403: Forbidden

Well for me it was solved by just removing the banned IP from the list. I still have IP_ban_enabled=true now.

I couldn’t do that when I started this thread because I didn’t have my IP banned in the file to begin with… Maybe I’ll make another try now and enable it, haven’t had the time.

Thanks for this, for me it was the ip ban config that resulted in the 403 errors.

Glad I found this thread! Had the same 403 error and am certain I’d not changed anything, looked at the logs which complained about duplicate IPs in /config/ip_bans.yaml. Turns out the duplicate was my own external IP, so basically HA banned itself and I wonder how it did that. Commenting out my IP and restarting got me back to normal operation.

Wow so after wasting 3 days trying to fix HA I finally find this thread and realize this is an ongoing issue since 2019 and as of 2022 the only solution is to completely remove IP-ban protections on a PUBLIC control panel for my entire house with my camera feeds and buttons to unlock the front door? Seems like a recipe for a disaster to get hacked. I already had many failed login attempts and I’m supposed to remove all protections now?

I even made sure to set “max failed login attempts” at 10 but HA is banning myself even if I didn’t have any failed login attempts.

lol… I guess I won’t be enabling ipban yet then… I bet there are a few Auth-options in the GUI nowadays?

I ended up disabling IP-bans and enabling 2FA

Disabling ip ban did not solve the 403 issue for me. Maybe it is my reverse proxy setting when coming from external IPs? Internally it is working fine.

I have the same problem at the moment using NGINX and DuckDNS.

Fixed it - somehow. Needed to delete these files after setting everything up and disabling ip_ban:

The symptoms described in the posts above look very familiar to what I am experiencing.

Out of the blue I am not able to access my Home Assistant instance using the Android Companion app. I get the 403 Forbidden error. Using the local IP when I am on my home wifi works fine. Accessing from outside of my network (tested using 4G connection on my cell phone) using my duckdns url works fine as well, but using the duckdns url when connected to my home wifi is giving me these errors. Setting ip_ban to false seems to work but I do want this functionality for security reasons. Last but not least, the 403 error was not caused by my IP being banned as it did not show up in the banned IP list.

Can someone help in really understanding what is causing this and how to fix this? The WAF is on the decline here ):
Thanks.

EdwinH, were you able to understand the cause? I am experiencing the exact same issue with the exception that the Docker IP, my local network IP and an IPv6 address were added to the ip_bans file. Thanks

Turned out that our son had incorrect logon credentials in his cellphone causing our router external IP address to be banned by HA when he was on the local network (he was accessing HA via the external url). Providing the correct credentials solved it.

That would do it. Thanks
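A read-only check for the conditions reported in the posts above (a duplicate entry, Docker or local-network addresses in the ban list, and one's own external IP being banned), as an added example that is not part of the thread or of Home Assistant. The file layout (IP as a top-level key with a `banned_at` field beneath it), the sample addresses and the function names are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample; assumed layout: IP as top-level key, banned_at beneath it.
SAMPLE = """\
203.0.113.7:
  banned_at: '2022-03-01T08:15:02'
172.17.0.1:
  banned_at: '2022-03-02T19:40:11'
192.168.1.23:
  banned_at: '2022-03-02T19:41:50'
'fe80::1c2a:3bff:fe4d:5e6f':
  banned_at: '2022-03-03T07:02:33'
203.0.113.7:
  banned_at: '2022-03-04T21:10:45'
# 198.51.100.9:
#   banned_at: '2022-03-05T10:00:00'
"""

# Ranges that normally belong to the local network, Docker bridges or the host.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def banned_ips(text):
    """Yield every top-level key that parses as an IP address, in file order."""
    for line in text.splitlines():
        line = line.rstrip()
        # Skip blanks, nested fields, commented-out entries and non-key lines.
        if not line or line[0] in " \t#" or not line.endswith(":"):
            continue
        try:
            yield ipaddress.ip_address(line[:-1].strip("'\""))
        except ValueError:
            continue

def audit_ip_bans(text, own_ips=()):
    """Report duplicate keys, internal addresses and bans on one's own IPs."""
    own = {ipaddress.ip_address(ip) for ip in own_ips}
    counts = Counter(banned_ips(text))
    return {
        "duplicates": sorted(str(ip) for ip, n in counts.items() if n > 1),
        "internal": sorted(str(ip) for ip in counts
                           if any(ip in net for net in INTERNAL_NETS)),
        "self_banned": sorted(str(ip) for ip in counts if ip in own),
    }

if __name__ == "__main__":
    print(audit_ip_bans(SAMPLE, own_ips=["203.0.113.7"]))
```

The file is scanned line by line rather than loaded with a YAML parser because a parser would silently merge the duplicate keys that the log complained about.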

Same issue for me but oddly only started happening around 2022.2 or 2022.3.

I’ve got HA core in docker on Unraid with a reverse proxy (swag) and my iPhone app is only configured to use the External link https://hass.mydomain.com/. My domain is handled through cloudflare with wildcard subdomains and the setting to reveal IPs from incoming traffic on.

Every time I walk the dog or come and go between LTE and local WiFi it throws a 403 and a notification in the app.

I’ve also got pfSense as my router with pfBlocker, ngtop and avahi packages running. Maybe the answer is in the firewall logs.

Finally I think I “fixed” it by setting the internal IP in the HA companion app (http://x.x.x.x:8123/) when SSID matches. Not sure if this is a security risk but it seems to work out of the box. Obviously this now bypasses the firewall so I’m left to wonder again if the answer is in pfSense somewhere.

Would be interesting to see if any of the devs could reproduce this problem. I would like to enable the ban feature again.

Update on my end, I don’t get errors any more when I’m on local WiFi, but I still get errors when switching IPs on my iPhone while I’m on external WiFi or LTE.

To me this indicates an issue when I’m hopping around IPs through my reverse proxy. I’m running swag within docker (nginx). Here is my proxy config. If anyone has any insight please share.

Note: my ssl, proxy and resolver conf are all standard config in the nginx container.

Thanks!

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name hass.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app <homeassistant-ip>;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
    location ~ ^/(api|local|media)/ {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app <homeassistant-ip>;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}

I had the same issue today. But strange, because it happened all of a sudden.

I’m wondering if there isn’t a way to whitelist a MAC address, for example from the mobile device that you’re using. So regardless of the IP address, if you log in through the device it will let the connection through.

Could be that that is not possible; in that case forgive me for my limited IT knowledge.

We have to know more about what is happening under the hood. Why is HA blocking the traffic? Obviously it finds some reason to block it because it happens the most when ppl come from inside the network and try to go through from the outside. How is the blocking algorithm working, I wonder. Any devs here?

Been running for a few years and now this is happening both for Android and iOS on local.