Hi community,
I'm facing an issue that I need your help with.
My homeassistant instance is hosted via docker behind a traefik reverse proxy. Now, I'm trying to stream music that is locally stored and attached via a bind mount to the homeassistant container.
When I select a song via the media player entity, the player starts but the song does not play. I then get the following warning in the logs:
WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 10.0.4.2 (10.0.4.2). Requested URL: '/media/local/albums/ABBA%2520-%2520Gold%2520-%2520Greatest%2520Hits/Gold%2520(Greatest%2520Hits)%2520-%252002.19%2520-%2520Knowing%2520Me,%2520Knowing%2520You.mp3?authSig%3DeyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3M'. (AvegaMediaServer/2.0 Linux/2.6)
The client IP matches the IP of the media player, which means that the player receives the request from homeassistant and tries to access the song via the homeassistant API. But for some unknown reason, homeassistant refuses the request.
This is my configuration:
Docker Compose for Home Assistant:
homeassistant:
  image: homeassistant/home-assistant:2025.1.4
  container_name: ${COMPOSE_PROJECT_NAME}
  restart: always
  networks:
    - public
    - automation
    - default
  volumes:
    - /etc/localtime:/etc/localtime:ro
    - /mnt/user/containers/${COMPOSE_PROJECT_NAME}/config:/config
    - /mnt/user/containers/${COMPOSE_PROJECT_NAME}/config/.ssh:/root/.ssh
    - /mnt/user/albums:/media/albums:ro
    - /mnt/user/audiobooks:/media/audiobooks:ro
    - /mnt/user/soundtracks:/media/soundtracks:ro
  environment:
    - TZ=Europe/Berlin
  labels:
    # Traefik
    - traefik.enable=true
    - traefik.docker.network=public
    # Traefik HTTP Routers
    - traefik.http.routers.${COMPOSE_PROJECT_NAME}.entrypoints=web,websecure
    - traefik.http.routers.${COMPOSE_PROJECT_NAME}.rule=Host(`${COMPOSE_PROJECT_NAME}.${DOMAIN_NAME}`)
    - traefik.http.routers.${COMPOSE_PROJECT_NAME}.service=${COMPOSE_PROJECT_NAME}
    - traefik.http.routers.${COMPOSE_PROJECT_NAME}.tls=true
    - traefik.http.routers.${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt
    # Traefik HTTP Services
    - traefik.http.services.${COMPOSE_PROJECT_NAME}.loadbalancer.server.port=80
Docker Compose for Traefik:
traefik:
  image: traefik:v3.3.2
  container_name: ${COMPOSE_PROJECT_NAME}
  restart: always
  ports:
    - 80:80
    - 443:443
    - 8081:8080
    - 8082:8082
  volumes:
    - /etc/timezone:/etc/timezone:ro
    - /etc/localtime:/etc/localtime:ro
    - /var/run/docker.sock:/var/run/docker.sock:ro
    - /mnt/user/containers/${COMPOSE_PROJECT_NAME}/data:/etc/traefik
    - /mnt/user/containers/${COMPOSE_PROJECT_NAME}/rules:/rules
    - /mnt/user/containers/${COMPOSE_PROJECT_NAME}/logs:/var/log/traefik
  networks:
    - public
  environment:
    - TZ=Europe/Berlin
    - CLOUDFLARE_DNS_API_TOKEN=${CLOUDFLARE_DNS_TOKEN}
    - CLOUDFLARE_HTTP_TIMEOUT=60 # API request timeout in seconds (Default: 60)
    - CLOUDFLARE_POLLING_INTERVAL=2 # Time between DNS propagation check in seconds (Default: 2)
    - CLOUDFLARE_PROPAGATION_TIMEOUT=120 # Maximum waiting time for DNS propagation in seconds (Default: 120)
    - CLOUDFLARE_TTL=120 # The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)
  command:
    # API
    - --api=true
    - --api.insecure=true
    - --api.dashboard=true
    # Global
    - --global.checkNewVersion=true
    - --global.sendAnonymousUsage=false
    # Providers
    - --providers.docker=true
    - --providers.docker.exposedbydefault=false
    - --providers.docker.endpoint=unix:///var/run/docker.sock
    - --providers.file.directory=/rules
    - --providers.file.watch=true
    # Entrypoints
    - --entrypoints.web.address=:80
    - --entrypoints.web.http.redirections.entryPoint.to=websecure
    - --entrypoints.web.http.redirections.entryPoint.scheme=https
    - --entrypoints.web.http.redirections.entryPoint.permanent=true
    - --entrypoints.websecure.address=:443
    # Experimental Plugins
    - --experimental.plugins.rewriteBody.modulename=github.com/packruler/rewrite-body
    - --experimental.plugins.rewriteBody.version=v1.2.0
    - --experimental.plugins.rewriteHeaders.modulename=github.com/XciD/traefik-plugin-rewrite-headers
    - --experimental.plugins.rewriteHeaders.version=v0.0.4
    # Servers Transport
    - --serversTransport.insecureSkipVerify=true # Required for UniFi Controller
    # Certificate Resolvers
    - --certificatesresolvers.letsencrypt.acme.email=admin@${DOMAIN_NAME}
    - --certificatesresolvers.letsencrypt.acme.storage=/etc/traefik/certificates.json
    # - --certificatesresolvers.letsencrypt.acme.dnschallenge.provider=hostingde
    - --certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare
    - --certificatesresolvers.letsencrypt.acme.dnschallenge.delaybeforecheck=30
    - --certificatesresolvers.letsencrypt.acme.dnschallenge.resolvers=1.1.1.1,1.0.0.1
    # Logging
    - --log=true
    - --log.filepath=/var/log/traefik/traefik.log
    # - --log.format=json
    - --log.level=INFO
    - --accesslog=true
    - --accesslog.filepath=/var/log/traefik/access.log
    # - --accesslog.format=json
    # Healthcheck
    - --ping=true
Home Assistant configuration.yaml:
http:
  server_port: 80
  cors_allowed_origins:
    - https://google.com
    - https://www.home-assistant.io
  # ip_ban_enabled: true
  # login_attempts_threshold: 5
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.16.1.0/24 # traefik network
Do you have any idea how to solve this?
BR
Sebastian
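
A diagnostic for the requested URL in the warning above, as an added example that is not part of the original post: it checks whether a server that percent-decodes once would find an `authSig` query parameter and a usable file path. The function names are hypothetical, and whether this encoding is what causes the rejection is an assumption the check helps test.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Requested URL copied verbatim from the warning in the post
# (the token is truncated there and is left truncated here).
LOGGED_URL = (
    "/media/local/albums/ABBA%2520-%2520Gold%2520-%2520Greatest%2520Hits/"
    "Gold%2520(Greatest%2520Hits)%2520-%252002.19%2520-%2520Knowing%2520Me,"
    "%2520Knowing%2520You.mp3"
    "?authSig%3DeyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3M"
)


def diagnose(url):
    """Report how a server that percent-decodes once would see this URL."""
    parts = urlsplit(url)
    # keep_blank_values=True so a name without '=' still shows up as a key.
    params = parse_qs(parts.query, keep_blank_values=True)
    once = unquote(parts.path)
    return {
        # A signed-path check needs a parameter literally named authSig.
        "has_authsig": "authSig" in params,
        "param_names": sorted(params),
        "path_decoded_once": once,
        # Still containing escapes after one decode means it was encoded twice.
        "path_double_encoded": "%" in once and unquote(once) != once,
    }


def repair(url):
    """Undo one layer of percent-encoding on both the path and the query."""
    parts = urlsplit(url)
    return unquote(parts.path) + "?" + unquote(parts.query)


if __name__ == "__main__":
    for label, url in (("as logged", LOGGED_URL), ("one layer removed", repair(LOGGED_URL))):
        print(label)
        for key, value in diagnose(url).items():
            print(f"  {key}: {value}")
```

For the logged URL the only parameter name seen is the whole string `authSig=eyJ...`, so no `authSig` key exists, and the path still contains `%20` after one decode; comparing this with the URL Home Assistant hands to the player shows which hop adds the extra encoding.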