Cloudflare - 400 Bad Request error

There have been recent changes to the HTTP component which are causing my (typical?) Cloudflare configuration to break.

I didn’t see another thread dealing with this issue, so here’s the problem/solution:

  • The recommended Cloudflare configuration uses ‘Proxied’ requests to your HA instance.
  • This is treated as a ‘reverse proxy’ by HA which (currently) blocks these requests, so you get a 400 Bad Request error.
  • Switching to DNS-only is an option, but this breaks the 10Y SSL certificate Cloudflare issues that several guides suggest as an alternative to LetsEncrypt etc.

You need to follow the guide for HTTP Reverse Proxies and add all the IP Ranges Cloudflare may use - you can copy and paste these in including the /XY subnet.

This should resolve the issue (until Cloudflare adds/deletes ranges).

4 Likes

Note that HA only blocks requests if the immediate reverse proxy talking to it is not trusted.

So, you only have to include all cloudflare IP/range if cloudflare is directly talking to your HA instance, which is not that typical…
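The check described in this post, as an added example that is not part of the original thread and not Home Assistant's own code: a simplified model of how a server decides whether to believe `X-Forwarded-For`, based only on the address of the host that connected to it. The function name, the return shape and all sample addresses are assumptions made up for the illustration.

```python
import ipaddress

def resolve_client(peer, xff, trusted_proxies, use_x_forwarded_for=True):
    """Simplified model of a trusted-proxy check (hypothetical helper).

    peer: address of the host that opened the connection to the server.
    xff:  X-Forwarded-For header value, or None if the header is absent.
    Returns (status, client_ip); status 400 means the request is rejected.
    """
    nets = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def is_trusted(addr):
        # An IPv4 address is never "in" an IPv6 network and vice versa.
        return any(ipaddress.ip_address(addr) in net for net in nets)

    if xff is None:
        return 200, peer              # direct request, no proxy header to judge
    if not use_x_forwarded_for or not is_trusted(peer):
        return 400, None              # header sent by a host we do not trust
    hops = [h.strip() for h in xff.split(",")]
    try:
        # Walk from the hop nearest to us; the first untrusted one is the client.
        for hop in reversed(hops):
            if not is_trusted(hop):
                return 200, hop
    except ValueError:
        return 400, None              # malformed address inside the header
    return 200, hops[0]               # every listed hop was a trusted proxy


if __name__ == "__main__":
    # Constructed traffic: (connecting peer, X-Forwarded-For, trusted_proxies).
    cases = [
        ("10.1.10.2", "203.0.113.7", []),                      # proxy not listed
        ("10.1.10.2", "203.0.113.7", ["10.1.10.2"]),           # proxy listed
        ("fd00::2", "203.0.113.7", ["10.1.10.2"]),             # IPv6 peer missing
        ("fd00::2", "203.0.113.7", ["10.1.10.2", "fd00::2"]),  # both families
        # Trusting a whole subnet lets any host in it assert a client address.
        ("10.1.99.50", "192.0.2.1", ["10.1.0.0/16"]),
    ]
    for peer, xff, trusted in cases:
        print(peer, trusted, "->", resolve_client(peer, xff, trusted))
```

Listing the single proxy address rather than a wide range keeps the set of hosts whose `X-Forwarded-For` is believed as small as possible.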

Thanks for the idea, but the IP range whitelist doesn’t work. My setup is Docker containers for every service and Cloudflare Teams (through Cloudflare tunnel); every service works except Home Assistant.

Same for me: with the Cloudflare proxies added in the HA config, still Bad Request 400. Did anyone solve this?

EDIT: the solution for me was adding the IP address of my local Proxmox container, where I installed the Cloudflare tunnel, to the proxies in HA. You can find the address of the bad request in your HA log.

9 Likes

Thank you for sharing your solution. It worked for me as well. I am using a cloudflared container with Unraid. I looked into the log of the home assistant container and added the IP of the bad request. After restarting HA I was able to access it through the Cloudflare tunnel.

1 Like

Hello… I came across this post and your answer because I just set up Cloudflare tunnel and my Home Assistant is the only Docker container I can’t set up. I get a 400 Bad Request error when I set the tunnel as http. When I set it up as https I get a 502 Bad Gateway error.

I read your solution but I am not sure how to implement it… I am new to self hosting so I am still learning what everything means and what to do. Would you mind directing me how and where to go to fix my problem? Thank you!

Go to your HA logs; there you can find the error and the IP address. Next, edit your configuration.yaml and add that IP address to the http: section under trusted_proxies.

3 Likes

Hi @Mediacj I got the IP address and made the changes to my configuration.yaml:
Screen Shot 2022-07-09 at 3.33.57 PM

But I’m getting this error message when I try to restart HA:
Screen Shot 2022-07-09 at 3.31.48 PM

I’m sure I must have entered the code wrong but I have no idea what exactly I did wrong. This is the first time I’ve actually edited a yaml file.

Any help would be appreciated! :slight_smile:

1 Like

I fixed it by entering this code instead:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 10.1.10.2


Found it in this thread: https://community.home-assistant.io/t/reverse-proxy-error/312936/42

7 Likes

So as mentioned above I can access the HA web UI now. However, I cannot connect with the iOS app (via Cloudflare tunnel web address):

Any idea why it won’t let me use http://ha.MyDomain.com/ to log in via the app?

@VeniceNerd did you find a solution?

I also had problems with the integration. From just working it went to just not working.
After some time of struggling I decided to reinstall the integration, and also in CF delete any settings and redo them according to the manual. And it magically worked again.

Did you solve your problem? @redstormsju

Thank you very much, it worked for me. :ok_hand:

1 Like

Just wanted to say thanks for this!

In my scenario I had both an IPv4 and an IPv6 address in my logs… I added both to the trusted proxies section of my configuration.yml and restarted. I was good to go after that!

1 Like

Brilliant find, that 1 line “use_x_forwarded_for: true”, was the one that got it working for me.

I’m having the same issue. Which yaml file am I accessing, because my yaml file for Cloudflare looks nothing like yours?

I don’t see anything in my logs

tried that

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.2.16      # Add the IP address of the proxy server
#    - 172.30.33.0/24  # You may also provide the subnet mask

and face

Logger: homeassistant.components.websocket_api.http.connection
Source: components/websocket_api/commands.py:230
Integration: Home Assistant WebSocket API (documentation, issues)
First occurred: 7:02:17 PM (1 occurrences)
Last logged: 7:02:17 PM

[140383316075968] Cannot quick reload all YAML configurations because the configuration is not valid: Integration error: trusted_proxies - Integration 'trusted_proxies' not found. Integration error: use_x_forwarded_for - Integration 'use_x_forwarded_for' not found.
Traceback (most recent call last):
  File "/usr/src/homeassistant/homeassistant/components/websocket_api/commands.py", line 230, in handle_call_service
    await hass.services.async_call(
  File "/usr/src/homeassistant/homeassistant/core.py", line 2035, in async_call
    response_data = await coro
                    ^^^^^^^^^^
  File "/usr/src/homeassistant/homeassistant/core.py", line 2072, in _execute_service
    return await target(service_call)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/src/homeassistant/homeassistant/helpers/service.py", line 986, in admin_handler
    await result
  File "/usr/src/homeassistant/homeassistant/components/homeassistant/__init__.py", line 342, in async_handle_reload_all
    raise HomeAssistantError(
homeassistant.exceptions.HomeAssistantError: Cannot quick reload all YAML configurations because the configuration is not valid: Integration error: trusted_proxies - Integration 'trusted_proxies' not found.
Integration error: use_x_forwarded_for - Integration 'use_x_forwarded_for' not found.
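An added example, not part of the original thread: Home Assistant reports "Integration '…' not found" for a top-level key in configuration.yaml that it cannot map to an integration, which is what happens when `use_x_forwarded_for` and `trusted_proxies` lose their indentation under `http:`. The line-based check below (a hypothetical helper, not a Home Assistant tool, and not a full YAML parser) flags that case and also validates the proxy entries; both sample files are constructed.

```python
import ipaddress
import re

HTTP_ONLY_KEYS = {"use_x_forwarded_for", "trusted_proxies"}

def lint_http_block(text):
    """Return a list of problems found in configuration.yaml-style text."""
    problems, proxies = [], []
    top, in_proxy_list = None, False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()        # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        body = line.strip()
        key = re.match(r"([A-Za-z_]+)\s*:", body)
        if indent == 0 and key:
            top, in_proxy_list = key.group(1), False
            if top in HTTP_ONLY_KEYS:
                problems.append(f"line {n}: '{top}' is at top level; "
                                "indent it under 'http:'")
        elif key:
            in_proxy_list = top == "http" and key.group(1) == "trusted_proxies"
        elif body.startswith("- ") and in_proxy_list:
            proxies.append((n, body[2:].strip()))
    for n, value in proxies:
        try:
            ipaddress.ip_network(value, strict=False)
        except ValueError:
            problems.append(f"line {n}: '{value}' is not an IP address or CIDR range")
    return problems

# Constructed sample: indentation lost, so both options become top-level keys.
FLATTENED = """http:
use_x_forwarded_for: true
trusted_proxies:
- 10.1.10.2
"""

# Constructed sample: correct nesting, but one entry is not a valid address.
NESTED = """http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.2.16      # address of the proxy
    - 192.168.2         # truncated entry
"""

if __name__ == "__main__":
    for name, sample in (("FLATTENED", FLATTENED), ("NESTED", NESTED)):
        print(name, lint_http_block(sample))
```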

Thank you very much to everyone, with the help of this discussion I came to a solution, although I do not know if my solution is legal in terms of information security.

http:
  use_x_forwarded_for: true
  trusted_proxies:
      - 127.0.0.1