I recently moved my domain to Cloudflare and enabled their proxy network (note: not using tunnels, just the proxied DNS). Everything seemed fine, until I tried to log in to Home Assistant from work.
The auth process is disrupted in some way by going through Cloudflare. On my phone (companion app), which was already authenticated, everything works fine both on LAN and WAN. From work, where I was not logged in, I get the login page like normal, but after entering username/password/OTP, I just get the "Unable to connect to Home Assistant. Retrying in 60 seconds..." screen infinitely.
Sometimes, there is an HTTP 400 error in response to the query to auth/token, but sometimes not. Either way, it just never works no matter how many retries I make. In the Home Assistant logs, I have failed login attempts:
WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from [work ip address]. Requested URL: '/auth/token'. (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0)
The connection goes Client -> Cloudflare -> Nginx Proxy Manager -> Home Assistant
Proxy is set up correctly and always worked before:
http:
  use_x_forwarded_for: true
  trusted_proxies:
    # DOCKER
    - 172.17.0.0/24
    # CLOUDFLARE
    - 173.245.48.0/20
    ...
    - 131.0.72.0/22
Every attempt to search for help comes back with topics on using tunnels (irrelevant) or adding the trusted_proxies (already done; work IP address in the logs confirms that).
I’m hoping someone has configured this before and knows what step I’m missing. (Or, is there a bug in Home Assistant that this is revealing?)
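An added example, not part of the original post and not Home Assistant's own code: a generic right-to-left X-Forwarded-For walk over the three ranges visible in the post, showing why the real client address appears in a log only when every hop in the Client -> Cloudflare -> Nginx Proxy Manager chain is trusted. All addresses passed in are constructed sample values, and `resolve_client_ip` is a hypothetical helper name.

```python
import ipaddress

# Ranges copied from the post's trusted_proxies; the elided "..." entries
# are deliberately not filled in.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in (
    "172.17.0.0/24",    # DOCKER (Nginx Proxy Manager side)
    "173.245.48.0/20",  # CLOUDFLARE
    "131.0.72.0/22",    # CLOUDFLARE
)]


def is_trusted(addr):
    """True if addr falls inside one of the trusted proxy networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def resolve_client_ip(peer, x_forwarded_for):
    """Pick the address a request should be attributed to (hypothetical helper).

    peer is the TCP peer address; x_forwarded_for is the raw header value.
    The header is honoured only when the peer is itself a trusted proxy, and
    it is read right to left so entries a client prepends never win.
    """
    if not is_trusted(peer) or not x_forwarded_for:
        return peer
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not is_trusted(hop):
                return hop  # first hop not vouched for by a trusted proxy
        except ValueError:
            return peer  # malformed entry: fall back to the TCP peer
    return hops[0] if hops else peer  # every hop trusted: leftmost entry


if __name__ == "__main__":
    # Constructed samples: 203.0.113.7 = client, 173.245.48.10 = Cloudflare
    # edge, 172.17.0.2 = Nginx Proxy Manager container.
    print(resolve_client_ip("172.17.0.2", "203.0.113.7, 173.245.48.10"))
    # A Cloudflare edge outside the listed ranges is reported as the "client".
    print(resolve_client_ip("172.17.0.2", "203.0.113.7, 198.51.100.20"))
```

If a log line shows a proxy address instead of the client address, the range covering that proxy is the one missing from the list.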