Hi! I’m trying to figure out a simple situation… Can I use 2FA on my external HASS domain, and not use 2FA on my internal domain?
From what I’ve read, this should be doable with `trusted_networks` inside configuration.yaml. But for some reason I cannot get it to work.
Setup:
I run HASS on a Docker image within a K3s (Kubernetes) Raspberry Pi cluster. Traefik (and MetalLB) do reverse proxying and Traefik takes care of SSL for the domains. Cloudflared provides a Cloudflare tunnel for external access (and public DNS). And finally I use PiHole (outside of K3s currently) as my local DNS.
Config:
```yaml
homeassistant:
  name: Home
  elevation: 129
  unit_system: imperial
  currency: USD
  time_zone: "America/Los_Angeles"
  internal_url: "https://hass.something.net"
  external_url: "https://hass.somethingelse.com"
  auth_providers:
    - type: trusted_networks
      trusted_networks:
        - !secret ethernet_network #192.168.1.0/24
        - !secret trusted_wifi_network #192.168.10.0/24
    - type: homeassistant
  auth_mfa_modules:
    - type: totp
      name: "Authenticator app"
    - type: notify
      message: "Your 2FA code is {}."
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - !secret k3s_ip_range
```
Error:
This is what happens when I try to log in using an IP on the `ethernet_network`:
You’re about to give https://hass.something.net/ access to your Home Assistant instance.
Logging in with Trusted Networks.
Login aborted:
Your computer is not allowed.
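
As an added example (not part of the original post and not Home Assistant's own code), this simplified Python model shows how the address checked against `trusted_networks` is derived from the TCP peer and the `X-Forwarded-For` header once `trusted_proxies` is in play. The 10.42.0.0/16 proxy range and every sample request are constructed assumptions, since the post keeps `k3s_ip_range` in secrets.

```python
from ipaddress import ip_address, ip_network

# Constructed values: the post stores its real ranges in secrets.yaml.
TRUSTED_NETWORKS = [ip_network("192.168.1.0/24"), ip_network("192.168.10.0/24")]
TRUSTED_PROXIES = [ip_network("10.42.0.0/16")]  # assumed stand-in for k3s_ip_range


def in_any(addr, networks):
    return any(addr in net for net in networks)


def effective_client_ip(peer, x_forwarded_for=None, use_x_forwarded_for=True):
    """Return the address the login check sees for this request."""
    peer_addr = ip_address(peer)
    # The header is honoured only when the TCP peer is a trusted proxy.
    if not (use_x_forwarded_for and x_forwarded_for
            and in_any(peer_addr, TRUSTED_PROXIES)):
        return peer_addr
    hops = [ip_address(h.strip()) for h in x_forwarded_for.split(",")]
    # Walk right to left; the first hop that is not a trusted proxy is the client.
    for hop in reversed(hops):
        if not in_any(hop, TRUSTED_PROXIES):
            return hop
    return hops[0]  # every hop was a proxy: fall back to the left-most


def trusted_network_login(peer, x_forwarded_for=None):
    """Model of the trusted_networks decision: (client address, verdict)."""
    client = effective_client_ip(peer, x_forwarded_for)
    if in_any(client, TRUSTED_PROXIES):
        return client, "rejected: address belongs to a proxy"
    if not in_any(client, TRUSTED_NETWORKS):
        return client, "rejected: not in trusted_networks"
    return client, "allowed"


# Constructed requests: (TCP peer seen by Home Assistant, X-Forwarded-For)
SAMPLES = {
    "direct LAN connection": ("192.168.1.50", None),
    "proxy forwards LAN client": ("10.42.0.15", "192.168.1.50"),
    "source NAT hides LAN client": ("10.42.0.15", "10.42.1.1"),
    "tunnel forwards public client": ("10.42.0.15", "203.0.113.7, 10.42.2.9"),
}

if __name__ == "__main__":
    for label, (peer, xff) in SAMPLES.items():
        client, verdict = trusted_network_login(peer, xff)
        print(f"{label:32} client={client!s:15} {verdict}")
```

Comparing the resolved client address with the real values behind `k3s_ip_range` and the two trusted networks shows which branch a given request takes.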