Ingress error

I have just installed hass.io (was running HA in virtenv previously) and the ESPhome addon is not working for me…
When I click the “Open Web UI” button, I get a 502: Bad Gateway
There is nothing in the addon log, but there is the following error in the hass.io system log:

19-11-29 23:11:58 ERROR (MainThread) [hassio.api.ingress] Ingress error: Cannot connect to host 172.30.32.1:64208 ssl:None [Connection refused]
This is the only error.

My system info from the addon log:
Add-on version: 1.14.3
You are running the latest version of this add-on.
System: CentOS Linux 7 (Core) (amd64 / qemux86-64)
Home Assistant version: 0.102.2
Supervisor version: 192

Does anybody have any suggestions?

These two statements are contradictory.

There is nothing in the addon log

My system info from the addon log:

Do you see a line at the bottom of the log that says:

INFO: Starting NGINX...

Do you use any non-default settings in the addon config?

Do you use a reverse proxy?

Sorry, I should have written: There is no error in the addon log.
The last line in the log is:
[00:24:46] INFO: Starting NGINX...

I am accessing hass.io on the local IP address, no reverse proxy yet…

Addon config is:
{ "ssl": false }

I have already tried installing all 3 addon branches - stable, beta and dev, all 3 branches exhibit the same behaviour.

I am also using Grafana and VSCode addons, both work fine.

Mine does that too, right after I start the addon. However, if I wait 10 seconds or use the Sidebar button, it works.

I’ve left it overnight and it still doesn’t work.

Yeah I got nothing. You could ask at the ESPhome discord channel:

Try to uninstall it and when you reinstall, leave the config empty like this: {}

I’ve already tried that. When I first installed the addon, the config was empty - {}, and error was the same - Bad Gateway.

It is a bit of an old discussion, but I’ve just had a similar problem running hassio in docker under linux. My problem turned out to be firewall related. Running iptables -I INPUT -s 172.30.32.0/23 -d 172.30.32.0/23 -j ACCEPT fixed it for me (as a workaround). I’m still investigating why this is happening.


Didn’t fix anything for me. But I get “401: Unauthorized” error when I try to open the Web UI.
No errors in any logs.

Glad I found this one. I know it’s an old topic but since I still had this issue, other people probably do too.

In my case, it has probably something to do with docker networks. The only 2 addons I could not access through ingress are running in the host network while all other addons (that do work) run in hassio network.

Unfortunately I don’t know enough about docker (or linux/networking) to figure out why this is an issue and why it does not create that rule automatically.

Maybe somebody that does know can explain this?

I also have pretty much the same problem.
Almost all addons fail to open with this error.
But my home assistant server is on the VDS on the Internet, not on the local network.
I tried to install a home assistant on a new clean VDS - it works.
I tried to remove home assistant, docker and network manager from the combat server.
Then reinstalled.
And no way. Addons won’t open.

I found the problem and was able to fix it. Problem in the Firewall!
Dropping all the rules with the command
iptables -t nat -F
I saw that the File Editor addon opens as it should.
Then I restored the firewall to the state “as it was before” with the reboot command. Or with the netfilter-persistent reload command if apt-get install iptables-persistent is installed. (In order to save the current state of the firewall, I did netfilter-persistent save a few months ago.)

After restoring the firewall, I removed one rule after another with the commands:

iptables --table nat -D POSTROUTING 5
iptables --table nat -D POSTROUTING 4

and after each removal, I looked to see if the addon worked.

In the end, I realized that the rules interfered:
MASQUERADE all -- anywhere anywhere

I had several.
To delete multiple rules, you need to enter the command:
iptables -t nat -D POSTROUTING -j MASQUERADE
several times until it gives an error
iptables: Bad rule (does a matching rule exist in that chain?).

I had the following rules:

Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    DNAT       tcp  --  anywhere             haumea.vds.sh        tcp dpt:3333 to:11.11.11.3:3000
2    DNAT       tcp  --  anywhere             haumea.vds.sh        tcp dpt:8888 to:11.11.11.4:80
3    DNAT       tcp  --  anywhere             haumea.vds.sh        tcp dpt:1122 to:11.11.11.22:22
4    DNAT       tcp  --  anywhere             haumea.vds.sh        tcp dpt:1122 to:10.11.12.10:80
5    DNAT       tcp  --  anywhere             haumea.vds.sh        tcp dpt:1123 to:10.11.12.10:443
6    DNAT       tcp  --  anywhere             haumea.vds.sh        tcp dpt:1122 to:11.11.11.18:80
7    DNAT       tcp  --  anywhere             haumea.vds.sh        tcp dpt:1123 to:11.11.11.18:443
8    DNAT       tcp  --  anywhere             haumea.vds.sh        tcp dpt:1180 to:11.11.11.18:80
9    DNAT       tcp  --  anywhere             haumea.vds.sh        tcp dpt:1181 to:11.11.11.18:443
10   DNAT       tcp  --  anywhere             haumea.vds.sh        tcp dpt:1182 to:11.11.11.18:8123
11   DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DNAT       tcp  --  anywhere             haumea.vds.sh        tcp dpt:http to:11.11.11.4
2    DOCKER     all  --  anywhere            !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    MASQUERADE  all  --  172.17.0.0/16        anywhere
2    MASQUERADE  all  --  172.30.32.0/23       anywhere
3    MASQUERADE  all  --  11.11.11.0/24        anywhere
4    MASQUERADE  all  --  172.16.0.0/24        anywhere
5    SNAT       all  --  anywhere             anywhere             to:172.16.0.1
6    SNAT       tcp  --  anywhere             11.11.11.4           tcp dpt:http to:11.11.11.1
7    MASQUERADE  all  --  anywhere             anywhere
8    MASQUERADE  all  --  anywhere             anywhere
9    MASQUERADE  all  --  anywhere             anywhere
10   MASQUERADE  all  --  anywhere             anywhere
11   MASQUERADE  all  --  anywhere             anywhere
12   MASQUERADE  tcp  --  172.17.0.2           172.17.0.2           tcp dpt:9000
13   MASQUERADE  tcp  --  172.30.32.6          172.30.32.6          tcp dpt:http
14   MASQUERADE  all  --  172.16.0.0/24        anywhere
15   SNAT       all  --  anywhere             anywhere             to:172.16.0.1
16   MASQUERADE  all  --  anywhere             anywhere

Chain Docker (2 references)
num  target     prot opt source               destination
1    RETURN     all  --  anywhere             anywhere
2    RETURN     all  --  anywhere             anywhere
3    DNAT       tcp  --  anywhere             anywhere             tcp dpt:4357 to:172.30.32.6:80

And in order for addons to work, now I have such a firewall:

Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    DNAT       tcp  --  anywhere             haumea.vds.sh        tcp dpt:3333 to:11.11.11.3:3000
2    DNAT       tcp  --  anywhere             haumea.vds.sh        tcp dpt:8888 to:11.11.11.4:80
3    DNAT       tcp  --  anywhere             haumea.vds.sh        tcp dpt:1122 to:11.11.11.22:22
4    DNAT       tcp  --  anywhere             haumea.vds.sh        tcp dpt:1122 to:10.11.12.10:80
5    DNAT       tcp  --  anywhere             haumea.vds.sh        tcp dpt:1123 to:10.11.12.10:443
6    DNAT       tcp  --  anywhere             haumea.vds.sh        tcp dpt:1122 to:11.11.11.18:80
7    DNAT       tcp  --  anywhere             haumea.vds.sh        tcp dpt:1123 to:11.11.11.18:443
8    DNAT       tcp  --  anywhere             haumea.vds.sh        tcp dpt:1180 to:11.11.11.18:80
9    DNAT       tcp  --  anywhere             haumea.vds.sh        tcp dpt:1181 to:11.11.11.18:443
10   DNAT       tcp  --  anywhere             haumea.vds.sh        tcp dpt:1182 to:11.11.11.18:8123
11   DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DNAT       tcp  --  anywhere             haumea.vds.sh        tcp dpt:http to:11.11.11.4
2    DOCKER     all  --  anywhere            !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    MASQUERADE  all  --  172.17.0.0/16        anywhere
2    MASQUERADE  all  --  172.30.32.0/23       anywhere
3    MASQUERADE  all  --  11.11.11.0/24        anywhere
4    MASQUERADE  all  --  172.16.0.0/24        anywhere
5    SNAT       all  --  anywhere             anywhere             to:172.16.0.1
6    SNAT       tcp  --  anywhere             11.11.11.4           tcp dpt:http to:11.11.11.1
7    MASQUERADE  tcp  --  172.17.0.2           172.17.0.2           tcp dpt:9000
8    MASQUERADE  tcp  --  172.30.32.6          172.30.32.6          tcp dpt:http
9    MASQUERADE  all  --  172.16.0.0/24        anywhere
10   SNAT       all  --  anywhere             anywhere             to:172.16.0.1
11   MASQUERADE  all  --  anywhere             anywhere

Chain DOCKER (2 references)
num  target     prot opt source               destination
1    RETURN     all  --  anywhere             anywhere
2    RETURN     all  --  anywhere             anywhere
3    DNAT       tcp  --  anywhere             anywhere             tcp dpt:4357 to:172.30.32.6:80

Command to list all rules in NAT tables with the line numbers:
iptables --table nat --list --line-numbers
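
The rule-by-rule search described in the post above can be shortened by auditing the POSTROUTING chain in `-S` (rule-spec) form, which also shows interface matches that `--list` without `-v` hides. This is an added example, not part of the original thread; the sample rules are constructed to mirror part of the listing above, and the `docker0` interface match in it is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): audit the nat POSTROUTING chain for the
# two problems seen in the listing above.
# Input format: output of `iptables -t nat -S POSTROUTING`.

# Count rules that masquerade every packet: no source, destination, interface
# or protocol match, i.e. exactly the spec that
# `iptables -t nat -D POSTROUTING -j MASQUERADE` deletes.
catch_all_masquerade_count() {
    grep -c -x -F -e '-A POSTROUTING -j MASQUERADE' || true
}

# Print every rule spec that occurs more than once as "<count>x <spec>".
duplicate_rules() {
    grep '^-A POSTROUTING ' | sort | uniq -c |
        awk '$1 > 1 { c = $1; sub(/^ *[0-9]+ /, ""); print c "x " $0 }'
}

# Constructed sample mirroring part of the chain above; the "! -o docker0"
# match is an assumption (plain --list output does not show interfaces).
SAMPLE='-P POSTROUTING ACCEPT
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.30.32.0/23 -j MASQUERADE
-A POSTROUTING -s 172.16.0.0/24 -j MASQUERADE
-A POSTROUTING -j SNAT --to-source 172.16.0.1
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -s 172.16.0.0/24 -j MASQUERADE
-A POSTROUTING -j SNAT --to-source 172.16.0.1
-A POSTROUTING -j MASQUERADE'

echo "catch-all MASQUERADE rules: $(printf '%s\n' "$SAMPLE" | catch_all_masquerade_count)"
printf '%s\n' "$SAMPLE" | duplicate_rules

# On a live host (as root), feed the real chain instead of the sample:
#   iptables -t nat -S POSTROUTING | catch_all_masquerade_count
#   iptables -t nat -S POSTROUTING | duplicate_rules
```

Duplicates usually mean a script appends the rule on every run; checking with `iptables -t nat -C POSTROUTING ...` before `-A` avoids that.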