Nginx proxy Error: Invalid client id

I see other people reporting this error, but no resolution. I have an nginx proxy server that forwards traffic to my HA instance behind a pfSense firewall, and I get "Error: Invalid client id".

Nginx proxy server 2.2.2.2
pfsense WAN IP 1.1.1.1
port forward 8123 - 8123
HA IP 10.0.0.17

http://1.1.1.1:8123 works (PFsense wan port)
http://10.0.0.17:8123 works (internal network IP)

http://2.2.2.2 I get Error: Invalid client id

nginx.conf

# Process-level settings for the nginx master and worker processes.
# NOTE(review): `user root` makes the worker processes, which parse client
# requests, run as root. An unprivileged account is the usual choice; a master
# process started as root can still bind ports 80/443 and read the TLS key.
user  root;
worker_processes  2;

# All error_log overrides are commented out, so nginx uses its built-in default
# log path and level.
#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

pid        /var/run/nginx.pid;


events {
    # Upper bound on simultaneous connections per worker process.
    worker_connections  1024;
}

http {
    # MIME type table; files with no matching entry are served as generic binary.
    include mime.types;
    default_type application/octet-stream;

    # sendfile() for static content; a keep-alive timeout of 0 closes each
    # client connection after the response.
    keepalive_timeout 0;
    sendfile on;

    # Request size limits. A request line or single header field that does not
    # fit in one 1k large_client_header_buffers buffer is rejected by nginx,
    # while request bodies of up to 1G are accepted.
    client_header_buffer_size 1k;
    large_client_header_buffers 2 1k;
    client_body_buffer_size 10K;
    client_max_body_size 1G;

    # Response compression, also applied to proxied responses (gzip_proxied any).
    gzip on;
    gzip_comp_level 1;
    gzip_http_version 1.1;
    gzip_proxied any;
    gzip_vary on;
    gzip_types
        text/plain
        text/css
        application/json
        application/x-javascript
        text/xml
        application/xml
        application/xml+rss
        text/javascript
        application/javascript
        image/svg+xml;

    # Backend pool for Home Assistant, addressed by IP and port 8123.
    # NOTE(review): the locations in this file proxy_pass to this pool with
    # http://, so the leg between this proxy and the backend address is not
    # encrypted even though clients connect over TLS. If that leg crosses an
    # untrusted network, carry it over a VPN or TLS, and limit the firewall's
    # 8123 port-forward to this proxy's source address so the backend cannot be
    # reached around the proxy.
    upstream homeassistant {
        server 1.1.1.1:8123;
        # Keep up to 64 idle backend connections cached per worker process.
        keepalive 64;
    }

    # Catch-all plain-HTTP server: every request on port 80 gets a permanent
    # redirect to the same host and URI over HTTPS.
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        # "_" is a placeholder name; default_server makes this block answer
        # requests for any Host on port 80.
        server_name _;
        # $host comes from the client's request, so the redirect target repeats
        # whatever name or IP address the client used (an IP stays an IP).
        return 301 https://$host$request_uri;
    }

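    # HTTPS front end for Home Assistant: terminates TLS and proxies every
    # request, including the websocket endpoint, to the "homeassistant" upstream.
    server {
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name sub.ha-domain.com;

        # HSTS for one year, subdomains included. Browsers only record it on
        # connections whose certificate they accept without error.
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
        # add_header 'Cache-Control' 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';

        # Only TLS 1.2 is offered: TLS 1.0 and 1.1 are deprecated (RFC 8996).
        # Append TLSv1.3 when the installed nginx/OpenSSL build supports it.
        ssl_protocols TLSv1.2;
        ssl_prefer_server_ciphers on;
        # Every term is ':'-separated, including the exclusions "!RSA" and "!aNULL".
        ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:DHE+AESGCM:DHE:!RSA:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!CAMELLIA:!SEED";
        ssl_session_tickets off;

        # Self-signed certificate (per the file names): clients cannot verify
        # the server's identity until a certificate they trust is installed.
        ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
        ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

        # Stream backend responses to the client instead of buffering them.
        proxy_buffering off;

        location / {
            proxy_pass http://homeassistant;
            # Pass the client's Host through and tell the backend the original
            # client address and scheme.
            proxy_set_header Host $host;
            proxy_http_version 1.1;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            # Forward websocket upgrade requests.
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "Upgrade";
        }

        location /api/websocket {
            proxy_pass http://homeassistant/api/websocket;
            proxy_set_header Host $host;
            proxy_http_version 1.1;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # Same scheme hint as "location /", so both paths describe the
            # client connection to the backend identically.
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";

        }
    }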

    # cloudflare ip restoration https://support.cloudflare.com/hc/en-us/articles/200170786-Restoring-original-visitor-IPs-Logging-visitor-IP-addresses-with-mod-cloudflare-

    # include /etc/nginx/conf.d/*.conf;
}

ha configuration.yaml

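# Home Assistant HTTP integration settings for running behind a reverse proxy.
http:
  server_port: 8123
  # Take the client address from X-Forwarded-For, but only on requests that
  # arrive from one of the trusted_proxies below.
  use_x_forwarded_for: true
  # NOTE(review): every address listed here may set X-Forwarded-For, i.e. may
  # state which client a request came from. Keep only the address Home Assistant
  # actually sees the reverse proxy connect from and remove the others.
  trusted_proxies:
    - 192.168.1.1  # openwrt's nginx server
    - 10.0.0.17
    - 1.1.1.1
    - 2.2.2.2
    - 10.1.1.1
    - 127.0.0.1
  # Ban an address after a small number of failed logins. With banning disabled
  # and a threshold of 500, an Internet-reachable login page has no effective
  # limit on password guessing. Bans are keyed on the client address Home
  # Assistant resolves, so the forwarding settings above must be correct first.
  ip_ban_enabled: true
  login_attempts_threshold: 5
  # NOTE(review): this has no scheme and points at port 8123 on the proxy
  # address, while the proxy configuration shown listens on 80/443 - confirm it
  # matches the URL users actually open.
  base_url: 2.2.2.2:8123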

Login page in FF and Chrome

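I had to install Nginx Proxy Manager, use a domain name instead of the bare IP address, and then put the IP of my Docker container in trusted_proxies. Now it's working. (Home Assistant appears to reject a client id built from a public IP address, which would explain why switching to a domain name fixed the login.)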

http:
  # Honour X-Forwarded-For only on requests coming from the trusted_proxies below.
  use_x_forwarded_for: true
  trusted_proxies:
    # NOTE(review): this entry trusts every host in 10.0.0.0/24 to supply
    # X-Forwarded-For, not only the proxy; listing the proxy's single address
    # is tighter.
    - 10.0.0.0/24      # Subnet that contains the proxy server
    - 127.0.0.1
    - 172.30.33.4 # Docker container IP