Failed attempted login warning, incorrect IP address

FutureTense · May 9, 2019, 6:56pm

I get these from time to time, and it’s usually due to me using the wrong password. However I got a notice a few hours ago and it was definitely not me.

But the IP address it shows is always an internal network address. I’m using docker and Traefik for reverse proxy. Is there a way to actually get the “true” ip that was attempting a login? Be it a device on my network that has a DHCP assigned address or a WAN IP address.

Pinging @DavidFW1960 as he knows his docker stuff and probably has some insights.

Silicon_Avatar · May 9, 2019, 7:05pm

Yes, take a look at the HTTP component docs, with a close look at the use_x_forwarded_for flag. Set that to True.
Also look at the trusted_proxies flag, since you will have to add your reverse proxy server to this list.

Finally, you’ll have to make sure your reverse proxy is forwarding the original IP. I’m not sure about Traefik, but for nginx, the config is something like this:

proxy_set_header  X-Real-IP $remote_addr;
proxy_set_header  X-Forwarded-For $remote_addr;
proxy_set_header  X-Forwarded-Host $remote_addr;
real_ip_header X-Real-IP;
real_ip_recursive on;

Dixey · May 9, 2019, 7:06pm

I’ve seen the same. It just started with HA 0.92.x with me. It appears to happen when I reboot my server but leave my browser open waiting for a reconnect.

DavidFW1960 · May 9, 2019, 11:18pm

Like @Silicon_Avatar said, xforwardedfor and trusted proxies as well as the authenticated custom component is what I use.

rossiluis22 · November 24, 2019, 9:57am

Did you find any solution? I’m facing the same problem

scote · December 1, 2019, 10:27pm

The trusted_proxies list which servers are allowed to forward those headers and have them reported. So whatever the “wrong” ip address you get reported you must configure as a trusted proxy and add these to your reverse proxy config, well actually I think its only the X-Forwarded-For which is what HA uses.

proxy_set_header  X-Real-IP $remote_addr;
proxy_set_header  X-Forwarded-For $remote_addr;
proxy_set_header  X-Forwarded-Host $remote_addr;
real_ip_header X-Real-IP;
real_ip_recursive on;

I was confused about this because with the hassio addon for nginx reverse proxy was running on the same machine. so I try to use the main ip address, and loopback, but nginx communicate through one of the internal docker addresses 172...* so I add that to trusted_proxies and then disconnect from wifi on my mobile and try to login with incorrect credentials, then the correct ip address appears in the notification, do whois on it and it comes up as my mobile provider which is correct.

FutureTense · January 20, 2020, 8:28pm

I had a hell of a time getting this working with my docker setup. I’m not even certain it is working 100% of the time. My network is 172.16.68.X/24. I think the trick was specifying the pihole_sub (at the bottom of the docker compose)

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.68.0.87

docker-compose.yaml


 #network stack
version: "3.7"
services:

  openvpn:
    container_name: openvpn
    image: kylemanna/openvpn:latest
    ports:
      - 1194:1194/udp
    cap_add:
      - NET_ADMIN
    volumes:
      - ${USERDIR}/stacks/network/openvpn:/etc/openvpn
    depends_on:
      - pihole
    restart: unless-stopped      
    networks:
      pihole_sub:
        ipv4_address: 172.68.0.99

  pihole:
    container_name: pihole
    domainname: docker
    hostname: pihole
    image: pihole/pihole:latest #4.2.1
    depends_on:
      - traefik
    dns:
      - 127.0.0.1
      - 1.1.1.1
    ports:
      - 53:53/tcp
      - 53:53/udp
      - 1969:80
      - 8183:443
    restart: unless-stopped
    networks:
      pihole_sub:
        ipv4_address: 172.68.0.2
      default:
    cap_add:
      - NET_ADMIN
    volumes:
      - ${USERDIR}/stacks/network/pihole/pihole:/etc/pihole
      - ${USERDIR}/stacks/network/pihole/dnsmasq.d:/etc/dnsmasq.d
      - ${USERDIR}/stacks/network/pihole/scripts:/etc/scripts
    extra_hosts:
      - mariadb:${SERVER_IP}
      - pihole.${DOMAINNAME}:${SERVER_IP}
      - esphome.${DOMAINNAME}:${SERVER_IP}
      - homeassistant.${DOMAINNAME}:${SERVER_IP}
      - c9.${DOMAINNAME}:${SERVER_IP}
      - portainer.${DOMAINNAME}:${SERVER_IP}
      - sonarr.${DOMAINNAME}:${SERVER_IP}
      - radarr.${DOMAINNAME}:${SERVER_IP}
      - plex.${DOMAINNAME}:${SERVER_IP}
      - traefik.${DOMAINNAME}:${SERVER_IP}
      - docker.${DOMAINNAME}:${SERVER_IP}
      - qbittorrent.${DOMAINNAME}:${SERVER_IP}
      - phpmyadmin.${DOMAINNAME}:${SERVER_IP}
      - monitora:172.16.68.41
      - cp1:172.16.68.9
      - isy:172.16.68.40
      - tplink:172.16.68.15
    environment:
      - ServerIP=${SERVER_IP}
      - PROXY_LOCATION=pihole
      - VIRTUAL_HOST=pihole.${DOMAINNAME}
      - VIRTUAL_PORT=80
      - TZ=${TZ}
      - WEBPASSWORD=${PIHOLE_PASSWORD}
      - DNS1=1.1.1.1
      - DNS2=1.0.0.1
    restart: unless-stopped      
    labels:
      - traefik.frontend.rule=Host:pihole.${DOMAINNAME}
      - traefik.enable=true
      - traefik.frontend.headers.SSLRedirect=true
      - traefik.port=80
      
