Issues with Caddy and Home Assistant [solved]

rherriage · June 12, 2020, 1:36pm

Hi everyone,

Pardon if this is in the wrong section…

I have a separate linux VM running MQTT broker and Caddy as a reverse proxy for HA (running hassio VM). I’m running into a strange issue the reverse proxy seems to be redirecting to HA. All I get is the top header blue bar and nothing else. I’ve followed the steps in this link Reverse Proxy with Caddy to set up the reverse proxy. Syntax for Caddyfile is a little different as I installed caddy2, but the config per the link is just websocket and transparent mode, which is supposed to be the default for caddy2. I went ahead and added the below config to the Caddyfile to test, but still get this issue.

Here is what I have added to test it, as apparently the transparent keyword adds this to caddy v1, but didn’t work

header_upstream Host {host}
header_upstream X-Real-IP {remote}
header_upstream X-Forwarded-For {remote}
header_upstream X-Forwarded-Port {server_port}
header_upstream X-Forwarded-Proto {scheme}

I’ve tried various things, including removing HTTPS config from the passthrough proxy and HA. Watching the Caddy process (–watch) doesn’t output any errors at all. I’m thinking this may be on some kind of trust issue with HA, but I’ve got the trusted proxy set up, too. At a loss here for a couple of days. HA’s been completely rebooted, proxy has too (for other things)

I’m a network engineer by trade, so tech isn’t foreign, but webservers aren’t exactly my strength

Before I scrap this and move to nginx, has anyone run into this and can provide a little guidance?
Thanks in advance!
Robert

Here is what I get in browser (regular, incognito, etc) no matter what I do (short of removing the reverse proxy config entirely or borking it intentionally)

Here is my current Caddyfile

domain.com {

root * /usr/share/caddy
file_server
}



domain2.com {

reverse_proxy / {
    to 192.168.5.49:8123
#    transport http {
 #       tls_insecure_skip_verify
  #      tls

   #  }
  }
}

Current http section of config.yaml as you can see, I removed https for testing purposes

http:
  #ssl_certificate: /ssl/fullchain.pem
  #ssl_key: /ssl/privkey.pem
  base_url: http://domain2.com
  use_x_forwarded_for: true
  trusted_proxies: 192.168.5.40

Browsing directly to the IP/port is fine over http (or when enabled, https)

callifo · June 13, 2020, 9:19am

The new version removed the need to even put transparent anymore. This is my working config

(logs_external_https) {
  log {
    output file /var/log/caddy/caddy-https-external.log {
      roll_size 1MiB
      roll_keep 5
      roll_keep_for 168h
    }
    format console
  }
}
(https_header) {
  header {
    Strict-Transport-Security "max-age=31536000; includeSubdomains"
    X-XSS-Protection "1; mode=block"
    X-Content-Type-Options "nosniff"
    X-Frame-Options "SAMEORIGIN"
    Referrer-Policy "same-origin"
  }
}

https://ha.xxx.org {
  import https_header
  tls /etc/letsencrypt/live/xxx/fullchain.pem /etc/letsencrypt/live/xxx/privkey.pem {
    alpn http/1.1
  }
  reverse_proxy 127.0.0.1:8123
  import logs_external_https
  encode gzip
}

rherriage · June 13, 2020, 3:34pm

Thanks. yeah I noticed that too. Makes me think it’s some kind of forwarding/permission issue between the HA and Caddy VMs, but they are on the same L2 with no FW in between, which led me down the path of a potential config issue with one or the other. Looking at your config, I modified m ine slightly to match (https in the domain declaration) and added the gzip/header changes you have, but still just the blue bar. The kicker is even just the basic reverse proxy with https disabled still does this same thing.

it’s almost as if HA isn’t trusting the trusted proxies directive in the config file

rherriage · June 13, 2020, 4:33pm

after tons of trial and error, google searching, etc. My google-fu skills finally found the problem. It has to do with the domain matching differences of v2 and v1. i was matching root (/) adding in a splat to root (/*) solved it, and now it’s working as expected. Hopefully this helps someone else out (my updated caddyv2 file)

https://domain.org {
reverse_proxy /* {
  to 192.168.5.49:8123
  transport http {
        tls
        tls_insecure_skip_verify
 }
}
}

Tyfoon · August 28, 2022, 6:13pm

@rherriage Is this still working for you? I had caddy v1 working and moving to v2 but can’t get it to work with this. What does you’r http section in home assistant look like?

rherriage · August 29, 2022, 1:42pm

Here you go, and, yes. Working fine still.

http:
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem
#  base_url: https://
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.5.40

Tyfoon · August 29, 2022, 6:18pm

Ok. In the end I could not get your config to work. After a lot of trail and error my working config:


https://ha.mydomain.com {
	reverse_proxy 192.168.1.39:8123 {
		header_up X-Real-IP {remote}
	}

  	log {
    		format console
    		output file /var/log/caddy/ha.log {
			roll_size 100MiB
			roll_keep 10
			roll_keep_for 168h
		}
  	}
	header {
		Strict-Transport-Security "max-age=31536000; includeSubdomains"
		X-XSS-Protection "1; mode=block"
		X-Content-Type-Options "nosniff"
		X-Frame-Options "SAMEORIGIN"
		Referrer-Policy "same-origin"
	}

}

And my http:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.1.181
    - 127.0.0.1
    - 172.30.33.0/24
    - ::1

Still not sure if I really need the ones after the proxy IP but I’m done testing for now…

does anyone know if these pose a security risk?

akeslo · November 28, 2022, 10:53pm

Thanks for this, saved me a few hours!