Mobile app UI no longer working when on a new IP

Whenever I leave the house and, as a result, the IP address of my mobile changes, the mobile app UI no longer works. According to the HA logs, the mobile app is still reporting sensor status to HA, but the UI reports that there are problems. When I investigate the nginx logs, I see that UI requests get HTTP 404, while the sensor reporting gets HTTP 200, with the same key. Recovery from this situation is nasty. In the past I removed cache and data from the app, so I had to totally reconfigure it again, but I found out that by giving it a bogus https address and then the correct one, I can log in again. It would be nice if the problem didn’t happen on change of IP, but failing that, it would be nice to have, on the screen you get with wait and renew URL, an additional option to re-login.

Is anybody else having this problem? It all started a couple of months ago, when the external IP became important in nginx, and yes, I have checked the config umpteen times to confirm that it passes the correct IP.

Can you share your reverse proxy config? It sounds like that’s the area the issue is occurring in, as it likely should not start returning 404s for this.

@zacwest Here is my homeassistant NGINX config:

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name homeassistant.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        #include /config/nginx/proxy.conf;
        proxy_set_header Host $host;
        proxy_redirect http:// https://;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_buffering off;
        proxy_ssl_verify off;

        resolver 127.0.0.11 valid=30s;
        set $upstream_homeassistant homeassistant;
        proxy_pass http://$upstream_homeassistant:8123;
    }

    location /api/websocket {
        proxy_set_header Host $host;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        resolver 127.0.0.11 valid=30s;
        set $upstream_homeassistant homeassistant;
        proxy_pass http://$upstream_homeassistant:8123;
    }
}

Are you connecting to this using some kind of globally-addressable domain name? Is it possible that is getting out of date and needs updating? What’s the TTL on the A/AAAA/etc. record set to?

Does it work if you directly set the local IP address for the :8123 variant?

Don’t think it is a DNS problem, since all other things work via the wildcard domain name, and the IP address is sort of static; it hasn’t changed in years. I will see if I can get a fresh set of NGINX access logs with the phenomenon in it. May take me a couple of days.

I have been able to get the logs and some screenshots. It is clear that the token last obtained is still valid for reporting status (using POSTs) but GETs fail, see attached pictures and log:

And following is the nginx log that shows the UI responding with HTTP 403:

Attempts to use the UI

90.57.136.154 - - [08/Oct/2021:16:04:11 +0200] "POST /api/webhook/1cb6665e3f72112b45eb78da366dcea6102aa041b62ed0c299338141ecae3431 HTTP/2.0" 200 511 "-" "okhttp/4.9.1"
90.57.136.154 - - [08/Oct/2021:16:04:11 +0200] "GET /?external_auth=1 HTTP/2.0" 200 1501 "-" "Mozilla/5.0 (Linux; Android 11; SM-T870 Build/RP1A.200720.012; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/94.0.4606.71 Safari/537.36"
90.57.136.154 - - [08/Oct/2021:16:04:11 +0200] "POST /api/webhook/1cb6665e3f72112b45eb78da366dcea6102aa041b62ed0c299338141ecae3431 HTTP/2.0" 200 102 "-" "okhttp/4.9.1"
90.57.136.154 - - [08/Oct/2021:16:04:12 +0200] "POST /auth/token HTTP/2.0" 403 86 "-" "HomeAssistant/Android 2021.9.0-723"
90.57.136.154 - - [08/Oct/2021:16:04:12 +0200] "GET /api/websocket HTTP/1.1" 101 109 "-" "Mozilla/5.0 (Linux; Android 11; SM-T870 Build/RP1A.200720.012; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/94.0.4606.71 Safari/537.36"
90.57.136.154 - - [08/Oct/2021:16:04:12 +0200] "POST /auth/token HTTP/2.0" 403 86 "-" "HomeAssistant/Android 2021.9.0-723"
90.57.136.154 - - [08/Oct/2021:16:04:13 +0200] "GET /service_worker.js HTTP/2.0" 304 0 "https://homeassistant.gjmdmontferland.duckdns.org/service_worker.js" "Mozilla/5.0 (Linux; Android 11; SM-T870 Build/RP1A.200720.012; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/94.0.4606.71 Safari/537.36"
90.57.136.154 - - [08/Oct/2021:16:04:21 +0200] "GET / HTTP/2.0" 200 1501 "-" "Mozilla/5.0 (Linux; Android 11; SM-T870 Build/RP1A.200720.012; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/94.0.4606.71 Safari/537.36"
90.57.136.154 - - [08/Oct/2021:16:04:21 +0200] "POST /auth/token HTTP/2.0" 403 86 "-" "HomeAssistant/Android 2021.9.0-723"
90.57.136.154 - - [08/Oct/2021:16:04:21 +0200] "POST /auth/token HTTP/2.0" 403 86 "-" "HomeAssistant/Android 2021.9.0-723"
90.57.136.154 - - [08/Oct/2021:16:04:21 +0200] "GET /api/websocket HTTP/1.1" 101 57 "-" "Mozilla/5.0 (Linux; Android 11; SM-T870 Build/RP1A.200720.012; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/94.0.4606.71 Safari/537.36"
90.57.136.154 - - [08/Oct/2021:16:04:23 +0200] "GET /service_worker.js HTTP/2.0" 304 0 "https://homeassistant.gjmdmontferland.duckdns.org/service_worker.js" "Mozilla/5.0 (Linux; Android 11; SM-T870 Build/RP1A.200720.012; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/94.0.4606.71 Safari/537.36"
90.57.136.154 - - [08/Oct/2021:16:04:24 +0200] "GET /lovelace HTTP/2.0" 200 1496 "https://homeassistant.gjmdmontferland.duckdns.org/lovelace" "Mozilla/5.0 (Linux; Android 11; SM-T870 Build/RP1A.200720.012; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/94.0.4606.71 Safari/537.36"
90.57.136.154 - - [08/Oct/2021:16:04:24 +0200] "POST /auth/token HTTP/2.0" 403 86 "-" "HomeAssistant/Android 2021.9.0-723"
90.57.136.154 - - [08/Oct/2021:16:04:24 +0200] "POST /auth/token HTTP/2.0" 403 86 "-" "HomeAssistant/Android 2021.9.0-723"
90.57.136.154 - - [08/Oct/2021:16:04:24 +0200] "GET /api/websocket HTTP/1.1" 101 57 "-" "Mozilla/5.0 (Linux; Android 11; SM-T870 Build/RP1A.200720.012; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/94.0.4606.71 Safari/537.36"
90.57.136.154 - - [08/Oct/2021:16:04:26 +0200] "GET /service_worker.js HTTP/2.0" 304 0 "https://homeassistant.gjmdmontferland.duckdns.org/service_worker.js" "Mozilla/5.0 (Linux; Android 11; SM-T870 Build/RP1A.200720.012; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/94.0.4606.71 Safari/537.36"
90.57.136.154 - - [08/Oct/2021:16:04:27 +0200] "POST /api/webhook/1cb6665e3f72112b45eb78da366dcea6102aa041b62ed0c299338141ecae3431 HTTP/2.0" 200 99 "-" "okhttp/4.9.1"
90.57.136.154 - - [08/Oct/2021:16:04:30 +0200] "POST /api/webhook/1cb6665e3f72112b45eb78da366dcea6102aa041b62ed0c299338141ecae3431 HTTP/2.0" 200 101 "-" "okhttp/4.9.1"
90.57.136.154 - - [08/Oct/2021:16:04:32 +0200] "GET / HTTP/2.0" 200 1501 "-" "Mozilla/5.0 (Linux; Android 11; SM-T870 Build/RP1A.200720.012; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/94.0.4606.71 Safari/537.36"
90.57.136.154 - - [08/Oct/2021:16:04:32 +0200] "POST /auth/token HTTP/2.0" 403 86 "-" "HomeAssistant/Android 2021.9.0-723"
90.57.136.154 - - [08/Oct/2021:16:04:32 +0200] "POST /auth/token HTTP/2.0" 403 86 "-" "HomeAssistant/Android 2021.9.0-723"
90.57.136.154 - - [08/Oct/2021:16:04:32 +0200] "GET /api/websocket HTTP/1.1" 101 57 "-" "Mozilla/5.0 (Linux; Android 11; SM-T870 Build/RP1A.200720.012; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/94.0.4606.71 Safari/537.36"
90.57.136.154 - - [08/Oct/2021:16:04:34 +0200] "GET /service_worker.js HTTP/2.0" 304 0 "https://homeassistant.gjmdmontferland.duckdns.org/service_worker.js" "Mozilla/5.0 (Linux; Android 11; SM-T870 Build/RP1A.200720.012; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/94.0.4606.71 Safari/537.36"
90.57.136.154 - - [08/Oct/2021:16:04:49 +0200] "POST /api/webhook/1cb6665e3f72112b45eb78da366dcea6102aa041b62ed0c299338141ecae3431 HTTP/2.0" 200 134 "-" "okhttp/4.9.1"

Device plugged into mains:

90.57.136.154 - - [08/Oct/2021:16:07:25 +0200] "POST /api/webhook/1cb6665e3f72112b45eb78da366dcea6102aa041b62ed0c299338141ecae3431 HTTP/2.0" 200 249 "-" "okhttp/4.9.1"
90.57.136.154 - - [08/Oct/2021:16:07:30 +0200] "POST /api/webhook/1cb6665e3f72112b45eb78da366dcea6102aa041b62ed0c299338141ecae3431 HTTP/2.0" 200 76 "-" "okhttp/4.9.1"


@zacwest I think I know what is happening. When I log on to HA using the mobile app inside a trusted network and use a user-id, then if my IP address changes, it is no longer a trusted IP address, hence that authentication fails with a 403, as the previous logs show.
I have tested the mobile app logging on to HA using a local id, and then when the IP address changes the app keeps working. Although it is a bit ambiguous for HA to accept status updates from the mobile app but refuse to interface with the UI, it is from a security point of view acceptable behavior. I think the mobile app should log out and show a proper login screen again when it gets a 403, since waiting and changing the external URL is not an answer to the problem. The current way of solving this problem is deleting cache and user data from the app and doing a login using a local ID; the pain you now have is that you need to configure your umpteen sensors again.

Leaving a trusted network causing authentication errors is a relatively new (beginning of the year) change; the iOS app now treats it as a logout but it sounds like the Android app does not. This would be a good issue to file on GitHub if you’re inclined to do so.
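
The signature diagnosed in this thread (webhook POSTs still answered with 200 while `POST /auth/token` from the same client gets 403) can be picked out of an nginx access log automatically. The Python below is an added example, not part of the original thread or of Home Assistant; the function names, the `min_denied` threshold and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# nginx "combined" access-log prefix: client IP, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def classify(path):
    """Name the credential a request path depends on (None if not of interest)."""
    if path.startswith("/api/webhook/"):
        return "webhook"   # authorised by the webhook ID in the URL
    if path == "/auth/token":
        return "token"     # app asking for an access token for the UI
    return None

def find_stale_sessions(lines, min_denied=2):
    """Return {ip: (webhook_ok, token_denied)} for clients whose webhook
    POSTs return 200 while their POST /auth/token requests return 403."""
    stats = defaultdict(lambda: {"webhook_ok": 0, "token_denied": 0})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "POST":
            continue
        kind, status = classify(m["path"]), int(m["status"])
        if kind == "webhook" and status == 200:
            stats[m["ip"]]["webhook_ok"] += 1
        elif kind == "token" and status == 403:
            stats[m["ip"]]["token_denied"] += 1
    return {ip: (s["webhook_ok"], s["token_denied"])
            for ip, s in stats.items()
            if s["webhook_ok"] and s["token_denied"] >= min_denied}

# Constructed sample lines: documentation IPs and a placeholder webhook ID.
SAMPLE = '''\
203.0.113.7 - - [08/Oct/2021:16:04:11 +0200] "POST /api/webhook/EXAMPLE_ID HTTP/2.0" 200 511 "-" "okhttp/4.9.1"
203.0.113.7 - - [08/Oct/2021:16:04:12 +0200] "POST /auth/token HTTP/2.0" 403 86 "-" "HomeAssistant/Android"
203.0.113.7 - - [08/Oct/2021:16:04:12 +0200] "GET /api/websocket HTTP/1.1" 101 109 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Oct/2021:16:04:21 +0200] "POST /auth/token HTTP/2.0" 403 86 "-" "HomeAssistant/Android"
203.0.113.7 - - [08/Oct/2021:16:04:27 +0200] "POST /api/webhook/EXAMPLE_ID HTTP/2.0" 200 99 "-" "okhttp/4.9.1"
198.51.100.20 - - [08/Oct/2021:16:05:02 +0200] "POST /api/webhook/OTHER_ID HTTP/2.0" 200 120 "-" "okhttp/4.9.1"
198.51.100.20 - - [08/Oct/2021:16:05:03 +0200] "POST /auth/token HTTP/2.0" 200 412 "-" "HomeAssistant/Android"
192.0.2.9 - - [08/Oct/2021:16:06:40 +0200] "POST /auth/token HTTP/2.0" 403 86 "-" "curl/7.79.1"
'''.splitlines()

if __name__ == "__main__":
    for ip, (ok, denied) in find_stale_sessions(SAMPLE).items():
        print(f"{ip}: {ok} webhook POSTs accepted, {denied} /auth/token 403s")
```

A client is reported only when both conditions hold, so a lone 403 on `/auth/token` with no accepted webhook traffic from that address is not flagged.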