HA behind pfSense with Cloudflare

It's of little help if you have the browser to Cloudflare encrypted and then clear text on port 80 from Cloudflare to the router. That 2nd leg is most of the time more critical, as that's where they come and look at what you're up to; that's your exposure point, opening port 80 on your FW.

This works perfectly with a web site, where I come in all the way into my pfSense on port 443, and then on the inside of my network I go to port 80, or in HA's case 8123.

I will try and set my trusted proxy to the LAN address of my pfSense, let's see.

G

If you just look at your Home Assistant logs when you get a 400 bad request, it will have a line that says that it rejected a connection from an IP address (which it will tell you) which was not configured as a trusted proxy. So you will be able to figure out if it’s complaining about an internal IP address or an external one.

I'm bad at logs, where are these?
Let me look.

Asking as Configuration : Logs is not showing anything.

10.0.0.1 is the LAN IP on my modem
10.0.0.2 is the WAN IP on the pfSense

G

Your trusted proxies should be:

trusted_proxies:
    - 10.9.116.254
    - 173.245.48.0/20
    - 103.21.244.0/22
    - 103.22.200.0/22
    - 103.31.4.0/22
    - 141.101.64.0/18
    - 108.162.192.0/18
    - 190.93.240.0/20
    - 188.114.96.0/20
    - 197.234.240.0/22
    - 198.41.128.0/17
    - 162.158.0.0/15
    - 104.16.0.0/12
    - 172.64.0.0/13
    - 131.0.72.0/22

With the top address being your HAProxy address.

Meanwhile your config in HAProxy needs to have:

http-request replace-value x-forwarded-for ^ "%[hdr(x-forwarded-for)], %[src]"

Because otherwise you will have multiple x-forwarded-for headers and Home Assistant will complain.

GitHub: https://github.com/home-assistant/core/issues/40421
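As an added illustration (not the thread's or Home Assistant's own code) of why both halves above matter: a trusted-proxy walk over the X-Forwarded-For chain using the list above, assuming 10.9.116.254 as the HAProxy address, 10.0.0.2 as the pfSense WAN address from the thread, and constructed 203.0.113.5 (client) and 172.64.1.1 (Cloudflare edge) sample values.

```python
import ipaddress
from typing import List, Optional

# Trusted proxies as listed in the thread: the HAProxy LAN address first, then
# Cloudflare's published IPv4 ranges. 10.9.116.254 is the thread's HAProxy
# address; 203.0.113.5 and 172.64.1.1 used in the tests are constructed values.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in (
    "10.9.116.254",
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/12",
    "172.64.0.0/13", "131.0.72.0/22",
)]


def is_trusted(ip: str) -> bool:
    """True if ip falls inside any trusted proxy address or range."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXIES)


def resolve_client_ip(peer_ip: str, xff_headers: List[str]) -> Optional[str]:
    """Return the real client address, or None where a proxy-aware server
    should answer 400 Bad Request.

    peer_ip:     address the TCP connection was accepted from (HAProxy's LAN IP
                 when the chain is Cloudflare -> pfSense/HAProxy -> HA).
    xff_headers: every X-Forwarded-For header value received, in order.
    """
    if not xff_headers:
        return peer_ip            # direct LAN client, nothing to unwrap
    if not is_trusted(peer_ip):
        return None               # forwarded header from an untrusted peer (the 400 case)
    if len(xff_headers) > 1:
        return None               # duplicate headers: the GitHub #40421 symptom
    chain = [h.strip() for h in xff_headers[0].split(",") if h.strip()]
    # Walk from the right, dropping each hop that is one of our proxies; the first
    # address that is not ours is the client. Anything left of it was supplied by
    # the client and is never trusted, so a forged leading entry is ignored.
    for hop in reversed(chain):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None           # malformed address in the chain
        if not any(addr in net for net in TRUSTED_PROXIES):
            return hop
    return chain[0]               # every hop is a trusted proxy: leftmost wins
```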

Any idea where this must be set? I'm digging…
In the front end there was the option to enable “Use “forwardfor” option”, which I've now unticked.
Still getting an invalid certificate on mobile devices though, thinking there were 2 issues maybe, the 400 and the cert on the mobile app on the cell phone.

G

Think I found something that might be pointing to the problem,
as it seems we got the browser-based https stable.
The mobile works on a socket:

G

What is the certificate presented by Cloudflare?
If it's the Let's Encrypt one, you might encounter an issue like Home assistant Android App and Let’s encrypt certificate - Mobile Apps - Home Assistant Community (home-assistant.io)

It's the ACME-generated lets_encrypt,
but the mobile app is iOS.
G

One of the replies mentioned iPad…

PS. BTW, using ACME in place of “certificate” or “Let’s Encrypt” is not correct. ACME is just the protocol used to obtain and renew the certificates with Letsencrypt.

Chris, true… but I also mentioned that the ACME generates the lets_encrypt cert.

We're an Apple house, all the mobile devices are iOS.

Believe my problem is related to the web sockets, getting them working. Looking for a clear explanation of what to enable, how and where.

All I really want to work is the mobile device, happy to close web access to the HA site from outside.

G

If it were so, the browsers wouldn't work either.

Just following some Reddit threads that all seem to be pointing to web sockets, which seem to be handled by HAProxy differently.

G

Also found this one on GitHub, which seems to point to web sockets.

Although, as said, I can access it through a browser; the only problem now is the mobile app not working.

G

The mobile app in the connection configuration screen actually says web socket not working.

G

George, you receive an “invalid certificate” error message.
What in the name of god would make you think the problem is not a certificate one…

Because the mobile app is telling me the web socket is failing.
And the fact that from the same mobile device, accessing the URL through Safari works.
And the fact that from Safari and Firefox on other devices, accessing the URL works.

G

It may be obvious, but are you clearing the storage of the mobile app after making each of these changes?

Clearing storage on the mobile app, how would I do that?
What I have done is totally close the app.

G

I don't have an iOS device. A long press on the icon brings me to Android's settings for the app; from there I can clear the storage.

Nothing like that in iOS; the closest is a hard close of the app.

G