Cannot access HA remotely though a reverse proxy

dad-cmyk · December 28, 2020, 7:51pm

Port 80 and 443 are forwarded to my Synology NAS. The Synology NAS manages web requests using its reverse proxy, it also manages SSL certs using LetsEncrypt. The NAS also runs docker and the container for HA itself.

The reverse proxy settings look like this:

When accessing https://ha.xx.net I am presented with the logon page for authentication, when the UN and PW are provided I get this page:

Looking at the log file i can see:

2020-12-28 19:39:52 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from ha.xxxx.net (192.168.0.40) (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36)

I have replaced my domain with xxxx for the sake of privacy.

Would HA take issue with a user authenticating through a reverse proxy? I have a number of services set up this way (also running in docker containers, albeit on a different host) and I have no such issues.

I can connect to HA using its local IP address (http://192.168.0.40:8123)

andy_mk3 · December 28, 2020, 10:17pm

Add this to config.yaml:

http:
  server_port: 8123
  use_x_forwarded_for: true
  trusted_proxies: <ip_of_proxy>

dad-cmyk · December 28, 2020, 10:36pm

Thanks @andy_mk3

My config file now looks like this

**
# Configure a default setup of Home Assistant (frontend, api, etc)
default_config:

http:
  server_port: 8123
  use_x_forwarded_for: true
  trusted_proxies: 192.168.0.40
  
# Text to speech
tts:
  - platform: google_translate
    cache: true
    cache_dir: /tmp/tts
    time_memory: 300
    base_url: http://192.168.0.40:8123
    service_name: google_say

group: !include groups.yaml
automation: !include automations.yaml
script: !include scripts.yaml
scene: !include scenes.yaml

I restarted my HA and tried again but no change.

andy_mk3 · December 28, 2020, 10:50pm

Is that the IP of your reverse proxy as well as your HA yes?

dad-cmyk · December 28, 2020, 11:04pm

@andy_mk3, that is correct. The Synology NAS runs docker where the HA container is, it is also the reverse proxy. Do you think that may be causing issues?

dad-cmyk · December 28, 2020, 11:08pm

The exact error im seeing in the log is:

Where desktop.home.xxx.net is the PC that im using to try log onto HA. Ive also tried by accessing https://ha.xxx.net from my mobile phone while disconnected from the WiFi to see if that causes any different behaviour. It does not.

dad-cmyk · December 29, 2020, 12:18am

I fired up a nginx container on another docker host (192.168.0.41) and configured it as a reverse proxy. I forwarded port 80 and 443 to 192.168.0.41. Created a virtual host for the HA container running on my NAS.
The exact same behaviour was observed. Connections were made to the front page for authentication however after authenticating the “Unable to connect to Home Assistant.” error was presented.
Edit: Further testing involved trying without SSL however this changed nothing.

dad-cmyk · December 29, 2020, 6:04pm

I have corrected this. In the nginx virtual host you need to add some proxy_set_header’s

Upgrade     $http_upgrade;
Connection  "upgrade";

andy_mk3 · December 31, 2020, 4:12pm

Glad you sorted it. Just checked my config and it’s the same, had completely forgotten about that part.