114 lines
3.6 KiB
Plaintext
114 lines
3.6 KiB
Plaintext
##
|
|
#
|
|
# Home Assistant - nginx Configuration File
|
|
#
|
|
# Using nginx as a proxy for Home Assistant allows you to serve Home Assisatnt
|
|
# securely over standard ports. This configuration file and instructions will
|
|
# walk you through setting up Home Assistant over a secure connection.
|
|
#
|
|
# 1) Get a domain name forwarded to your IP.
|
|
# Chances are, you have a dynamic IP Address (your ISP changes your address
|
|
# periodically). If this is true, you can use a Dynamic DNS service to obtain
|
|
# a domain and set it up to update with you IP. If you purchase your own
|
|
# domain name, you will be able to easily get a trusted SSL certificate
|
|
# later.
|
|
#
|
|
#
|
|
# 2) Install nginx on your server.
|
|
# This will vary depending on your OS. Check out Google for this. After
|
|
# installing, ensure that nginx is not running.
|
|
#
|
|
#
|
|
# 3) Obtain an SSL certificate.
|
|
#
|
|
# 3a) Using Let's Encrypt
|
|
# If you purchased your own domain, you can use https://letsencrypt.org/ to
|
|
# obtain a free, publicly trusted SSL certificate. This will allow you to
|
|
# work with services like IFTTT. Download and install per the instructions
|
|
# online and get a certificate using the following command.
|
|
#
|
|
# ./letsencrypt-auto certonly --standalone -d example.com -d www.example.com
|
|
#
|
|
# Instead of example.com, use your domain. You will need to renew this
|
|
# certificate every 90 days.
|
|
#
|
|
# 3b) Using openssl
|
|
# If you do not own your own domain, you may generate a self-signed
|
|
# certificate. This will not work with IFTTT, but it will encrypt all of your
|
|
# Home Assistant traffic.
|
|
#
|
|
# openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 9999
|
|
# sudo cp key.pem cert.pem /etc/nginx/ssl
|
|
# sudo chmod 600 /etc/nginx/ssl/key.pem /etc/nginx/ssl/cert.pem
|
|
# sudo chown root:root /etc/nginx/ssl/key.pem /etc/nginx/ssl/cert.pem
|
|
#
|
|
#
|
|
# 4) Create dhparams file
|
|
# As a fair warning, this file will take a while to generate.
|
|
#
|
|
# cd /etc/nginx/ssl
|
|
# sudo openssl dhparam -out dhparams.pem 2048
|
|
#
|
|
#
|
|
# 5) Install this configuration file in nginx.
|
|
#
|
|
# cp nginx-hass /etc/nginx/sites-available/hass
|
|
# cd /etc/nginx/sites-enabled
|
|
# sudo unlink default
|
|
# sudo ln ../sites-available/hass default
|
|
#
|
|
#
|
|
# 6) Double check this configuration to ensure all settings are correct and
|
|
# start nginx.
|
|
#
|
|
#
|
|
# 7) Forward ports 443 and 80 to your server on your router. Do not forward
|
|
# port 8123.
|
|
#
|
|
##
|
|
|
|
server {
|
|
# Update this line to be your domain
|
|
server_name example.com;
|
|
|
|
|
|
# These shouldn't need to be changed
|
|
listen 80 default_server;
|
|
listen [::]:80 default_server ipv6only=on;
|
|
return 301 https://$host$request_uri;
|
|
}
|
|
|
|
|
|
server {
|
|
# Update this line to be your domain
|
|
server_name example.com;
|
|
|
|
# Ensure these lines point to your SSL certificate and key
|
|
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
|
|
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
|
|
# Use these lines instead if you created a self-signed certificate
|
|
# ssl_certificate /etc/nginx/ssl/cert.pem;
|
|
# ssl_certificate_key /etc/nginx/ssl/key.pem;
|
|
|
|
# Ensure this line points to your dhparams file
|
|
ssl_dhparam /etc/nginx/ssl/dhparams.pem;
|
|
|
|
|
|
# These shouldn't need to be changed
|
|
listen 443 default_server;
|
|
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
|
|
ssl on;
|
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
|
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
|
|
ssl_prefer_server_ciphers on;
|
|
ssl_session_cache shared:SSL:10m;
|
|
|
|
proxy_buffering off;
|
|
|
|
location / {
|
|
proxy_pass http://localhost:8123;
|
|
proxy_set_header Host $host;
|
|
proxy_redirect http:// https://;
|
|
}
|
|
}
|