Home Assistant behind HAProxy with iOS companion


Hello, I currently have home assistant listening on 127.0.0.1:8123 and HAProxy forwarding to it on the same machine, port 443.

configuration.yaml
homeassistant:
  # Name of the location where Home Assistant is running
  name: Home
  # Location required to calculate the time the sun rises and sets
  latitude: 37.9842
  longitude: 23.7353
  # Impacts weather/sunrise data (altitude above sea level in meters)
  elevation: 0
  # metric for Metric, imperial for Imperial
  unit_system: metric
  time_zone: Europe/Athens
  # Customization file
  customize: !include customize.yaml

# Configure a default setup of Home Assistant (frontend, api, etc)
default_config:

# Show the introduction message on startup.
introduction:

# Uncomment this if you are using SSL/TLS, running in Docker container, etc.
http:
  base_url: https://hass.router.lan
  server_host: 127.0.0.1
  trusted_proxies: 127.0.0.1
  use_x_forwarded_for: true

# Discover some devices automatically
discovery:

# Sensors
sensor:
  # Weather prediction
  - platform: yr

# Text to speech
tts:
  - platform: google

group: !include groups.yaml
automation: !include automations.yaml
script: !include scripts.yaml
haproxy.cfg
global
	log /dev/log	local0
	log /dev/log	local1 notice
	chroot /var/lib/haproxy
	user haproxy
	group haproxy
	daemon

	stats socket /run/haproxy/admin.sock mode 660 level admin
	stats timeout 30s

	# :DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
	ssl-default-bind-ciphers ECDH+AESGCM
	ssl-default-bind-options force-tlsv12
	tune.ssl.default-dh-param 2048

defaults
	mode	http

	log	global

	option	forwardfor
	option	http-keep-alive
	option	httplog
	option	dontlognull

        timeout connect 	50s
        timeout client  	50s
        timeout server  	50s
	timeout tunnel		1h
	timeout http-keep-alive	10s

	stats	enable
	stats	uri /stats
	stats	realm Haproxy\ Statistics
	stats	auth user:password

	errorfile 400 /etc/haproxy/errors/400.http
	errorfile 403 /etc/haproxy/errors/403.http
	errorfile 408 /etc/haproxy/errors/408.http
	errorfile 500 /etc/haproxy/errors/500.http
	errorfile 502 /etc/haproxy/errors/502.http
	errorfile 503 /etc/haproxy/errors/503.http
	errorfile 504 /etc/haproxy/errors/504.http

frontend www-http
	bind 192.168.0.1:80
	redirect scheme https

frontend www-https
	bind 192.168.0.1:443 ssl crt /etc/ca/keys/hass.pem

	http-request add-header X-Forwarded-Proto https
	http-request add-header X-Forwarded-Port 443

	http-response set-header Strict-Transport-Security max-age=15768000

	use_backend hass if { ssl_fc_sni hass.router.lan }

#	use_backend nodered if { ssl_fc_sni nodered.router.lan }

backend hass
	server hass	127.0.0.1:8123 check

backend nodered
	server nodered	192.168.0.100:80 check
haproxy -vv
HA-Proxy version 1.7.5-2 2017/05/17
Copyright 2000-2017 Willy Tarreau <[email protected]>

Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -g -O2 -fdebug-prefix-map=/build/haproxy-DPqdp6/haproxy-1.7.5=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2
  OPTIONS = USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_PCRE=1 USE_NS=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.8
Running on zlib version : 1.2.8
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with OpenSSL version : OpenSSL 1.1.0e  16 Feb 2017
Running on OpenSSL version : OpenSSL 1.1.0j  20 Nov 2018
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.39 2016-06-14
Running on PCRE version : 8.39 2016-06-14
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with Lua version : Lua 5.3.3
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with network namespace support

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
	[COMP] compression
	[TRACE] trace
	[SPOE] spoe

HAProxy, just after `POST /auth/token HTTP/1.1`, logs an SSL handshake failure.
Home Assistant logs: WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication

Firefox (Linux) works perfectly fine! This only happens with the iOS companion app and Safari.
I have installed the CA on both of them, and the rest of the website (login page, etc.) works as expected on both. When I press login on iOS I get "Unable to connect to Home Assistant".
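As an added example (not code from this thread, Home Assistant or HAProxy), the script below expands the posted `ssl-default-bind-ciphers ECDH+AESGCM` string with the local OpenSSL, the same library HAProxy links against, restricted to TLS 1.2 as `force-tlsv12` does, and then checks whether a client offer shares a suite with it. The client cipher lists are constructed for illustration, not captured from Safari or the iOS app.

```python
"""Expand an HAProxy cipher string and test it against a client offer.

Added example for this thread; not Home Assistant or HAProxy code.
Mirrors `ssl-default-bind-ciphers ECDH+AESGCM` and `force-tlsv12` from
the posted haproxy.cfg. The client offers are constructed, not real captures.
"""
import ssl

# Cipher string from the posted haproxy.cfg bind defaults.
BIND_CIPHERS = "ECDH+AESGCM"


def tls12_cipher_names(cipher_string):
    """Return the TLS 1.2 suites OpenSSL derives from an OpenSSL cipher string.

    HAProxy hands the same string to the same library, so this is the list
    the frontend can offer once force-tlsv12 pins it to TLS 1.2.
    Raises ssl.SSLError if the string matches no suite at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # force-tlsv12 (HAProxy 1.7)
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_string)
    # get_ciphers() may also list TLS 1.3 suites; keep only the TLS 1.2 ones.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]


def shared_suites(server_ciphers, client_offer):
    """Suites both sides accept, in the server's preference order.

    An empty result is the "no shared cipher" condition that makes the
    server abort the handshake, which HAProxy logs as an SSL handshake failure.
    """
    wanted = set(client_offer)
    return [name for name in server_ciphers if name in wanted]


def negotiates(cipher_string, client_offer):
    """True if a client offering client_offer can complete the handshake."""
    return bool(shared_suites(tls12_cipher_names(cipher_string), client_offer))


# Constructed client offers (illustrative, not browser captures).
MODERN_CLIENT = ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256", "AES256-SHA"]
CBC_ONLY_CLIENT = ["ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-AES128-SHA", "AES128-SHA"]

if __name__ == "__main__":
    server = tls12_cipher_names(BIND_CIPHERS)
    print("frontend offers:", ", ".join(server))
    for label, offer in [("modern", MODERN_CLIENT), ("cbc-only", CBC_ONLY_CLIENT)]:
        common = shared_suites(server, offer)
        print(label + ":", common[0] if common else "handshake failure (no shared cipher)")
```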

Having the same issue, except with Nginx as opposed to HAProxy. Connecting through the public NGINX domain via Firefox works perfectly. If connecting via Safari or the iOS app I get the following error:

“POST /auth/token HTTP/1.1” 400 57 “https://my.domain.name/lovelace?auth_callback=1&code=6ddd4c9c5a19433d9a6e9c58c607e09b&state=eyJoYXNzVXJsIjoiaHR0cHM6Ly9oYXNzLmR1cnJhbmNlLm1lIiwiY2xpZW50SWQiOiJodHRwczovL2hhc3MuZHVycmFuY2UubWUvIn0%3D” “Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15” “-”

Interestingly, here is the same request with Firefox, but with a 200 status code.

“POST /auth/token HTTP/1.1” 200 314 “https://my.domain.name/lovelace/default_view?auth_callback=1&code=e7b801a225b74ca8b3e8a97d6cc684db&state=eyJoYXNzVXJsIjoiaHR0cHM6Ly9oYXNzLmR1cnJhbmNlLm1lIiwiY2xpZW50SWQiOiJodHRwczovL2hhc3MuZHVycmFuY2UubWUvIn0%3D” “Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:75.0) Gecko/20100101 Firefox/75.0” “-”

Did you end up solving this?