Cannot log in to the frontend when behind a reverse proxy

Ok, this is a weird one. I’ve got a Pi that has been running Home Assistant in Docker (homeassistant/raspberrypi4-homeassistant:stable) for a while now and it’s always worked fine, up until this week. I had some unrelated network issues because of Pi-hole crashing and once I got that back up and running, my problems with Home Assistant somehow started.

My problem is that I can’t log in anymore, but only when using the externally available domain I have for it. When using the internal hostname and port 8123 it works just fine, so it’s really something reverse proxy related. When I try to log in using the domain name I pointed to it I get the login screen, but after entering my username and password I get an “Unable to connect to Home Assistant.” message with a retry button below it. The URL in the browser at that point is something like https://my.domain.name/lovelace?auth_callback=1&code=base64_data_here. If I look at my browser’s dev toolbar during that request I can see that there is a POST request to https://my.domain.name/auth/token that’s resulting in an error 400, Bad Request.

This is the relevant configuration I have set up in Home Assistant:

http:
  server_host: 192.168.1.203
  use_x_forwarded_for: true
  trusted_proxies:
    - 10.0.0.0/24
    - 192.168.0.0/16
    - 172.17.0.0/16
    - 127.0.0.1
  base_url: https://my.domain.name

Up until the point the issue started I was only using the base_url part; I added the rest in to try and resolve the issue, without any luck sadly.

Just in case it’s relevant (though I don’t think it is), I’m also using emulated_hue so my Logitech Harmony can control my non-Hue lamps:

emulated_hue:
  listen_port: 80
  advertise_ip: 192.168.1.203

Relevant netstat output:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.203:80        0.0.0.0:*               LISTEN      -
tcp        0      0 192.168.1.203:8123      0.0.0.0:*               LISTEN      -

Just to reiterate, nothing seems to be wrong with Home Assistant itself. All my automations are working, all relevant ports are open and even the web UI is working, just not externally. Can any of you see something that I’m missing here?

What do you have under homeassistant in your YAML? I think you need to specify the external URL there.

I didn’t have anything relevant to this issue under the homeassistant entry in the config file, but I just attempted to add these two lines and it made no difference, sadly. Thanks for the suggestion though!

homeassistant:
# ....
  external_url: "https://my.domain.name"
  internal_url: "http://192.168.1.203:8123"

Which machine is your reverse proxy then? Normally, it’s only one IP. What software did you use, nginx or something else? Does it run on your Pi?

Ah, I should have mentioned that. I’m using a Synology NAS on the same network as a reverse proxy and for SSL termination since I have more services that I need a proxy for and most of them are running on the NAS. I used the graphical interface to add the different entries but I know it uses nginx to do it under the hood. The 192.168.1.203 IP mentioned above is the Pi that’s running HA, my NAS is available on the same network through 192.168.1.72.

For a Synology NAS as reverse proxy, you need to set the header like that:


Awesome, that fixed it. :smiley: Weird though, I had that set up before and for some reason it was gone now, which is why I didn’t even look here. Let’s hope it sticks around this time.

You have a typo in your last header by the way, but I guess that means the last entry isn’t required.


I have the same issue with my own Apache 2.4 proxy, running on a Digital Ocean VPS. The login form rendered successfully, and after that I got an HTTP 400 on the /auth/token request. Do you have any idea how to fix it for Apache2? Here is my config:

<VirtualHost *:80>
ProxyPreserveHost On
ServerName <my_public_domain>
ServerAdmin <my_email>

ProxyPass / http://<my_private_ha_hostname>:<portnumber>/
ProxyPassReverse / http://<my_private_ha_hostname>:<portnumber>/
ProxyPassReverseCookiePath / /
ProxyPassReverseCookieDomain "<my_private_ha_hostname>" "<my_public_domain>"
</VirtualHost>

You need to add some rules for WebSocket:

<VirtualHost *:80>
  # .....

  RewriteEngine on
  # Requests carrying "Upgrade: websocket" are proxied to the backend over ws://
  RewriteCond %{HTTP:Upgrade} =websocket [NC]
  RewriteRule /(.*)  ws://<my_private_ha_hostname>:<portnumber>/$1 [P,L]
  # Everything else is proxied as plain HTTP
  RewriteCond %{HTTP:Upgrade} !=websocket [NC]
  RewriteRule /(.*)  http://<my_private_ha_hostname>:<portnumber>/$1 [P,L]
</VirtualHost>
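Added example, not from any poster in this thread: a small Python check that sends the WebSocket handshake through a reverse proxy and classifies the answer, to confirm that rules like the ones above actually let the upgrade through. The function names are made up for this example, `/api/websocket` is Home Assistant's WebSocket endpoint, and the sample responses are constructed.

```python
import base64, hashlib, os, socket, ssl

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # constant fixed by RFC 6455
# Constructed sample data; the key/accept pair is the worked example from RFC 6455.
SAMPLE_KEY = "dGhlIHNhbXBsZSBub25jZQ=="
SAMPLE_OK = (b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
             b"Connection: Upgrade\r\nSec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n")
SAMPLE_400 = b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"

def expected_accept(key: str) -> str:
    """Sec-WebSocket-Accept value a genuine WebSocket server returns for this key."""
    return base64.b64encode(hashlib.sha1((key + WS_GUID).encode()).digest()).decode()

def build_request(host: str, key: str, path: str = "/api/websocket") -> bytes:
    """Client handshake as a browser would send it to the public hostname."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\nUpgrade: websocket\r\n"
            f"Connection: Upgrade\r\nSec-WebSocket-Key: {key}\r\n"
            "Sec-WebSocket-Version: 13\r\n\r\n").encode()

def check_response(raw: bytes, key: str) -> str:
    """Classify the first bytes that came back through the proxy."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        return "not an HTTP response"
    headers = {n.strip().lower(): v.strip()
               for n, sep, v in (l.partition(":") for l in lines[1:]) if sep}
    if parts[1] != "101":
        return f"no upgrade: HTTP {parts[1]} (proxy or backend refused the handshake)"
    if headers.get("upgrade", "").lower() != "websocket":
        return "101 without 'Upgrade: websocket' (header dropped on the way back)"
    if headers.get("sec-websocket-accept") != expected_accept(key):
        return "101 with wrong Sec-WebSocket-Accept (not answered by a WebSocket server)"
    return "ok: WebSocket upgrade passes through the proxy"

def probe(host: str, port: int = 443, use_tls: bool = True) -> str:
    """Live check against your own proxy; needs network access."""
    key = base64.b64encode(os.urandom(16)).decode()
    raw = socket.create_connection((host, port), timeout=10)
    conn = ssl.create_default_context().wrap_socket(raw, server_hostname=host) if use_tls else raw
    with conn:
        conn.sendall(build_request(host, key))
        return check_response(conn.recv(4096), key)

if __name__ == "__main__":
    print(check_response(SAMPLE_OK, SAMPLE_KEY))
    print(check_response(SAMPLE_400, SAMPLE_KEY))
```

Run `probe()` once against the public hostname and once against the backend directly (`use_tls=False`, port 8123): if only the proxied run fails, the proxy is not forwarding the upgrade.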