New local login only feature, how does it work?

Hi,

I was reading the release notes for the last release of 2021, and stumbled upon this new feature that allows a user to log in only from the local network. That’s a neat feature. But what if HA is set up behind a reverse proxy, for example NGINX Proxy Manager?

  1. Can it distinguish that the above example is an online login?

  2. If it can, can it distinguish the case where I hit the global URL, e.g. homeassistant.example.com, but from the same public IP as HA? Does this count as an internal login?

1 Like

That didn’t answer the question.

The reverse proxy will make it appear as if remote connections are coming from the local network. So I don’t think you can use this feature. Though I could be wrong. I don’t know a lot about it.

Wouldn’t it just use the same X-Forwarded-For header that is currently used? If that is present, and is not an address from the Class A, B or C IP range, then the user is not local.

No idea. That’s what I mean by

1 Like

I have my instance behind an nginx proxy, and just created a test user without remote access privileges.

I then tried logging in from an external network, and was denied (or at least, it went into a login loop without any real clear messaging). Tried with both the domain name and the IP address, both rejected the login.

So I assume it works, but that’s just my single test.

1 Like

Sorry, but how is that a solution?

My HA instance has enforced SSL login. Therefore I cannot log in with the HA app using the IP address in the local network. All logins are routed via the internet and appear external.
Users w/o remote login cannot log in.

I wish HomeAssistant had a feature to enforce SSL via remote, but enable local login via IP anyway.

This is not an issue for this feature. However, this feature only prevents new logins from remote. Once you log in locally with a local-only user, you will also be able to log in from outside, as the app/browser saved the token credential!

For the SSL remote vs local, you can still have your local SSL connection with the local IP address, not with the external address. Run a local DNS, and put in an entry for the Hass external domain name with the local address of Hass. In this way, if you are local and using the locally advertised DNS, you will connect to Home Assistant directly with the Hass local IP while still maintaining SSL, and if you are outside, the normal DNS will resolve your IP to the external one normally.

1 Like
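The X-Forwarded-For question raised in this thread, as an added sketch that is not code from any poster or from Home Assistant: a local-only check behind a reverse proxy has to decide which address to judge, and it can only believe the header when the TCP peer is a proxy it trusts. The function names, the proxy address and all sample addresses are constructed for illustration.

```python
import ipaddress

# Ranges treated as "local" in this sketch (RFC 1918, loopback, IPv6 ULA/link-local).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10")]
PROXY = ("192.168.1.10",)  # constructed: LAN address of the reverse proxy

def effective_client(peer, xff, trusted_proxies):
    """Return the address to judge, or None when it cannot be determined."""
    proxies = [ipaddress.ip_network(n) for n in trusted_proxies]
    is_proxy = lambda ip: any(ip in net for net in proxies)
    peer_ip = ipaddress.ip_address(peer)
    # The header is attacker-controlled unless a trusted proxy delivered it.
    if not xff or not is_proxy(peer_ip):
        return peer_ip
    # Walk from the right: the entry appended by our proxy is the last one,
    # anything further left was supplied by the client and may be forged.
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed header: fail closed
        if not is_proxy(ip):
            return ip
    return None  # chain holds only proxies: fail closed

def is_local_login(peer, xff=None, trusted_proxies=()):
    ip = effective_client(peer, xff, trusted_proxies)
    return ip is not None and any(ip in net for net in LOCAL_NETS)

if __name__ == "__main__":
    cases = [  # (description, peer, X-Forwarded-For, trusted proxies)
        ("LAN client, direct", "192.168.1.50", None, PROXY),
        ("remote via proxy", "192.168.1.10", "203.0.113.7", PROXY),
        ("remote via proxy, proxy not trusted", "192.168.1.10", "203.0.113.7", ()),
        ("remote via proxy, forged left entry", "192.168.1.10",
         "192.168.1.50, 203.0.113.7", PROXY),
        ("LAN client via proxy (local DNS entry)", "192.168.1.10", "192.168.1.50", PROXY),
    ]
    for desc, peer, xff, proxies in cases:
        print(f"{desc:42} local={is_local_login(peer, xff, proxies)}")
```

The third case is the concern raised above: when the proxy is not listed as trusted, every remote request is judged by the proxy's own LAN address and passes as local.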