(iOS 14) Unable to connect to fresh HA setup ObjectMapper failed to serialize

Found the problem!

Thanks to a hint from WhatPlantsCrave here, I found that the problem was not the TLS version but the Google OAuth layer (traefik-forward-auth) that the request has to pass through.

Here is my working setup, for future reference. Of course it is still a work in progress and I am open to suggestions.
(A massive shout-out to smarthomebeginner for their guides. My config is heavily based on their Traefik 2 Google OAuth guide and I would not have gotten this far without them.)

Running Traefik v2 with docker-compose on an Intel NUC running Ubuntu Server 20.04.

docker-compose.yml

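version: '3.8'
services:
#? NETWORK CONTAINERS # # # # # # # # # # # # # # #
  #? Traefik Reverse Proxy
  #  Terminates TLS on :443, redirects :80 -> :443, and exposes its own
  #  dashboard only through the OAuth-protected traefik-rtr router (api@internal).
  traefik:
    container_name: traefik
    hostname: traefik
    # NOTE(review): a bare image name means :latest; the next pull can bring a
    # breaking major release. Pin a tag (e.g. traefik:v2.<x>).
    image: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - t2_proxy
    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
      # :8080 is the "traefik" entrypoint: /ping, and the API only if
      # api.insecure were enabled (it is not). Nothing on this page needs it
      # from the network, so bind it to loopback rather than every interface.
      - "127.0.0.1:8080:8080"
    volumes:
      # :ro only limits filesystem operations on the socket node; any client
      # that can connect still has full Docker API (= host root) access.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /etc/localtime:/etc/localtime:ro
      # ACME account key and certificate private keys: chmod 600 on the host.
      - $DOCKERDIR/traefik/acme/acme.json:/acme.json
      - $DOCKERDIR/traefik/shared:/shared
      - $DOCKERDIR/traefik/rules:/rules
      - $DOCKERDIR/traefik/traefik.log:/traefik.log
      - $DOCKERDIR/traefik:/etc/traefik
    environment:
      - CF_API_EMAIL=$CLOUDFLARE_EMAIL
      # NOTE(review): CF_API_KEY is the Cloudflare Global API Key (whole
      # account). The provider also accepts a scoped API token via
      # CF_DNS_API_TOKEN (Zone:DNS:Edit + Zone:Zone:Read on this zone only);
      # prefer that so a leak of this container's environment cannot take over
      # the whole Cloudflare account.
      - CF_API_KEY=$CLOUDFLARE_API_KEY
    labels:
      - "traefik.enable=true"
      #? HTTP-to-HTTPS Redirect (matches every Host on :80)
      - "traefik.http.routers.http-catchall.entrypoints=http"
      - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      #? HTTP Routers
      - "traefik.http.routers.traefik-rtr.entrypoints=https"
      - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME`)"
      - "traefik.http.routers.traefik-rtr.tls=true"
      # NOTE(review): no tls.certresolver is set on this router, so the
      # domains[] entries below are only honoured if a wildcard certificate is
      # already present in acme.json from an earlier run; with an empty store
      # Traefik serves its self-signed default certificate instead.
      - "traefik.http.routers.traefik-rtr.tls.domains[0].main=$DOMAINNAME"
      - "traefik.http.routers.traefik-rtr.tls.domains[0].sans=*.$DOMAINNAME"
      #? Services - API (Traefik's built-in dashboard/API service)
      - "traefik.http.routers.traefik-rtr.service=api@internal"
      #? Middlewares - rate limit + security headers + Google OAuth
      - "traefik.http.routers.traefik-rtr.middlewares=chain-oauth@file"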

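  #? Google OAuth - Proxy layer using Oauth 2.0
  #  traefik-forward-auth: the forwardAuth middleware in rules/middlewares.yml
  #  asks this service (port 4181) whether the request carries a valid session
  #  cookie; if not, the browser is sent through Google sign-in. WHITELIST is
  #  the only authorization check - any Google account not listed is rejected.
  oauth:
    container_name: oauth
    # NOTE(review): :latest tag; pin a release for reproducible deployments.
    image: thomseddon/traefik-forward-auth:latest
    restart: unless-stopped
    networks:
      - t2_proxy
    security_opt:
      - no-new-privileges:true
    environment:
      - CLIENT_ID=$GOOGLE_CLIENT_ID
      - CLIENT_SECRET=$GOOGLE_CLIENT_SECRET
      # Signing key for the session cookie; whoever holds it can mint sessions.
      - SECRET=$OAUTH_SECRET
      # Cookie is scoped to the whole domain so one login covers every subdomain.
      - COOKIE_DOMAIN=$DOMAINNAME
      - INSECURE_COOKIE=false  # Secure flag on: cookie is never sent over plain HTTP
      - AUTH_HOST=oauth.$DOMAINNAME
      - URL_PATH=/_oauth
      - WHITELIST=$MY_EMAIL
      - LOG_LEVEL=info
      - LOG_FORMAT=text
      # 30-day sessions: a stolen cookie stays valid that long. Shorten it if
      # the convenience is not needed.
      - LIFETIME=2592000 # 30 days
    labels:
      - "traefik.enable=true"
      #? HTTP Routers
      # Was "...oauth-rtr.entrypoints.https" (a sub-key with no value), which
      # is not a valid option: Traefik cannot decode it and rejects this
      # container's labels, so the oauth router is never created and the
      # Google callback on oauth.$DOMAINNAME cannot be reached.
      - "traefik.http.routers.oauth-rtr.entrypoints=https"
      - "traefik.http.routers.oauth-rtr.rule=Host(`oauth.$DOMAINNAME`)"
      - "traefik.http.routers.oauth-rtr.tls=true"
      #? HTTP Services
      - "traefik.http.routers.oauth-rtr.service=oauth-svc"
      - "traefik.http.services.oauth-svc.loadbalancer.server.port=$OAUTH_PORT"
      #? Middlewares - the auth host itself goes through the oauth chain so
      #  that the callback can set the session cookie.
      - "traefik.http.routers.oauth-rtr.middlewares=chain-oauth@file"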

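#? APP CONTAINERS # # # # # # # # # # # # # # #
  #? Home Assistant
  #  Runs on the host network, so it is not on t2_proxy and carries no Traefik
  #  labels; the router/service that puts it behind Traefik is not shown on
  #  this page (presumably a file under rules/).
  homeassistant:
    container_name: homeassistant
    image: homeassistant/home-assistant:latest
    restart: always
    security_opt:
      - no-new-privileges:true
    # NOTE(review): privileged + host network + a writable Docker socket makes
    # this container equivalent to root on the NUC. If privileged is only there
    # for USB sticks, pass them with the devices: list below instead;
    # no-new-privileges buys very little while privileged is on.
    privileged: true
    network_mode: host
    # ports: removed - Compose discards published ports under
    # network_mode: host (it only warns), so the $HOMEASSISTANT_PORT mapping
    # never did anything; HA listens on the host's :8123 directly.
    #devices:
    #  - /dev/ttyUSB0:/dev/ttyUSB0
    #  - /dev/ttyACM0:/dev/ttyACM0
    volumes:
      - $DOCKERDIR/homeassistant:/config
      - /etc/localtime:/etc/localtime:ro
      # Full Docker control-plane access. :ro would not restrict API calls
      # either; if only read access is needed, put a socket proxy that allows
      # just GET requests in between.
      - /var/run/docker.sock:/var/run/docker.sock # For Docker Monitor https://github.com/Sanderhuisman/docker_monitor
    environment:
      - TZ=$TZ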

traefik.yml — the Traefik *static* configuration, under $DOCKERDIR/traefik/traefik.yml (entryPoints, certificatesResolvers, api and logging are static options; the dynamic configuration is the rules/ directory shown further below). Note that this listing has no `providers:` section: the Docker labels and the `@file` middleware references only work if `providers.docker` and `providers.file` (directory: /rules) are defined somewhere, so that part must be missing from the paste.

entryPoints:
  # Internal entrypoint: serves /ping, and the API only if api.insecure were
  # set (it is not). Keep it off public interfaces.
  traefik:
    address: ":8080"
  http:
    address: ":80"
  https:
    address: ":443"
    forwardedHeaders:
      trustedIPs:
        #* Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/
        #  Connections from any other source (e.g. LAN clients hitting :443
        #  directly) get their X-Forwarded-* headers stripped and rewritten.
        #  This is what keeps the client IP seen by the rate limiter and by
        #  forwardAuth (trustForwardHeader: true) from being spoofed.
        #  The list has to be kept in sync with Cloudflare's published ranges.
        - 173.245.48.0/20
        - 103.21.244.0/22
        - 103.22.200.0/22
        - 103.31.4.0/22
        - 141.101.64.0/18
        - 108.162.192.0/18
        - 190.93.240.0/20
        - 188.114.96.0/20
        - 197.234.240.0/22
        - 198.41.128.0/17
        - 162.158.0.0/15
        - 104.16.0.0/12
        - 172.64.0.0/13
        - 131.0.72.0/22


# NOTE(review): tls.options is *dynamic* configuration in Traefik v2 - it is
# not accepted in this static file (Traefik refuses to start on an unknown
# static field), which is probably why the stanza ended up commented out.
# Move it to a file under /rules, e.g. rules/tls-opts.yml, where the file
# provider picks it up:
#
# tls:
#   options:
#     default:
#       minVersion: VersionTLS12
#     mintls13:
#       minVersion: VersionTLS13
#
# "default" applies to every router without an explicit tls.options; pin the
# floor explicitly rather than relying on the release's default minimum.
# "mintls13" is opt-in per router via tls.options=mintls13@file.

certificatesResolvers:
  dns-cloudflare:
    acme:
      # NOTE(review): Traefik does not expand $VAR in this file (that is a
      # docker-compose feature, not a Traefik one), so the literal string
      # "$CLOUDFLARE_EMAIL" is what gets registered as the ACME contact. Put the
      # real address here, or configure the resolver via CLI flags / TRAEFIK_*
      # environment variables instead.
      email: $CLOUDFLARE_EMAIL
      # Account key + issued certificates; Traefik requires mode 600 on it.
      storage: /acme.json
      # DNS-01 through the Cloudflare API (credentials come from the CF_API_*
      # variables in docker-compose); the only challenge type that can issue
      # the wildcard certificate.
      dnsChallenge:
        provider: cloudflare
        # Resolvers used to confirm the TXT record is live before asking the
        # CA, so a caching local resolver cannot report a stale answer.
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"

log:
  level: ERROR # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC

accessLog:
  filePath: /traefik.log
  bufferingSize: 100 # A buffer of 100 lines
  # Only client errors are logged: good for spotting auth failures and scans,
  # but successful logins and 5xx responses from backends are not recorded.
  filters:
    statusCodes:
      - "400-499"
api:
  # api.insecure is left at its default (false), so the dashboard is NOT served
  # on the :8080 entrypoint; it is only reachable via the api@internal router
  # defined in docker-compose, which sits behind chain-oauth@file.
  dashboard: true

# /ping health endpoint, served on the "traefik" entrypoint (:8080).
ping: {}

Finally, the two dynamic-configuration files under $DOCKERDIR/traefik/rules: middlewares.yml (the first `http:` document below) and middleware-chain.yml (the second `http:` document). They are separate files, which is why `http:` appears twice.

http:
  middlewares:
    #? Basic Auth which uses a static login from .htpasswd file (mounted from
    #  $DOCKERDIR/traefik/shared). Use bcrypt hashes in that file.
    middlewares-basic-auth:
      basicAuth:
        realm: "Traefik2 Basic Auth"
        usersFile: "/shared/.htpasswd"
    #? Denies request floods (DDoS and CredScan): token bucket per source
    #  (client IP by default) refilled at 100 req/s, bursts of up to 50.
    #  Only effective against credential scans if it runs *before* the auth
    #  middleware in a chain.
    middlewares-rate-limit:
      rateLimit:
        average: 100
        burst: 50
    #? Security headers for. Headers are the "shipping box" around the website that tells the browser how to handle each component
    middlewares-secure-headers:
      headers:
        # CORS method/max-age headers without an allowed-origin list; on their
        # own these do not grant cross-origin access.
        accessControlAllowMethods:
          - GET
          - OPTIONS
          - PUT
        accessControlMaxAge: 100
        hostsProxyHeaders:
          - X-Forwarded-Host
        # Redundant with the http-catchall redirect router in docker-compose
        # (and deprecated in the headers middleware); harmless to keep.
        sslRedirect: true
        # HSTS: 2 years, all subdomains, preload-eligible, and sent even when
        # Traefik does not consider the request to have arrived over HTTPS.
        stsSeconds: 63072000
        stsIncludeSubdomains: true
        stsPreload: true
        forceSTSHeader: true
        # NOTE(review): two problems here. (1) "$DOMAINNAME" is not expanded
        # by Traefik's file provider - dynamic files use Go templates,
        # i.e. {{ env "DOMAINNAME" }}, and DOMAINNAME must then be present in
        # the traefik container's environment (the compose file on this page
        # only passes CF_API_* to it). (2) X-Frame-Options ALLOW-FROM is
        # ignored by current browsers (and the URI is missing "//"), so this
        # currently provides no framing protection at all. Use a
        # Content-Security-Policy frame-ancestors directive (see the commented
        # line below) or plain SAMEORIGIN instead.
        customFrameOptionsValue: "allow-from https:$DOMAINNAME"
        contentTypeNosniff: true
        # X-XSS-Protection: 1; mode=block - deprecated; current guidance is to
        # send 0 (or omit it) and rely on CSP instead.
        browserXssFilter: true
#        sslForceHost: true
#        sslHost: "$DOMAINNAME"
        referrerPolicy: "same-origin"
#      Setting contentSecurityPolicy is more secure but it can break things. Proper auth will reduce the risk.
#      the below line also breaks some apps due to 'none' - sonarr, radarr, etc.
#      contentSecurityPolicy = "frame-ancestors '*.example.com:*';object-src 'none';script-src 'none';"
        # Feature-Policy is superseded by Permissions-Policy (permissionsPolicy
        # option in newer Traefik releases); keep this while old browsers matter.
        featurePolicy: "camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';"
        customResponseHeaders:
          # Keep every proxied app out of search engines.
          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex,"
          # Empty value strips the Server header (no version fingerprinting).
          server: ""
    #? Google Oauth authentication. 
    middlewares-oauth:
      forwardAuth:
        # Plain HTTP to the oauth container over the internal t2_proxy network;
        # 4181 is traefik-forward-auth's listening port.
        address: "http://oauth:4181"
        # Pass the client's X-Forwarded-* headers through to the auth service
        # unchanged. Safe only because the https entrypoint already strips those
        # headers from sources outside forwardedHeaders.trustedIPs.
        trustForwardHeader: true
        # Copy the authenticated identity onto the request the backend sees.
        authResponseHeaders:
          - "X-Forwarded-User"
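# middleware-chain.yml - the three chains referenced from router labels as
# chain-<name>@file. A chain runs top to bottom, and the first middleware that
# rejects the request short-circuits the rest.
http:
  middlewares:
    # Public/unauthenticated apps: still rate-limited and header-hardened.
    chain-no-auth:
      chain:
        middlewares:
          - "middlewares-rate-limit"
          - "middlewares-secure-headers"
    # Static .htpasswd login. The rate limiter now runs *before* basicAuth so
    # password guessing is throttled like any other traffic; previously a
    # failed login returned 401 before the request ever reached the limiter,
    # which defeated the "CredScan" purpose stated for middlewares-rate-limit.
    chain-basic-auth:
      chain:
        middlewares:
          - "middlewares-rate-limit"
          - "middlewares-secure-headers"
          - "middlewares-basic-auth"
    # Google OAuth via traefik-forward-auth; same ordering, auth last.
    chain-oauth:
      chain:
        middlewares:
          - "middlewares-rate-limit"
          - "middlewares-secure-headers"
          - "middlewares-oauth"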