Music Streaming: Login attempt or request with invalid authentication

Hi community,

I'm facing an issue that I need your help with.

My homeassistant instance is hosted via docker behind a traefik reverse proxy. Now, I'm trying to stream music that is locally stored and attached via a bind mount to the homeassistant container.

When I select a song via the media player entity, the player starts but the song does not play. I then get the following warning in the logs:

WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 10.0.4.2 (10.0.4.2). Requested URL: '/media/local/albums/ABBA%2520-%2520Gold%2520-%2520Greatest%2520Hits/Gold%2520(Greatest%2520Hits)%2520-%252002.19%2520-%2520Knowing%2520Me,%2520Knowing%2520You.mp3?authSig%3DeyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3M'. (AvegaMediaServer/2.0 Linux/2.6)

The client IP matches the IP of the media player, which means that the player receives the request from homeassistant and tries to access the song via the homeassistant API. But for some unknown reason, homeassistant refuses the request.

This is my configuration:

Docker Compose for Home Assistant:

  homeassistant:
    image: homeassistant/home-assistant:2025.1.4
    container_name: ${COMPOSE_PROJECT_NAME}
    restart: always
    networks:
      - public
      - automation
      - default
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /mnt/user/containers/${COMPOSE_PROJECT_NAME}/config:/config
      - /mnt/user/containers/${COMPOSE_PROJECT_NAME}/config/.ssh:/root/.ssh
      - /mnt/user/albums:/media/albums:ro
      - /mnt/user/audiobooks:/media/audiobooks:ro
      - /mnt/user/soundtracks:/media/soundtracks:ro
    environment:
      - TZ=Europe/Berlin
    labels:
      # Traefik
      - traefik.enable=true
      - traefik.docker.network=public
      # Traefik HTTP Routers
      - traefik.http.routers.${COMPOSE_PROJECT_NAME}.entrypoints=web,websecure
      - traefik.http.routers.${COMPOSE_PROJECT_NAME}.rule=Host(`${COMPOSE_PROJECT_NAME}.${DOMAIN_NAME}`)
      - traefik.http.routers.${COMPOSE_PROJECT_NAME}.service=${COMPOSE_PROJECT_NAME}
      - traefik.http.routers.${COMPOSE_PROJECT_NAME}.tls=true
      - traefik.http.routers.${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt
      # Traefik HTTP Services
      - traefik.http.services.${COMPOSE_PROJECT_NAME}.loadbalancer.server.port=80

Docker Compose for Traefik:

  traefik:
    image: traefik:v3.3.2
    container_name: ${COMPOSE_PROJECT_NAME}
    restart: always
    ports:
      - 80:80
      - 443:443
      - 8081:8080
      - 8082:8082
    volumes:
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /mnt/user/containers/${COMPOSE_PROJECT_NAME}/data:/etc/traefik
      - /mnt/user/containers/${COMPOSE_PROJECT_NAME}/rules:/rules
      - /mnt/user/containers/${COMPOSE_PROJECT_NAME}/logs:/var/log/traefik
    networks:
      - public
    environment:
      - TZ=Europe/Berlin
      - CLOUDFLARE_DNS_API_TOKEN=${CLOUDFLARE_DNS_TOKEN}
      - CLOUDFLARE_HTTP_TIMEOUT=60 # API request timeout in seconds (Default: 60)
      - CLOUDFLARE_POLLING_INTERVAL=2 # Time between DNS propagation check in seconds (Default: 2)
      - CLOUDFLARE_PROPAGATION_TIMEOUT=120 # Maximum waiting time for DNS propagation in seconds (Default: 120)
      - CLOUDFLARE_TTL=120 # The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)
    command:
      # API
      - --api=true
      - --api.insecure=true
      - --api.dashboard=true
      # Global
      - --global.checkNewVersion=true
      - --global.sendAnonymousUsage=false
      # Providers
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --providers.docker.endpoint=unix:///var/run/docker.sock
      - --providers.file.directory=/rules
      - --providers.file.watch=true
      # Entrypoints
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entryPoint.to=websecure
      - --entrypoints.web.http.redirections.entryPoint.scheme=https
      - --entrypoints.web.http.redirections.entryPoint.permanent=true
      - --entrypoints.websecure.address=:443
      # Experimental Plugins
      - --experimental.plugins.rewriteBody.modulename=github.com/packruler/rewrite-body
      - --experimental.plugins.rewriteBody.version=v1.2.0
      - --experimental.plugins.rewriteHeaders.modulename=github.com/XciD/traefik-plugin-rewrite-headers
      - --experimental.plugins.rewriteHeaders.version=v0.0.4
      # Servers Transport 
      - --serversTransport.insecureSkipVerify=true # Required for UniFi Controller
      # Certificate Resolvers
      - --certificatesresolvers.letsencrypt.acme.email=admin@${DOMAIN_NAME}
      - --certificatesresolvers.letsencrypt.acme.storage=/etc/traefik/certificates.json
      # - --certificatesresolvers.letsencrypt.acme.dnschallenge.provider=hostingde
      - --certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare
      - --certificatesresolvers.letsencrypt.acme.dnschallenge.delaybeforecheck=30
      - --certificatesresolvers.letsencrypt.acme.dnschallenge.resolvers=1.1.1.1,1.0.0.1
      # Logging
      - --log=true
      - --log.filepath=/var/log/traefik/traefik.log
      # - --log.format=json
      - --log.level=INFO
      - --accesslog=true
      - --accesslog.filepath=/var/log/traefik/access.log
      # - --accesslog.format=json
      # Healthcheck
      - --ping=true

Home Assistant configuration.yaml:

http:
  server_port: 80
  cors_allowed_origins:
    - https://google.com
    - https://www.home-assistant.io
  # ip_ban_enabled: true
  # login_attempts_threshold: 5
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.16.1.0/24 # traefik network

Do you have any idea how to solve this?

BR
Sebastian

Have you tried adding this under trusted_proxies: ?

I've tried it, but still the same issue:

trusted_proxies:
  - "10.0.4.2"
  - 10.0.4.2/32
  - 172.16.1.0/24
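
Added example (not part of the thread and not Home Assistant's code): the requested URL in the warning above shows `%2520` where an encoded space would be `%20`, and `authSig%3D` where a query string would carry `authSig=`. The sketch below parses that logged URL with a standard query parser, assuming the server looks for a query parameter named `authSig`; the function name `inspect_signed_url` is hypothetical.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Requested URL copied from the warning in the first post (token truncated as logged).
LOGGED_URL = (
    "/media/local/albums/ABBA%2520-%2520Gold%2520-%2520Greatest%2520Hits/"
    "Gold%2520(Greatest%2520Hits)%2520-%252002.19%2520-%2520Knowing%2520Me,"
    "%2520Knowing%2520You.mp3"
    "?authSig%3DeyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3M"
)


def inspect_signed_url(url, param="authSig"):
    """Report how a standard parser sees the signature parameter in `url`."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)

    # Undo one layer of percent-encoding and parse again.
    repaired = urlsplit(unquote(url))
    repaired_query = parse_qs(repaired.query, keep_blank_values=True)

    return {
        # Is there a query key literally named `param`?
        "param_present": param in query,
        # What the parser actually found as keys.
        "query_keys_seen": sorted(query),
        # "%25" followed by two hex digits means an already-encoded "%XX" was encoded again.
        "double_encoded_path": bool(re.search(r"%25[0-9A-Fa-f]{2}", parts.path)),
        # Value of `param` once one encoding layer is removed (None if still absent).
        "param_after_one_decode": repaired_query.get(param, [None])[0],
        # Path on disk that the request was meant to address.
        "file_path_after_two_decodes": unquote(repaired.path),
    }


if __name__ == "__main__":
    for key, value in inspect_signed_url(LOGGED_URL).items():
        print(f"{key}: {value}")
```

On the logged URL the parser finds no `authSig` key until one layer of percent-encoding is removed, which is consistent with the request being treated as unauthenticated regardless of the `trusted_proxies` entries.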