一、说明
解决 Home Assistant 通过 frp 内网穿透、服务器使用 Nginx 反向代理后,可以用域名访问但无法附加端口访问等问题。主要修改服务端 Nginx 配置和本地 Home Assistant 的相关配置。
二、服务端nginx代码
域名:abc.abc.com 对外端口:1234 转发端口(Nginx 后端):4321
# NOTE(review): no proxy_cache directive in this listing references keys_zone ha_yzjia_cn_cache — confirm it is used elsewhere or drop the directive
proxy_cache_path /www/wwwroot/abc.abc.com/proxy_cache_dir levels=1:2 keys_zone=ha_yzjia_cn_cache:20m inactive=1d max_size=5g;
# ########## 1. 1234端口:完全独立的HA代理配置(不依赖443)##########
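server {
    # Port 1234 only; deliberately not bound to 443 so this block stands on its own
    listen 1234 ssl;
    listen 1234 quic;  # HTTP/3 on the same port
    http2 on;
    server_name abc.abc.com;

    # TLS for port 1234, configured independently of the 443 block
    ssl_certificate /www/server/panel/vhost/cert/abc.abc.com/fullchain.pem;
    ssl_certificate_key /www/server/panel/vhost/cert/abc.abc.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;  # legacy protocol versions disabled
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL_1234:10m;  # session cache separate from the 443 block
    ssl_session_timeout 1d;

    # Advertise HTTP/3 for this port (stays valid if the 443 block is removed)
    add_header Alt-Svc 'quic=":1234"; h3=":1234"; h3-29=":1234"; h3-27=":1234"';
    # NOTE(review): HSTS is scoped to the host, not the port — browsers will also insist on HTTPS for abc.abc.com on 443
    add_header Strict-Transport-Security "max-age=31536000";

    # Plain HTTP sent to the TLS port: redirect to HTTPS and keep the port in the URL
    error_page 497 https://$host:$server_port$request_uri;

    # Certificate validation paths
    include /www/server/panel/vhost/nginx/well-known/abc.abc.com.conf;
    location /.well-known {
        allow all;
    }

    # Home Assistant reverse proxy.
    # No "^~" modifier here: with "location ^~ /" nginx stops at the prefix match and never
    # evaluates the regex location below, so the dot-file denial was unreachable. If the
    # included well-known conf defines regex locations, confirm they do not shadow HA paths.
    location / {
        proxy_pass http://127.0.0.1:4321;
        proxy_set_header Host $host;
        # NOTE(review): blanking Origin removes any origin-based cross-site check the upstream
        # performs; confirm it is really needed instead of forwarding $http_origin
        proxy_set_header Origin "";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;

        # WebSocket support (required by Home Assistant)
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        # Fixed to "upgrade" by the author's choice; the common form is a map of $http_upgrade
        # to $connection_upgrade in the http context — TODO confirm the upstream accepts this on plain requests
        proxy_set_header Connection "upgrade";

        # Timeouts independent of the 443 block; long read/send timeouts keep WebSocket sessions alive
        proxy_connect_timeout 60s;
        proxy_send_timeout 600s;
        proxy_read_timeout 600s;
    }

    # Deny dot-files (regex fixed: the inner dot of .user.ini was unescaped)
    location ~ ^/(\.user\.ini|\.htaccess|\.git|\.env) {
        return 404;
    }
    if ($uri ~ "^/\.well-known/.*\.(php|jsp|py)$") {
        return 403;
    }

    # Separate logs for this port
    access_log /www/wwwlogs/ha_1234.log;
    error_log /www/wwwlogs/ha_1234.error.log;
}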
# ########## 2. 443端口:独立配置(如需保留,可保留;如需删除,直接删除此块)##########
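server {
    listen 443 ssl;
    listen 443 quic;
    http2 on;
    server_name abc.abc.com;
    root /www/wwwroot/abc.abc.com;  # document root of the non-HA site served on 443

    # TLS for port 443, independent of the 1234 block
    ssl_certificate /www/server/panel/vhost/cert/abc.abc.com/fullchain.pem;
    ssl_certificate_key /www/server/panel/vhost/cert/abc.abc.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    # Narrower cipher list than the 1234 block — presumably intentional, confirm
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL_443:10m;  # session cache separate from the 1234 block
    add_header Alt-Svc 'quic=":443"; h3=":443"';
    add_header Strict-Transport-Security "max-age=31536000";

    # Site on 443 (static pages / PHP); Home Assistant is not proxied here
    include enable-php-00.conf;
    location / {
        try_files $uri $uri/ /index.php?$query_string;  # default routing for the 443 site
    }

    # Certificate validation and dot-file denial.
    # Regex fixed (the inner dot of .user.ini was unescaped) and aligned with the 1234 block:
    # this block serves files from a webroot, so .git and .env must not be downloadable.
    include /www/server/panel/vhost/nginx/well-known/abc.abc.com.conf;
    location ~ ^/(\.user\.ini|\.htaccess|\.git|\.env) {
        return 404;
    }

    access_log /www/wwwlogs/ha_443.log;
    error_log /www/wwwlogs/ha_443.error.log;
}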
四、homeassistant配置文件代码
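http:
  # Indentation restored: in the original every key sat at column 0, so nothing
  # below actually belonged to the http: section.
  # Accept the client address from X-Forwarded-For sent by the proxies listed below.
  # NOTE(review): any request that reaches HA from a trusted address bypassing Nginx
  # (e.g. if the forward port 4321 is reachable other than via 127.0.0.1) has its
  # X-Forwarded-For trusted as well — keep that port bound to loopback / firewalled.
  use_x_forwarded_for: true
  # Addresses from which a connection is treated as proxied.
  # NOTE(review): with frp in the path the peer HA sees is presumably the frp client
  # side, not the public Nginx server — verify against HA's logs before listing a public IP.
  trusted_proxies:
    - 127.0.0.1  # loopback; required when the proxy or tunnel endpoint runs on the same host as HA
    - 1.2.3.4    # placeholder: the proxy's own IP, only if it connects to HA directly
  # URL as users reach HA through Nginx: the domain and the external port from section 2
  # (abc.abc.com:1234), not the upstream forward port 4321 and not a different domain.
  # NOTE(review): newer Home Assistant releases replace http.base_url with external_url
  # under homeassistant: — check the version in use.
  base_url: https://abc.abc.com:1234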
五、原理
通过 1234 端口稳定访问 Home Assistant(HA),同时确保 443 端口可独立处理其他业务(或删除 443 不影响 1234)。