Apache proxy failing in iOS

Howdy,

I’ve got Home Assistant set up and running in Ubuntu, front-ended with Apache using the recommended proxy instructions. It works perfectly with my desktop browser (Firefox).

However, while both Safari and the Home Assistant app for iOS accept the username & password and appear to sign in successfully, they then stall at a page reporting “Unable to connect to Home Assistant”.

I tested directly accessing the python web service, and Home Assistant came up fine, though that’s not a viable solution in my situation.

The Apache logs and home-assistant.log aren’t indicating anything particularly useful.

Anyone else seen this?
Any suggestions?

Thanks.

I am using nginx in a broadly similar way, and Safari works for me. The error suggests it’s a websocket connection problem. Could you post your hass.conf Apache file please?

I’m running an nginx HTTPS reverse proxy on a Linode VPS that I run for other reasons, which redirects to my home public IP address, with HTTP port 8123 forwarded to the HA Pi but only open to the VPS’s IP address. These are the key lines that make the websocket connection work, similar to the ws and “upgrade” lines in the Apache conf:

    location / {
        proxy_pass http://MY_HOME_IP:8123;
        proxy_set_header Host             $host;
        proxy_set_header        X-Forwarded-Proto   $scheme;
        proxy_intercept_errors  on;
        proxy_http_version      1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

> Could you post your hass.conf Apache file please?

Happy to, any assistance is much appreciated:

    ProxyPreserveHost On
    ProxyRequests Off
    # Keep ownCloud on this virtual host out of the proxy
    ProxyPass /owncloud !
    ProxyPass /api/websocket ws://localhost:8123/api/websocket
    ProxyPassReverse /api/websocket ws://localhost:8123/api/websocket
    ProxyPass / http://localhost:8123/
    ProxyPassReverse / http://localhost:8123/
    RewriteEngine on
    # WebSocket upgrade requests go to the ws:// backend
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteCond %{REQUEST_URI} !^/owncloud
    RewriteRule /(.*) ws://localhost:8123/$1 [P,L]
    # Everything else goes to the HTTP backend
    RewriteCond %{HTTP:Upgrade} !=websocket [NC]
    RewriteCond %{REQUEST_URI} !^/owncloud
    RewriteRule /(.*) http://localhost:8123/$1 [P,L]

Note that I run an ownCloud service on the same virtual host (for reasons). I’m nobody’s RewriteRule expert, so it took me a while to get the reverse proxy to ignore the owncloud traffic.

Apache is doing the SSL management. I use a self-signed certificate, which neither Firefox nor Safari has any trouble with otherwise.

Thanks.

Hmm, that looks fine to me. I assume you’ve successfully installed mod_proxy_wstunnel as per instructions, otherwise Firefox probably wouldn’t work.

I’m afraid I’m out of suggestions; hopefully someone more expert in these matters will contribute.

Is there anything in your logs (/var/logs/apache2)?

> I assume you’ve successfully installed mod_proxy_wstunnel

Indeed, proxy_wstunnel is enabled.

Thanks for your suggestions.

> Is there anything in your logs?

Not that I can see, everything is coming up roses status 200!

Does HA log to anywhere else beyond the home-assistant.log file?

Thanks.

I think I’ve figured it out: Apache SSL was configured to use only TLSv1.3, nothing prior. I re-enabled TLSv1.2, and suddenly both Safari and the Home Assistant app fully connect – which is fantastic!

But I have no clue why the TLS version would matter. Only Apache is doing SSL, and Safari seems okay with TLSv1.3, otherwise I wouldn’t be able to access anything on my webserver from Safari, let alone be presented with a working Home Assistant sign on page.

So how does TLSv1.3 in Apache SSL get in the way of a complete login to the non-SSL Home Assistant server!?!

Signed,
Confused in Canada
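
The change described in the post above is made with mod_ssl's `SSLProtocol` directive. As an added example (not part of the original thread), this Python script evaluates `SSLProtocol` lines the way the `+`/`-` tokens combine and flags a configuration that leaves out TLSv1.2 or brings back deprecated versions. The helper names `effective_protocols` and `audit` are hypothetical, the sample lines are constructed, and the expansion of `all` is a simplification.

```python
import re

# Names SSLProtocol accepts; what "all" covers on a real build varies (simplified).
KNOWN = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
CANON = {p.lower(): p for p in KNOWN}
DEPRECATED = {"SSLv3", "TLSv1", "TLSv1.1"}  # RFC 7568, RFC 8996

def effective_protocols(args):
    """Apply SSLProtocol tokens left to right; return the enabled set."""
    enabled = set()
    for token in args.split():
        sign = token[0] if token[0] in "+-" else ""
        name = token.lstrip("+-").lower()
        if name == "all":
            chosen = set(KNOWN)
        elif name in CANON:
            chosen = {CANON[name]}
        else:
            raise ValueError(f"unknown protocol token {token!r}")
        if sign == "+":
            enabled |= chosen
        elif sign == "-":
            enabled -= chosen
        else:
            enabled = set(chosen)  # a bare name replaces what came before
    return enabled

def audit(conf_text):
    """Return (line_no, enabled, warnings) for every SSLProtocol line."""
    findings = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = re.match(r"\s*SSLProtocol\s+(.+?)\s*$", line, re.IGNORECASE)
        if not m:
            continue
        enabled = effective_protocols(m.group(1))
        warnings = []
        if "TLSv1.2" not in enabled:
            warnings.append("TLSv1.2 not enabled")
        if enabled & DEPRECATED:
            warnings.append("deprecated: " + ", ".join(sorted(enabled & DEPRECATED)))
        findings.append((no, sorted(enabled), warnings))
    return findings

# Constructed sample lines, not the poster's actual configuration.
SAMPLE_CONF = """\
SSLProtocol -all +TLSv1.3
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLProtocol all -SSLv3
"""
print(audit(SAMPLE_CONF))
```

The second sample line is the shape that re-enables TLSv1.2 without also turning on TLSv1.0 or TLSv1.1.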

Heh, wasn’t going to guess that one!

Have a look here: https://caniuse.com/#feat=tls1-3 — maybe Safari’s implementation of websockets over TLSv1.3 isn’t there yet.

Okay, that makes sense. Thanks again.