How to troubleshoot connectivity errors when away/ iOS Companion / External

Hi,

I’ve got a bit of a strange setup:

  • I have a Fortigate firewall capable of doing SSL Offloading (Virtual Server), connected to the internet with a public IP.
  • Assigned my IP a public dns entry
  • Forwarded a custom TCP port using the SSL Offloading to Home Assistant.
  • Fortigate doesn’t translate host-header on the offloaded session, so I’m running the NGINX Proxy Manager on my Home Assistant to forward the traffic to the actual Home Assistant.

https://myhost.com:customport1/ → http://myhost.com:customport2 (NGINX Proxy Manager) → Home Assistant

This used to work just fine, but it stopped working a few months ago. I’ve got a pretty good understanding of all of the above, but am unable to determine why the iOS Companion app stops working. The UI stays empty with the HA logo and it just sits there.

From a network capture I made behind the Fortigate I can see that the websocket stream is working just fine, all kinds of state changes are transmitted to the client. But the UI is not populating.
The Logs from the Companion app don’t tell either what is missing/going wrong.

How can I troubleshoot this in more detail on the iOS side of things?

Regards,
Erik

That probably doesn’t help, but what’s the point of doing SSL offloading on your “firewall” (actual firewalls don’t do that)?
Just leave it to NGINX; reverse-proxying is in its DNA…

Offloading on the firewall because the firewall has the Letsencrypt certificate. And I use this cert on other ports as well. The firewall is packed with inspection options while nginx (in this case) has not.
And the feature is there, so why not… .
And it’s fun to learn about why this is not working and fixing it…. Hopefully

Well if you put it there rather than nginx, of course :slight_smile:

For sure; that’s the role of a firewall

Well, the point is it really isn’t (it looks like “port forwarding+”), as you still have to put an nginx behind it.

But whatever :slight_smile:

nginx behind was because HA wasn’t accepting my host header. Which NGINX can handle.

Changed a few things to not need NGINX in between. Doing NAT on the Virtual Server / LB object and adding the following to the http: configuration in my configuration.xml

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.255.254  # my source IP from the Fortigate when coming from external

The HA Companion loads, the websocket is busy. The UI doesn’t load. As soon as I pull the UI down to refresh, the Hamburger menu appears with no options in it. This is where all stops in the UI.

From my captures I see that a POST is being issued to URI /api/webhook/… that HA doesn’t respond to:

POST /api/webhook/[long id here] HTTP/1.1
X-Forwarded-For: 89.x.y.z
Host: [myhost].fortiddns.com:8123
accept: */*
content-type: application/json
accept-language: nl-NL,nl;q=0.9
accept-encoding: gzip, deflate, br
user-agent: Home Assistant/2023.4 (io.robbie.HomeAssistant; build:2023.460; iOS 16.5.1)
content-length: 384
cache-control: no-cache

{"encrypted":true,"encrypted_data":"some encrypted data/json"}

No response to this one from HA.

How to troubleshoot this on HA side?
(Setting debug level on the http component just says: Serving /api/webhook/… (Auth: False), that’s all it says)
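To check whether the trusted_proxies / use_x_forwarded_for settings above actually match what the Fortigate sends, here is a small model of that header check run against the captured request. This is an added example, not Home Assistant’s code: it follows the documented behaviour of the http integration (a request carrying X-Forwarded-For is refused with 400 unless use_x_forwarded_for is on and the connecting peer is listed in trusted_proxies; the client address is then taken from the right-most header entry that is not itself a trusted proxy). The request text, the peer addresses and the client IP 203.0.113.10 are constructed; the function names are my own.

```python
"""Model of Home Assistant's X-Forwarded-For / trusted_proxies handling.

Added illustration, not Home Assistant's own implementation. It mirrors the
documented rules of the `http` integration so a capture like the one in the
thread can be checked against a configuration.yaml snippet offline.
"""
from ipaddress import ip_address, ip_network

# Constructed sample: the head of the captured webhook request (client IP
# replaced by a TEST-NET address, webhook id elided as in the thread).
CAPTURED_REQUEST = """\
POST /api/webhook/[long id here] HTTP/1.1
X-Forwarded-For: 203.0.113.10
Host: myhost.fortiddns.com:8123
accept: */*
content-type: application/json
content-length: 384
"""

# The thread's configuration.yaml values (assumed to be what HA loaded).
USE_X_FORWARDED_FOR = True
TRUSTED_PROXIES = ["192.168.255.254"]


def parse_headers(raw):
    """Return (request line, {lower-cased header name: value}) from a raw HTTP/1.1 head."""
    lines = raw.splitlines()
    request_line = lines[0] if lines else ""
    headers = {}
    for line in lines[1:]:
        if not line.strip():          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def resolve_client(peer_ip, headers, use_x_forwarded_for, trusted_proxies):
    """Decide how the proxy headers would be treated.

    Returns ("ok", client_ip) when the request is accepted, or
    ("400", reason) when it would be refused, following the documented rules.
    """
    peer = ip_address(peer_ip)
    forwarded = headers.get("x-forwarded-for")
    if forwarded is None:
        # No proxy header: the connecting peer is the client.
        return "ok", peer

    if not use_x_forwarded_for:
        return "400", f"X-Forwarded-For received from {peer} but use_x_forwarded_for is off"

    trusted = [ip_network(p, strict=False) for p in trusted_proxies]
    if not any(peer in net for net in trusted):
        return "400", f"X-Forwarded-For received from untrusted proxy {peer}"

    try:
        hops = [ip_address(h.strip()) for h in forwarded.split(",")]
    except ValueError:
        return "400", f"malformed X-Forwarded-For header: {forwarded!r}"

    # Walk from the right: skip trusted proxies, the first other address is the client.
    for hop in reversed(hops):
        if not any(hop in net for net in trusted):
            return "ok", hop
    # Every listed hop is a trusted proxy; keep the connecting peer.
    return "ok", peer


def check_thread_setup(peer_ip="192.168.255.254"):
    """Apply the thread's configuration to the captured request."""
    _, headers = parse_headers(CAPTURED_REQUEST)
    return resolve_client(peer_ip, headers, USE_X_FORWARDED_FOR, TRUSTED_PROXIES)


if __name__ == "__main__":
    print(check_thread_setup())                 # proxy IP matches trusted_proxies
    print(check_thread_setup("192.168.1.50"))   # request arriving from another address
```

If the second call is what your setup actually produces (the Fortigate talks to HA from an address other than the one in trusted_proxies, for example when NAT on the virtual server is off), HA answers 400 rather than staying silent, so a silent webhook points past this layer; the check is still worth running first because it is cheap to get wrong.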

Does HA still work in a plain browser, now?
There are specific reverse proxy configurations to be made for websocket, as you know.

Yes, HA in the plain browser is working just fine.

From the following link I understand that no response is returned to my webhook call if the encrypted data is incorrect. I don’t receive any response, so this must be the case.

As a general rule, expect to receive a 200 response for all your requests. There are a few cases in which you will receive another code:

  • You will receive a 400 status code if your JSON is invalid. However, you will not receive this error if the encrypted JSON is invalid.

No, of course the question is: what makes my encrypted data incorrect?

Getting there, piece by piece…

Regards,
Erik