Problem with NGINX reverse proxy setup

Hello,

I am having a hard time configuring my HA setup for external use.
I have installed NGINX Home Assistant SSL proxy add-on, I have created a certificate through the letsencrypt add-on and I have configured NGINX to my external domain.

So far so good.

After that I have configured the configuration.yaml with the needed lines of code:

  http:
    use_x_forwarded_for: true
    trusted_proxies:
    - 172.30.33.11

Now when I try to access my website through the external url, I am getting the following error:

ERROR (MainThread) homeassistant.components.http.forwarded Received X-Forwarded-For header from an untrusted proxy 172.30.33.11

As you can see, I have trusted this IP address as a trusted_proxy, but I still get this error message and the browser comes up with the 440: bad request error.

I have tried to whitelist the whole subnet: 172.30.33.0/24, I have even tried to whitelist all subnets: 0.0.0.0/0

Nothing is working, I always end up with the same error:

ERROR (MainThread) homeassistant.components.http.forwarded Received X-Forwarded-For header from an untrusted proxy 172.30.33.11

Who can help me get this up and running?

What does your nginx configuration look like?

Mine looks like this:

  domain: mydomain.myfritz.net
  hsts: max-age=31536000; includeSubDomains
  certfile: fullchain.pem
  keyfile: privkey.pem
  cloudflare: false
  customize:
    active: false
    default: nginx_proxy_default*.conf
    servers: nginx_proxy/*.conf

And my HA config like this:

  http:
    use_x_forwarded_for: true
    trusted_proxies: 
      - 172.30.33.0/24

I use the following configuration:

Please note that I have also tried to get it working with the customize active setting set to false.

I have already tried to add the whole subnet (172.30.33.0/24) to the trusted_proxies, like in your configuration. But that also resulted in the bad request error.

Which HA installation type are you using? Standard HA image or running HA on docker or other?

I just recognized that your indentation for the trusted_proxies IP might be wrong!
This is what you have:

  http:
    use_x_forwarded_for: true
    trusted_proxies: 
    - 172.30.33.11

Here is the corrected version. Try it.

  http:
    use_x_forwarded_for: true
    trusted_proxies: 
      - 172.30.33.11

I have tried it with the indentation you sent me, but it still gives me the same error.

I have installed HA as standard (I used the OVA for ESXi). HA is running on my ESXi 7.0U2 standalone host with local storage.
I don’t have any VLANs in use and HA is only using a single IP address with ipv6 disabled (from the HA web interface).

Seems to be an issue with ESXi. Try searching the forum for ESXi installations that use nginx and have issues.

Just to make sure we are on the same page.

The NGINX is running as an add-on within HA, so there is no dedicated server running the NGINX proxy.

been watching this thread …

Maybe you’re accessing HA over ipv6 instead of ipv4? (in some cases automatically switching between the two)

I would check this through your logs, maybe even look at the list of tokens in your profile for evidence of ipv6 use.

If all else fails, disable ipv6 on the network interfaces
settings > system > network

Good luck

Or try the unthinkable

http:
    use_x_forwarded_for: true
    trusted_proxies: 
      - 172.30.33.11
      - ::/0

Hello,

I have checked the logs and I can only find a connection being set up over ipv4.

I have already disabled ipv6 via settings > system > network.
Even though ipv6 is disabled, I have also tried the setup with ipv6 in the trusted_proxies list, but this also does not work.

I have got the configuration working!

I have added 127.0.0.1 to the trusted_proxies list and after a config reload I was able to access HA from external.

However I have read that it is not wise to add 127.0.0.1 to the trusted_proxies list.

Can someone confirm this, or is my configuration as is ( with 172.30.33.11 and 127.0.0.1 added to the trusted_proxies) correct?

It was working for a little while.

I have restarted HA after an update and now it is broken again.
However, instead of getting the error untrusted proxy 172.30.33.11 I am now getting untrusted proxy 172.30.33.10. So the NGINX plugin IP address seems to have been renewed/changed after the reboot.

I have added 172.30.33.10 to the trusted_proxies list, but I still get the error.
I also tried to add the whole subnet (172.30.33.0/24) to the trusted_proxies list, but this also does not work.

So I am stuck again.

Another update (haha).
External access is working again at the moment.

I have rebooted HA a couple of times, each time it seems that the Nginx add-on gets a new IP address.
After the first reboot, I was still getting the error, but now from ip 172.30.33.4.

I was sick of it, so I have added 172.30.33.1 through 172.30.33.11 to the trusted_proxies list (I accidentally forgot to add 127.0.0.1 back to the list) and rebooted HA after.

Guess what? External access was working again.
It goes beyond my knowledge what is happening here, to me it seems like sometimes the configuration.yaml is not read as intended.

I would suggest you put a comment in your conf.yaml file referencing this thread, as I’m sure you’ll be pulling your hair out again in the future trying to fathom how you got it working by trial and error 🙂

Haha I agree, playing around and figuring things out is fun. But having to figure something out you have solved in the past is very frustrating.

I am not totally convinced that I have solved the problem, it still feels a bit unstable.

Thank you for your help guys! At least I have got things working now!

One last minor update:

After changing my configuration.yaml file (like updating the trusted_proxies entry) and reloading the yaml config, HA will not accept the new entries.

I have tried this multiple times now and I have to do a full restart of HA before it reads the edited configuration.yaml.

I don’t mind rebooting HA before it will read the new config, but is this something you guys have encountered before?
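
An added example, not part of any post in this thread and not Home Assistant's own code: a simplified Python model of a trusted-proxy check for X-Forwarded-For. It shows which add-on addresses from the quoted errors a given trusted_proxies list covers, and why an entry such as 0.0.0.0/0 or ::/0 lets any directly connecting peer choose the client address that gets recorded. The function names, the constructed log lines and the documentation-range client addresses are assumptions for illustration.

```python
import ipaddress
import re

# Pattern taken from the error message quoted in the thread.
UNTRUSTED_RE = re.compile(r"Received X-Forwarded-For header from an untrusted proxy (\S+)")

def parse_networks(entries):
    """Turn trusted_proxies entries (single IPs or CIDR ranges) into networks."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def is_trusted(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)  # version mismatch is False

def resolve_client(peer_ip, xff_header, networks):
    """Simplified model: return the address to attribute the request to,
    or None when the request is rejected as a bad request."""
    if not xff_header:
        return peer_ip
    if not is_trusted(peer_ip, networks):
        return None  # header sent by a peer that is not a trusted proxy
    hops = [h.strip() for h in xff_header.split(",")]
    # Walk right to left: the first hop that is not a trusted proxy is the client.
    for hop in reversed(hops):
        if not is_trusted(hop, networks):
            return hop
    return hops[0]  # every hop is "trusted", so the header is taken at face value

def uncovered_proxies(log_lines, networks):
    """Proxy addresses seen in 'untrusted proxy' errors that the list misses."""
    seen = {m.group(1) for line in log_lines if (m := UNTRUSTED_RE.search(line))}
    return sorted((ip for ip in seen if not is_trusted(ip, networks)),
                  key=ipaddress.ip_address)

# Constructed log lines using the add-on addresses reported in the thread.
LOG = [
    "ERROR (MainThread) homeassistant.components.http.forwarded Received "
    f"X-Forwarded-For header from an untrusted proxy 172.30.33.{n}"
    for n in (11, 10, 4)
]

if __name__ == "__main__":
    subnet = parse_networks(["172.30.33.0/24"])
    print(uncovered_proxies(LOG, parse_networks(["172.30.33.11"])))
    print(uncovered_proxies(LOG, subnet))
    print(resolve_client("172.30.33.4", "203.0.113.7", subnet))  # constructed client
    print(resolve_client("198.51.100.9", "192.168.1.10", subnet))
    print(resolve_client("198.51.100.9", "192.168.1.10", parse_networks(["0.0.0.0/0"])))
```

In this model the add-on subnet alone covers every proxy address the thread reports, while the catch-all entry attributes the request to whatever address the outside peer wrote in the header.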