Whenever I leave the house and as a result the IP address of my mobile changes, then the mobile app UI no longer works. According to the HA logs, the mobile app is still reporting sensor status to HA, but the UI does return there are problems. When I investigate the nginx logs, I see that UI requests get HTTP 404, while the sensor reporting gets HTTP 200, with the same key. Recovery from this situation is nasty, in the past I removed cache and data from the app, so I had to totally reconfigure it again, but I found out that by giving it a bogus https address and then the correct one, I can log in again. Would be nice if the problem didn’t happen on change of IP, but failing that it would be nice to have an option on the screen you get with wait and renew URL, an additional option to re-login.
Anybody else having this problem, it all started a couple of months ago, when external IP became important in nginx, and yes I have checked the config umpteen times, that it passes the correct IP.
Can you share your reverse proxy config? It sounds like that’s the area the issue is occurring in, as it likely should not start returning 404s for this.
Are you connecting to this using some kind of globally-addressable domain name? Is it possible that is getting out of date and needs updating? What’s the TTL on the A/AAAA/etc. record set to?
Does it work if you directly set the local IP address for the :8123 variant?
Don’t think it is a DNS problem, since all other things work via the wildcard domainname, and IP address is sort of static, hasn’t changed in years. I will see if I can get a fresh set of NGINX access logs with the phenomena in it. May take me a couple of day.
I have been able to get the logs and some screenshots. It is clear that the token last obtained is still valid for reporting status (using POSTs) but GETs fail, see attached pictures and log:
@zacwest I think I know what is happening. When I logon to HA using the mobile app inside a trusted network and use a user-id, then if my IP address changes it is no longer a trusted IP address hence that authentication fails with a 403 as previous logs show.
Have tested the mobile app logging on to HA using a local id and then when IP address changes the app keeps working. Although it is a bit ambiguous from HA to accept status updates from the mobile app, but refuses to interface with the UI, is from a security point of view acceptable behavior. I think the mobile app should logout and show a proper login screen again when it gets a 403, since waiting and changing external URL is not an answer to the problem. Current way for solving this problem is deleting cache and user data from the app and do a login using a local ID, the pain you now have is that you need to configure your umpteen sensors again.
Leaving a trusted network causing authentication errors is a relatively new (beginning of the year) change; the iOS app now treats it as a logout but it sounds like the Android app does not. This would be a good issue to file on GitHub if you’re inclined to do so.