Problem With remote Access with NGINX + Azure Proxy Application and IP Ban

Good morning,
I have a problem with the IP Ban of Home Assistant and NGINX + Azure Proxy Application to expose my instance. I put the IPs from which I connect most often in trusted_proxies, but it continues to give me problems with the message “Unable to connect to Home Assistant.” upon login with the 60 second wait.

This always appears in the log:

Registratore: homeassistant.components.http.ban
Fonte: components/http/ban.py:135
Integrazione: HTTP (documentazione, problemi)
Prima occorrenza: 10:18:48 (2 occorrenze)
Ultima registrazione: 10:19:13

Login attempt or request with invalid authentication from 4.232.xxx.xx (4.232.xxx.xx). Requested URL: ‘/auth/login_flow/ae5989017bddf79ddca20ac72f32082b’. (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36)
Login attempt or request with invalid authentication from 4.232.xxx.xx (4.232.xxx.xx). Requested URL: ‘/auth/token’. (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36)

The indicated IP has been trusted in the settings and gives the same problems.

Even Google Assistant in the manual integration connection logs in and then fails to connect.

Hey!
To resolve IP ban issues in Home Assistant, double-check trusted proxies configuration, temporarily disable IP ban, check for conflicting reverse proxy settings, review Home Assistant logs, and consider alternative authentication methods. Restart services and consult documentation for specific instructions.

Thanks for the reply, I’ll start working on the advice given. What are other authentication methods compatible with Home Assistant?

I understood where the problem is: I have Cloudflare as a DNS record service, and that is what causes the problems.

I still have the same problem. I checked the settings and, instead of using NGINX + Azure, I tried Cloudflare Tunnel + NGINX or even just Cloudflare Tunnel.

The error is always this:

Registratore: homeassistant.components.http.ban

Fonte: components/http/ban.py:135

Integrazione: HTTP (documentazione, problemi)

Prima occorrenza: 16 ottobre 2024 alle ore 11:08:34 (32 occorrenze)

Ultima registrazione: 12:32:01

Login attempt or request with invalid authentication from 4.232.xxx.xx (4.232.xxx.xx). Requested URL: '/auth/token'. (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36)

Login attempt or request with invalid authentication from host-95-245-xx-xx.retail.telecomitalia.it (95.245.xx.xx). Requested URL: '/auth/token'. (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36)

Login attempt or request with invalid authentication from 4.232.xxx.xx (4.232.xxx.xx). Requested URL: '/auth/login_flow/7400ea3d0a97c4dd13b0c04e82e9c6be'. (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36)

Login attempt or request with invalid authentication from host-79-20-xxx-xxx.retail.telecomitalia.it (79.20.xxx.xxx). Requested URL: '/auth/token'. (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36)

what is the configuration you have in your Azure AD App Proxy (Entra ID App Proxy) … you should have it configured to bypass (direct mode) without authentication on Azure AD/Entra ID…

yes, it is in pass-through mode (Entra ID App Proxy)

and you’ve edited the configuration.yaml to include

# Proxy configuration
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.5.120 # Add the IP address of the proxy server

that works for me with the HA OS + Proxy Agent on a Windows Machine

yes, but it continues to give logs about IP ban activation without creating an IP ban file

I also set ip_ban_enabled: False, but the IP ban still intervenes, judging from the logs.

I suspect my system has some bugs.
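
An added example, not part of any post in this thread and not Home Assistant's own code: a small Python triage of the `homeassistant.components.http.ban` warnings quoted above, counting failed logins per source address and endpoint and marking sources that fall inside the configured `trusted_proxies`. The log lines, the addresses (documentation ranges) and the `triage` helper name are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Warning text of homeassistant.components.http.ban as quoted in this thread
# (the URL may be wrapped in straight or curly quotes).
LINE_RE = re.compile(
    r"invalid authentication from (?P<host>\S+) \((?P<ip>[^)]+)\)\. "
    r"Requested URL: ['‘](?P<url>[^'’]+)['’]\."
)

def triage(log_lines, trusted_proxies):
    """Count failed-auth warnings per (source IP, endpoint) and flag the
    sources that fall inside a trusted_proxies entry."""
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]
    counts = Counter()
    for line in log_lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # masked or malformed address, e.g. 4.232.xxx.xx
        # Collapse per-flow ids: /auth/login_flow/<id> -> /auth/login_flow
        url = re.sub(r"^(/auth/login_flow)/.*", r"\1", m["url"])
        counts[(ip, url)] += 1
    # Most frequent first, then by address and endpoint for a stable order.
    ordered = sorted(counts.items(),
                     key=lambda kv: (-kv[1], str(kv[0][0]), kv[0][1]))
    return [{"ip": str(ip), "url": url, "count": n,
             "in_trusted_proxies": any(ip in net for net in nets)}
            for (ip, url), n in ordered]

# Constructed sample: 203.0.113.10 stands in for a proxy egress address.
PREFIX = "Login attempt or request with invalid authentication from "
SAMPLE = [
    PREFIX + "203.0.113.10 (203.0.113.10). Requested URL: ‘/auth/login_flow/aaaa’. (Mozilla/5.0)",
    PREFIX + "203.0.113.10 (203.0.113.10). Requested URL: '/auth/token'. (Mozilla/5.0)",
    PREFIX + "203.0.113.10 (203.0.113.10). Requested URL: '/auth/token'. (Mozilla/5.0)",
    PREFIX + "host.example.net (198.51.100.7). Requested URL: '/auth/token'. (Mozilla/5.0)",
    PREFIX + "4.232.xxx.xx (4.232.xxx.xx). Requested URL: '/auth/token'. (Mozilla/5.0)",
]
TRUSTED = ["203.0.113.0/28", "192.168.5.120"]  # constructed trusted_proxies

if __name__ == "__main__":
    for row in triage(SAMPLE, TRUSTED):
        print(row)
```

A row whose address is the proxy's own egress address means those failed logins were attributed to the proxy rather than to the real client.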