Can't connect to Home assistant from internet anymore

illegalmexicain · April 28, 2024, 1:16pm

Can’t connect to Home assistant from internet anymore. Started a new install and still get the same error.

From outside i can reach home assistant but land on the login page with: Error: Something went wrong
I get nothing in the logs, but when i inspect the page i get 2 errors:

Failed to load resource: the server responded with a status of 500 () →

Error starting auth flow SyntaxError: Unexpected token ‘<’, “
<h”… is not valid JSON

Here’s my setup:

Reverse proxy (swag): Runnning in Docker (ubuntu)
Home Assistant (HAOS): Runing in a VM (virtual box)

Swag proxy conf:
(I replaced the end of my machine IP with XXX)

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name homeassistant.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth (requires ldap-location.conf in the location block)
    #include /config/nginx/ldap-server.conf;

    # enable for Authelia (requires authelia-location.conf in the location block)
    #include /config/nginx/authelia-server.conf;

    # enable for Authentik (requires authentik-location.conf in the location block)
    #include /config/nginx/authentik-server.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable for ldap auth (requires ldap-server.conf in the server block)
        #include /config/nginx/ldap-location.conf;

        # enable for Authelia (requires authelia-server.conf in the server block)
        #include /config/nginx/authelia-location.conf;

        # enable for Authentik (requires authentik-server.conf in the server block)
        #include /config/nginx/authentik-location.conf;

        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app 192.168.1.XXX;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }

    location ~ ^/(api|local|media)/ {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app 192.168.1.XXX;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}

Home Assistant Configuration Yaml:


# Loads default set of integrations. Do not remove.
default_config:

# Load frontend themes from the themes folder
frontend:
  themes: !include_dir_merge_named themes

automation: !include automations.yaml
script: !include scripts.yaml
scene: !include scenes.yaml

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.1.0/24
    - 172.28.0.0/16

Tinkerer · April 29, 2024, 1:11pm

Enable websocket support in NGINX

illegalmexicain · April 29, 2024, 5:47pm

The proxy.conf included in the conf already enable websocket:

## Version 2023/02/09 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/proxy.>
# Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

# Proxy Connection Settings
proxy_buffers 32 4k;
proxy_connect_timeout 240;
proxy_headers_hash_bucket_size 128;
proxy_headers_hash_max_size 1024;
proxy_http_version 1.1;
proxy_read_timeout 240;
proxy_redirect http:// $scheme://;
proxy_send_timeout 240;

# Proxy Cache and Cookie Settings
proxy_cache_bypass $cookie_session;
#proxy_cookie_path / "/; Secure"; # enable at your own risk, may break certain apps
proxy_no_cache $cookie_session;

# Proxy Header Settings
proxy_set_header Connection $connection_upgrade;
proxy_set_header Early-Data $ssl_early_data;
proxy_set_header Host $host;
proxy_set_header Proxy "";
proxy_set_header Upgrade $http_upgrade;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Method $request_method;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Original-Method $request_method;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Real-IP $remote_addr;

illegalmexicain · May 2, 2024, 12:11am

If you ever stumble on my post, i fixed it. Problem was due to my setup also using Crowdsec, with recaptcha. CAPTCHA or Appsec are do not support http2 requests, and as of 5/1/2024 it’s not fixed yet.

Crowdsec reCAPTCHA remediation : http2 requests are not supported yet

opened 01:49PM - 03 Sep 23 UTC

closed 09:18AM - 22 Feb 24 UTC

shad-lp

Hello, I've set up Crowdsec to use captcha remediation instead of ban for som…e collections, especially LePresidente/Emby. On a banned IP, as soon as the captcha is resolved, I got an error 500 in the browser. In the nginx (SWAG Linuxserver) error.log I get this error : ```2023/09/02 09:28:31 [error] 673#673: *1762 lua entry thread aborted: runtime error: /usr/local/lua/crowdsec/crowdsec.lua:485: http2 requests are not supported yet stack traceback: coroutine 0: [C]: in function 'read_body' /usr/local/lua/crowdsec/crowdsec.lua:485: in function 'Allow' access_by_lua(http.d/crowdsec_nginx.conf:14):3: in main chunk while sending to client, client: 46.178.201.44, server: emby.*, request: "GET /web/index.html HTTP/2.0", host: "emby.xxx.ovh" ``` I tried to : 1. remove the http2 argument in the listen directive in my emby reverse proxy configuration file, but no change. 2. remove the http2 argument in the default.conf for main server, no change 3. both, no change If I switch back to ban remediation, everything runs smoothly. Here is my setup : profiles.yaml (crowdsec) : https://pastebin.com/ftcdgtwT crowdsec-nginx-bouncer.conf : ```ENABLED=true API_URL=http://crowdsec:8080 API_KEY=REDACTED CACHE_EXPIRATION=1 # bounce for all type of remediation that the bouncer can receive from the local API BOUNCING_ON_TYPE=all FALLBACK_REMEDIATION=ban REQUEST_TIMEOUT=3000 UPDATE_FREQUENCY=10 # live or stream MODE=live # exclude the bouncing on those location EXCLUDE_LOCATION= #those apply for "ban" action # /!\ REDIRECT_LOCATION and RET_CODE can't be used together. REDIRECT_LOCATION take priority over RET_CODE BAN_TEMPLATE_PATH=/var/lib/crowdsec/lua/templates/ban.html REDIRECT_LOCATION= RET_CODE= #those apply for "captcha" action CAPTCHA_PROVIDER=recaptcha # ReCaptcha Secret Key SECRET_KEY=REDACTED # Recaptcha Site key SITE_KEY=REDACTED CAPTCHA_TEMPLATE_PATH=/var/lib/crowdsec/lua/templates/captcha.html CAPTCHA_EXPIRATION=3600 ``` I don't know if I'm doing something wrong, any help appreciated.

So what’s the fix ?

If you still want to use Captcha or AppSec you need to remove http2 from your proxy conf files.

If your not using Captcha or Appsec make sure they’re not in youre docker yml file.