OSX Server with Apache Reverse Proxy Problem

Hello,

I managed to install Home Assistant on my Mac Mini with OSX-Server App.

Now I wanted to establish a reverse proxy configuration, but I only reach the Home-Assistant Login-Page. Every Login-Attempt fails with the error “Unable to connect”.

I managed to establish a reverse proxy with other sites like Plex, Homebridge or even HADashboard but I have no luck with Home-Assistant. I searched in the Forum and couldn’t find any solution among the many posts regarding reverse proxy.

In the apache logs I couldn’t find any entries which would explain what is actually happening. In the proxy-access-log I can see a lot of entries like this:

home.domain.comhome.domain.com” 91.XXX.XXX.XX - - [04/Jan/2018:14:37:31 +0100] “GET /api/websocket?es5 HTTP/1.1” 400 66 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36”

I don’t know what it means, but it looks like Error 400 to me.

Here is my actual virtual host config from OSX-Server (only the SSL-Part)

<VirtualHost 127.0.0.1:34543>
	ServerName https://home.costa.one:443
	ServerAdmin [email protected]
	DocumentRoot "/Library/Server/Web/Data/Sites/Home"
	DirectoryIndex index.html index.php default.html
	CustomLog /var/log/apache2/access_log combinedvhost
	ErrorLog /var/log/apache2/error_log
	<IfModule mod_ssl.c>
		SSLEngine Off
		SSLCipherSuite "HIGH:MEDIUM:!MD5:!RC4:!3DES"
		SSLProtocol -all +TLSv1.2
		SSLProxyEngine Off
		SSLCertificateFile "/etc/certificates/my.cert.pem"
		SSLCertificateKeyFile "/etc/certificates/my.key.pem"
		SSLCertificateChainFile "/etc/certificates/my.chain.pem"
		SSLProxyProtocol -all +TLSv1.2
		SSLProxyCheckPeerCN off
		SSLProxyCheckPeerName off
	</IfModule>
	<IfModule mod_secure_transport.c>
		MSTEngine Off
		MSTCipherSuite HIGH, MEDIUM
		MSTProtocolRange TLSv1.2 TLSv1.2
		MSTProxyEngine On
		MSTIdentity SHA-256:SHAKEY:"costa.one"
		MSTProxyProtocolRange TLSv1.2 TLSv1.2
	</IfModule>
	<Directory "/Library/Server/Web/Data/Sites/Home">
		Options All -Indexes -ExecCGI -Includes +MultiViews
		AllowOverride None
		<IfModule mod_dav.c>
			DAV Off
		</IfModule>
		<IfDefine !WEBSERVICE_ON>
			Require all denied
			ErrorDocument 403 /customerror/websitesoff403.html
		</IfDefine>
	</Directory>
	Include /Library/Server/Web/Config/apache2/httpd_hass.conf
</VirtualHost>

This is the include of the file https_hass.conf

SSLEngine On
SSLProxyEngine On

ProxyPreserveHost On
ProxyRequests off
ProxyPass / http://localhost:8123/
ProxyPassReverse / http://localhost:8123/
ProxyPass /api/websocket ws://localhost:8123/api/websocket
ProxyPassReverse /api/websocket ws://localhost:8123/api/websocket

RewriteEngine on
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /(.*)  ws://localhost:8123/$1 [P,L]
RewriteCond %{HTTP:Upgrade} !=websocket [NC]
RewriteRule /(.*)  http://localhost:8123/$1 [P,L]

Most of the config is done by the server app and I added the include file.
Does anyone have experience with Home Assistant on OSX-Server-App with reverse proxy?
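Added example (not part of the original post, and not the poster's code): a completed WebSocket handshake is logged with status 101, so any other status on /api/websocket means the upgrade did not go through the proxy. The sh functions below tally the statuses for that path in an access log; the log layout (vhost-prefixed combined format with straight quotes), the function names and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: tally response statuses for Home Assistant's WebSocket
# endpoint in an Apache access log. Assumed line layout:
#   host client - - [time] "METHOD path PROTO" status bytes "referer" "agent"

# Print "status count" for every status seen on /api/websocket, sorted.
ws_status_tally() {
    awk -F'"' '
        NF >= 3 {
            split($2, req, " ")          # req[2] is the request target
            path = req[2]
            sub(/\?.*$/, "", path)       # drop a query string such as ?es5
            if (path != "/api/websocket") next
            split($3, st, " ")           # st[1] is the status code
            if (st[1] ~ /^[0-9][0-9][0-9]$/) count[st[1]]++
        }
        END { for (s in count) print s, count[s] }
    ' "$1" | sort -n
}

# Print how many WebSocket requests did not end in 101 Switching Protocols.
ws_upgrade_failures() {
    ws_status_tally "$1" | awk '$1 != 101 { n += $2 } END { print n + 0 }'
}

# Constructed sample log (documentation address, hypothetical host name).
write_sample_log() {
    cat > "$1" <<'EOF'
home.example.com 203.0.113.7 - - [04/Jan/2018:14:37:31 +0100] "GET /api/websocket?es5 HTTP/1.1" 400 66 "-" "Mozilla/5.0"
home.example.com 203.0.113.7 - - [04/Jan/2018:14:37:36 +0100] "GET /api/websocket?es5 HTTP/1.1" 400 66 "-" "Mozilla/5.0"
home.example.com 203.0.113.7 - - [04/Jan/2018:14:37:40 +0100] "GET /static/frontend.js HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
home.example.com 203.0.113.7 - - [04/Jan/2018:15:02:10 +0100] "GET /api/websocket HTTP/1.1" 101 0 "-" "Mozilla/5.0"
EOF
}

sample=$(mktemp)
write_sample_log "$sample"
ws_status_tally "$sample"
echo "failed upgrades: $(ws_upgrade_failures "$sample")"
rm -f "$sample"
```

Run it against the proxy access log before and after a configuration change; the count of non-101 statuses should drop to zero once the upgrade is proxied correctly.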

After many tests I finally found a solution.

The reason for the errors on OSX with the OSX Server app is that the Apache config already uses a proxy configuration where all the traffic on port 80 and 443 is tunneled through port 34580 and 34543.

In order to avoid this behaviour you have to put the reverse proxy settings for Home Assistant before the standard proxy configuration from Apple.

In order to do so you can simply add a file named apache_serviceproxy_customsites_ext.conf in the folder /Library/Server/Web/Config/Proxy and put there the settings mentioned on the site https://home-assistant.io/docs/ecosystem/apache/

I also added the certificate files for my domain and a redirection from http to https.

The mentioned file will be loaded automatically after you restart the proxy service.
The restart can be done with the following commands via terminal:

sudo launchctl unload -w /Applications/Server.app/Contents/ServerRoot/System/Library/LaunchDaemons/com.apple.serviceproxy.plist
sudo launchctl load -w /Applications/Server.app/Contents/ServerRoot/System/Library/LaunchDaemons/com.apple.serviceproxy.plist

Hope this helps for other users that may encounter similar problems.


Would you be willing to share the contents of the apache_serviceproxy_customsites_ext.conf? I’ve been looking for this solution for a while and I’m not reproducing it by just dropping in the information from https://home-assistant.io/docs/ecosystem/apache/.

Do you still configure the domains in the Server app as you would configuring reverse proxy for Plex?

This is the content of my apache_serviceproxy_customsites_ext.conf. Please change home.mydomain.com and mydomain.com to your needs.

<VirtualHost *:443>
   ServerName https://home.mydomain.com:443
   ProxyPreserveHost On
   SetEnv proxy-chain-auth on
   # Tell the backend which scheme and port the client originally used
   RequestHeader set X-Forwarded-Proto "https"
   RequestHeader set X-Forwarded-Port "443"
   # Drop any client-supplied Proxy header before the request is forwarded
   RequestHeader unset Proxy early

   <IfModule mod_ssl.c>
      SSLEngine On
      SSLCertificateFile "/etc/letsencrypt/live/mydomain.com/cert.pem"
      SSLCertificateKeyFile "/etc/letsencrypt/live/mydomain.com/privkey.pem"
      SSLCertificateChainFile "/etc/letsencrypt/live/mydomain.com/chain.pem"
      SSLCipherSuite "HIGH:MEDIUM:!MD5:!RC4:!3DES"
      SSLProtocol -all +TLSv1.2
      # SSLProxy* directives only affect https:// backends; the backend below is http:// and ws:// on localhost
      SSLProxyEngine On
      SSLProxyProtocol -all +TLSv1.2
      SSLProxyCheckPeerCN off
      SSLProxyCheckPeerName off
   </IfModule>

   <IfModule mod_secure_transport.c>
      MSTEngine On
      MSTIdentity ${MST_IDENTITY}
      MSTCipherSuite HIGH, MEDIUM
      MSTProtocolRange TLSv1.2 TLSv1.2
      MSTProxyEngine On
      MSTProxyProtocolRange SSLv3 TLSv1.2
   </IfModule>

   # Regular HTTP requests go to Home Assistant on localhost:8123
   ProxyPass / http://localhost:8123/
   ProxyPassReverse / http://localhost:8123/

   # Requests carrying a WebSocket upgrade are proxied over ws:// instead
   RewriteEngine on
   RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
   RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
   RewriteRule .* ws://localhost:8123%{REQUEST_URI} [P]

</VirtualHost>

<VirtualHost *:80>
   ServerName https://home.mydomain.com:80
   # Redirect every non-local, non-netboot HTTP request to HTTPS
   RewriteEngine On
   RewriteCond %{HTTP_HOST} !(^localhost|^127.0.0.1|^::1)
   RewriteCond %{REQUEST_URI} !^/netboot/ [NC]
   RewriteRule .* https://home.mydomain.com%{REQUEST_URI} [R]
</VirtualHost>

I forgot: no, I do not manage it with the server app anymore.
