Hass docker on public cloud, "Login attempt or request with invalid authentication" when using a Load Balancer

Hello team,

I’m testing a new setup for my hass environment, where most of it gets moved to a public cloud (Google Cloud in my case). I’ve deployed the latest (2021.6.6 as I write) and it’s working fine when I use port redirection (80 → 8123 on the host machine).

The problem comes when I put a load balancer in the path, so the setup is something like:

(Load Balancer) -> (proxy) -> Host Machine -> Docker container

No matter what I do, I get a

WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from X.X.X.X

on the backend logs and a login screen with just the hass logo and this text (because I even tried adding my public IP to the trusted networks list):

You’re about to give http://X.X.X.X/ access to your Home Assistant instance.

Logging in to Home with Trusted Networks.
Error: invalid client id or redirect uri

Where X.X.X.X is the public IP of my desktop. So apparently, use_x_forwarded_for and trusted_proxies configs are working, but I’m completely lost on how to debug further.

I’m using http (no https) and no domain on the external URL. Find below the relevant sections of my config file:

http:
  server_host: 0.0.0.0
  use_x_forwarded_for: true
  trusted_proxies:
    - <my proxy IP>
    - 0.0.0.0/0        # test setting: treats every connecting peer as a trusted proxy
  ip_ban_enabled: false

homeassistant:
  external_url: "http://<my load balancer ip>"
  auth_providers:
    - type: trusted_networks
      trusted_networks:
        - <my public IP>

thanks!

Can you sniff what use_x_forwarded_for contains?
If it eventually is your load balancer IP, it makes sense that the setup fails.

You have to be sure that it is the load balancer that sets the header with the proper address.

Nevermind. You already said that was working.

UPDATE:

From HA code, it seems the HA url must adhere to IndieAuth for trusted network auth.

That says that IPs are not allowed, only domain names.

Thank you Chris!

Indeed I had already captured traffic and saw the header:

X-Forwarded-For: <my public IP>, <my LB public IP>
X-Forwarded-Proto: http

On the other hand, I’ll check the requirements for a domain name instead of plain IPs, but what’s the difference when reaching HA directly via port forwarding on the host vs. via the LB? Is it because it’s considered an “external” access? What’s the criteria for that? Because even with port forwarding I’m using IPs on different subnets… trying to understand the details behind the issue.

Trusted network auth was just a temporary test/workaround.
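The captured header above (client address first, load balancer address appended) is the usual shape of an X-Forwarded-For chain, and trusted_proxies decides which hops of that chain a server may skip. The following is an added example, not Home Assistant's own code, of the general "walk the chain from the right and stop at the first untrusted hop" resolution that reverse-proxy-aware servers use; it also shows why a trusted_proxies entry of 0.0.0.0/0 is dangerous. The function name resolve_client_ip and all addresses are constructed for the illustration.

```python
import ipaddress

# Added example (not Home Assistant code): resolve the real client address
# from an X-Forwarded-For chain. The TCP peer must itself be a trusted proxy
# before the header is believed at all; then the chain is walked right to left
# (nearest proxy first) and the first hop that is NOT a trusted proxy is the
# client. All addresses below are constructed sample values.


def parse_networks(cidrs):
    """Turn a trusted_proxies-style list of IPs/CIDRs into network objects."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_trusted(addr, networks):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def resolve_client_ip(peer, xff_header, trusted_proxies):
    """
    peer:            address that opened the TCP connection to the server
    xff_header:      raw X-Forwarded-For value ('' if the header is absent)
    trusted_proxies: list of IPs/CIDRs that are allowed to set the header
    Returns the address the server should treat as the client.
    """
    networks = parse_networks(trusted_proxies)
    # An untrusted peer can write anything into X-Forwarded-For, so ignore it.
    if not is_trusted(peer, networks):
        return peer
    chain = [a.strip() for a in xff_header.split(",") if a.strip()]
    # Skip every hop we trust, starting from the proxy nearest to us.
    for hop in reversed(chain):
        if not is_trusted(hop, networks):
            return hop
    # Every hop was trusted (or the chain is empty): there is nothing left to
    # distinguish the client from the proxies, so the leftmost value wins.
    return chain[0] if chain else peer


# Constructed sample values mirroring the thread's capture: "client, lb".
CLIENT_IP = "198.51.100.7"
LB_IP = "203.0.113.10"
PROXY_IP = "10.0.0.5"
HEADER = f"{CLIENT_IP}, {LB_IP}"


def demo():
    results = {}
    # Only the internal proxy and the LB are trusted: the client resolves.
    results["strict"] = resolve_client_ip(PROXY_IP, HEADER, [PROXY_IP, LB_IP])
    # 0.0.0.0/0 trusts everyone: an attacker connecting directly and forging
    # X-Forwarded-For gets believed, so it can claim an address that sits in a
    # trusted_networks list.
    results["open_forged"] = resolve_client_ip("192.0.2.99", "10.0.0.1", ["0.0.0.0/0"])
    # With a strict list the same forged header from an untrusted peer is ignored.
    results["strict_forged"] = resolve_client_ip("192.0.2.99", "10.0.0.1", [PROXY_IP, LB_IP])
    return results


if __name__ == "__main__":
    for name, ip in demo().items():
        print(f"{name}: {ip}")
```

The "open_forged" case is the one to keep in mind when 0.0.0.0/0 is left in trusted_proxies: whoever can reach port 8123 directly can present any source address they like, which is exactly the address a trusted_networks auth provider keys on. Keep the list limited to the addresses of the proxies that really sit in front of the instance.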

That error relates to trusted auth.
If that’s a temporary test, remove it and tell us what issue you get, then.

Apologies. Almost the same error in the frontend, no user/password text boxes:

(screenshot: hass-capture)

and backend:

WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from <my public IP>

Could you show your current homeassistant: section, please?

http:
  server_host: 0.0.0.0
  use_x_forwarded_for: true
  trusted_proxies:
    - <public load balancer IP>
    - 0.0.0.0/0        # test setting: treats every connecting peer as a trusted proxy
  ip_ban_enabled: false

homeassistant:
  external_url: "http://<public load balancer IP>"

Doesn’t really make sense. Stupid question, but you restarted HA after removing “trusted networks”, right?

Maybe add

homeassistant:
  auth_providers:
    - type: homeassistant

to be sure

Thanks for suggesting. Same result.

Yes, I restarted the docker container after the changes. No stupid questions!! Double checking is always great :)

Anything else I could capture, log? Yesterday I enabled debug-log levels but I was unable to identify anything relevant, maybe my eyes are not trained enough for hass logs.

I’ll try with a domain, just in case, and let you know. Wanted to first rule out the basic stuff with the experts here in the forum.

Another “random” suggestion is to try from a private browser window, to rule out cookie issues.

No luck either with the private browser. Thanks for the quick support!

Interesting. It works with a domain name, with no other configuration than

homeassistant:
  external_url: "http://<my domain>"

no trusted_proxies nor use_x_forwarded_for

Maybe I was confused and this restriction applies to all “reverse proxy” setups, not only “Trusted Networks”?
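To make the "IPs are not allowed, only domain names" point from the earlier reply concrete: the IndieAuth specification's rules for a client identifier say it must be an http or https URL with a path, must not carry a fragment or credentials, and must not be an IP address except 127.0.0.1 or [::1]. The checker below is an added illustration of those rules, not Home Assistant's own validation code, and the function name client_id_problems and the sample URLs are constructed for the example. It shows why an external_url of http://<IP>/ fails the check while http://<domain>/ and a loopback address pass, regardless of whether a proxy sits in between.

```python
import ipaddress
from urllib.parse import urlparse

# Added example (not Home Assistant code): check a URL against the IndieAuth
# client identifier rules. Returns the list of violated rules; an empty list
# means the URL is an acceptable client_id.


def client_id_problems(client_id):
    problems = []
    u = urlparse(client_id)

    if u.scheme not in ("http", "https"):
        problems.append("scheme must be http or https")
    if u.username or u.password:
        problems.append("must not contain a username or password")
    if u.fragment:
        problems.append("must not contain a fragment")
    if not u.path:
        problems.append("must contain a path component (at least '/')")
    elif any(seg in (".", "..") for seg in u.path.split("/")):
        problems.append("must not contain '.' or '..' path segments")

    host = u.hostname
    if not host:
        problems.append("must contain a host")
    else:
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            ip = None  # not an IP literal, i.e. a domain name: what the rule wants
        # Only the two loopback literals are allowed as IP hosts.
        if ip is not None and str(ip) not in ("127.0.0.1", "::1"):
            problems.append("host must not be an IP address (127.0.0.1 and [::1] excepted)")
    return problems


# Constructed sample URLs for the demonstration.
SAMPLES = [
    "http://203.0.113.10/",           # public IP as in the thread: rejected
    "http://hass.example.com/",       # domain name: accepted
    "http://127.0.0.1:8123/",         # loopback: accepted
    "http://[::1]:8123/",             # IPv6 loopback: accepted
    "https://hass.example.com/#frag", # fragment: rejected
    "http://user:pw@hass.example.com/",  # credentials: rejected
]

if __name__ == "__main__":
    for url in SAMPLES:
        issues = client_id_problems(url)
        print(url, "->", "ok" if not issues else "; ".join(issues))
```

Note that the check looks only at the URL the browser presents as the client, which is derived from the address the instance is reached at; the proxy path is irrelevant to it, which matches the observation that a bare domain name in external_url was enough to make the login page work.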