HA with Traefik and Basic Auth

Hi,

I run HassIO on a Raspberry Pi and have Traefik running in Docker on another server. I am trying to expose HA via Traefik with TLS and basic auth to add some extra security.
I have the following config:

http:
  routers:
    homeassistant:
      rule: Host(`ha.mydomain.com`)
      service: homeassistant
      middlewares: homeassistant
      tls:
        certresolver: le

  services:
    homeassistant:
      loadBalancer:
        servers:
          - url: http://192.168.1.125:8123

  middlewares:
    homeassistant:
      basicAuth:
        users:
          - userid:$apr1$479ks6qd$OTR/QB8Po8zHFBgJZdn4a0

When using the WebUI I can log in, but some features don’t work, like:

  • Sensor card doesn’t load in lovelace
  • Map doesn’t load
  • History doesn’t work
  • Supervisor doesn’t work properly (getting the basic auth dialog again)
  • Logbook doesn’t work

With the Android App I can’t even log in with https://userid:<password>@ha.mydomain.com

Has anyone solved this?
I have seen some old discussions but no solutions.

Although it’s iOS, my comments here should be fairly representative of Android too. The basic gist is that we need the Authorization header (where basic auth is put) for other things, so we can’t support basic auth. That’s why you’re also seeing issues with the frontend doing so.


@zacwest that is a pity. I think many users of HA have a web proxy with TLS termination etc., and for apps like HA I really would like an additional layer of security with basic auth.
2FA with HA could be fine, but when on a trusted zone (my internal network) I would like to have UserId/Password.

I was really confused by this request, since basic auth is pretty weak compared to the 2FA HA supports natively. But reading it and the linked GitHub issue I understand now: it’s really the ability to carefully control which clients are even allowed to connect to HA at all.

Given that, my personal preference would be a way to upload a client certificate for the app to use when connecting. Then I can simply use mTLS in my reverse proxy. Plus I think the concerns with basic auth would be entirely mitigated with that approach:

  1. Doesn’t use the Authorization header so HA can keep doing what it does with it
  2. Works fine with websockets

[EDIT] The obvious downside to this approach is you won’t be able to connect to HA at all using the browser. But I feel like that’s an acceptable trade-off, especially since I can make a LAN-only route to HA that doesn’t require a client certificate. I personally have no issue with saying that you can only connect to my HA from outside my network with apps I have specifically allowed by giving them a certificate.
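The client-certificate setup described in this last post, written out as a Traefik v2 dynamic (file-provider) configuration. This is an added example, not config from the thread or from the Home Assistant or Traefik projects; the CA file path, the `ha-lan.mydomain.com` hostname and the 192.168.1.0/24 LAN range are assumptions. Traefik selects TLS options by SNI hostname, so the LAN route that skips the client certificate must use a different hostname than the mTLS route.

```yaml
# Added example (assumptions: CA path, LAN hostname, LAN subnet).
# The basicAuth middleware from the original post is dropped entirely:
# HA's frontend and mobile apps send their own "Authorization: Bearer"
# tokens, which a Basic Auth middleware rejects (history, logbook, app login).
tls:
  options:
    # Only clients presenting a certificate signed by our private CA
    # may complete the TLS handshake on the Internet-facing hostname.
    ha-mtls:
      minVersion: VersionTLS12
      clientAuth:
        caFiles:
          - /certs/ha-client-ca.pem        # assumed path to the private CA
        clientAuthType: RequireAndVerifyClientCert

http:
  routers:
    # Internet-facing route: mutual TLS, no credential in the Authorization header.
    homeassistant-mtls:
      rule: Host(`ha.mydomain.com`)
      service: homeassistant
      tls:
        certResolver: le
        options: ha-mtls

    # LAN-only route on a separate hostname (assumed): no client certificate,
    # reachable only from the internal subnet, so browsers still work at home.
    homeassistant-lan:
      rule: Host(`ha-lan.mydomain.com`) && ClientIP(`192.168.1.0/24`)
      service: homeassistant
      tls:
        certResolver: le

  services:
    homeassistant:
      loadBalancer:
        servers:
          - url: http://192.168.1.125:8123
```

Each mobile app then gets its own certificate issued from the private CA, so access from outside the LAN can be revoked per device without touching HA's own user accounts.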