No history on lovelace cards with Caddy proxy

gdschut · November 29, 2019, 7:30am

I changed my configuration to using caddy as proxy, with oAuth from Google, and most of it works fine, except showing the history of entities (like on history card).

By using Inspect on Chrome, i found this message:
Access to fetch at 'https://auth.xxxxxxx.duckdns.org/login?backTo=https%3A%2F%2Fxxxxxxx.duckdns.org%2Fapi%2Fhistory%2Fperiod%2F2019-11-27T07%3A11%3A39.384Z%3Ffilter_entity_id%3Dinput_boolean.motion_ib%2Cinput_boolean.motion_ib_5%2Cbinary_sensor.multisensor_2_motion_1%2Cbinary_sensor.multisensor_2_motion_2%26end_time%3D2019-11-29T07%3A11%3A39.384Z' (redirected from 'https://xxxxxxx.duckdns.org/api/history/period/2019-11-27T07:11:39.384Z?filter_entity_id=input_boolean.motion_ib,input_boolean.motion_ib_5,binary_sensor.multisensor_2_motion_1,binary_sensor.multisensor_2_motion_2&end_time=2019-11-29T07:11:39.384Z') from origin 'https://xxxxxxx.duckdns.org' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

Everything else is working through caddy proxy, and oAuth by Google is working well also.
History cards are showing well without using the proxy, by accessing the Pi directly.

My configuration.yaml for http:

http:
  base_url: xxxxxxx.duckdns.org
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1
    - ::1

I tried adding the cors_allowed_origins: line, but could not get it fixed with that.

Caddyfile (HA section):

xxxxxxx.duckdns.org {
    header / {
        Strict-Transport-Security "max-age=31536000; includeSubdomains"
        X-XSS-Protection "1; mode=block"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "SAMEORIGIN"
        Referrer-Policy "same-origin"
    }
    jwt {
        path /
        redirect https://auth.xxxxxxx.duckdns.org/login?backTo=https%3A%2F%2F{host}{rewrite_uri_escaped}
        allow sub [email protected]
        allow sub [email protected]
        allow sub [email protected]
    }

    proxy / localhost:8123 {
        websocket
        transparent
        header_upstream Host {host}
        header_upstream X-Real-IP {remote}
        header_upstream X-Forwarded-For {remote}
        header_upstream X-Forwarded-Proto {scheme}
    }
}

How can I get my history cards showing over caddy proxy?

gdschut · November 29, 2019, 10:02am

Tried adding the cors plugin to caddy, with the line

cors

in the caddyfile, and now the logs look like this:
has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

gdschut · November 30, 2019, 8:52am

Retried with caddy without login by oAuth (Google), and that works, so the problem will be caused by the redirects for the caddy http.login plugin. So here is my complete Caddyfile:

auth.xxxxxxx.duckdns.org {
    tls [email protected]
    redir 302 {
        if {path} is /
            / /login
    }
    login {
        google client_id=xxxxxxx,client_secret=xxxxxxx
        redirect_check_referer false
        redirect_host_file redirect_hosts.txt
        cookie_domain xxxxxxx.duckdns.org
    }
}

xxxxxxx.duckdns.org {
    header / {
        Strict-Transport-Security "max-age=31536000; includeSubdomains"
        X-XSS-Protection "1; mode=block"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "SAMEORIGIN"
        Referrer-Policy "same-origin"
    }
    jwt {
        path /
        redirect https://auth.xxxxxxx.duckdns.org/login?backTo=https%3A%2F%2F{host}{rewrite_uri_escaped}
        allow sub [email protected]
        allow sub [email protected]
        allow sub [email protected]
    }
    proxy / localhost:8123 {
        websocket
        transparent
        header_downstream Access-Control-Allow-Origin "*"
        header_upstream Host {host}
        header_upstream X-Real-IP {remote}
        header_upstream X-Forwarded-For {remote}
        header_upstream X-Forwarded-Proto {scheme}
    }
}

Anyone any thoughts?