HA with Caddy reverse-proxy timing out with: Disconnected: Did not receive auth message within 10 seconds

Hi Dear HA community,

I am struggling a bit to fire up HASS on rpi using caddy as a reverse-proxy for it.
My Caddyfile is the following:

:80 {
proxy / {

Tried a lot of iterations and still not sure what is missing, I have also tried:

header / {
Strict-Transport-Security “max-age=31536000; includeSubdomains”
X-XSS-Protection “1; mode=block”
X-Frame-Options “DENY”
Referrer-Policy “same-origin”
proxy / <HA_IP>:8123 {
header_upstream Host {host}
header_upstream X-Real-IP {remote}
header_upstream X-Forwarded-For {remote}
header_upstream X-Forwarded-Proto {scheme}

My HA config has the following:

Uncomment this if you are using SSL/TLS, running in Docker container, etc.

login_attempts_threshold: 5

Here I have also tried a lot of things like:

ip_ban_enabled: true
login_attempts_threshold: 5
use_x_forwarded_for: true
trusted_proxies: <CADDY_IP>

I have also did a tcpdump and what I can see that the authentication looks fine and I get to the point where the browser sends the following HTTP packet :

GET /api/websocket HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept-Language: en-US,en;q=0.9
Cache-Control: no-cache
Connection: Upgrade
Cookie: wp-settings-1=editor%3Dtinymce%26libraryContent%3Dbrowse; wp-settings-time-1=1547414549
Pragma: no-cache
Sec-Websocket-Extensions: permessage-deflate; client_max_window_bits
Sec-Websocket-Key: BVOA6ZZhyfY9khwJFipKlQ==
Sec-Websocket-Version: 13
Upgrade: websocket
X-Forwarded-Proto: http
Accept-Encoding: gzip
Connection: close

However after this no response from the HASS only the error in the logs after like 20 seconds.
If the issue is the Connection: close sent by the proxy, why is it doing that ?

Thanks for your help.

1 Like

I was able to make it work with disabling HTTP/2, forcing HTTP 1.1:

  tls {
    alpn http/1.1

On the other hand I failed to successfully daisy-chain two caddy instances (one downgrading to http, the second redirecting to the right container on the host) so I pointed the front caddy HTTPS terminating instance directly to homeassistant’s IP and port.