  portainer:
    image: portainer/portainer:latest #1.20.2
    container_name: portainer
    restart: always
    command: -H unix:///var/run/docker.sock
    ports:
      - 9999:9000
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ${USERDIR}/stacks/network/portainer/data:/data
    environment:
      - TZ=${TZ}
    networks:
      - traefik_proxy
    labels:
      - traefik.frontend.rule=Host:portainer.${DOMAINNAME}  
      - traefik.enable=true
      - traefik.frontend.headers.SSLRedirect=true

  traefik:
    hostname: traefik
    image: traefik:1.7 #1.7-alpine
    container_name: traefik
    restart: unless-stopped
    domainname: ${DOMAINNAME}
    depends_on:
      - cloudflare-ddns
    networks:
      traefik_proxy:
      pihole_sub:
        ipv4_address: 172.68.0.87
    ports:
      - 80:80
      - 443:443
      - 8080:8080
    environment:
      - CLOUDFLARE_EMAIL=${CLOUDFLARE_EMAIL}
      - CLOUDFLARE_API_KEY=${CLOUDFLARE_API_KEY}
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /tmp:/tmp
      - ${USERDIR}/stacks/network/traefik:/etc/traefik
    labels:
      - traefik.frontend.rule=Host:traefik.${DOMAINNAME}  
      - traefik.port=8080
      - traefik.enable=true
      - traefik.frontend.headers.SSLRedirect=true
      - traefik.frontend.headers.STSIncludeSubdomains=true
      - traefik.frontend.headers.STSPreload=true
      - traefik.frontend.headers.frameDeny=true

  cloudflare-ddns:
    image: oznu/cloudflare-ddns:latest #amd64     # change 'latest' to 'armhf' or 'aarch64' if running on an arm device
    container_name: cloudflare-ddns
    restart: unless-stopped
    environment:
      - EMAIL=${CLOUDFLARE_EMAIL}
      - API_KEY=${CLOUDFLARE_API_KEY}
      - ZONE=${DOMAINNAME}
      - PROXIED=false

  cloudflare-ddns-wc:
    image: oznu/cloudflare-ddns:latest #amd64     # change 'latest' to 'armhf' or 'aarch64' if running on an arm device
    container_name: cloudflare-ddns-wc
    restart: unless-stopped
    environment:
      - EMAIL=${CLOUDFLARE_EMAIL}
      - API_KEY=${CLOUDFLARE_API_KEY}
      - ZONE=${DOMAINNAME}
      - SUBDOMAIN=*
      - PROXIED=false

  cloud9:
    image: sapk/cloud9:latest
    container_name: cloud9
    restart: unless-stopped
    ports:
      - 8181:8181
    environment:
      - C9_WORKSPACE=/workspace
    volumes:
      - ${USERDIR}/:/workspace
    command: --auth ${CLOUD9_AUTH}
    labels:
      - traefik.frontend.rule=Host:c9.${DOMAINNAME}
      - traefik.enable=true
      - traefik.frontend.headers.SSLRedirect=true

# mysql for home assistant. needs db created manually.
# https://community.home-assistant.io/t/hassbian-and-mariadb/29149
# see secrets.yaml for sql commands
  mariadb:
    image: "linuxserver/mariadb"
    container_name: "mariadb"
    hostname: mariadb
    volumes:
      - ${USERDIR}/stacks/network/mariadb:/config
    ports:
      - target: 3306
        published: 3306
        protocol: tcp
        mode: host
    restart: unless-stopped
    environment:
      - HA_DATABASE=${HA_DATABASE}
      - MYSQL_USER=${MYSQL_USER}
      - MYSQL_USER_PASSWORD=${MYSQL_USER_PASSWORD}
      - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}


# login to phpmyadmin as root.
# If error dropping database, edit the following file
#      sudo nano ~/stacks/network/phpmyadmin/libraries/config.default.php
#      and change AllowUserDropDatabase to TRUE
# execute the following:
#  DROP DATABASE homeassistant;
#  CREATE DATABASE homeassistant;
#  GRANT ALL PRIVILEGES ON homeassistant.* to 'sqluser';
  phpmyadmin:
    image: phpmyadmin/phpmyadmin
    container_name: phpmyadmin
    depends_on:
      - mariadb
    restart: unless-stopped
    links:
      - mariadb:db
    ports:
      - 9191:80
    volumes:
      - ${USERDIR}/stacks/network/phpmyadmin:/var/www/html
      - /tmp:/sessions
    labels:
      - traefik.frontend.rule=Host:phpmyadmin.${DOMAINNAME}
      - traefik.enable=true
      - traefik.frontend.headers.SSLRedirect=true

networks:
  traefik_proxy:
    external:
      name: traefik_proxy
      
  default:
    external:
      name: traefik_proxy
      
    driver: bridge
    
  pihole_sub:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 172.68.0.0/16