NGINX Docker API password warning even after removing api password (using tokens)

Hi,

I’ve noticed a few warnings about access tokens and bearer tokens (see below). The thing is, I was pretty sure I took care of this. I don’t have the legacy API password enabled.

api_password is going to deprecate. You need to use a bearer token to access /api/ios/identify from 172.11.0.2
api_password is going to deprecate. You need to use a bearer token to access /api/services/device_tracker/see from 172.11.0.2
api_password is going to deprecate. You need to use a bearer token to access /api/config from 172.11.0.2
api_password is going to deprecate. You need to use a bearer token to access /api/states from 172.11.0.2

This is from my config.yaml:

  auth_providers:
    - type: homeassistant
    - type: trusted_networks
      trusted_networks:
        - 127.0.0.1
        - ::1
        - 172.11.0.2 # NGINX/Let's encrypt docker container

Where 172.11.0.2 is my let’s encrypt/nginx docker container.

I set up the nginx using this great guide, and I have since changed the “home assistant” part to use tokens instead of password, as per this suggestion. It seemed to work for a while (I didn’t get/see these notifications for some time), but now I’ve started to see them again.

From my nginx site-confs/default:

### HOMEASSISTANT ##############################################################
server {
	listen 443 ssl;

	root /config/www;
	index index.html index.htm index.php;

	server_name hass.READACTED.duckdns.org;

	include /config/nginx/ssl.conf;

	client_max_body_size 0;

	location / {
#		auth_basic "Restricted";
#		auth_basic_user_file /config/nginx/.htpasswd;
		proxy_set_header Host $host;
		proxy_redirect http:// https://;
		proxy_http_version 1.1;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection "upgrade";
		# https://github.com/home-assistant/home-assistant.io/issues/6350
		proxy_set_header Authorization "Bearer READACTED_LONG_TOKEN";
		proxy_buffering               off;
		proxy_ssl_verify              off;
#		include /config/nginx/proxy.conf;
		proxy_pass http://192.168.0.100:8123;
	}
}

Any ideas?

Cheers!

Are you using those services listed, i.e. iOS?
Maybe the service is still using the API password. Confirm in the config file you set up the service with, or maybe the HA iOS app.

Looks like something is still accessing HA using API password.

Also, if using trusted networks with a reverse proxy you should add x_forward_for and trusted_proxy in the HA config. I will look for it and edit this post.

I’m using the iOS app (well, on my girlfriend’s phone), but I logged her in with the new user/pass auth, not a legacy API password. I guess I’ll check the old iPads, and make sure there’s not one still trying with legacy (but it should just be denied access though, right? Since I’m not allowing legacy in the home assistant config?).

I’m fairly sure I don’t (intentionally) use device_tracker.see (I had no idea what it was until googling it after seeing the logs).

But I can’t really make sense of what the deal is about accessing /api/config or /api/states… The only way I know that I interact with them is via UI, and a few Tasker POST requests through RESTask (but using Authorization: Bearer …).

If you have the config setup for using trusted with nginx, I’d love to see that.

I should note that it seems to be an occasional thing, that these warnings show up, and I haven’t been able to discern the pattern.

Hi, I still have the legacy password enabled, but I’m not using it. See my conf:

homeassistant:
  # https://developers.home-assistant.io/blog/2018/07/02/trying-new-auth.html
  auth_providers:
  # Built-in username/password auth provider
  - type: homeassistant
  # Legacy API password support (remove this entry to disable it)
  - type: legacy_api_password
    api_password: !secret http_password
  # The Trusted Networks auth provider defines a range of IP addresses for which no authentication will be required
  - type: trusted_networks
    trusted_networks:
    - 127.0.0.1
    - 192.168.1.0/24 

This is my http:

http:
  ip_ban_enabled: true # blocks unauthorized IPs from accessing HA
  login_attempts_threshold: 5 # number of attempts before an IP is banned
  base_url: myhass
  use_x_forwarded_for: true
  trusted_proxies:
  - 172.10.0.10 #as set up in docker-compose for Nginx/Letsencrypt
  - ::1

I gave letsencrypt a static docker IP and I added it into trusted proxies.

Great, I have added this (though not the legacy API password) to my config, and so far, ~12h later, I have not seen any of the warnings yet.

I did get one persistent notification about unauthorized login attempt from 172.11.0.2, but that might have been while I was messing with things.

I’ll keep an eye open for that, but thanks, I think it seems to work!

Glad it works
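
An added illustration (not written by any poster in this thread, and not Home Assistant's own code) of why the proxy address belongs under trusted_proxies rather than trusted_networks: a simplified model of client-IP resolution, run against the thread's 172.11.0.2 proxy. The function names, the right-to-left header walk, the sample client addresses and the 192.168.1.0/24 LAN range in the second case are assumptions.

```python
# Simplified model of client-IP resolution behind a reverse proxy.
# Assumption: this is NOT Home Assistant's implementation; client addresses
# are constructed samples, 172.11.0.2 is the proxy quoted in the thread.
from ipaddress import ip_address, ip_network

def _in_any(ip, networks):
    return any(ip in ip_network(n) for n in networks)

def effective_ip(peer, xff, use_x_forwarded_for, trusted_proxies):
    """Return the address the auth layer should evaluate."""
    peer_ip = ip_address(peer)
    # Honour X-Forwarded-For only when the TCP peer is a known proxy;
    # otherwise any direct client could forge the header.
    if not (use_x_forwarded_for and xff and _in_any(peer_ip, trusted_proxies)):
        return peer_ip
    # Walk right to left: the rightmost hops were appended by our own proxy
    # ($proxy_add_x_forwarded_for), anything further left is client-supplied.
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            ip = ip_address(hop)
        except ValueError:
            return peer_ip  # malformed header: fall back to the peer
        if not _in_any(ip, trusted_proxies):
            return ip
    return peer_ip

def audit(trusted_networks, use_xff, trusted_proxies, requests):
    """Map each (peer, X-Forwarded-For) pair to (effective ip, trusted?)."""
    out = []
    for peer, xff in requests:
        ip = effective_ip(peer, xff, use_xff, trusted_proxies)
        out.append((str(ip), _in_any(ip, trusted_networks)))
    return out

# Constructed sample: an internet client and a LAN client, both via nginx.
SAMPLE = [("172.11.0.2", "203.0.113.7"), ("172.11.0.2", "192.168.1.20")]

# Proxy IP listed under trusted_networks, header ignored: everything that
# arrives through nginx is seen as 172.11.0.2 and treated as trusted.
BEFORE = audit(["127.0.0.1", "::1", "172.11.0.2"], False, [], SAMPLE)

# Proxy moved to trusted_proxies, LAN range trusted instead.
AFTER = audit(["127.0.0.1", "::1", "192.168.1.0/24"], True, ["172.11.0.2"], SAMPLE)

if __name__ == "__main__":
    print("before:", BEFORE)
    print("after: ", AFTER)
```
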