Double Proxy
So I have Nginx Proxy Manager running on OPNsense. Then I have Cloudflare proxying NPM.
Prerequisites
- OPNsense
- Home Assistant
- Cloudflare
- Domain name
Goals
- Access Home Assistant on local network at http://homeassistant.localdomain:8123.
- Access Home Assistant from any network at https://ha.doiotyourself.com.
How to
Home Assistant
- Settings > System > Network
  - Host Name (the name your instance will have on your network): homeassistant
  - Home Assistant URL, Internet: https://ha.doiotyourself.com/
  - Home Assistant URL, Local Network: Automatic
- Update configuration.yaml and save lists of all reverse proxies in the new directory configuration/trusted_proxies/:

  ```yaml
  http:
    use_x_forwarded_for: true
    trusted_proxies: !include_dir_merge_list configuration/trusted_proxies/
    ip_ban_enabled: true
    login_attempts_threshold: 5
  ```

  configuration/trusted_proxies/ip-my-proxy.yaml:

  ```yaml
  # IP Address of my reverse proxy
  ---
  - !secret proxy_ip_address
  ```

  and add a new line to secrets.yaml:

  ```yaml
  proxy_ip_address: 192.168.107.1
  ```

  configuration/trusted_proxies/ips-v4.yaml:

  ```yaml
  # https://www.cloudflare.com/ips-v4
  ---
  - 173.245.48.0/20
  - 103.21.244.0/22
  - 103.22.200.0/22
  - 103.31.4.0/22
  - 141.101.64.0/18
  - 108.162.192.0/18
  - 190.93.240.0/20
  - 188.114.96.0/20
  - 197.234.240.0/22
  - 198.41.128.0/17
  - 162.158.0.0/15
  - 104.16.0.0/13
  - 104.24.0.0/14
  - 172.64.0.0/13
  - 131.0.72.0/22
  ```

  configuration/trusted_proxies/ips-v6.yaml:

  ```yaml
  # https://www.cloudflare.com/ips-v6
  ---
  - 2400:cb00::/32
  - 2606:4700::/32
  - 2803:f800::/32
  - 2405:b500::/32
  - 2405:8100::/32
  - 2a06:98c0::/29
  - 2c0f:f248::/32
  ```
- Restart Home Assistant.
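Why every hop must be in trusted_proxies, as an added illustration (not Home Assistant's own forwarded middleware and not code from this page): it walks X-Forwarded-For right to left, peeling off trusted hops, using the Cloudflare ranges and proxy_ip_address listed above; the client and edge addresses in the sample are constructed.

```python
import ipaddress

# Ranges as listed on this page (https://www.cloudflare.com/ips-v4 and /ips-v6).
CLOUDFLARE_V4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]
CLOUDFLARE_V6 = [
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32",
    "2405:8100::/32", "2a06:98c0::/29", "2c0f:f248::/32",
]
LOCAL_PROXY = "192.168.107.1"  # proxy_ip_address from secrets.yaml

def build_trusted(*groups):
    """Flatten lists of CIDR strings into networks (what include_dir_merge_list produces)."""
    return [ipaddress.ip_network(cidr) for group in groups for cidr in group]

def is_trusted(addr, trusted):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in trusted)  # v4 vs v6 mismatches simply compare False

def resolve_client_ip(peer_ip, x_forwarded_for, trusted):
    """Return the address login_attempts_threshold / ip_ban should count against.

    Only a trusted TCP peer may vouch for X-Forwarded-For; from anyone else the
    header is attacker-controlled, so the peer itself is the client. The header
    is walked right to left so that every trusted hop is discarded.
    """
    if not x_forwarded_for or not is_trusted(peer_ip, trusted):
        return peer_ip
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted(hop, trusted):
            return hop
    return hops[0]  # every hop was a proxy: leftmost is the best remaining guess

if __name__ == "__main__":
    full = build_trusted(CLOUDFLARE_V4, CLOUDFLARE_V6, [LOCAL_PROXY])
    only_local = build_trusted([LOCAL_PROXY])
    # Constructed sample: client 203.0.113.7 -> Cloudflare edge 172.64.1.1 -> Nginx on OPNsense -> HA
    via_cf = ("192.168.107.1", "203.0.113.7, 172.64.1.1")
    print(resolve_client_ip(*via_cf, full))        # 203.0.113.7 (real client)
    print(resolve_client_ip(*via_cf, only_local))  # 172.64.1.1 (a Cloudflare edge would get banned)
    print(resolve_client_ip("192.168.1.50", "10.0.0.1", full))  # 192.168.1.50 (forged header ignored)
```

The second print is the failure mode of listing only the local proxy: after five bad logins from anywhere, ip_ban would lock out a Cloudflare edge address shared by many users instead of the offender.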
Cloudflare
- dash.cloudflare.com > Websites > Home: click on your domain name.
- DNS > Records: create a new A or AAAA record. Point it to the IP address of the OPNsense WAN interface you want to hit. Proxy status: Proxied.
- SSL/TLS > Overview
- Rules > Page Rules
- SSL/TLS > Origin Server: set Authenticated Origin Pulls to Enabled, then Create Certificate. Save the certificate to OPNsense.
OPNsense
- System: Trust: Certificates: save the Cloudflare Origin Certificate created in the step above as 'Cloudflare Origin Certificate'.
- System: Settings: Administration: select a TCP port other than 443 for the Web GUI and disable the web GUI redirect rule.
- System: Firmware: Plugins: install os-nginx.
- Services: Nginx: Configuration
- New Upstream Server
- New Upstream
- Download the NAXSI (WAF) rules
- New Location
- Location Continued and Advanced mode
- New HTTP Server
- General Settings: select Enable nginx
- Firewall: Alias
- Firewall: Rules: WAN
Future Improvements
Use split DNS to resolve hostnames so as to redirect clients on the local network to the local IP address of OPNsense Nginx Proxy Manager rather than routing them through Cloudflare's servers and back to the local network. This is low priority as I'm mostly using the Home Assistant iPhone App and can set different hostnames for Internal URL (http://homeassistant.localdomain:8123) and External URL (https://ha.doiotyourself.com).