Configuration.yaml... can there be multiple trusted proxy IPs?

Greetings… like many of you, I use a NAS to host a virtual machine for Home Assistant. I happen to use a Synology NAS, and it has two physical network ports.

When I look into the Virtual Machine Manager in Synology, there doesn’t appear to be a way to change the settings to say I only want the VMs to be accessible over one of those two physical network ports… it’s all or nothing.

Further, it doesn’t appear that I can set the individual VM to use a specific physical network port either.

This really isn’t an issue most of the time, so much an inconvenience, but I have to choose one of those physical ports (IP addresses) in my configuration.yaml “trusted proxies” line. I can reboot the VM… no problem. I can reboot the Synology… no problem. But once in a while, when I update the Synology OS, the physical port that the Home Assistant VM is using (LAN1 vs. LAN2, or vice versa) flips on me. I don’t even realize it until I try to access Home Assistant remotely via my subdomain (ha.mydomain.com), to find that it has stopped working.

Although I’m very familiar with this by now, and it’s not really an issue to go into the configuration.yaml file and change the trusted proxy from one IP to the other, I’ve recently tried to put two IP entries in there, and it doesn’t work.

The HTTP section of my configuration.yaml file currently looks like this, and works great:

http:
use_x_forwarded_for: true
trusted_proxies: 192.168.xx.xx
server_port: 8123

(Yes, I have a full IP address in there that works… xx is just for this display.)

I have found documentation that looks like I should be able to do it, per below. But it doesn’t work:

http:
use_x_forwarded_for: true
trusted_proxies:
  - 192.168.xx.01
  - 192.168.xx.02
server_port: 8123

So… my seemingly simple question, just out of convenience alone… is there anyone that is doing this successfully, showing Home Assistant that it could conceivably use either of two addresses as a trusted proxy?

Thanks in advance for your help!

Please ensure your code snippets show correct indentation. The code you’d pasted above will not work with that indentation.

Also note there is no need to conceal private IP addresses. My HA host is 192.168.1.7, for example.

Why the leading zeros in the IP addresses? Try:

trusted_proxies:
  - 192.168.xx.1
  - 192.168.xx.2

This is one of my most popular posts, so I’d suggest the multiple address thing works:

I very much appreciate the quick response, @Troon! I get the private IP advice… and the leading zeros are just a habit on my numbering filenames, etc. I understand those are not needed.

That said, the documentation your article links to, the general documentation for the HTTP configuration, shows this:

You’re saying to take out the dashes before the IP addresses?

Should it then look like this:

trusted_proxies:
  192.168.1.1
  192.168.1.2

It’s really paranoid to hide non-routable IP addresses like 192.168.0.0/16, you know.
Same goes for 172.16.0.0/12 and 10.0.0.0/8: they are never reachable by anything other than your local network.

Just sayin… :wink:

2 Likes

I get it. It’s an over-abundance of paranoid caution on my part.

No, the zeroes in the final octets. You had .01 and .02 before. You say:

I’m suggesting they may actually be causing a problem, and it would be a good first step to remove them.

@Troon, I see what you’re saying. Sorry for the confusion. I did not have leading zeros in my configuration.yaml file, however, when I tried the dual address method. That said, I’m remiss with my own stupidity… I think I had this correct, and then tested incorrectly to get a bad result.

I just re-added as the documentation shows, and it’s working perfectly.

Sometimes it’s just saying something out loud and having someone answer to realize your own stupid mistakes. Thanks for entertaining my folly. :smiley:

  • Illinoid
2 Likes

Second time I’ve posted this today:

1 Like
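
An added example, not part of the thread and not Home Assistant's own code: a simplified Python model of how the `trusted_proxies` shapes discussed above behave once the YAML is loaded, using the standard `ipaddress` module. It assumes each entry is a single address or CIDR network and that a forwarded header arriving from an unlisted proxy is refused; `LAN1`, `LAN2` and `203.0.113.7` are constructed placeholder values.

```python
import ipaddress

def parse_trusted_proxies(value):
    """Return (networks, errors) for a trusted_proxies value as loaded from YAML."""
    entries = value if isinstance(value, list) else [value]  # scalar or list
    networks, errors = [], []
    for raw in entries:
        text = str(raw).strip()
        host = text.split("/")[0]
        # Leading zeros ("192.168.1.01") are ambiguous (octal or decimal?), so flag them.
        if ":" not in host and any(len(o) > 1 and o[0] == "0" for o in host.split(".")):
            errors.append(f"{text!r}: leading zero in an octet")
            continue
        try:
            networks.append(ipaddress.ip_network(text))
        except ValueError as exc:
            errors.append(f"{text!r}: {exc}")
    return networks, errors

def resolve_client(peer, forwarded_for, networks):
    """Return the client address, or None when the header must be refused."""
    def trusted(addr):
        return any(addr in net for net in networks)
    peer_addr = ipaddress.ip_address(peer)
    if forwarded_for is None:
        return peer_addr                 # direct connection, no header to evaluate
    if not trusted(peer_addr):
        return None                      # header from an unlisted proxy: refuse
    hops = [ipaddress.ip_address(h.strip()) for h in forwarded_for.split(",")]
    for hop in reversed(hops):           # nearest hop first
        if not trusted(hop):
            return hop                   # first address that is not a listed proxy
    return hops[0]

# Constructed sample values; the addresses are placeholders, not from the thread.
LAN1, LAN2 = "192.168.1.10", "192.168.1.11"
CASES = {
    "single scalar": LAN1,
    "list with dashes": [LAN1, LAN2],
    "no dashes (YAML folds the lines into one string)": f"{LAN1} {LAN2}",
    "leading zeros": ["192.168.1.01", "192.168.1.02"],
}

if __name__ == "__main__":
    for label, value in CASES.items():
        nets, errs = parse_trusted_proxies(value)
        for proxy in (LAN1, LAN2):
            got = resolve_client(proxy, "203.0.113.7", nets)
            print(f"{label:50} via {proxy}: {got}  errors={errs}")
```

Only the list form yields a client address through either proxy interface; listing individual addresses rather than a whole subnet keeps the set of hosts allowed to supply `X-Forwarded-For` as small as possible.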