Hassio behind HAProxy 400: Bad request with "option forwardfor" for Authelia

haratsch · September 5, 2024, 8:41am

Hello,
I want to add authelia to some services in my network. For this i have read HAProxy | Integration | Authelia and copied

    ## Ensure X-Forwarded-For is set for the auth request.
    acl hdr-xff_exists req.hdr(X-Forwarded-For) -m found
    http-request set-header X-Forwarded-For %[src] if !hdr-xff_exists
    option forwardfor

to my HAProxy-Configuration. But Hassio wont work with option forwardfor. I got “400 Bad request” if i set this option.
I have already tried to do something like

http-request set-header X-Forwarded-For %[src] if !hdr-xff_exists !hassio-host

where hassio-host is a acl hassio-host hdr(host) -i hassio.-example.com or something like http-request del-header but nothing worked.

I want to understand why Hassio has Problems with “option forwardfor”
I have already read HTTP - Home Assistant but maybe not fully understand.

thanks

koying · September 5, 2024, 9:04am

You have to use use_x_forwarded_for and add your reverse proxy IP to the trusted_proxies

haratsch · September 5, 2024, 9:22am

This is already configured.

  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.21.0/24

It works (Homeassistant with haproxy) till i have tried to add authelia and the forwardfor option.

koying · September 5, 2024, 9:34am

What does the HA log say?

haratsch · September 5, 2024, 9:48am

home-assistant.log says

ERROR (MainThread) [homeassistant.components.http.forwarded] Too many headers for X-Forwarded-For: ['PUBIP']

Before i didnt do anything with “X-Forwarded-For” in my haproxy.cfg.

koying · September 5, 2024, 9:55am

I guess you’re adding X-Forwarded-For twice, while it should be unique, with a comma separated list of intermediaries

haratsch · September 5, 2024, 11:20am

Mhh but where the second “X-Forwarded-For” can come from and how i can debug it? I find a few things with “curl” but i was unable to see X-Forwarded-For-headers there. This header is only between home-assistant and proxy or? How can i see that?

Okay i just changed
option forwardfor to option forwardfor if-none
Hassio is working again and (i hope) Authelia is happy to now. But i am rellay wondering where the “second” Forward-For will come from.

“Optional: Add the if-none argument to add the header only when it is not already present:”

koying · September 5, 2024, 11:35am

Well, I guess that if you do the “set-header”, and unconditionally add the header through “option”, HAProxy blindly add the header twice

haratsch · September 5, 2024, 11:58am

Maybe the Authelia-Team was not correct in their example…
Thank you