Hello, my setup:
Internet server with a public IP running an Apache server with several virtual hosts, with SSL enabled. One of them is a reverse proxy for my HA.
HA is set up in the internal environment and has only an outgoing connection to the internet. It has only plain HTTP, no SSL.
VPN between both servers with a dedicated IP range. I don’t use DuckDNS as I have my own domain and the server has a static IP and of course, on the internet server there is nothing from HA.
When I connect to a dedicated external URL I can log in and if the credentials are correct I see:
“Unable to connect to Home Assistant.
RETRY”
In logs I can see:
Login attempt or request with invalid authentication from (). (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36)
But this is the external IP address of the client (Windows) computer. Of course, I don’t like to whitelist all the internet in the configuration, so the question is - what am I doing wrong, and how do I set it up correctly?
Of course, I have whitelisted all proxy IPs in configuration “http:”
Configs:
<IfModule mod_ssl.c>
  <VirtualHost <name>:443>
    ProxySourceAddress <IP1>
    ProxyPass / http://<IP2>:8123/
    ProxyPassReverse / http://<IP2>:8123/
    ServerName <name>
    SSLCertificateFile <file>
    SSLCertificateKeyFile <file>
  </VirtualHost>
</IfModule>
where IP1 is the proxy server’s VPN local address, and IP2 is HA’s VPN address.
HA config:
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 10.0.0.0/8
    - <IP3>/32
10.0.0.0/8 includes both the HA server’s local address subnet and the VPN’s subnet as well, so the proxy server’s VPN address is included…
IP3 - the proxy server’s external IP. (In theory, it shouldn’t be needed, but added just in case.)
So why is HA complaining about the client’s external address if it should check the proxy IP?
Thank you!
Cheers!
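
An added example, not part of the original post and not Home Assistant's own code: a simplified model of the common right-to-left X-Forwarded-For resolution against a trusted-proxy list, under the assumption that the backend follows this scheme. It shows why the address reported in the log is the browser's public IP once the proxy is trusted, and how trusting all of 10.0.0.0/8 differs from trusting only the proxy. All addresses are constructed sample values.

```python
import ipaddress


def resolve_client_ip(peer_ip, x_forwarded_for, trusted_proxies):
    """Return the address the backend treats as the client (simplified model)."""
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_trusted(ip):
        return any(ip in net for net in trusted)

    peer = ipaddress.ip_address(peer_ip)
    # A header from an untrusted peer is sender-controlled, so ignore it.
    if not x_forwarded_for or not is_trusted(peer):
        return str(peer)
    try:
        hops = [ipaddress.ip_address(h.strip()) for h in x_forwarded_for.split(",")]
    except ValueError:
        return str(peer)  # malformed header: fall back to the socket address
    # Walk right to left: the first hop that is not a trusted proxy is the client.
    for hop in reversed(hops):
        if not is_trusted(hop):
            return str(hop)
    return str(hops[0])  # every hop is trusted: use the originating one


# Constructed sample values (not from the post).
PROXY_VPN = "10.8.0.1"        # stands in for <IP1>
BROWSER = "203.0.113.50"      # public address of the client PC
LAN_HOST = "10.20.30.40"      # some other machine inside 10.0.0.0/8


def demo():
    wide, narrow = ["10.0.0.0/8"], [PROXY_VPN + "/32"]
    return {
        # Proxy is trusted, so the forwarded browser address is what gets logged.
        "via_proxy": resolve_client_ip(PROXY_VPN, BROWSER, wide),
        # A hop the client prepended itself is never reached by the walk.
        "client_prepended": resolve_client_ip(PROXY_VPN, "10.1.2.3, " + BROWSER, wide),
        # With the whole /8 trusted, any internal host's header is believed.
        "lan_host_wide": resolve_client_ip(LAN_HOST, "192.0.2.1", wide),
        # With only the proxy trusted, the same header is ignored.
        "lan_host_narrow": resolve_client_ip(LAN_HOST, "192.0.2.1", narrow),
    }


if __name__ == "__main__":
    for case, ip in demo().items():
        print(f"{case:18} -> {ip}")
```

Under this model the client address in the log line is expected behaviour with `use_x_forwarded_for: true`; it does not mean the proxy address was rejected.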