Docker HomeAssistant and nginx-proxy


Hi

I just started with Home Assistant and have an unpleasant problem with the reverse proxy.

The main goal is that I want to access HA from outside my network via a domain URL.

I have a DIY home server. Every service is in a Docker container.

So when I added the HA container, I added an nginx host with a subdomain in the nginx-proxy container. Both containers are in the same network.

In configuration.yaml:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1 #localhost
    - 172.21.0.1 #docker_net gw
    - 172.21.0.11 #nginx-proxy hardcoded ip
    - 31.202.xxx.xxx #my external ip
  ip_ban_enabled: False
  login_attempts_threshold: 5

I have access to the main page but can’t log in; I get this message:

2020-07-31 16:19:35 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 31.202.xxx.xxx

In ./config/.storage/auth I have:

                "access_token_expiration": 1800.0,
                "client_icon": null,
                "client_id": "https://home.xxxxx.tk/",
                "client_name": null,
                "created_at": "2020-07-31T13:19:45.810914+00:00",
                "id": "7da899ddb8b744beba5bd9dfbdbde79e",
                "jwt_key": "6792fd8c25ef54af330a14dd7655a9d8b517ce36d7223340721c5e839ccb491a8e6f6a0145b0b653a19a3eb1e58a68f55c3662dexxxxxxxxxxxxx",
                "last_used_at": "2020-07-31T13:19:45.811048+00:00",
                "last_used_ip": "31.202.xxx.xxx",
                "token": "24aa12671c27a25e2270b982a3c50d86e39a10ee47f7cff6b21620899750952860b9225ef4d792a2a363fa1dc7c2d511a450ad451c6xxxxxxxxx",
                "token_type": "normal",
                "user_id": "97aeb489b50046ef8ae546axxxxx"

I don’t think your external IP should be a trusted_proxy, as traffic will not show as coming from there.

Maybe your server IP if docker

I don’t think that will help,

because my traffic, when I open the link in a browser via the URL, goes like: PC > server in local net > nginx-proxy in container > HA in container

Not sure about you, but I exposed mine with NGINX and didn’t change anything under configuration.yaml HTTP section except IP ban and thresholds:

http:
  ip_ban_enabled: false
  login_attempts_threshold: 8

As for NGINX, it’s just a basic configuration; it’s pretty much empty.
All IPs show correctly whether I am inside my network (internal IP) or outside (public IP I have assigned from whatever device or location I am accessing from).

I never had to play with the use_x_forwarded_for or trusted_proxies for the public IPs to show correctly, so I can actually see the IPs that have logged to my HA.

I have the proxy (local_host) set as a trusted proxy but I also use x_forwarded_for and so the real connecting IP address is exposed. I also then use the authenticated custom component so I can see every IP address that connects (with local IP addresses whitelisted). I use Caddy not Nginx but assume you can do the same.

I’ll simplify the configuration.

Do you also use the Docker version?

Yes, I am using this docker image in Ubuntu which already contains the database compared to the official one:

Same as @DavidFW1960, I am also using the Authenticated custom component to monitor these logins and keep track of them.

Found the problem.

At first I created a virtual machine and set up hassio on it.
After that I configured the nginx proxy to point to the VM IP address in the local network. nginx is on the old host in a Docker container.
I added trusted networks to the hassio conf.

When I open the URL I can log in, and I see a new token with successful auth in the logs, but the web page gets stuck on this URL:
https://home.tommass.tk/lovelace?auth_callbackk=1&code=896261d383c3474bk=1&code=896261d383c3474bxxxxxxxxxxxxxx

It can’t open the WebSocket for the callback because my nginx works on the Docker internal network with a 172.xxx.xx.xx IP.

Any ideas??

I had exactly the same issue. Not sure if you were able to resolve it, but I found a solution. I will post it here in case anybody else has the same issue:

Was resolved by adding these two parameters to my Nginx config:

            proxy_set_header   Upgrade          $http_upgrade;
            proxy_set_header   Connection       "upgrade";

Here is my working Nginx config:

server {
    listen       80;
    server_name  hass.lan;

    location / {
        proxy_pass         http://172.80.1.14:8123/;
        proxy_redirect     off;

        proxy_set_header   Host             $host;
        proxy_set_header   X-Real-IP        $remote_addr;
        proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
        proxy_set_header   Upgrade          $http_upgrade;
        proxy_set_header   Connection       "upgrade";
    }
}
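
How the trusted_proxies list and the X-Forwarded-For header discussed in this thread interact, as an added example that is not from any poster and is not Home Assistant's own code. It assumes the common right-to-left resolution of the header; the function name and the 203.0.113.x / 198.51.100.x addresses are constructed for illustration, while 172.21.0.11 is the nginx-proxy address from the first post.

```python
import ipaddress


def resolve_client_ip(peer_ip, xff_header, trusted_proxies):
    """Return the client address a backend behind a reverse proxy should log or ban on.

    Hypothetical helper: trusted_proxies is a list of IPs or CIDR networks.
    """
    trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def is_trusted(addr):
        return any(addr in net for net in trusted)

    peer = ipaddress.ip_address(peer_ip)
    # A header sent by a peer that is not a configured proxy is client-controlled.
    if not xff_header or not is_trusted(peer):
        return str(peer)
    try:
        hops = [ipaddress.ip_address(h.strip()) for h in xff_header.split(",")]
    except ValueError:
        return str(peer)  # malformed header: fall back to the TCP peer
    # nginx's $proxy_add_x_forwarded_for appends the address it saw on the right,
    # so walk right to left and stop at the first hop that is not a proxy.
    for hop in reversed(hops):
        if not is_trusted(hop):
            return str(hop)
    return str(hops[0])  # every hop was a trusted proxy


# Constructed sample values (documentation address ranges).
PROXY = "172.21.0.11"       # nginx-proxy container, as seen by the backend
CLIENT = "203.0.113.7"      # real visitor
FORGED = "198.51.100.9"     # value the visitor put in its own X-Forwarded-For
GOOD_LIST = ["127.0.0.1", PROXY]
BAD_LIST = GOOD_LIST + [CLIENT]  # external address wrongly listed as a proxy

if __name__ == "__main__":
    header = f"{FORGED}, {CLIENT}"  # what nginx forwards after appending
    print("proxy only trusted  :", resolve_client_ip(PROXY, header, GOOD_LIST))
    print("external IP trusted :", resolve_client_ip(PROXY, header, BAD_LIST))
    print("direct, not via nginx:", resolve_client_ip(CLIENT, "127.0.0.1", GOOD_LIST))
```

With only the proxy address trusted, the forged entry is ignored; once the external address is also listed, the resolver skips past it and accepts the forged value.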