Hi,
There are many threads related to external URL issues. I tried my best but I didn’t find a thread that describes my issue. If I missed something, I am sorry, and I would be happy if someone could point me to the correct thread.
(In order to submit this post, I had to edit everything that the website could possibly interpret as link, because new users are not allowed to post more than two links, and inserted “(colon)”,“(insertion)”,“(doubleslash)”,“(dot)”,“(slash)” and spaces into the text. I actually didn’t have a single link in my post, but to quote little britain “computer says no” …)
I have a top level domain (TLD, let’s call it myTLD (dot) net, not the real URL) and host several services at home that are accessible via port 443 and are proxied via cloudflare.
Via cloudflare, I configured several subdomains (e.g. website (dot) myTLD (dot) net, homeassistant (dot) myTLD (dot) net, etc…). All subdomains point to the same TLD and cloudflare does a full (strict) SSL/TLS encryption: client–SSL–>Cloudflare–SSL–>MyOriginServer.
On my router, I opened port 443, which points to MyOriginServer on my network, which will receive all traffic from all subdomains. On this server I am running HAProxy, which does layer 7 forwarding, and forwards the traffic to different servers (backends) on my network based on the subdomain that was used.
HAProxy also does SSL offloading for (some) servers on my network, including the home assistant server. Thus the traffic to my home assistant instance within my network is unencrypted.
My HAProxy backend configurations looks like this:
backend homeassistant
ht(insertion)tp-request del-header X-Forwarded-For
server homeassistance 192(dot)168(dot)100(dot)10(colon)8123
I had to delete the X-Forwarding header (via ht (random spaces inserted) tp-request del-header X-Forwarded-For), because otherwise home assistant always returned 403 errors.
HAProxy and the home assistant server are on two different VLANs and my firewall is configured to allow traffic from HAProxy to the home assistant server on port 8123.
In home assistant (Settings>System>Network>Home Assistant URL) I set the following:
Internet: h t (dummy insertion) t ps(colon)(doubleslash) homeassistant . myTLD.net
Local Network: ht (insertion) tp (colon)(doubleslash)92 (dot)168 (dot) 100 (dot)10 (colon) 8123
When I enter ht (insertion)tps(colon)(doubleslash)homeassistant(dot)myTLD.net into my browser OR ht (insertion) tp: (doubleslash) 192 (dot) 168 (dot) 100.10 (colon)8123, I am successfully forwarded to the login screen of my home assistant instance.
However, I can’t log in via the android app, e.g. from my phone.
If I start without having home assistant set up from my local network already and then enter the internet address (ht (insertion) tps (colon) (doubleslash)homeassistant (dot) myTLD (dot) net), I am forwarded to the login screen and can enter my credentials. I enter the username and password correctly and get this:
You’re about to give ht (insertion) tps: (doubleslash) home-assistant (dot) io/android access to your Home Assistant instance.
Logging in with Home Assistant Local.
(START OVER) button
I have to start over. When I check the logs on the server, I get the following warning: ` Logger: homeassistant (dot) components.htt (insertion)p (dot)ban
Source: components (slash) ht (insertion) tp (slash)ban (dot) py (colon)80
Integration: HT (insertion) TP (documentation, issues)
First occurred: 8:39:16 PM (2 occurrences)
Last logged: 8:41:27 PM
Login attempt or request with invalid authentication from XXX(dot)XXX(dot)XXX(dot)XXX (XXX(dot)XXX(dot)XXX(dot)XXX). Requested URL: '/auth(slash) login_flow(slash) 00de49a6ee7542591dc2c7d2739dcd98'. (Mozilla (slash) 5.0 (Linux; Android 9; SM-G950F Build (slash) PPR1.180610.011; wv) AppleWebKit (slash) 537.36 (KHTML, like Gecko) Version (slash) 4.0 Chrome (slash) 112(dot)0(dot)5615(dot)136 Mobile Safari (slash) 537.36 Home Assistant (slash)2023(dot)3(dot)0-3260 (Android 9; SM-G950F)) Login attempt or request with invalid authentication from XXX(dot)XXX(dot) XXX (dot)XXX (XXX(dot)XXX(dot)XXX(dot)XXX). Requested URL: '(slash)auth (slash) login_flow(slash) 670baf068f32a6330299f14f2c56b97e'. (Mozilla(slash)5.0 (Linux; Android 9; SM-G950F Build(slash)PPR1.180610.011; wv) AppleWebKit(slash)537.36 (KHTML, like Gecko) Version(slash)4.0 Chrome(slash) 112.0.5615.136 Mobile Safari(slash)537.36 Home Assistant(slash)2023.3.0-3260 (Android 9; SM-G950F))
(The IP (XXX(dot)XXX(dot)XXX(dot)XXX) was a public IP and not the local IP of the HAProxy server)
If I preconfigure the home assistant app from my local network using the local IP, I can log in, but only if I am connected directly to the local network.
It seems like the android app has an issue, because via the web browser, it works just fine …
Also, what seems a bit strange is that it says “Home Assistant Local” when I log in via ht (insertion)tps(colon)(doubleslash)homeassistant(dot)myTLD(dot)net
… well yeah, the server is accessed via it’s local address from the HAProxy. … But does the app expect a home assistant cloud address?
Could the app fail to log in, because the X-forwarding header was deleted? However, the server log (XXX(dot)XXX(dot)XXX(dot)XXX, see above) didn’t show the local IP of the HAProxy server.
Server:
Home Assistant 2023.4.6
Supervisor 2023.04.0
Operating System 10.0
Frontend 20230411.1 - latest
Already a while ago, I tried:
I configured SSL/TLS in my local network (I installed a Let’s encrypt certificate and changed the port to 443 on the home assistant server) without SSL offloading on my HAProxy Server:
server homeassistant 192(dot)168(dot)100(dot)10 ssl verify none
I do the same for other servers/subdomains and for them it works just fine.
However, the android app complains about an SSL or IP issue for the home assistant URL/subdomain, although the client was forwarded all the way through to the home assistant server. Sorry, it has been a couple of weeks since I tried this. If it is relevant, I can reproduce it and post the exact error message/screenshot.
Anyone any idea?
Thanks a lot!