I am attempting to migrate from hassbian to using docker on a Raspberry Pi to consolidate services onto one device and improve security by using a reverse proxy setup.
So far everything is working: Let's Encrypt is providing the SSL certificate and Traefik is creating the locations based on the Docker labels.
The issue I am running into is that whenever I attempt to access the new setup and check the logs, the IP shown is always that of the Traefik proxy container, no matter the configuration I have applied via labels in the Docker setup or on the front end config with use_x_forwarded_for or trusted_proxies. I cannot get the IP shown in the access logs to be the outside IP.
The configuration is as follows:
Outside IP → Modem → Router → Pi → Traefik → HASS
Current configuration.yaml:
http:
  base_url: hass-test.my.duckdns.org
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.21.0.2      # Traefik container IP
    - 192.168.1.0/24  # Router IP
  ip_ban_enabled: true
  login_attempts_threshold: 5
Good catch! Unfortunately, after changing the IP, that was not the issue. I now believe this is a bug, as there are three open issues with X-Forwarded-For all showing nearly the same problem:
Thanks for the help, as I am sure that config issue would have gotten me after the bug is fixed.
For reference, configuration.yaml now is as follows:
# Uncomment this if you are using SSL/TLS, running in Docker container, etc.
http:
  base_url: hass-test.my.duckdns.org
  use_x_forwarded_for: true
  trusted_proxies:
    - 17.21.0.2  # Traefik container IP
  # IP ban disabled while X-Forwarded-For is broken, to prevent blocking the reverse proxy
  # ip_ban_enabled: true
  # login_attempts_threshold: 5
trusted_proxies is set to my traefik container IP address
One thing I did to help debug this was to install the whoami Docker container:
docker run -d --name=whoami -p 80:80 emilevauge/whoami
Then set this behind Traefik like your hass container (Traefik needs to forward to port 80). If you then use a browser and go (through Traefik) to your whoami instance, you will see all of the headers that come through, like this (I sanitized it for public posting):
Hostname: *****
IP: ***.***.***.***
IP: ***.***.***.***
GET / HTTP/1.1
Host: whoami.mydomain.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: br, gzip, deflate
Accept-Language: en-us
X-Forwarded-For: ***.***.***.***
X-Forwarded-Host: whoami.mydomain.com
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Server: server1
X-Real-Ip: ***.***.***.***
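To make the trusted_proxies and use_x_forwarded_for interplay from the configuration above concrete, and to show what the headers in the whoami dump are used for, here is an added example (not Home Assistant's or Traefik's code, and not posted by anyone in this thread). It models the usual trusted-proxy resolution: the X-Forwarded-For header is honoured only when the TCP peer is one of the trusted proxies, and the entries are walked from the right so an entry injected by the client itself is never picked. Whether Home Assistant's own implementation matches this exactly is an assumption; the addresses (172.21.0.2 for the proxy, 203.0.113.10 for the outside client, and the 127.21.0.2 typo) are constructed sample data. Note the "typo_in_trusted_proxies" case: if the proxy address in trusted_proxies does not match the real container IP, the result is exactly the symptom described in the thread, the proxy's address shows up instead of the outside IP.

```python
"""Resolve the client address behind a reverse proxy from X-Forwarded-For.

Added example, not Home Assistant's or Traefik's code. It models the
trusted_proxies / use_x_forwarded_for behaviour discussed in the thread
(an assumption about the semantics, not a copy of any project's code).
All IP addresses used below are constructed sample data.
"""
import ipaddress
from typing import Iterable, Mapping


def _is_trusted(ip: str, trusted_proxies: Iterable[str]) -> bool:
    """True if ip falls inside any trusted address or network."""
    addr = ipaddress.ip_address(ip)
    # strict=False lets a bare address such as "172.21.0.2" act as a /32.
    return any(addr in ipaddress.ip_network(net, strict=False)
               for net in trusted_proxies)


def resolve_client_ip(peer_ip: str, headers: Mapping[str, str],
                      trusted_proxies: Iterable[str],
                      use_x_forwarded_for: bool = True) -> str:
    """Return the address that should appear in access logs and be used by ip_ban."""
    if not use_x_forwarded_for or not _is_trusted(peer_ip, trusted_proxies):
        # A header from an untrusted peer is attacker-controlled: ignore it.
        return peer_ip
    xff = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if not hops:
        return peer_ip
    # Walk from the proxy-appended end toward the client, skipping trusted hops,
    # so the first untrusted address is the real client, not a client-injected entry.
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip  # malformed header: fall back to the socket peer
        if not _is_trusted(hop, trusted_proxies):
            return hop
    return hops[0]  # every hop was trusted: report the leftmost one


def demo() -> dict:
    """Run the thread's scenarios with constructed addresses and return the results."""
    proxy = "172.21.0.2"                 # Traefik container (constructed)
    client = "203.0.113.10"              # outside IP (constructed, documentation range)
    trusted_ok = [proxy, "192.168.1.0/24"]
    return {
        # correct trusted_proxies: the outside IP is resolved
        "correct": resolve_client_ip(proxy, {"X-Forwarded-For": client}, trusted_ok),
        # the 127.21.0.2 typo from the thread: the proxy IP is logged instead
        "typo_in_trusted_proxies": resolve_client_ip(
            proxy, {"X-Forwarded-For": client}, ["127.21.0.2"]),
        # a client connecting directly and sending its own header gains nothing
        "spoofed_by_direct_client": resolve_client_ip(
            client, {"X-Forwarded-For": "10.0.0.1"}, trusted_ok),
        # use_x_forwarded_for: false ignores the header entirely
        "header_disabled": resolve_client_ip(
            proxy, {"X-Forwarded-For": client}, trusted_ok, use_x_forwarded_for=False),
        # client-injected entry followed by the proxy-appended real address
        "client_injected_entry": resolve_client_ip(
            proxy, {"X-Forwarded-For": f"10.0.0.1, {client}"}, trusted_ok),
        # two trusted hops (router and proxy) in the chain
        "two_trusted_hops": resolve_client_ip(
            proxy, {"X-Forwarded-For": f"{client}, 192.168.1.1"}, trusted_ok),
        # malformed header from a trusted proxy falls back to the peer
        "malformed_header": resolve_client_ip(
            proxy, {"X-Forwarded-For": "not-an-ip"}, trusted_ok),
    }


if __name__ == "__main__":
    for name, ip in demo().items():
        print(f"{name:26s} -> {ip}")
```

Running the block prints one line per scenario. The practical check this suggests for the thread's problem is simple: confirm the address Traefik actually connects from (for example via the container's network settings) is the address listed under trusted_proxies, because a near-miss such as 127.21.0.2 versus 172.21.0.2 silently disables header processing rather than failing loudly.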
Thanks for the help. I'll try setting my config.yaml the same way later and see if that fixes it.
I tried debugging with that container but could not get it to run as it apparently does not support the ARM platform:
standard_init_linux.go:190: exec user process caused "exec format error"
Do you have any "advanced" Traefik labels set on the homeassistant container other than the host and the frontend and backend names? I tried adding traefik.frontend.whiteList.useXForwardedFor=true and traefik.frontend.passHostHeader=true to see if those were required, but they did not help.
I'll play around with this later this evening. Hopefully this is not related to being run on an ARM platform.
I have configured static IPs in the docker-compose.yml for the containers, for deterministic IPs for any of the containers in that stack. The network is external and as such does not change IP range.
You need to create an external network first. I think that error pops up if you're trying to use the default network / have not defined an external network, so it's trying to create it during deployment, which has been known to cause that error.
I split my docker-compose into multiple files, so each directory below has its own docker-compose.yml file. When I use Portainer, this shows up as three different stacks. I suppose it's possible that using three different stacks like this might be part of the problem, but I doubt it, so I haven't tried a "single" stack yet.
But since the issue here is related to Home Assistant, I'm only showing the network and homeautomation files. I snipped out parts I didn't think were relevant, and left the things that were network related.