Cannot Connect to HA via External URL on Apple Devices

Hi there,
I’ve set up my Home Assistant core in a Linux Docker environment. I used a combination of nginx and Let’s Encrypt to make it available via a subdomain.
On both my Windows PC and notebook I can connect via the local IP address and via the external domain I set up without any issues.
However, if I try to connect with my mobile apps on iPhone, iPad and macOS I get the error “Unable to connect to Home Assistant” RETRY.

I can get it to work if I enter the internal address manually in the settings of the mobile apps. But if I turn off my Wi-Fi, so that I’m only connected via mobile data, the iOS client also refuses to connect with the same error message.
Additionally, if I try to log in via the web browser on any of my Apple devices via the domain URL, I also get the same error message, but it works via the local IP address.

I have set up external access in the configuration.yaml:

homeassistant:
  external_url: "https://assistant.mydomain.xyz/"
  internal_url: "http://192.168.178.60:8123"

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.178.60

And I think I set up my nginx configuration correctly for my subdomain:

map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

upstream assistant {
    server 192.168.178.60:8123;
}

server {

    listen 80;
    listen [::]:80;
    server_name assistant.mydomain.xyz;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://$host$request_uri;
    }

    if ($host != assistant.mydomain.xyz) {
        return 403;
    }

}

server {

    if ($host != assistant.mydomain.xyz) {
        return 403;
    }

    server_name assistant.mydomain.xyz;

    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";

    ssl_certificate /etc/letsencrypt/live/mydomain.xyz/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomain.xyz/privkey.pem;

    proxy_buffering off;

    location / {
        proxy_pass http://assistant;
        proxy_set_header Host $host;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}

And for good measure this is my main nginx.conf file:

user nginx;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
    # multi_accept on;
}

http {

    set_real_ip_from 0.0.0.0/0;
    real_ip_header X-Forwarded-For;
    real_ip_recursive on;

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##

    ssl_session_cache shared:le_nginx_SSL:1m;
    ssl_session_timeout 1440m;

    ssl_protocols TLSv1.3;
    ssl_prefer_server_ciphers on;

    ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384';

    ssl_dhparam /etc/nginx/ssl-dhparams.pem;

    ##
    # Logging Settings
    ##

    log_format formated escape=json
        '{'
        '"requestId":"$request_id",'
        '"remoteAddress":"$remote_addr",'
        '"remoteUser":"$remote_user",'
        '"requestTimestamp":"$time_iso8601",'
        '"host":"$http_host",'
        '"request":"$request",'
        '"status":"$status",'
        '"bodyBytesSend":"$body_bytes_sent",'
        '"httpReferer":"$http_referer",'
        '"httpUserAgent":"$http_user_agent"'
        '}';

    access_log /var/log/nginx/formated_access.log formated;
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    gzip on;

    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
}

I don’t know if this is a problem with the SSL certificates or the encryption settings, like HTTP/2, TLS v1.3 or the ciphers I enabled?

Looking into the container logs of Home Assistant, no errors show up.
The container logs of nginx reveal some kind of HTTP 304 error for the Lovelace UI.
Authentication and registration of the apps in and of themselves work. They show up in the integrations panel. It seems only the UI won’t load?

Any help would be greatly appreciated. Thanks in advance :slight_smile:

Same issue here.
iOS browser not working, but in my case the app works without issue.

Tried various nginx configs but no change. A clue may lie in the fact that I don’t believe this occurred until the latest iOS version release. Previously my iPad and iPhone had no issue.

Yes, I thought so too. I had Hass set up on my Raspberry Pi previously and everything worked with my configuration; I set up my dedicated server now and changed my nginx configuration in the process, though.
I updated my iPhone to iOS 14.6 yesterday evening, but my iPad is still on 14.5, so I don’t think it is the iOS version.

I run a reverse proxy nginx server on a Linode VPS pointing at my home installation on a Synology NAS. This works fine on my iPhone 6s running iOS 14.5.

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    send_timeout 300;
    server_name HOME_DOMAIN;

    access_log /var/log/nginx/access.log timed_combined;
    error_log /var/log/nginx/error.log;

    ssl_certificate /etc/letsencrypt/live/HOME_DOMAIN/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/HOME_DOMAIN/privkey.pem;
    ssl_stapling on;
    ssl_stapling_file /etc/letsencrypt/live/HOME_DOMAIN/ocsp.resp;
    # ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/HOME_DOMAIN/fullchain.pem;
    # ssl_session_timeout 5m;
    ssl_dhparam /etc/nginx/ssl/dhparams.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # Use HTTP Strict Transport Security to force secure connections only
    add_header Strict-Transport-Security max-age=31536000;
    add_header Permissions-Policy "interest-cohort=()";

    location / {
        proxy_pass http://HOME_IP:8123;
        proxy_set_header Host             $host;
        proxy_set_header        X-Forwarded-Proto   $scheme;
        proxy_intercept_errors  on;
        proxy_http_version      1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

I’m just installing 14.6 now, will report back if any difference.

1 Like
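As an added check (not code from this thread or from the Home Assistant project), a small Python linter that compares an nginx snippet against the proxy directives on which the two configs in this thread differ, and also flags the `set_real_ip_from 0.0.0.0/0` line from the original nginx.conf, which makes nginx trust X-Forwarded-For from any client. The two sample configs are constructed from the relevant lines of the posts above.

```python
import re

# Proxy headers Home Assistant's frontend and iOS app rely on, with the values the two
# configs in this thread use (a regex per header). X-Forwarded-Proto is the one the original lacked.
REQUIRED_HEADERS = {
    "Host": r"\$host",
    "X-Forwarded-For": r"\$proxy_add_x_forwarded_for",
    "X-Forwarded-Proto": r"\$scheme",
    "Upgrade": r"\$http_upgrade",
    "Connection": r'(\$connection_upgrade|"?[Uu]pgrade"?)',
}

def lint_proxy_config(config: str) -> list:
    """Return human-readable findings for an nginx snippet; an empty list means it passes."""
    findings = []
    headers = dict(re.findall(r"proxy_set_header\s+(\S+)\s+(.+?)\s*;", config))
    for name, pattern in REQUIRED_HEADERS.items():
        value = headers.get(name)
        if value is None:
            findings.append(f"missing proxy_set_header {name}")
        elif not re.fullmatch(pattern, value):
            findings.append(f"unexpected value for {name}: {value}")
    if not re.search(r"proxy_http_version\s+1\.1\s*;", config):
        findings.append("proxy_http_version 1.1 is required for the websocket upgrade")
    # Accepting X-Forwarded-For from every source lets any client forge the address
    # Home Assistant sees, which undermines its ip_ban and trusted_networks checks.
    for cidr in re.findall(r"set_real_ip_from\s+(\S+)\s*;", config):
        if cidr in ("0.0.0.0/0", "::/0"):
            findings.append(f"set_real_ip_from {cidr} trusts X-Forwarded-For from anyone")
    return findings

# Constructed samples: the relevant lines of the original config and of the working one.
ORIGINAL_CONFIG = """
set_real_ip_from 0.0.0.0/0;
location / {
    proxy_set_header Host $host;
    proxy_http_version 1.1;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
}
"""
WORKING_CONFIG = """
location / {
    proxy_set_header Host             $host;
    proxy_set_header        X-Forwarded-Proto   $scheme;
    proxy_http_version      1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
"""
```

Run `lint_proxy_config(ORIGINAL_CONFIG)` to see the two findings for the original setup; the working config returns no findings.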

I’ve changed my config to match yours, without the ssl_stapling part. And now it works!
There must have been some minor error in my config, but now I can reach my Hass installation from mobile data with my phone. Thank you :slight_smile:

1 Like