Can't connect to Home Assistant from external via https, Synology reverse proxy

Anyway, I disabled pihole, which was simply taking it out of deco’s dns.

Let me restart everything and try it out.


So I restarted HA via the menu. Then rebooted my phone. Hooked my laptop to my phone hotspot.

Results:
phone - retry screen
laptop - retry screen

Actually worse than before.

Unless is there any other action I need to do each time I change these settings?

Maybe I do the final route, forward router 8123 → 192.168.1.154:8123
I’d need ssl addon in HA

If that doesn’t work then I’d need to see how to backup then install debian in a VM.

Tried router 8123 → 192.168.1.154:8123
Let’s Encrypt ssl addon in HA. But I couldn’t get it working

Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.

So I don’t think that’s an option then.

Another thought, in cloudflare should I have dns cname as proxied? Should it matter?

I created a post yesterday (Link) and your issue seems like the same issue I have.
The setup was working for almost 3 years now, I changed nothing and it suddenly stopped working.

I also use cloudflare and a reverse proxy, all my other services (9 in total) are working fine except Home Assistant.

strange…

I use HA behind synology reverse proxy too, however I do not use the external 443 port, but 55xx range. Did you try moving to another port for HA in your case?
And then I mean both the external port as receiving port on synology and synology forwarding to 8123 on the ha host.
And update the external url including the new port number in HA config

If that would work then it’s only a port conflict somewhere which can be investigated separately of course

Did you by any chance enter anything from THIS site in config file? When I played with that I almost locked myself out, so I don’t use anything but default.

@Protoncek I am not using Authentication Providers

But firstly, I wonder what [homeassistant.components.http.ban] means. I haven’t been getting these in my logs since the 1st day. Does that mean the ban sticks, and my errors are actually leftover from the 1st day before adding trusted_proxies?

How to clear ban list? suggests I don’t have an ip_bans.yaml file so it’s not the case.
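As an added illustration (not code from this thread or from Home Assistant itself), a simplified Python model of why the trusted_proxies setting matters for those http.ban messages: when the proxy is not trusted, every failed login looks like it comes from the NAS address, so the proxy itself gets banned and everyone behind it is locked out. The addresses are the thread’s (nas = 192.168.1.153); the failed-login samples and the ban threshold of 5 are constructed assumptions, and the corresponding keys in Home Assistant’s http: configuration are use_x_forwarded_for and trusted_proxies.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Address from the thread: nas = Synology reverse proxy in front of the HAOS VM.
PROXY_IP = "192.168.1.153"

# Constructed sample: five failed logins from five different external clients
# (TEST-NET-2 addresses), each relayed by the Synology proxy, so the TCP peer
# Home Assistant sees is always the proxy; the real client is only in X-Forwarded-For.
SAMPLE_FAILED_LOGINS: List[Tuple[str, Optional[str]]] = [
    (PROXY_IP, f"198.51.100.{n}") for n in range(1, 6)
]


def resolve_client_ip(peer_ip: str, x_forwarded_for: Optional[str],
                      use_x_forwarded_for: bool, trusted_proxies: List[str]) -> str:
    """Address a proxy-aware login/ban check would attribute the request to.

    Simplified model, not Home Assistant's own implementation: the header is
    honoured only when the feature is enabled AND the TCP peer lies inside a
    trusted proxy network. A client talking to HA directly cannot spoof its
    address with its own X-Forwarded-For header because it is not a trusted peer.
    """
    peer = ipaddress.ip_address(peer_ip)
    trusted = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]
    if use_x_forwarded_for and x_forwarded_for and any(peer in net for net in trusted):
        # Leftmost entry is the original client; proxies append themselves to the right.
        return x_forwarded_for.split(",")[0].strip()
    return peer_ip


def banned_after_failures(requests: List[Tuple[str, Optional[str]]],
                          use_x_forwarded_for: bool, trusted_proxies: List[str],
                          threshold: int = 5) -> Dict[str, int]:
    """Count failed logins per attributed IP; return those reaching the (assumed) ban threshold."""
    counts: Dict[str, int] = {}
    for peer_ip, xff in requests:
        ip = resolve_client_ip(peer_ip, xff, use_x_forwarded_for, trusted_proxies)
        counts[ip] = counts.get(ip, 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    # Proxy not trusted: all five failures land on the NAS address and it gets banned,
    # which would lock out every client behind the proxy.
    print(banned_after_failures(SAMPLE_FAILED_LOGINS, False, []))
    # Proxy trusted: each external client is counted on its own, nobody reaches 5.
    print(banned_after_failures(SAMPLE_FAILED_LOGINS, True, [PROXY_IP + "/32"]))
```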


After all that stuff, I’ve basically exhausted all options. Then I remembered I have multiple ext urls to use, so I can set them up differently.

I’ll use shortnames now:
myurl = ha.mydomain.com
ddns = me.duckdns.org
nas = 192.168.1.153 - synology instance
haos = 192.168.1.154 - vm on nas

I installed Duck DNS on HA again. Set up my DuckDNS.org domain. (currently unused). It’s time to do a reset/check. I have

  • Cloudflared off
  • cloudflare subdomains reset to cnames on ddns
  • pihole back on - otherwise my local links to nas etc are broken
  • pihole local is cname myurl = ddns (ie nas)
  • router 80/443 → nas
  • 8123 → haos:8123
  • on HA, Let’s Encrypt off, Duck DNS on

On synology reverse proxy I have

  • myurl:443 → haos:8123
  • ddns:8123 → haos:8123

I noticed when I forgot to put the myurl:443 → haos:8123 back on, I would get the retry screen

Unable to connect to Home Assistant.
Retrying in 15 seconds…


Internally:
Now if I access https://myurl it is fine (going thru pihole → reverse proxy)
https://ddns or https://ddns:443 redirects to ddns:50xx nas login (where’s this from?)
https://ddns:8123 takes me to HA login, I can login (going thru pihole → reverse proxy)

https://nas:8123 gives me

400 Bad Request
The plain HTTP request was sent to HTTPS port
nginx
I guess this is expected, no reverse proxy entry for this

Externally:
https://myurl seems to work
https://ddns:8123 seems to work
https://nas:8123 times out

Does that initially seem like I’m good now?
The difference is then the Duck DNS addon. Why does that help the reverse proxy work, which isn’t even related to it?

FYI I had Duck DNS added to Synology’s ddns option as a custom provider. It worked and the Duck DNS site showed my ip.

Did further test.
Disabled Duck DNS addon
Reboot router (changes IP)
Update ddns on synology
Restart HA

All still seems to work. The only difference from when nothing worked is that Duck DNS addon
is installed - but disabled.

What does this mean?

Looks like you are good to go.

The purpose of the Duckdns add-on is to handle certifications.
Now that it is your synology box doing reverse proxy and thus handling certificates for 2 urls, you likely would not need the add-on on HAOS.

Next is to monitor the situation, run further tests on various scenarios, and maybe think about simplifying your setup / reducing attack surfaces.
I say this mainly because, (while I don’t know what you want,) you likely don’t “need” both myurl and ddns in place, and you likely don’t “need” to open port 8123 on your router - if/when the reverse proxy setup on your nas box works.

Thanks, though we still don’t know why it wasn’t working initially. I’m basically back to the same as how I started.

I took off open port 8123. Still good. Next is to delete Duckdns add-on (now disabled).

I now have myurl = ddns = syndns. 3 domains pointing to my ip. Does it matter? Security is https and long password right?

So I have rebooted my VM.
Now I again cannot access from outside. Same as before,
ph.mydomain.com working
ha.mydomain.com broken

Internally I can access via wired desktop but not mobile phone browser

Reinstalled duckdns on ha, rebooted ha. Still the same.

Mobile can use internal ip, without https

One thing changed is I installed web station, because my public ip automatically redirected to my secret DSM port.

I stopped the service to see if it changed, but still not working.

OK I may be back now.
Need to make sure Cloudflare DNS is NO PROXY.