Externally, ha.mydomain.com gives me that retry button only.
The home-assistant.log file doesn’t seem to update all the time. I get things like
2022-08-28 12:27:25.466 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 172.68.66.41...
But you know, I got the retry error on more devices and times than the log shows up. I feel like I’m not getting all of them.
They’re mostly 172.68.*
What’s next to try?
The 1 issue I know, is that with Deco M5 + pihole all my guest network can’t access dns at all. But that only affects my iot devices, not HA/nas.
Did you enter port forwarding into your router? I have set port 443 (https default port) to IP of my synology. Then I can access anything (configured with reverse proxy) with https:// [xxx].mydomain.synology.me
@Protoncek Yes my 443 is currently forwarded to the nas.
@Patrick010 thanks I have already done all the steps in there.
@mirekmal I have done the steps in yours too, except for port 80. I don’t need http access, so I assume I don’t need it. I have hsts config’d so it should take care of 80.
The 192.168.0.0/16 covers 192.168.0.1 - 192.168.255.254, I also had my nas ip in there but figured to go all in. The only subnet not added is 10.x
Reverse proxies are in general working because I have pihole setup as a reverse-proxy. I can access that via other phones from outside my network.
Also I am actually reaching the home assistant on the reverse proxy, it’s just not happy. It shows the retry screen, so something is happening.
But even with the retry screen I’m not getting anything in the home-assistant.log I just tried the phone again after a few hours lapse.
Is there any long-term ban which I have to clear out?
I mean I see the retry logo, and I did see the “Login attempt or request with invalid authentication” before, but it could be 2 different issues and not 1.
Note that before I added trusted_proxies it would just say “400: Bad Request” even internally, another sign that Reverse proxies are working AND the trusted_proxies is covering the right IP?
I don’t know how to get into the HA VM and check the network in there. It’s not linux I don’t know the os commands.
You installed HA OS VM? Just drop that and create a deb 11 VM with a supervised HA installation. You then can ssh into linux and do whatever you want. I also first did HA OS, but 5 mins later I deleted it again
@Patrick010 - I would not go that far to recommend like this. People run different install type for different reasons. There is no “best” install method - only “best fit”… and the best fit obviously means differently for different people.
192.168.1.154:8123 is the internal IP and port you are using to access your HA instance, is that http or https? Can you test, from 192.168.1.153, whether you can access the HA address?
Are you using synology.me to access your Synology instance from outside your LAN? Is that working? How did you set that up?
You said reverse proxy access pihole works. Describe your setup on that front please.
What does the port forwarding look like on your router? 443 external to 443 on 192.168.1.153…?
Does this “to Synology” mean… to Synology management (DSM) port, or to the port of the reverse proxy server on Synology?
Could you share the setup screen in pi-hole?
Is this “port” the port for pi-hole, or the port for nas?
Could you show us your reverse proxy setup screen from Synology?
If you setup another reverse proxy of nas.mydomain.com:443 https, to http://192.168.1.153:(your DSM port), would that work when you access from outside?
It’s fine. For a reverse proxy setup, you could point that to http://192.168.1.154:8123, no ssl cert is needed.
This statement needs to be checked. When you do use that ha.mydomain.com from LAN, it goes to pihole for dns lookup, and then with the local dns rule you set, you’d go directly to 192.168.1.154. This does not go through reverse proxy.
=== route #2 ===
I am actually thinking about the same thing.
Given you have HAOS, and you can do add-ons easily, then you can look into this add-on: New Add-On: Cloudflared - Share your Projects! - Home Assistant Community (home-assistant.io)
I setup mine in 30 minutes. Including the time to register my account and domain name.
And the best part is that you don’t even need to open any port on your router.
Well… both, actually. When you enter “yourdomain.synology.me” it takes you to DSM main page, but if you enter anything else before your domain, like “ha.yourdomain.synology.me” it takes you to defined web page (defined via proxy manager).
I defined my setup like THIS and everything works.
@k8gg - Maybe you wouldn’t recommend this, but I ran into the same issues. Installed deb 11 supervised in no time and had HA running in even less. But if you guys want to continue messing about, by all means do so
The fact that he has pi-hole running behind the reverse proxy proves that it works. So it has to do something with HA. But as it is a fairly closed OS it’s hard to analyse.
Well router forwards 443 to Synology 192.168.1.153:443
There nas does its stuff.
So ph.mydomain.com reverse proxys to my internal access to pihole 192.168.1.153:port
All it does is take http and make it https
ha.mydomain.com reverse proxys to 192.168.1.154:8123
but it needed all those other websockets and proxy config
Now I guess your point about pihole is interesting. Because my Local DNS Records point to 192.168.1.153. Then ha.mydomain.com is a cname to the nas name.
So internally ha.mydomain.com → 192.168.1.153 so it does hit the reverse proxy.
Externally I guess ha.mydomain.com is a cname to duckdns. So it would be my ip:443, which goes to 192.168.1.153:443 → reverse proxy
But main thing, why internally is desktop different from mobile (both chrome)?
Mobile redirs me to /lovelace. Then has the fail/retry screen.
I was going to mention that you had ‘cloudflare’ mentioned. and it seemed like you were getting slowness rather than not seeing HA at all. IF that is correct, I had the same symptom and simply disabling caching in cloudflare fixed it completely.
I don’t use the cloudflared addon (didn’t want to have to rely on an addon for this) and rather just use a proxy setup. But in my setup you need to whitelist the cloudflare IPs too. I don’t see where you did that?
This all may be moot now that you installed cloudflared though.
In synology–>virtual machine manager, select your HA instance and under “general” check which IPs are there… I have two of them starting with 172, so I entered in configuration this:
Post the entire log from Cloudflared please. Hard to know what “a few errors” are.
Also what do you see from the Cloudflared dashboard?
Did you follow the instructions to authenticate at Cloudflare, using the link from the log?
Did you add 172.30.33.0/24 to the http section of your HA config?
Also did you follow instructions to remove / disable SSL certs? After Cloudflared add-on setup, the certifications of your domain name would be done by Cloudflared. Meaning no LetsEncrypt, no DuckDns, no Synology handling domain certification nor any other reverse proxy setup outside of Cloudflare, within your LAN network.
====
I would second this. Remove pihole from the equation, roll back DNS settings temporarily.
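To see which sources in the `homeassistant.components.http.ban` warnings fall outside the `trusted_proxies` networks mentioned in this thread, the following added example (not code from any poster or from Home Assistant) parses such log lines and classifies each address. The sample log lines, the function names and the assumption that the source IP is the first IPv4 address after "invalid authentication from" are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Networks named in the thread as trusted_proxies candidates.
TRUSTED_PROXIES = ["192.168.0.0/16", "172.30.33.0/24"]

# Constructed sample, modelled on the single (truncated) line quoted in the thread.
SAMPLE_LOG = """\
2022-08-28 12:27:25.466 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 172.68.66.41...
2022-08-28 12:29:10.902 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 172.68.66.41...
2022-08-28 12:31:02.118 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 172.30.33.2...
2022-08-28 12:31:05.000 INFO (MainThread) [homeassistant.core] unrelated line
"""

BAN_LINE = re.compile(
    r"\[homeassistant\.components\.http\.ban\].*?"
    r"invalid authentication from .*?\b(\d{1,3}(?:\.\d{1,3}){3})\b"
)

def failed_auth_sources(log_text):
    """Count ban-component warnings per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = BAN_LINE.search(line)
        if not m:
            continue
        try:
            counts[ipaddress.ip_address(m.group(1))] += 1
        except ValueError:  # e.g. an octet above 255 in a damaged line
            continue
    return counts

def classify(ip, trusted):
    """Report which trusted network (if any) covers ip, and whether it is private."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    covered_by = next((str(n) for n in nets if ip in n), None)
    return {"ip": str(ip), "trusted_by": covered_by, "private": ip.is_private}

def report(log_text, trusted=TRUSTED_PROXIES):
    sources = failed_auth_sources(log_text)
    return [dict(classify(ip, trusted), hits=n) for ip, n in sources.most_common()]

if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print(row)
```

An address such as 172.68.66.41 is reported as neither covered by the listed networks nor private: only 172.16.0.0/12 is private space, so a 172.68.* source is a public address and not a Docker or VM-internal one.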