Being able to serving Home Assistant from a subdirectory would allow it to co-exist alongside several other applications on an existing single hostname (served by a web server or reverse proxy, like Nginx) . This would save maintaining a separate hostname for this one application, removing the need for additional firewall, DNS configuration or HTTPS certificate config/renewals and so on. In other applications, serving an application on a path is common. It usually involves the app's resources being served with either absolute URLs (eg prefixed with a full `base_url` or just a path component), or via relative URLs (possibly with a `<base>` tag in the HTML). Dynamic apps often allow the frontend host to pass the "path" as part of the request (eg `PATH_INFO` in FastCGI), or otherwise applications might statically prefix all the resources on a page and it is up to the user to configure this correctly in the app's settings. I'm only generally familiar with Home Assistant's internals but given the [http `base_url` setting](https://www.home-assistant.io/components/http/#base_url) setting exists already, it appears to be following the latter "static" style of configuration. To implement the ability for Home Assistant to be served with a path, the simplest solution appears to be a case of ensuring `base_url` affects Home Assistant's URLs correctly, where any assumptions have been made in the code about the app being hosted at the root (`/`) of the domain. For example, resources and links in the frontend HTML currently point at `/frontend_latest` and `/static`, so these would need the ability to be prefixed based on live configuration (or made relative). A comment on the previous issue mentioned there are other components [that rely on knowing the path exposed to the internet](https://github.com/home-assistant/home-assistant/issues/21113#issuecomment-464457085) so these would need adjusting too to make them flexible (& anywhere else that assumes the same). Is Home Assistant's architecture able to accommodate being served on a path / is this something that can be done? I'm new to the project so happy to contribute a PR but I'd need some initial guidance from the core team to understand the scope and of changes required.

Is there a possiblity, to host Home Asisstant on a subdomain?
I would like to have Home Asisstant to be reachable with a domain like so:

home.domain.example

I don’t want to use a VPN, because i have already installed ProtonVPN on my mobile phone, and therefore i cannot use a VPN to my home network.

Best regards

Jappe · January 22, 2024, 4:52pm

You would need to setup a reverse proxy. What webserver do you use?

sonnatager · January 22, 2024, 5:17pm

I am using nginx and i have created for every service a config file in the sites-dietpi folder.

Joulinar · January 22, 2024, 5:32pm

Have a look to Reverse proxy using NGINX - Community Guides - Home Assistant Community

You should be able to start at point 6

Jappe · January 22, 2024, 5:32pm

There is a nice tutorial in the HA forums to create a reverse proxy with nginx and make it reachable via subdomain:
https://community.home-assistant.io/t/reverse-proxy-with-nginx-using-a-subdomain/196952

sonnatager · January 23, 2024, 2:26pm

I have also found this tutorials, but i am not able to get it work.

Are i am allowed to modifiy the config file /etc/nginx/sites-enabled/default?
Will this file not be overwritten by the lets encrypt certbot and/or a system update?

And, to be honest, i also don’t know how this is working with multiple server blocks in the nginx configs.

btd653 · January 23, 2024, 4:50pm

I can see you have a few ideas already, though if you want to try Tailscale I think it will be the simplest way, I use it and really easy to set up.

Go to Tailscale and create free account. https://tailscale.com/
In your Tailscale dashboard settings enable HTTPS
Use this link to install Tailscale addon in HA Link to Add-on: dashboard – My Home Assistant
After installing in HA go the configuration, (3 dots) and edit as YAML and paste

funnel: true
proxy: true
userspace_networking: false

Save and start the addon in HA and Open the web ui of the Tailscale and authenticate.

Wait a couple mins max and in the dashboard (machines) in Tailscal ui you will see the url for HA and will now available on the internet.

If go this way and hit any snags I’ll offer any help, but it is easy as 1 2 3 4 5

I don’t think I missed any steps out.

Jappe · January 23, 2024, 5:39pm

Normally place your configurations in /etc/nginx/sites-available. Insiode this folder is already a default file. Inside this file is a line include /etc/nginx/sites-dietpi/*.conf; which means, you can just place your configs inside /etc/nginx/sites-dietpi. This folder will never gets overriden by nginx because it’s not from the default config.

Then you link your configs to sites-enabled:

sudo ln -s /etc/nginx/sites-dietpi/testsite.com.conf /etc/nginx/sites-enabled/

After that you reload ngninx: sudo systemctl reload nginx
With this method you can have multiple config files in sites-dietpi but only link the ones you want to have enable.

Joulinar · January 23, 2024, 8:00pm

I would not do that

just create a new configuration next to default. I found a nice tutorial

sonnatager · January 23, 2024, 8:18pm

Thank you for you help and fast response, but i don’t want to use an extern service to get access to my home asisstant instance.

sonnatager · January 23, 2024, 8:21pm

But i cannot define other server blocks inside this configs, or do i?

Joulinar · January 23, 2024, 8:37pm

see my post above. You need to create a new configuration next to default file

sonnatager · January 23, 2024, 9:15pm

I have created a file called homeasisstant in the sites-enabled folder.
The contents of this file is following:

server {
	server_name home.domain.example;

    listen [::]:443 ssl http2 ipv6only=on; # managed by Certbot
    listen 443 ssl http2; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/domain.example-0001/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/domain.example-0001/privkey.pem; # managed by Certbot


    location / {
        proxy_pass http://127.0.0.1:8123;
        proxy_set_header Host $host;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /api/websocket {
        proxy_pass http://127.0.0.1:8123/api/websocket;
        proxy_set_header Host $host;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

But with this config i get an error in the logs if i restart nginx:

Jan 23 21:57:37 DietPi nginx[72533]: 2024/01/23 21:57:37 [emerg] 72533#72533: duplicate listen options for [::]:443 in /etc/nginx/sites-enabled/homeasisstant:5
Jan 23 21:57:37 DietPi systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE
Jan 23 21:57:37 DietPi systemd[1]: Reload failed for nginx.service - A high performance web server and a reverse proxy server.
Jan 23 21:58:53 DietPi systemd[1]: Reloading nginx.service - A high performance web server and a reverse proxy server...
Jan 23 21:58:53 DietPi nginx[72600]: 2024/01/23 21:58:53 [emerg] 72600#72600: duplicate listen options for [::]:443 in /etc/nginx/sites-enabled/homeasisstant:4
Jan 23 21:58:53 DietPi systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE
Jan 23 21:58:53 DietPi systemd[1]: Reload failed for nginx.service - A high performance web server and a reverse proxy server.

Joulinar · January 23, 2024, 10:13pm

these 2 lines are incorrect for the additional config file. It should be

    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot

without http2 ipv6only=on

Jappe · January 24, 2024, 6:37am

You can also test and validate your config with the command nginx -t.

sonnatager · January 26, 2024, 4:14pm

@Joulinar Ok, i removed the ones you suggested. But after a nginx -t i get following errors:

2024/01/26 17:10:52 [warn] 264414#264414: conflicting server name "home.domain.example" on [::]:443, ignored
2024/01/26 17:10:52 [warn] 264414#264414: conflicting server name "home.domain.example" on 0.0.0.0:443, ignored
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Joulinar · January 26, 2024, 4:28pm

Looks like you configured your host name within 2 different files. I guess once in /etc/nginx/sites-enabled/default and another one within the new file. Best to remove the block from /etc/nginx/sites-enabled/default

sonnatager · January 26, 2024, 4:43pm

It is now working, thank you

system · April 25, 2024, 4:43pm

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.