I’m trying to set up Home Assistant 0.114.3 in Docker for remote access via a reverse proxy, and am failing to be able to log in - or I think I’m logging in but failing to maintain a connection: I enter username and password, and get kicked back out to a “RETRY” screen, but a login token is created for each attempt.
I don’t think I’m an idiot, but I might be over my head.
My detailed situation is:
- A have a Synology Diskstation (192.168.86.37) and a separate Ubuntu box (192.168.86.99); I’m using the reverse proxy and SSL certificate services on the Diskstation and Docker on the Ubuntu box. I’ve done this before with other programs.
- I’ve registered a domain, TimTLD.com, and a dynamic DNS account, Tim.myDS.me.
- I added a “CNAME” record to my DNS, Name ha[.TimTLD.com] and Hostname Tim.myDS.me.
- My Verizon G3100 router forwards ports 80 and 443 (and a few others including 8123) to my Google WiFi, which forwards them to my Diskstation.
- On the Diskstation I’ve added a reverse proxy, Source HTTPS ha.TimTLD.com port 443, Destination 192.168.86.99 port 8123
- On my Diskstation I’ve added a Let’s Encrypt certificate and associated it with ha.TimTLD.com.
- Note: If I change the reverse proxy destination port to a different one, associated with a different Docker (Bitwarden), it works perfectly - so I think the configuration to this point is working.
- On my home network, connecting to Home Assistant on 192.168.86.99:8123 works perfectly.
- Connecting to https://ha.TimTLD.com gives me a normal-looking login screen with “You’re about to give https://ha.TimTLD.com/ access to your Home Assistant instance.”
- It (apparently) allows me to log in because a Refresh Token is created (“Refresh token for https://ha.TimTLD.com/”) - but I’m instantly kicked back out to a “RETRY” screen. (I have to log in with the IP address to see the Refresh Token.)
I’ve tried setting the logger default to debug and scanning the wealth of information that produces, but without knowing what to grep for it’s difficult. It seems as if the local IP login and the DNS login look similar, but the local IP login proceeds to a homeassistant.components.websocket_api.http.connection step that doesn’t happen with the remote login, specifically:
The successful local IP login/connection:
2020-09-10 10:14:26 DEBUG (MainThread) [homeassistant.components.http.view] Serving /auth/login_flow/52b663c3ec1d47dfbd2ca7593cbaca2b to 192.168.86.238 (auth: False)
2020-09-10 10:14:27 DEBUG (MainThread) [homeassistant.components.websocket_api.http.connection.140127263332384] Sending {'id': 3, 'type': 'result', 'success': True, 'result': [lots of stuff]
The failed remote login/connection:
2020-09-10 10:13:07 DEBUG (MainThread) [homeassistant.components.http.view] Serving /auth/login_flow/457066aeedc348cd894f58b7b5433d51 to 192.168.86.37 (auth: False)
I’ve tried various things with external_url and cors_allowed_origins and even ssl_certificate/key, but none of them seem to change anything.
Any ideas?
Thank you!
Tim