Cloudflare - 400 Bad Request error

CF Tunnel was working perfectly for a long time, but suddenly ran into an issue where it simply broke after years of it working properly. In the CF Tunnel logs I was getting Error 400, and in HA logs saw this:

Logger: homeassistant.components.http.forwarded
Source: components/http/forwarded.py:125
Integration: HTTP (documentation, issues)
First occurred: March 1, 2024 at 3:41:29 PM (1182 occurrences)
Last logged: 9:21:34 AM

Received X-Forwarded-For header from an untrusted proxy 192.168.1.1

I included 192.168.1.1/32 as a trusted proxy, and I am still getting the login error "unable to connect to Home Assistant".

When I use a different browser (Firefox or Edge), I am able to get the login prompt, but after entering 2FA, it fails. The CF Tunnel logs show the 400 bad request and I get a failed login attempt logged in HA.

Just letting you know, I had the same issues you were having (exactly the same with the error and different browser and CF tunnels). After trying all sorts of IP addresses including 0.0.0.0/0 under the trusted proxy, I finally got it to work by actually restarting Home Assistant, not just reloading the YAML file. I got it to work with just 192.168.1.1 and ::1 under the trusted_proxies and a full restart of HA (probably don't need ::1 but I left it anyways). I know it said to restart HA in the docs but for some reason I thought just reloading the YAML files would be enough…clearly not. All working now.


Was trying to access via my tunnel today and I get 400, bad request. Not sure why, other stuff in my tunnel works fine, only HA gives 400. This is the configuration.yaml setting that has worked before:

# Allows proxy traffic from cloudflared tunnel
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.31.0.2

Edit:

Checked my HA logs and a new IP was shown to be blocked. Added it to my configuration yaml and now it works. :slight_smile:


thanks. full restart worked for me too.

I’m glad that I found this topic :slight_smile:

I moved from Cloudflared HA addon to a Cloudflared container in Docker/Portainer. After everything was set up, I got Bad Request: 400 error.

Adding Docker’s IP address in the configuration.yaml fixed the issue. So from:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24

to

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24
    - 192.168.1.101/32

Hopefully it will save somebody’s ass :wink: Cheers!


@KLU Any chance this coincided with Cloudflare 5.1.15 update as well? I have pretty much done the same as you, but once I update to the latest Cloudflare Add on in HA, I then get the Bad Request, roll it back to 5.1.3, and the issue goes away. For us simpletons, what’s the purpose of the “/32” at the end and how did you know it was 32?

EDIT: I did your proposal, updated to 5.1.15 and it works. However if I refresh my window, I get the Home Assistant symbol and this message

" Unable to connect to Home Assistant.

Retrying in 56 seconds…

RETRY NOW"

If I click “Retry now”, it works, if I refresh the page again, I get the same issues. Never had this before, any ideas why this is suddenly starting to happen?

Hello, I pasted the command but it still gives me the same 400 error, this is how my configuration file is

# Loads default set of integrations. Do not remove.
default_config:

# Load frontend themes from the themes folder
frontend:
  themes: !include_dir_merge_named themes

automation: !include automations.yaml
script: !include scripts.yaml
scene: !include scenes.yaml

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24  # (what IP do I put here and how do I get it)
    - 192.168.1.101/32  # (what IP do I put here and how do I get it)

Thank you very much


http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24
    - 173.245.48.0/20
    - 103.21.244.0/22
    - 103.22.200.0/22
    - 103.31.4.0/22
    - 141.101.64.0/18
    - 108.162.192.0/18
    - 190.93.240.0/20
    - 188.114.96.0/20
    - 197.234.240.0/22
    - 198.41.128.0/17
    - 162.158.0.0/15
    - 104.16.0.0/13
    - 104.24.0.0/14
    - 172.64.0.0/13
    - 131.0.72.0/22

Hi guys after weeks of f***ing around. In your Nginx proxy server add the following to clear the X-Forwarded-For information passed on by Cloudflare:
proxy_set_header X-Forwarded-For "";

Did you end up figuring this out? I’m also getting the “unable to connect” issue but when I hit retry it takes me to a Cloudflare bad gateway page.

You should restart Cloudflared add-on and then search in the Cloudflared log for the following line:
INF ICMP proxy will use 172.30.33.2 as source for IPv4

Looks like they’re sourcing from an IP that isn’t on their stupid list of IPv4 IPs.

172.30.33.0/24 isn’t part of this list, but it seems to be needed.

If you are using Docker with Home Assistant and Cloudflared, you just need to get the IP range of your Docker network by typing ifconfig:

br-1df1b87605fe: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.20.0.1  netmask 255.255.0.0  broadcast 172.20.255.255
        inet6 fe80::42:bbff:fe7f:e134  prefixlen 64  scopeid 0x20<link>
        ether 02:42:bb:7f:e1:34  txqueuelen 0  (Ethernet)
        RX packets 298361  bytes 60672765 (60.6 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 307158  bytes 53646867 (53.6 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

br-8829dd824f77: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.19.0.1  netmask 255.255.0.0  broadcast 172.19.255.255
        inet6 fe80::42:55ff:fece:a8cd  prefixlen 64  scopeid 0x20<link>
        ether 02:42:55:ce:a8:cd  txqueuelen 0  (Ethernet)
        RX packets 229139  bytes 33989941 (33.9 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 233004  bytes 29178041 (29.1 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:42:1f:db:55  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

You can notice that all the IPs are under 172.X.X.X. So your configuration file will look like this:

# Loads default set of integrations. Do not remove.
default_config:

# Load frontend themes from the themes folder
frontend:
  themes: !include_dir_merge_named themes

automation: !include automations.yaml
script: !include scripts.yaml
scene: !include scenes.yaml

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.0.0.0/8

I cannot believe that a full restart did the same for me. lol

I’ve been searching for a solution to the 400: Bad gateway error issue, and this solved it for me. Once I thought about it, it makes a lot of sense. Look in the log to see what causes the error, then add that IP to the configuration. Thanks @Mediacj
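
The procedure described in this thread (read the rejected proxy address from the Home Assistant log, then add it to trusted_proxies) can be scripted. The following is an added example, not part of any post here and not Home Assistant code: it extracts the rejected addresses, lists the ones no entry covers as /32 single-host entries, and reports how many addresses each entry trusts and whether it reaches outside private/loopback space. The function names and the sample log are constructed for illustration.

```python
import ipaddress
import re

# Message format taken from the Home Assistant log quoted in this thread.
UNTRUSTED_RE = re.compile(r"untrusted proxy (\S+)")

# RFC 1918 private ranges plus loopback: where a local proxy or container lives.
LOCAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128")]

# Constructed sample log lines (addresses reused from the posts above).
SAMPLE_LOG = """\
Received X-Forwarded-For header from an untrusted proxy 192.168.1.1
Received X-Forwarded-For header from an untrusted proxy 172.30.33.2
Received X-Forwarded-For header from an untrusted proxy 192.168.1.1
"""

def rejected_proxies(log_text):
    """Distinct proxy addresses the log reports as untrusted, first seen first."""
    found = []
    for match in UNTRUSTED_RE.finditer(log_text):
        ip = ipaddress.ip_address(match.group(1))
        if ip not in found:
            found.append(ip)
    return found

def is_local(net):
    """True if every address in net is private or loopback."""
    return any(net.version == r.version and net.subnet_of(r) for r in LOCAL_RANGES)

def audit(trusted_proxies, log_text):
    """Compare trusted_proxies entries with the proxies the log shows rejected."""
    nets = [ipaddress.ip_network(entry, strict=False) for entry in trusted_proxies]
    return {
        # Rejected proxies no entry covers, written as single-host networks (/32).
        "missing": [str(ipaddress.ip_network(ip)) for ip in rejected_proxies(log_text)
                    if not any(ip in net for net in nets)],
        # Entries that also trust addresses outside private/loopback space.
        "non_local": [str(net) for net in nets if not is_local(net)],
        # How many addresses each entry trusts: /32 is one host, /24 is 256.
        "sizes": {str(net): net.num_addresses for net in nets},
    }

if __name__ == "__main__":
    for cfg in (["172.30.33.0/24"], ["172.30.33.0/24", "192.168.1.1/32"], ["172.0.0.0/8"]):
        print(cfg, audit(cfg, SAMPLE_LOG))
```

Home Assistant only picks up a changed trusted_proxies list after a full restart, as several posts above found.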

I am here to prevent anyone from needing to be just as frustrated as I was for the past hour. To make this work you have to copy this command into the configuration.yaml:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - whatever IP you are using

You need to have precisely 2 blank spaces after the http: in the configuration file. As soon as ChatGPT told me this I copied it with the 2 spaces, saved the file, rebooted HA and finally it worked.

But please, whoever thought of this being a good idea?