How to resolve DNS locally for webpage panel iframes?

I’m trying to add Grafana dashboards to HA using a Lovelace webpage panel. As I access my HA instance through a public web address, I use Let’s Encrypt SSL certs and an Nginx reverse proxy. This means that I also need to use SSL to access Grafana within HA.

I have added a location block to my proxy which shows the Grafana dashboard at /grafana. This works fine when left unrestricted. However, I would like this to only be accessible on my local network, as I do not use authentication for Grafana, so I have added:

allow 192.168.0.0/24;
deny all;

My thinking is that Home Assistant will be able to access the page locally and show it in the webpage panel. By default, the panel goes to my public domain which is then forwarded to the nginx server with a client address that matches the public IP. This obviously gets blocked as the public IP is not local to my network. Therefore, I am trying to resolve my domain name to the server’s IP address locally on the server so that the request from HA’s webpage panel will go directly to Nginx, bypassing the external lookup.

The problem: Trying to access the dashboard through HA results in a blocked request as the IP is showing as the external public one.

This suggests to me that the domain name is not resolving correctly using my /etc/hosts file? Or am I way off track here and the domain will need to be resolved using a DNS server for some reason?

My HA container is running with the network mode as “host” and I have tried adding a mapping in /etc/hosts, as well as the docker “extra_hosts” option. These seem to create the correct mapping for the container as pinging my domain name within that container results in the correct IP address. Additionally, the /etc/hosts file within the container shows the mapping. I have also tried adding a /etc/nsswitch.conf file to the container which did not make a difference.

Further details:

If it’s an iframe, it doesn’t matter what Home Assistant knows about the Grafana server. The ONLY machine that needs to be made to believe that the fully qualified domain name of the Grafana server resolves to a local IP is the machine that you are viewing the Home Assistant interface on.


Thanks, that explains why it doesn’t work! Is adding authentication to Grafana and removing the IP restriction the only solution to accessing the iframe dashboard from outside the network?

Nope. WireGuard is the best solution. Then you don’t have to worry about any unauthorized external access, and as long as you do the IPv4 forwarding thing then as far as Grafana is concerned you are accessing it from inside the network, even though you are outside the network.


Do you mean access Home Assistant through a VPN? Wouldn’t a client then need to be installed on every device that I use to access HA? This adds an extra layer of complexity that I would rather avoid. I think it would be easier just to add authentication to Grafana if there is no other way of setting up the reverse proxy.

No, it would require a VPN client on every device that you wanted to access Grafana from when outside the network. Home Assistant would be unaffected; if you can access that externally now, you will continue to be able to do so.
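
An added example, not part of any post in this thread: a small Python model of how nginx's first-match allow/deny rules treat the source address in the situations discussed above. The client addresses are constructed (203.0.113.7 stands in for the public IP, 10.8.0.2 for a VPN tunnel address), and the two VPN cases are assumptions about how the tunnel is routed.

```python
import ipaddress

# The access rules from the question, with the semicolons nginx requires.
RULES = """
allow 192.168.0.0/24;
deny all;
"""

def parse_rules(text):
    """Parse nginx allow/deny directives into (action, network-or-None) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().rstrip(";").strip()
        if not line:
            continue
        action, target = line.split()
        if action not in ("allow", "deny"):
            raise ValueError(f"unsupported directive: {action}")
        net = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((action, net))
    return rules

def decide(rules, client_ip):
    """Return 'allow' or 'deny' for the source address nginx sees (first match wins)."""
    addr = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if net is None or addr in net:
            return action
    return "allow"  # nginx permits the request when no rule matches

# Constructed scenarios. The source address belongs to the device running the
# browser, because the browser (not the Home Assistant server) loads the iframe.
SCENARIOS = {
    "LAN browser, name resolves to the public IP (hairpin)": "203.0.113.7",
    "LAN browser, name resolves to the server's local IP": "192.168.0.50",
    "VPN client, source rewritten to a LAN address (assumption)": "192.168.0.2",
    "VPN client, tunnel address seen unchanged (assumption)": "10.8.0.2",
}

def evaluate(rules_text=RULES):
    rules = parse_rules(rules_text)
    return {name: decide(rules, ip) for name, ip in SCENARIOS.items()}

if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{verdict:5}  {name}")
```

The client address recorded in the nginx access log shows which of these cases a real request falls into.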