How to configure integrations with hostnames that use a reverse proxy?

I’m running Home Assistant OS in a virtual machine. On the same network, I have some services running in docker containers behind a reverse proxy (Traefik, in case it matters). For example, I’m running a plex server and a UniFi network controller. I’d like to add Home Assistant integrations for these services, but I keep getting errors when trying to set things up.

Home Assistant is NOT behind the reverse proxy. If that would help, I could look into doing that.

Example steps:

  1. Point my browser at https://unifi.mydomain.net, just to verify my UniFi network controller service is running correctly behind the reverse proxy (it is, the page loads just fine).
  2. In Home Assistant (which, again, is not behind the reverse proxy), set up a new “UniFi Network” integration, configured as such:
    Host: unifi.mydomain.net
    Username: hass_user
    Password: hass_password
    Port: 443
    Verify SSL certificate: unchecked
  3. Click Submit, eventually receive a “Failed to connect” error message and the integration fails to set up.

In my logs, I now see:

2022-05-22 00:05:40 ERROR (MainThread) [homeassistant.components.unifi] Error connecting to the UniFi Network at unifi.mydomain.net: Error requesting data from unifi.mydomain.net: Cannot connect to host unifi.mydomain.net:443 ssl:default [Connect call failed ('192.168.1.210', 443)]

That almost makes sense, because 192.168.1.210 is the IP address of the machine running the reverse proxy and the UniFi docker container. Port 443 also makes sense. However, if that’s literally what Home Assistant is doing (i.e., just making a request to https://192.168.1.210:443), that’s not enough, because of the reverse proxy.

So far I’ve gotten the same failure with plex and UniFi integrations, so I’m suspicious this isn’t specific to the integrations themselves. Is there a configuration somewhere I can change to tell Home Assistant to include some kind of reverse proxy information I would need to correctly resolve the paths for my integrations?

I’m not sure what you’d expect though, because Home Assistant is doing exactly what you’re telling it to: connect to port 443 of the IP address that unifi.mydomain.net resolves to.

Because it looks like HA can’t even connect to the IP address, I’m guessing there’s a routing issue somewhere. Can you ping 192.168.1.210 from inside the virtual machine?

Routing is different from proxying. I’m not 100% sure which is the issue on your setup.

An http-proxy is a server that http requests go to, and then it sends them to the destination, gets the response and returns it to the caller. Commonly deployed in corporate IT networks to proxy web requests from the internal network to the internet (and block malicious sites, etc.). In order for a web browser to work in this configuration you configure it to use the proxy. The http/https protocol supports this:

In Linux you typically can configure the environment variables http_proxy and https_proxy to cause traffic to redirect to the proxy. Most applications and python will use these variables by default. However, setting them causes all traffic to route through the proxy, which may or may not be desirable. As an alternate approach, within the python code that is making a request you can specify an http-proxy; however, this requires code support and configuration which is likely not implemented in HA at a granular level.

We’re talking about a reverse proxy here, which is mostly transparent for a browser :slight_smile:

I have zero information about why those services are behind a proxy, and your reason may be perfectly valid.

All I can offer is that a proxy usually defends your install from an outside network. If your HA install is inside the same network, why would you put it on the other side of the proxy and try to punch back in?

If that’s the case I’d look at your design again to relocate HA to a segment behind the proxy.

I looked at this thread a little bit and since I don’t use Unifi, and don’t have much experience with reverse proxies, maybe you can help me out with the one thing that stood out to me and that is the domain name. I don’t know if you are just using an example to illustrate, or you are actually using it for real, but when I do an nslookup on unifi.mydomain.net it shows it is a real internet domain name, so I’m wondering how this got resolved to an internal private IP address.

Otherwise the only other thing that I can think of is to what extent the certificate is not being validated. The log output says ssl:default which may be doing some amount of validation, but this I don’t know. Is the reverse proxy holding the certificates, and are they full chain?

Because it will be just an example to illustrate :slight_smile: (that, or they configured their local DNS server to act as a resolver for mydomain.net but I doubt it)
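Added example, not part of the thread: a Python check that separates the layers discussed above (DNS resolution, TCP connect, TLS handshake with SNI), meant to be run from the Home Assistant machine to see which one fails before any reverse-proxy routing is involved. `diagnose` is a hypothetical helper name, and certificate verification is turned off only to mirror the unchecked "Verify SSL certificate" box in the integration form.

```python
import socket
import ssl


def diagnose(host, port=443, timeout=3.0):
    """Return (stage, detail) for the first layer that fails, or ("ok", detail)."""
    # 1. DNS: which address does the name resolve to from *this* machine?
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return ("dns", str(exc))
    addr = infos[0][4]
    where = f"{addr[0]}:{addr[1]}"

    # 2. TCP: can a connection be opened at all? A failure here (as in the
    #    "Connect call failed" log line) happens before the proxy sees any
    #    hostname, so it points at routing, firewalling or a closed port.
    try:
        sock = socket.create_connection(addr[:2], timeout=timeout)
    except OSError as exc:
        return ("tcp", f"{where} {exc}")

    # 3. TLS: handshake with SNI set to the hostname, which is what a
    #    reverse proxy can use to pick the backend and certificate.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # assumption: mirrors the unchecked box
    ctx.verify_mode = ssl.CERT_NONE  # diagnostic only, not for production use
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return ("ok", f"{where} {tls.version()}")
    except OSError as exc:
        sock.close()
        return ("tls", f"{where} {exc}")


if __name__ == "__main__":
    # Hostname taken from the thread; run this on the Home Assistant host.
    print(diagnose("unifi.mydomain.net", 443))
```

A `tcp` result matches the log line in the first post; only an `ok` or `tls` result means the request got far enough for the reverse proxy's hostname handling to matter.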