Error with reverse SSH tunneled HA instance

KhArtN · April 23, 2023, 7:10pm

Hello, all.
I tried to reproduce reverse SSH tunnel from topic Howto: Create a reverse SSH tunnel, with easy HTTPS at the other end, but I stuck on
Error: Invalid client id
I have HA instance of Home Assistant Operating System VMWare image, with Duck DNS add-on and it works very well on http s://sozid.duckdns.org:8123/ .
HA VM works on home server, that behind router. Router has “white” IP, not NAT. 8123 port of external IP mapped to 192.168.0.102:8123 with port forwarding on router.
I also have Terminal & SSH add-on installed with config

authorized_keys: []
password: qqqqqqq
apks:
  - autossh
server:
  tcp_forwarding: false
  packages:
    - autossh
username: root

Also I have external server with NGINX installed, that proxy request with config

location / {
proxy_pass http s://localhost:8887;
}

When I log into HA instance by SSH and run
/usr/bin/ssh -N -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o PubkeyAuthentication=yes -o PasswordAuthentication=no -i /root/config/id_rsa -R 8887:localhost:8123 [email protected]
It starts:
Warning: Permanently added ‘176.32.32.98’ (ED25519) to the list of known hosts.
When I try to open http ://176.32.32.98/
I see nginx error
# 502 Bad Gateway
and error in HA SSH console:

connect_to localhost port 8123: failed.

OKay, I tried to change SSH start to

/usr/bin/ssh -N -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o PubkeyAuthentication=yes -o PasswordAuthentication=no -i /root/config/id_rsa -R 8887:192.168.0.102:8123 [email protected]

Where 192.168.0.102 is local IP of my HA (http s://192.168.0.102:8123/lovelace/default_view works very well, I also connecting to 192.168.0.102 by SSH to start command for SSH tunnel).

After that http ://176.32.32.98/ starts to open, but redirects to

http ://176.32.32.98/auth/authorize?response_type=code&redirect_uri=http %3A%2F%2F176.32.32.98%2F%3Fauth_callback%3D1&client_id=http %3A%2F%2F176.32.32.98%2F&state=eyJoYXNzVXJsIjoiaHR0cDovLzE3Ni4zMi4zMi45OCIsImNsaWVudElkIjoiaHR0cDovLzE3Ni4zMi4zMi45OC8ifQ%3D%3D

It’s page
You’re about to give http ://176.32.32.98/ access to your Home Assistant instance.

Logging in with Home Assistant Local.
Error: Invalid client id

START OVER

So, http s://sozid.duckdns.org:8123/ and http s://192.168.0.102:8123/ work very well, but http ://176.32.32.98/ with SSH tunnel shows error.

Tell me please, how to fix that error with http ://176.32.32.98/?

KhArtN · April 25, 2023, 6:47pm

So, I figured out. So, my first mistake was that I used “Terminal & SSH” add-on instead of “SSH & Web Terminal”. After I disabled the first one and installed “SSH & Web Terminal” (addon-ssh/DOCS.md at fd483b0b8d4800d933b4dc771f4302b0c00debf6 · hassio-addons/addon-ssh · GitHub) add-on, I was able to set up init_commands add-on parameter.

I set init_commands parameter to
autossh -4 -N -M 18134 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o "PubkeyAuthentication=yes" -o "PasswordAuthentication=no" -i ~/config/id_rsa -R 8123:localhost:8123 [email protected]

Also, I changed my nginx config to

server {
            listen 8124 default_server;
            listen [::]:8124 default_server;
***************

            location / {
                       # First attempt to serve request as file, then
                       # as directory, then fall back to displaying a 404.
                       #try_files $uri $uri/ =404;
                       proxy_pass https://localhost:8123;

proxy_http_version 1.1;
proxy_set_header    Upgrade     $http_upgrade;
            proxy_set_header    Connection  "upgrade";
proxy_set_header Host $host;
            }

After that everything works fine on http://176.32.32.98:8124/