If the container HA is running in is a problem, then why not install it in a vm on i.e. Debian 11? Then you have full control and access.
It’s in the VM in my Synology NAS. When I open the terminal for the VM I can only call ha commands
You installed HA OS VM? Just drop that and create a deb 11 VM with a supervised HA installation. You then can ssh into linux and do whatever you want. I also first did HA OS, but 5 mins later I deleted it again
@Patrick010 - I would not go that far to recommend like this. People run different install type for different reasons. There is no “best” install method - only “best fit”… and the best fit obviously means differently for different people.
@aussie1497 - I think you are close.
- 192.168.1.154:8123 is the internal IP and port you are using to access your HA instance, is that http or https? Can you test, from 192.168.1.153, whether you can access the HA address?
- Are you using synology.me to access your Synology instance from outside your LAN? Is that working? How did you set that up?
- You said reverse proxy access pihole works. Describe your setup on that front please.
- What does the port forwarding look like on your router? 443 external to 443 on 192.168.1.153…?
- Following Patrick’s link yesterday, could you set up something similar to this??
Synology: How To Reverse Proxy Your IP Camera – Marius Hosting
Installed pihole as https://www.wundertech.net/how-to-setup-pi-hole-on-a-synology-nas-two-methods/
- router forwards 443 to Synology
- set ph.mydomain.com up, ddns, ssl cert
- set local dns in pihole for ph.mydomain.com
- reverse proxy ph.mydomain.com:443 to 192.168.1.153:port
pihole works fine
For HA, did exactly the same thing, except 192.168.1.154:8123
The key was adding http:
use_x_forwarded_for
Before this I would get a 400 error.
I can’t https to 192.168.1.154:8123 as HAOS has no ssl cert
I can https://ha.mydomain.com/ internally on my PC and laptop, so Synology reverse proxy is fine
I just noticed on mobile, on home wifi, I get
Before I thought I only get this while on outside network.
Nothing in home-assistant.log
I guess, 1 way would be install some ssl cert as an HA addon? Then forward router port to HA? Ie bypass Synology reverse proxy.
I have 2 ideas.
=== route #1 ===
Does this “to Synology” mean… to Synology management (DSM) port, or to the port of the reverse proxy server on Synology?
Could you share the setup screen in pi-hole?
Is this “port” the port for pi-hole, or the port for nas?
Could you show us your reverse proxy setup screen from Synology?
If you setup another reverse proxy of nas.mydomain.com:443 https, to http://192.168.1.153:(your DSM port), would that work when you access from outside?
It’s fine. For a reverse proxy setup, you could point that to http://192.168.1.154:8123, no ssl cert is needed.
This statement needs to be checked. When you do use that ha.mydomain.com from LAN, it goes to pihole for dns lookup, and then with the local dns rule you set, you’d go directly to 192.168.1.154. This does not go through reverse proxy.
=== route #2 ===
I am actually thinking about the same thing.
Given you have HAOS, and you can do add-ons easily, then you can look into this add-on:
New Add-On: Cloudflared - Share your Projects! - Home Assistant Community (home-assistant.io)
I setup mine in 30 minutes. Including the time to register my account and domain name.
And the best part is that you don’t even need to open any port on your router.
Well… both, actually. When you enter “yourdomain.synology.me” it takes you to DSM main page, but if you enter anything else before your domain, like “ha.yourdomain.synology.me” it takes you to defined web page (defined via proxy manager).
I defined my setup like THIS and everything works.
@k8gg - Maybe you wouldn’t recommend this, but I ran into the same issues. Installed deb 11 supervised in no time and had HA running in even less. But if you guys want to continue messing about, by all means do so
The fact that he has pi-hole running behind the reverse proxy proves that it works. So it has to do something with HA. But as it is a fairly closed OS it’s hard to analyse.
Well router forwards 443 to Synology 192.168.1.153:443
There nas does its stuff.
So ph.mydomain.com reverse proxys to my internal access to pihole 192.168.1.153:port
All it does is take http and make it https
ha.mydomain.com reverse proxys to 192.168.1.154:8123
but it needed all those other websockets and proxy config
Now I guess your point about pihole is interesting. Because my Local DNS Records point to 192.168.1.153. Then ha.mydomain.com is a cname to the nas name.
So internally ha.mydomain.com → 192.168.1.153 so it does hit the reverse proxy.
Externally I guess ha.mydomain.com is a cname to duckdns. So it would be my ip:443, which goes to 192.168.1.153:443 → reverse proxy
But main thing, why internally is desktop different from mobile (both chrome)?
Mobile redirs me to /lovelace. Then has the fail/retry screen.
My setup is the same as yours. Not sure why I can only access internal on desktop.
Even internal on mobile fails?!
I’ve installed and set up
New Add-On: Cloudflared - Share your Projects! - Home Assistant Community (home-assistant.io)
I think. I got
INFO: Finished setting-up the Cloudflare tunnel
I’m not sure how to check.
Then a few errors, then 4
INF Connection ______ registered connIndex=3 ip=198.41.192.27 location=BNE
I guess those are CF ips.
I can still access internally. Mobile still doesn’t work. Is it something to do with HA having a different IP to the nas?
I still don’t get the desktop vs mobile chrome difference.
I was going to mention that you had ‘cloudflare’ mentioned. and it seemed like you were getting slowness rather than not seeing HA at all. IF that is correct, I had the same symptom and simply disabling caching in cloudflare fixed it completely.
I don’t use the cloudflared addon (didn’t want to have to rely on an addon for this) and rather just use a proxy setup. But in my setup you need to whitelist the cloudflare IPs too. I don’t see where you did that?
This all may be moot now that you installed cloudflared though.
In synology–>virtual machine manager, select your HA instance and under “general” check which IP’s are there… i have two of them starting with 172, so i entered in configuration this:
http: # ------------------------------------------------------------------------ HTTP
  ip_ban_enabled: true
  login_attempts_threshold: 10
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.0.0/24
    - 172.30.32.0/24
    - 172.17.0.0/24
also: did you try to turn off pihole and try to access? Just to definitely eliminate pihole’s fault…
- Post the entire log from Cloudflared please. Hard to know what “a few errors” are.
- Also what do you see from the Cloudflared dashboard?
- Did you follow the instructions to authenticate at Cloudflare, using the link from the log?
- Did you add 172.30.33.0/24 to the http section of your HA config?
- Also did you follow instructions to remove / disable SSL certs? After Cloudflared add-on setup, the certifications of your domain name would be done by Cloudflared. Meaning no LetsEncrypt, no DuckDns, no Synology handling domain certification nor any other reverse proxy setup outside of Cloudflare, within your LAN network.
====
I would second this. Remove pihole from the equation, roll back DNS settings temporarily.
====
And, again,
I’m using
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1
    - 10.0.0.0/8
    - 172.16.0.0/12
    - 192.168.0.0/16
So that covers 172.30.33.0/24 and more
Anyway when that was empty, I’d get an ERR400 rather than the HA screen
So the addon, I went with the local config, followed it fine under
Initial Add-on Setup for local tunnels
It all worked. This was the log. I’m sure the last lines show it’s working.
2022-08-30T14:04:24Z ERR Failed to serve quic connection error="Unauthorized: Failed to get tunnel" connIndex=0 ip=198.41.200.33
2022-08-30T14:04:24Z ERR Register tunnel error from server side error="Unauthorized: Failed to get tunnel" connIndex=0 ip=198.41.200.33
2022-08-30T14:04:24Z INF Retrying connection in up to 2s seconds connIndex=0 ip=198.41.200.33
2022-08-30T14:04:26Z INF Connection 45d6bc44-4ff0-451c-920f-4291cb776024 registered connIndex=0 ip=198.41.200.33 location=SYD
2022-08-30T14:04:28Z INF Connection 9e37d67f-d134-4ebd-887d-d49f1740aceb registered connIndex=2 ip=198.41.200.73 location=SYD
2022-08-30T14:04:28Z INF Connection 6d5a8e07-3c0e-468e-93c7-074a280602a3 registered connIndex=1 ip=198.41.192.77 location=BNE
2022-08-30T14:04:30Z INF Connection 468b3e19-bd7e-4b7e-afc3-12c7bd4ba1ef registered connIndex=3 ip=198.41.192.27 location=BNE
2022-08-30T23:54:58Z INF Unregistered tunnel connection connIndex=2
The instructions to remove / disable SSL cert refers to on the HA, I don’t have any related addons in HA.
The tunnel would bypass the reverse proxy on synology anyway right?
Anyway, I disabled pihole, which was simply taking it out of deco’s dns.
Let me restart everything and try it out.
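The `trusted_proxies` lists posted in this thread can be checked against the addresses HA actually sees as the connecting proxy. This is an added example, not code from any poster or from Home Assistant; the `NARROW` list and the add-on address 172.30.33.2 are constructed for illustration, and the other values are taken from the posts above.

```python
import ipaddress

# Lists as posted in the thread.
BROAD = ["127.0.0.1", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
OTHER_LAN = ["192.168.0.0/24", "172.30.32.0/24", "172.17.0.0/24"]
# Constructed for illustration: only the NAS proxy and the add-on range.
NARROW = ["192.168.1.153/32", "172.30.33.0/24"]

# Addresses HA would see as the connecting peer.
# 192.168.1.153 is the Synology proxy from the thread; 172.30.33.2 is a
# constructed address inside the 172.30.33.0/24 range named above.
PROXIES = ["192.168.1.153", "172.30.33.2"]


def parse_trusted(entries):
    """Parse trusted_proxies entries (single IPs or CIDR ranges)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def matching_network(proxy_ip, trusted):
    """Return the most specific trusted network containing proxy_ip, or None."""
    addr = ipaddress.ip_address(proxy_ip)
    hits = [n for n in trusted if n.version == addr.version and addr in n]
    return max(hits, key=lambda n: n.prefixlen) if hits else None


def audit(entries, proxies):
    """Map each proxy to its covering network and count trusted IPv4 addresses."""
    trusted = parse_trusted(entries)
    covered = {p: matching_network(p, trusted) for p in proxies}
    v4 = [n for n in trusted if n.version == 4]
    # collapse_addresses merges overlaps so no address is counted twice
    total = sum(n.num_addresses for n in ipaddress.collapse_addresses(v4))
    return covered, total


if __name__ == "__main__":
    lists = [("broad", BROAD), ("other LAN", OTHER_LAN), ("narrow", NARROW)]
    for name, entries in lists:
        covered, total = audit(entries, PROXIES)
        print(f"{name}: {total} trusted addresses")
        for proxy, net in covered.items():
            status = f"trusted via {net}" if net else "NOT trusted"
            print(f"  {proxy}: {status}")
```

With `use_x_forwarded_for` enabled, every address inside a trusted range can supply the client IP that HA records, so a narrow list limits which hosts can influence what `ip_ban_enabled` sees.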
So I restarted HA via the menu. Then rebooted my phone. Hooked my laptop to my phone hotspot.
Results:
phone - retry screen
laptop - retry screen
Actually worse than before.
Unless is there any other action I need to do each time I change these settings?
Maybe I do the final route, forward router 8123 → 192.168.1.154:8123
I’d need ssl addon in HA
If that doesn’t work then I’d need to see how to backup then install debian in a VM.
Tried router 8123 → 192.168.1.154:8123
Let’s Encrypt ssl addon in HA. But I couldn’t get it working
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
So I don’t think that’s an option then.
Another thought, in cloudflare should I have dns cname as proxied? Should it matter?
i created a post yesterday (Link) and your issue seems like the same issue i have.
the setup was working for almost 3 years now, i changed nothing and it suddenly stopped working.
I also use cloudflare and a reverse proxy, all my other services (9 in total) are working fine except Home Assistant.
strange…
i use HA behind synology reverse proxy too, however i do not use the external 443 port, but 55xx range. Did you try moving to other port for HA in your case?
And then i mean both external port as receiving port on synology and synology forwarding to 8123 to ha host.
And update external url including the new port number in HA config
If that would work then it’s only a port conflict somewhere which can be investigated separately of course
Did you by any chance enter anything from THIS site in config file? When i played with that i almost locked myself out, so i don’t use anything but default.