Hello, I currently have Home Assistant listening on 127.0.0.1:8123 and HAProxy forwarding to it on the same machine, port 443.
configuration.yaml

homeassistant:
  # Name of the location where Home Assistant is running
  name: Home
  # Location required to calculate the time the sun rises and sets
  latitude: 37.9842
  longitude: 23.7353
  # Impacts weather/sunrise data (altitude above sea level in meters)
  elevation: 0
  # metric for Metric, imperial for Imperial
  unit_system: metric
  time_zone: Europe/Athens
  # Customization file
  customize: !include customize.yaml

# Configure a default setup of Home Assistant (frontend, api, etc)
default_config:

# Show the introduction message on startup.
introduction:

# Uncomment this if you are using SSL/TLS, running in Docker container, etc.
http:
  base_url: https://hass.router.lan
  server_host: 127.0.0.1
  trusted_proxies: 127.0.0.1
  use_x_forwarded_for: true

# Discover some devices automatically
discovery:

# Sensors
sensor:
  # Weather prediction
  - platform: yr

# Text to speech
tts:
  - platform: google

group: !include groups.yaml
automation: !include automations.yaml
script: !include scripts.yaml
haproxy.cfg

global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    # :DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-ciphers ECDH+AESGCM
    ssl-default-bind-options force-tlsv12
    tune.ssl.default-dh-param 2048

defaults
    mode http
    log global
    option forwardfor
    option http-keep-alive
    option httplog
    option dontlognull
    timeout connect 50s
    timeout client 50s
    timeout server 50s
    timeout tunnel 1h
    timeout http-keep-alive 10s
    stats enable
    stats uri /stats
    stats realm Haproxy\ Statistics
    stats auth user:password
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend www-http
    bind 192.168.0.1:80
    redirect scheme https

frontend www-https
    bind 192.168.0.1:443 ssl crt /etc/ca/keys/hass.pem
    http-request add-header X-Forwarded-Proto https
    http-request add-header X-Forwarded-Port 443
    http-response set-header Strict-Transport-Security max-age=15768000
    use_backend hass if { ssl_fc_sni hass.router.lan }
    # use_backend nodered if { ssl_fc_sni nodered.router.lan }

backend hass
    server hass 127.0.0.1:8123 check

backend nodered
    server nodered 192.168.0.100:80 check
haproxy -vv
HA-Proxy version 1.7.5-2 2017/05/17
Copyright 2000-2017 Willy Tarreau <[email protected]>
Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -g -O2 -fdebug-prefix-map=/build/haproxy-DPqdp6/haproxy-1.7.5=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2
OPTIONS = USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_PCRE=1 USE_NS=1
Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.8
Running on zlib version : 1.2.8
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with OpenSSL version : OpenSSL 1.1.0e 16 Feb 2017
Running on OpenSSL version : OpenSSL 1.1.0j 20 Nov 2018
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.39 2016-06-14
Running on PCRE version : 8.39 2016-06-14
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with Lua version : Lua 5.3.3
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with network namespace support
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
Available filters :
[COMP] compression
[TRACE] trace
[SPOE] spoe
HAProxy, just after `POST /auth/token HTTP/1.1`, logs an SSL handshake failure.
hass logs: WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication
Firefox (Linux) works perfectly fine! This only happens on the iOS companion app and Safari.
I have installed the CA on both of them and the rest of the website (login page, etc.) works as expected on both. When I press login on iOS I get "Unable to connect to Home Assistant".
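An added example, not code from the original post or from Home Assistant, showing why the `trusted_proxies: 127.0.0.1` and `use_x_forwarded_for: true` settings above belong together with HAProxy's `option forwardfor`: the header is only honoured when the TCP peer on port 8123 is the listed proxy, and the address taken is the one the last trusted hop appended, so a client-supplied X-Forwarded-For cannot choose which IP the ban component records. The walk-from-the-right rule and the sample requests are my assumptions, not Home Assistant's exact implementation.

```python
import ipaddress
from typing import Optional

# Constructed to mirror the posted http: block (trusted_proxies: 127.0.0.1).
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1")]


def _is_trusted(addr, trusted) -> bool:
    return any(addr in net for net in trusted)


def resolve_client_ip(peer_ip: str, x_forwarded_for: Optional[str],
                      trusted=TRUSTED_PROXIES) -> str:
    """Return the address the app should log, rate-limit and ban on.

    peer_ip:         the TCP peer that connected to port 8123 (HAProxy when proxied)
    x_forwarded_for: raw X-Forwarded-For header value, or None when absent
    Assumed rule (not Home Assistant's exact code): honour the header only if the
    peer is a trusted proxy; then walk the chain from the right, skip trusted hops
    and return the first untrusted one, i.e. the address the last trusted proxy
    appended. Anything unparsable falls back to the peer address.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not _is_trusted(peer, trusted) or not x_forwarded_for:
        return str(peer)                      # header untrusted or absent: ignore it
    try:
        chain = [ipaddress.ip_address(a.strip())
                 for a in x_forwarded_for.split(",") if a.strip()]
    except ValueError:
        return str(peer)                      # malformed header: fail closed
    for hop in reversed(chain):
        if not _is_trusted(hop, trusted):
            return str(hop)
    return str(peer)                          # every hop was a trusted proxy


if __name__ == "__main__":
    # Constructed requests; 192.168.0.50 is the LAN client HAProxy appended.
    print(resolve_client_ip("127.0.0.1", "192.168.0.50"))            # 192.168.0.50
    # Client sent its own header value first; HAProxy appended the real peer.
    print(resolve_client_ip("127.0.0.1", "10.9.9.9, 192.168.0.50"))  # 192.168.0.50
    # Connection did not come through the proxy: the header is ignored.
    print(resolve_client_ip("192.168.0.77", "10.9.9.9"))             # 192.168.0.77
```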