Apache reverse proxy configuration – Docker home assistant

I can access my hassio instance through the IP 192.168.1.100:8123, within my LAN, and I am trying to configure the reverse proxy to be able to access homeassistant from outside the home.

Homeassistant is installed in Docker, on a Debian 11 server where I also have CollaboraOffice online and Nextcloud installed, and we access all of this from WLAN because we resolve DNS with NO-IP.

I have added the domain that I created for homeassistant in NO-IP so that the IP can be resolved.

Within /etc/apache2/sites-available I have created the file homeassistant.conf

<VirtualHost *:80>
         ServerName home-aaaaa.aaa.com

         ErrorLog ${APACHE_LOG_DIR}/error.log
         CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Then I did:
a2ensite homeassistant
systemctl reload apache2

I generated the Let's Encrypt certificates with certbot --apache and it was successful, and an SSL file called homeassistant-le-ssl.conf was generated:

<IfModule mod_ssl.c>
<VirtualHost *:443>
         ServerName home-aaaaa.aaa.com

         ErrorLog ${APACHE_LOG_DIR}/error.log
         CustomLog ${APACHE_LOG_DIR}/access.log combined


Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/home-aaaaa.aaa.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/home-aaaaa.aaa.com/privkey.pem
</VirtualHost>
</IfModule>

And I completed it with this code

<IfModule mod_ssl.c>
<VirtualHost *:443>
         ServerName home-aaaaa.aaa.com

         ProxyPreserveHostOn
         Proxy Requests Off
         ProxyPass /api/websocket ws://192.168.1.100:8123/api/websocket
         ProxyPassReverse /api/websocket wss://192.168.1.100:8123/api/websocket
         ProxyPass / http://192.168.1.100:8123/
         ProxyPassReverse / http://192.168.1.100:8123/

         RewriteEngine on
         RewriteCond %{HTTP:Upgrade} websocket [NC]
         RewriteRule ^/?(.*) ws://192.168.1.100:8123/$1 [P,L]

         <Location "/">
                 satisfy any
         </Location>
         <Location "/api">
                 satisfy any
         </Location>

         ErrorLog ${APACHE_LOG_DIR}/error.log
         CustomLog ${APACHE_LOG_DIR}/access.log combined


Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/home-aaaaa.aaa.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/home-aaaaa.aaa.com/privkey.pem
</VirtualHost>
</IfModule>

I try to access the link home-aaaaa.aaa.com and I get the following message: 400: Bad Request

2 Likes

Finally found a working configuration for an apache2 ssl proxy setup. Exactly what I needed. Thanks for posting this!


<IfModule mod_ssl.c>
SSLStaplingCache shmcb:/var/run/apache2/stapling_cache(128000)
<VirtualHost *:1443>
    ServerName myhostname.and.the.domain
    ErrorLog ${APACHE_LOG_DIR}/haerror.log
    CustomLog ${APACHE_LOG_DIR}/haaccess.log combined

    ProxyPreserveHost on

    <Location /api/websocket>
        ProxyPass wss://ip.adress.of.homassistant:8123/api/websocket
        ProxyPassReverse wss://ip.adress.of.homassistant:8123/api/websocket
        satisfy any
    </Location>

    <Location />
        ProxyPass http://ip.adress.of.homassistant:8123/
        ProxyPassReverse http://ip.adress.of.homassistant:8123/
        satisfy any
    </Location>

     RewriteEngine on
     RewriteCond %{HTTP:Upgrade} websocket [NC]
     RewriteRule ^/?(.*) ws://ip.adress.of.homassistant:8123/$1 [P,L]

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLUseStapling on
    SSLCertificateFile /etc/letsencrypt/live/myhostname.and.the.domain/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/myhostname.and.the.domain/privkey.pem
</VirtualHost>
</IfModule>


1 Like

I’m having an issue with an Apache 2 reverse Proxy and HA.

I have no problem getting the HA login page, but after I log in it fails to auth and keeps retrying.

I had a slightly different config, but I am using the one from above and it behaves exactly the same.

Looking at the developer console I can see that it is failing to post to /auth/token resulting in an uncaught promise.

I have tried adding specific ProxyPass rules for /auth but it makes no difference.

Does anyone know the secret to making HA work with an Apache2 proxy?

Everything working.

The homeassistant-le-ssl.conf file finally looks like this.

<IfModule mod_ssl.c>
<VirtualHost *:443>
         ServerName home-aaaaa.aaa.com

         ProxyPreserveHostOn
         Proxy Requests Off
         ProxyPass /api/websocket ws://192.168.1.100:8123/api/websocket
         ProxyPassReverse /api/websocket wss://192.168.1.100:8123/api/websocket
         ProxyPass / http://192.168.1.100:8123/
         ProxyPassReverse / http://192.168.1.100:8123/

         RewriteEngine on
         RewriteCond %{HTTP:Upgrade} websocket [NC]
         RewriteRule ^/?(.*) ws://192.168.1.100:8123/$1 [P,L]

         <Location "/">
                 satisfy any
         </Location>
         <Location "/api">
                 satisfy any
         </Location>

         ErrorLog ${APACHE_LOG_DIR}/error.log
         CustomLog ${APACHE_LOG_DIR}/access.log combined


Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/home-aaaaa.aaa.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/home-aaaaa.aaa.com/privkey.pem
</VirtualHost>
</IfModule>

And also inside homeassistant in the configuration.yaml file (in my case) I added the following:

http:
   use_x_forwarded_for: true
   trusted_proxies:
     - 192.168.1.1
     - 192.168.1.0/24
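
The `http:` block above controls one decision on the backend: whether to believe the `X-Forwarded-For` header that Apache adds, and a proxied request that fails that decision is answered with a 400. The following is an added example, not code from this thread or from Home Assistant: a simplified Python model of that check, using constructed addresses, that puts the posted `/24` entry beside an entry listing only the proxy (assumed here to be Apache on 192.168.1.100).

```python
import ipaddress

class BadRequest(Exception):
    """Stands in for the HTTP 400 the backend answers with."""

def client_ip(peer, xff, use_x_forwarded_for, trusted_proxies):
    """Return the address the backend treats as the client, or raise BadRequest."""
    nets = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def trusted(ip):
        return any(ip in n for n in nets)

    if xff is None:
        return peer                       # direct request, no header to interpret
    if not use_x_forwarded_for:
        raise BadRequest("forwarded header received but proxy support is off")
    if not trusted(ipaddress.ip_address(peer)):
        raise BadRequest(f"X-Forwarded-For from untrusted peer {peer}")
    try:
        hops = [ipaddress.ip_address(h.strip()) for h in xff.split(",")]
    except ValueError as exc:
        raise BadRequest(f"malformed X-Forwarded-For: {exc}") from None
    # Walk the chain right to left: the first hop outside the trusted
    # networks is the client; if every hop is trusted, use the left-most.
    for hop in reversed(hops):
        if not trusted(hop):
            return str(hop)
    return str(hops[0])

def outcome(*args):
    """Run client_ip and fold a rejection into a printable string."""
    try:
        return client_ip(*args)
    except BadRequest as exc:
        return f"400 ({exc})"

# Constructed sample values; the addresses follow the thread's 192.168.1.x LAN.
APACHE = "192.168.1.100"        # assumed: Apache runs on the Home Assistant host
LAN_DEVICE = "192.168.1.50"     # assumed: some other machine on the LAN
WIDE = ["192.168.1.1", "192.168.1.0/24"]   # trusted_proxies as posted
NARROW = ["192.168.1.100"]                 # only the proxy itself

if __name__ == "__main__":
    print("no http: section    ", outcome(APACHE, "203.0.113.7", False, []))
    print("posted config       ", outcome(APACHE, "203.0.113.7", True, WIDE))
    print("LAN device, /24     ", outcome(LAN_DEVICE, "198.51.100.9", True, WIDE))
    print("LAN device, narrowed", outcome(LAN_DEVICE, "198.51.100.9", True, NARROW))
```

With the `/24` entry, the header sent by any LAN machine is taken at face value, so logged and banned addresses are only as reliable as every host on that network; listing just the proxy keeps that trust to one peer. The peer address is whatever the backend sees on the TCP connection, which with Docker bridge networking can be a bridge address rather than the host's LAN address.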

→ ProxyPreserveHost On

→ ProxyRequests Off

Hi rolfinoz. I have the exact issue you’re describing with the /auth/token page giving me a 400, bad request. I’ve tried every permutation of apache2 configurations that I could think of. Nothing seems to work.

My setup:

Manifest driven podman play kube instance with hostNetwork: true
SSL managed by the apache2 instance
(But I was hoping to have https->https, for now I just want https->http to work)

configuration.yaml file:

http:
  # ssl_certificate: /etc/letsencrypt/live/mydomain/fullchain.pem
  # ssl_key: /etc/letsencrypt/live/mydomain/privkey.pem
  trusted_proxies: ["192.168.0.X", "192.168.0.0/24"]
  use_x_forwarded_for: true

I’ve tried mimicking the configuration posted by @fminarro and @nielssiebert

I get no errors in my apache2 logs, and I get this on the HA end:

2024-12-08 09:48:03.937 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from MY_IP (MY_IP). Requested URL: '/auth/token'. (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36)

The apache2 debug logs regarding this endpoint:

[Sun Dec 08 09:51:46.536673 2024] [proxy:debug] [pid 988781] proxy_util.c(2553): AH00943: http: has released connection for (192.168.0.X)
[Sun Dec 08 09:51:46.550356 2024] [ssl:debug] [pid 988781] ssl_engine_kernel.c(415): [client 192.168.0.143:59302] AH02034: Subsequent (No.2) HTTPS request received for child 10 (server home.morill.es:443), referer: https://home.morill.es/lovelace?auth_callback=1&code=383fbda5c48743e48c138592156d3613&state=eyJoYXNzVXJsIjoiaHR0cHM6Ly9ob21lLm1vcmlsbC5lcyIsImNsaWVudElkIjoiaHR0cHM6Ly9ob21lLm1vcmlsbC5lcy8ifQ%3D%3D&storeToken=true
[Sun Dec 08 09:51:46.550503 2024] [proxy:debug] [pid 988781] mod_proxy.c(1513): [client 192.168.0.143:59302] AH01143: Running scheme http handler (attempt 0), referer: https://home.morill.es/lovelace?auth_callback=1&code=383fbda5c48743e48c138592156d3613&state=eyJoYXNzVXJsIjoiaHR0cHM6Ly9ob21lLm1vcmlsbC5lcyIsImNsaWVudElkIjoiaHR0cHM6Ly9ob21lLm1vcmlsbC5lcy8ifQ%3D%3D&storeToken=true
[Sun Dec 08 09:51:46.550525 2024] [proxy:debug] [pid 988781] proxy_util.c(2538): AH00942: http: has acquired connection for (192.168.0.X)
[Sun Dec 08 09:51:46.550540 2024] [proxy:debug] [pid 988781] proxy_util.c(2601): [client 192.168.0.143:59302] AH00944: connecting http://192.168.0.X:8123/auth/token to 192.168.0.X:8123, referer: https://home.morill.es/lovelace?auth_callback=1&code=383fbda5c48743e48c138592156d3612&state=eyJoYXNzVXJsIjoiaHR0cHM6Ly9ob21lLm1vcmlsbC5lcyIsImNsaWVudElkIjoibHR0cHM6Ly9ob21lLm1vcmlsbC5lcy8ifQ%3D%3D&storeToken=true
[Sun Dec 08 09:51:46.550561 2024] [proxy:debug] [pid 988781] proxy_util.c(2824): [client 192.168.0.143:59302] AH00947: connected /auth/token to 192.168.0.X:8123, referer: https://home.morill.es/lovelace?auth_callback=1&code=383fbda5c48743e48c138592156d3612&state=eyJoYXNzVXJsIjoiaHR0cHM6Ly9ob21lLm1vcmlsbC5lcyIsImNsaWVudElkIjoibHR0cHM6Ly9ob21lLm1vcmlsbC5lcy8ifQ%3D%3D&storeToken=true
[Sun Dec 08 09:51:46.550860 2024] [proxy:debug] [pid 988781] proxy_util.c(3290): AH02824: http: connection established with 192.168.0.X:8123 (192.168.0.X)
[Sun Dec 08 09:51:46.550917 2024] [proxy:debug] [pid 988781] proxy_util.c(3476): AH00962: http: connection complete to 192.168.0.X:8123 (192.168.0.X)
[Sun Dec 08 09:51:46.561405 2024] [proxy:debug] [pid 988781] proxy_util.c(2553): AH00943: http: has released connection for (192.168.0.X)

That auth token contains valid login information since I just used it to log in on the previous page. I’m stuck on the lovelace "Unable to connect to Home Assistant." page.

/auth/token payload:

client_id: https://home.mydoma.in/
code: 383fbda5c48743e48c138592156d3612
grant_type: authorization_code

and the response for the token request is:

{"error":"invalid_request","error_description":"Invalid code"}

If anyone has had this issue and found the solution, please let me know!
I'm slowly going crazy.