Set up Hass.io with secure remote access using DuckDNS and Nginx proxy

To be able to access your Home Assistant dashboard securely from outside your home, you need to set up a dynamic DNS provider, SSL/TLS certificates, and a path to access your Home Assistant instance from outside your network. The easiest and most popular way to do this is using Hass.io with the DuckDNS and NGINX Proxy add-ons.

Why is the NGINX Proxy add-on needed?

Without the Nginx Proxy, Home Assistant itself is responsible for serving your SSL/TLS certificates via the http component. Currently the http component can't serve both HTTP and HTTPS at the same time, so if this is enabled, all API traffic to Home Assistant must be over HTTPS. This is problematic for the Konnected devices when used with the LetsEncrypt certificates generated by the DuckDNS addon. These certificates require significant memory & processing power to negotiate, which causes severe performance and reliability issues on Konnected's tiny ESP8266 chip. Using the Nginx proxy we can avoid all this by offloading HTTPS termination to Nginx, leaving Home Assistant open to serve local requests from Konnected over fast unencrypted HTTP.

There are many ways to do this! Home Assistant is very flexible and configurable -- this is just one approach.

Install the DuckDNS add-on

DuckDNS is a free dynamic DNS service. This service lets you pick a host name (i.e. "konnected.duckdns.org") that will always point back to your home internet connection even if your IP address changes from time to time. The DuckDNS add-on sets this up and automatically generates secure certificates for you via LetsEncrypt.

  1. Sign up for a free account on DuckDNS
  2. Create a domain on the DuckDNS dashboard.
  3. Install the DuckDNS add-on from the Hass.io add-on store and configure it with your domain and DuckDNS token copied from the DuckDNS dashboard
  4. Set accept_terms to true so your certificates will be generated.
  5. DO NOT make any changes to your configuration.yaml as suggested in the DuckDNS add-on docs. We are going to use Nginx to serve the certificates instead.

Install the Nginx Proxy add-on

Nginx is a lightweight open source web server that runs some of the biggest websites in the world. We're using it here to serve traffic securely from outside your network and proxy that traffic to Home Assistant.

  1. Install the NGINX Home Assistant SSL proxy add-on from the Hass.io add-on store and configure it with your DuckDNS domain
  2. All other settings can remain default.
  3. Start the add-on and wait until Nginx is running. You may need to refresh the logs a few times.

Set up Port Forwarding

  1. Log in to your router to set up port forwarding. For the simplest possible setup, forward port TCP 443 to port 443 on your Raspberry Pi running Hass.io. This way you would be able to access your Hass.io dashboard from anywhere at https://my-domain.duckdns.org.
  2. You may want to choose a more obscure port for access from the outside world, for example: https://my-domain.duckdns.org:7654. In that case, forward TCP port 7654 on your router to port 443 on the RPi.
  3. You can optionally forward port 80 on your router to port 80 on the RPi. Nginx serves up a redirect on port 80 as a convenience in case you forget to type https in front of the URL.
  4. From inside your network, you can continue to access Hass.io at http://hassio.local:8123

Did you find it helpful? Yes No

Send feedback
Sorry we couldn't be helpful. Help us improve this article with your feedback.