My HA installation won’t accept Username + Password authentication anymore, from any client, when connecting via reverse-proxy. I saw the breaking change of the http header, so I changed the required settings. Connection via direct IP is working fine, where I can find logs that tell me the authentication is invalid: Login attempt or request with invalid authentication from xx.xx.xx.xx
while the same authentication is used to look at the error at all.
I cannot find anything in the logs that would tell me where to look for solutions at all. I tried setting the http segment in configuration to:
```yaml
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.0.0/16
```
My docker proxy lives on a 192.168.0.0 segment, which is the same segment as HA.
I use the Linuxserver nginx proxy with the following configuration. I added `proxy_set_header Upgrade $http_upgrade;` and `proxy_set_header Connection "Upgrade";` as troubleshooting from other threads.
```nginx
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name hass.*;
    include /config/nginx/ssl.conf;
    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app Home-assistant;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }

    location /api {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app Home-assistant;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}
```
proxy.conf settings:
```nginx
client_body_buffer_size 128k;

# Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;

# TLS 1.3 early data
proxy_set_header Early-Data $ssl_early_data;

# Basic Proxy Config
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Ssl on;
proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
#proxy_cookie_path / "/; HTTPOnly; Secure"; # enable at your own risk, may break certain apps
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 32 4k;
proxy_headers_hash_bucket_size 128;
proxy_headers_hash_max_size 1024;
```
What am I missing here? The authentication is obviously valid because I can log in directly. I tried a client that has never logged into HA; it didn’t work, so it is not a browser cache issue. Clients log in from 10.0.0.0 and 192.168.0.0 address spaces, but as far as I know I am not and was not filtering them at all. I just really don’t know what the next step is here.
Compose file for HA is:
```yaml
homeassistant:
  container_name: Home-assistant
  image: homeassistant/home-assistant
  volumes:
    - ./ssdpool/ssd1/Configs/Homeassistant:/config
    - /etc/localtime:/etc/localtime:ro
  ports:
    - 8123:8123
  # devices:
  #   - /dev/ttyUSB0:/dev/ttyUSB0
  restart: always
  environment:
    - TZ=Europe/Amsterdam
  depends_on:
    - deconz
```
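An added example, not part of the original post and not Home Assistant's own code: a simplified model of the right-to-left `X-Forwarded-For` check that `use_x_forwarded_for` with `trusted_proxies` implies. It shows how the peer address from the log line compares against `trusted_proxies` and what trusting a whole /16 admits. Every address except `192.168.0.0/16` is constructed, and `resolve_client` is a hypothetical helper.

```python
import ipaddress

def resolve_client(peer, xff, trusted_proxies):
    """Simplified model (an assumption, not Home Assistant's code) of how a
    backend decides whose address a proxied request belongs to."""
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]

    def trusted(ip):
        return any(ipaddress.ip_address(ip) in n for n in nets)

    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    if not trusted(peer):
        # A forwarding header from a peer outside trusted_proxies is not honoured.
        return ("rejected" if hops else "direct", peer)
    # Walk right to left: the first hop that is not a trusted proxy is the client.
    for hop in reversed(hops):
        if not trusted(hop):
            return ("forwarded", hop)
    # Every hop is trusted, or there is no header: use the left-most hop or the peer.
    return ("forwarded", hops[0]) if hops else ("direct", peer)

PAGE_TRUST = ["192.168.0.0/16"]      # value from the post
NARROW_TRUST = ["192.168.1.10/32"]   # constructed: only the proxy's own address

# Constructed requests: (label, peer address the backend sees, X-Forwarded-For)
SAMPLES = [
    ("via proxy on LAN address", "192.168.1.10", "10.0.0.23"),
    ("via proxy on a container-network address", "172.18.0.5", "10.0.0.23"),
    ("LAN host straight to :8123 with its own header", "192.168.1.77", "203.0.113.9"),
]

def report(trusted_proxies):
    """Return {label: (decision, address)} for every constructed sample."""
    return {label: resolve_client(peer, xff, trusted_proxies)
            for label, peer, xff in SAMPLES}

if __name__ == "__main__":
    for name, trust in (("page", PAGE_TRUST), ("narrow", NARROW_TRUST)):
        print(name, trust)
        for label, result in report(trust).items():
            print(f"  {label}: {result}")
```

With the /16 from the post, any LAN host that reaches the published port 8123 directly has its own `X-Forwarded-For` value accepted; with only the proxy's address trusted, the same request is refused.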