Homeassistant reverse proxy error remote network

Iceman_CH · September 23, 2021, 2:50pm

Not sure if this is the right place to post/ask about this but, I started getting a reverse proxy error. It only happens when I try to use my setup while on my work network. I can still access the system on my phone but, not on my work network. I did see that there were some changes that need to be made to the YAML setup listed below but, this hasn’t’ helped at all. In fact I could no longer access the system when not on the home network.

I’m running HomeAssistant Supervised on Debian. I’m using duckdns and I have the router forwarding the ports so that HTTPS://mydomain.duckdns.org goes to my homeassistant. If I go to HTTP://mydomain.duckdns.org goes to my router admin.

Current YAML that works on everything but work network.

http:
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

The YAML I tried that broke all external access.
http:

#  ssl_certificate: /ssl/fullchain.pem
#  ssl_key: /ssl/privkey.pem
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.16.0.0/24
    - IP_ADDRESS OF WORK NETWORK

The Error that I’m getting is

ERROR (MainThread) [homeassistant.components.http.forward] A request from a reverse proxy was received from X.X.X.X, but your HTTP integration is not set-up for reverse proxies.

The X.X.X.X is an external IP address.

Any ideas on how to fix it?

Iceman_CH · September 24, 2021, 4:23pm

Little bit more information.

It’s not being on the work network it’s actually tied to the device. It looks like all my web traffic on my work laptop goes through a service called netskope and then goes to the website.

So my server is seeing the request but denying it because of the reverse proxy my laptop is using. I used to be able to access the server just fine. How do I get the old functionality back?

koying · September 24, 2021, 4:43pm

Do

http:
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.16.0.0/24
    - IP_ADDRESS OF WORK NETWORK

replacing “IP_ADDRESS OF WORK NETWORK” by the netskope ip that will popup as en error in your log (that’s assuming netskope doesn’t have a bazillion reverse proxy ip’s, cloudflare style, or you’re in trouble)

Iceman_CH · September 24, 2021, 5:50pm

Thanks for the response I’m going to try it and see what happens.

Do you know or does any know why this was implemented? It seems like other website don’t have to constantly scan for blocked IPs and then enter them in.

Iceman_CH · September 24, 2021, 7:43pm

This worked. I had to include the internal network as well. So it ended up being

http:
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.16.0.0/24
    - 192.168.0.0/24
    - IP_ADDRESS OF WORK NETWORK