I am using HomeAssistant behind a load balancer for SSL offloading. This means that HA always sees the client connecting from its local subnet, regardless of whether the real client is actually on the local network or connecting via the internet.
Thus, my user list is currently exposed on the login page visible to the internet, which is undesirable.
Is there a way for me to disable this?
Does your load balancer have the ability to pass the X-Real-IP and/or the X-Forwarded-For header? Did you add your load balancer as a trusted proxy?
Ref: HTTP - Home Assistant (home-assistant.io)
I use nginx and it recognizes the correct external IP address.
First battle is trying to locate & edit the correct configuration.yaml
Took me forever when I first set up HA to find the correct file and now having the same nightmare!
Running the disk image on Hyper-V - I’ve checked:
/config/configuration.yaml
/homeassistant/configuration.yaml
Neither one seems to be the correct file.
Can someone remind me, please?
configuration.yaml is the file you need. Also, your proxy will need to pass the headers mentioned by JOHLC.
In fact, this new feature seems to have been added without proper security considerations as it discloses the users even if HA is on a private subnet and the client is on another private subnet. See the other post on this and a related GitHub issue.
Thanks for the GitHub link. For the time being, I’ve limited access to HA through my load balancer to RFC1918 sources only.
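The trusted-proxy handling discussed in this thread, as an added example that is not part of any post and is not Home Assistant's own code: a simplified model of how an application behind a load balancer resolves the client address from X-Forwarded-For, and why it sees an RFC1918 address when the proxy is not listed as trusted. The function names and all addresses are constructed for illustration, and "local" is modeled here as RFC1918 membership, which is an assumption.

```python
import ipaddress

# Home Assistant exposes this behaviour through the http: options
# use_x_forwarded_for and trusted_proxies; the logic below is a simplified
# model written for this example, not Home Assistant's implementation.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def effective_client_ip(peer_ip, xff_header, trusted_proxies):
    """Return the address an application should treat as the client.

    peer_ip: address of the TCP peer; xff_header: X-Forwarded-For value or
    None; trusted_proxies: list of proxy addresses or CIDR networks.
    Raises ValueError on a malformed hop instead of guessing.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_trusted(ip):
        return any(ip in net for net in trusted)

    peer = ipaddress.ip_address(peer_ip)
    # A header sent by anything other than a trusted proxy is client-controlled
    # input, so it is ignored and the socket peer is used.
    if not xff_header or not is_trusted(peer):
        return peer
    hops = [ipaddress.ip_address(h.strip()) for h in xff_header.split(",")]
    # Proxies append on the right, so walk right to left and stop at the first
    # address that is not one of our own proxies.
    for hop in reversed(hops):
        if not is_trusted(hop):
            return hop
    return hops[0]  # every hop was a trusted proxy


def in_rfc1918(ip):
    """True if ip falls in one of the RFC1918 private ranges."""
    return any(ip in net for net in RFC1918)


if __name__ == "__main__":
    lb = "192.168.1.10"        # constructed load balancer address
    client = "203.0.113.7"     # constructed internet client address
    for proxies in ([], [lb]):
        ip = effective_client_ip(lb, client, proxies)
        print(f"trusted_proxies={proxies}: client={ip} rfc1918={in_rfc1918(ip)}")
```

A client on a different private subnet still resolves to an RFC1918 address after the header is honoured, so the trusted-proxy setting alone does not separate it from the local network.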