edm00se / ama

Ask me (virtually) anything!
https://github.com/edm00se/ama/issues?q=is%3Aissue+is%3Aclosed

I need help setting up the config file for Nginx running in Windows #8

Closed ae8u closed 4 years ago

ae8u commented 4 years ago

First thanks for your service. I was in OIF as well. I was in Iraq in 2004.

Now for my question. Here is the situation: I run a Windows Server 2012 R2 with a domain. I am now adding Home Assistant running on a Raspberry Pi (and running Raspbian).

I want to be able to log into the Home Assistant when we are away from home to monitor things. I have registered my own domain on Amazon Route 53, and have it set up so that it tracks my external IP address, just like DDNS programs such as DuckDNS would do. I initially set up port forwarding on my router to forward port 443 to the Pi and it all worked, so I know it is all set up correctly up to that point.

Unfortunately, I also have some other programs that require https access so I can't just leave it set up to do the port forwarding on my router.

All that said I am now trying to set up Nginx on the Windows Server. I have got that done, and I have it set up to run as a service. But I am struggling with getting the nginx.conf file written correctly. I can't get it to start, now that it is a service. It keeps giving an error 1067, which I think means there is a problem with the nginx.conf file. What would the nginx.conf file look like to get the Windows server to listen on port 443 and if it sees a call for my Home Assistant domain, it forwards to the Raspberry Pi, otherwise it just lets the 443 traffic go on to the PC that is trying to pass traffic on port 443?

I hope this all makes sense, and that I have explained it all correctly. I am into new territory for me and I am a little lost on what to do next.

Thanks, Mike

edm00se commented 4 years ago

Hi Mike. I missed you by a few years as I didn't make it over until '08, but always nice to run into a fellow vet.

It sounds like you have a nice growing setup, so growing pains are inevitable. If you're set on using a Windows Server instance w/ Nginx to work as a reverse proxy, being the sole outward facing server that forwards requests between your external and internal servers, then I recommend reading through the Nginx guide on reverse proxying. The basic premise is to use proxy_pass to point to the internal destination, based on your matching route (e.g.- /assistant/, etc.), it would look something like this:

location /route/ {
        proxy_pass  http://127.0.0.1:9000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

I've gone this route in limited quantities a few times and it has served me well. I included some of the other headers that can/may be used for better identifying additional information. Serving out the traffic over HTTPS and using the Nginx instance for SSL termination may be something you need to do, so above the location blocks, at the server "listen" block when you define port to listen on, I wouldn't even turn on port 80/http. Using routes like this will force everything under a "subdirectory" from an external perspective, although there are other ways than this sort of thing.

More advanced configurations can get a bit hairy, so take your time and try to keep everything straight. It's enough of a topic that freecodecamp even has their own guide to the process, in combination with Docker and Lets Encrypt, to automate the certificate portion (and looks useful to those getting started with it, if you don't mind rolling a container instance in Docker).

An alternative you may wish to consider is a tool to somewhat automate this for you. This Caddy server looks to attempt to fill that space and is open source and hosted on GitHub. I haven't used it myself, but it may be worth a look to see if that's something you want to try.

Best of luck!
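
The sort of nginx.conf the reply above sketches, written out as a complete file (an added example for this thread, not edm00se's config or anything from the Nginx project): the Windows host listens on 443 only, terminates TLS, and proxies requests for one hostname to the Pi. The hostname home.example.link, the Pi address 192.168.1.50 with Home Assistant on its default port 8123, and the certificate paths under C:/nginx/certs are all assumed placeholders; the websocket headers are included because the Home Assistant UI uses a websocket behind its web port.

```nginx
# Added example, not from the original thread. Placeholders: home.example.link,
# 192.168.1.50:8123 and the C:/nginx/certs paths are assumptions.
worker_processes  1;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    # Catch-all for any TLS connection whose SNI name is not one we serve
    # (for example someone probing the public IP directly). The handshake is
    # rejected outright, so no certificate or application is exposed.
    # ssl_reject_handshake needs nginx 1.19.4 or newer.
    server {
        listen 443 ssl default_server;
        server_name _;
        ssl_reject_handshake on;
    }

    # Only requests for the registered name reach Home Assistant.
    server {
        listen 443 ssl;
        server_name home.example.link;                 # assumed hostname

        ssl_certificate      C:/nginx/certs/fullchain.pem;   # assumed path
        ssl_certificate_key  C:/nginx/certs/privkey.pem;     # assumed path
        ssl_protocols        TLSv1.2 TLSv1.3;

        location / {
            proxy_pass http://192.168.1.50:8123;       # assumed Pi address/port
            proxy_set_header Host              $host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;

            # Websocket upgrade, used by the Home Assistant UI.
            proxy_http_version 1.1;
            proxy_set_header Upgrade    $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }
}
```

Before registering or restarting the Windows service, run `nginx -t` from the nginx directory: it parses the file and reports the exact line of any syntax or path error, which is far easier to debug than a service that fails on start. Note that this file only decides what happens to inbound connections that the router forwards to port 443; it has no effect on outbound HTTPS connections made by other PCs on the LAN.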

ae8u commented 4 years ago

Good morning Eric,

I hope you are well and surviving the pandemic and that it is not causing you any hardship - health-wise or financially!!

Thanks so much for all of the information. I have begun to read through it and I must say much of it is new territory for me and is requiring lots of studying on my part. I am a 69 year old "computer geek" that was ahead of my time when I started writing basic programs on a Radio shack computer in 1982, but now behind the times and the power curve.

So after reading your opening comment about being "set on using a Windows Server instance w/ Nginx", I was a little intrigued. I guess the bottom line is I am not set on anything other than accomplishing my goal (described below) with the easiest and least complicated approach. So what I mean by that is this. I have had the Windows network ever since my first PCs got upgraded to Windows 10 and I could no longer share files between PCs. So I set up my own internal domain and a bunch of drives on a PC running Windows 12 Server and it solved the issues. I have an internal unregistered domain name and all computers are logged into and authenticated by the server.

I am also an Amateur Radio Operator and one of my PCs is dedicated to the hobby. It is directly connected to my Radio Transceiver. I periodically connect to a logbook in the cloud managed by a national non-profit to sync my logbook to theirs. This is done via https and port 443 and is critical for my hobby to do so.

Now I am getting into playing with Raspberry Pis and setting up Home Assistant on one. It uses Nginx and Let's Encrypt and I have SSL certificates for it. I registered my own domain on AWS Route 53 (xxxx.link) to use to access it externally. After giving the Pi this domain I set up port forwarding for port 443 on my Netgear Router. Unfortunately, after doing so I started getting errors on my radio logbook syncing saying port 443 could not connect. I assume that it is caused by the port forwarding.

So the bottom line is I want to be able to forward my Route53 domain name (xxxx.link) to forward to my internal IP address 192.168.xxx.xxx and have all other port 443 traffic work the way it previously did - going to whatever PC is trying to access an https site.

I apologize for this long email, but I thought it important for you to understand my set up. That being said, how would you do this? Would you continue with setting up Nginx on the Windows Server? Would you add Docker containers to the Windows Server? Would you run Caddy on the Windows Server? In your example config, it shows forwarding to a folder, but currently the Windows server does not recognize the Pi folders.

Thanks again for taking your time to help a fellow vet and computer enthusiast - albeit a hobby for me.

Mike

edm00se commented 4 years ago

Hey Mike.

We're doing okay, thankfully. We'll be a bit cooped up by the time this all blows over, but hey, that's probably most of humanity now, so I can't really complain.

As to your network topology, I'm not trying to imply anything be set by anyone. We all gravitate towards tools we're familiar with, myself certainly included. So while my personal take on a similar situation might sound like "just throwing a docker container in front with a reverse proxy or load balancer" may make sense to me, whether this matches up with your needs to set up or maintain can easily be different.

As for Windows Server, it's all good, I just tend to gravitate towards containerized solutions these days as I don't generally run Windows as my primary OS and already work with containers a decent amount. I have run nginx both inside of containers and also Nginx for Windows in the past; both approaches work, although your existing nginx install on the raspberry pi running the home assistant has some appeal. But before we go that route, I'd like to summarize things, at least partly for myself.

You're looking to reconcile multiple services, which interact from your home network, outside, via the shared port 443 (for https traffic). How it's resolved is really the question. I would approach it from whatever path has the least resistance for you, whatever that may be. That could take the shape of:

I'm not terribly familiar with Route 53, from my personal experience so far. If my speed read of their product page is correct, they specialize in forwarding your local traffic up to AWS itself, as opposed to your choice of destination. I can't speak to further configuration on their part, but if it does the job, great.

Please keep some salt on hand as this is more into system administrator territory, whereas I've dabbled in such things but am a developer who is more used to handing those sorts of requirements off and not dealing with too many of those fiddly parts.

In any case, I hope that gives you some good ideas and inspiration for what will work for you.

Best of luck.

Eric

P.S.- I started off with TI-BASIC on my graphic calculator, writing expanded functions to solve my math homework and showing "steps" along the way.
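
Eric's remark that the existing nginx install on the Pi "has some appeal" suggests a second layout, shown here as an added example that is not part of the thread: instead of terminating TLS on Windows, the Windows nginx forwards the raw TLS connection based on the SNI name in the ClientHello, so the Pi keeps its Let's Encrypt certificate and does the decryption itself, and no certificate ever has to live on the Windows server. This uses the stream module's ssl_preread feature; the hostname home.example.link and the Pi address 192.168.1.50 are assumed placeholders, and it assumes the nginx build includes the stream modules (`nginx -V` lists them). It replaces, rather than adds to, an http block listening on 443, since only one server can own the port.

```nginx
# Added example, not from the original thread. Placeholders: home.example.link
# and 192.168.1.50 are assumptions. Requires the stream and ssl_preread modules.
worker_processes  1;

events {
    worker_connections  1024;
}

# No http block at all: nothing is decrypted on this host.
stream {
    # Pick the backend from the TLS server name sent by the client.
    map $ssl_preread_server_name $backend {
        home.example.link   192.168.1.50:443;   # assumed name and Pi address
        default             refuse;
    }

    # Nothing listens on 127.0.0.1:1, so a connection with any other SNI name,
    # or with no SNI at all (a scan by IP address), gets a refused connection
    # and never reaches anything on the LAN.
    upstream refuse {
        server 127.0.0.1:1;
    }

    server {
        listen 443;
        ssl_preread on;        # read the ClientHello, forward bytes unchanged
        proxy_pass $backend;
    }
}
```

Because the TLS session runs end to end between the browser and the Pi, the Windows host sees only encrypted bytes and cannot add the X-Forwarded-* headers from the earlier layout; the Pi's own nginx will log the Windows server's LAN address as the client unless the PROXY protocol is enabled on both ends. Validate with `nginx -t` before starting the service, as with any other change to the file.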