Reverse proxy error

Hi there,

I am getting this error in my logbook:
A request from a reverse proxy was received from , but your HTTP integration is not set-up for reverse proxies; This request will be blocked in Home Assistant 2021.7 unless you configure your HTTP integration to allow this header.

My nginx reverse proxy config:

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name <HOSTNAME>;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /ldaplogin;

        # enable for Authelia
        #include /config/nginx/authelia-location.conf;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app <IP OF HA>;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_cache_bypass $http_upgrade;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }

    location /api/websocket {
        resolver 127.0.0.11 valid=30s;
        set $upstream_app <IP OF HA>;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

        proxy_set_header Host $host;

        # proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

If i change my HA configuration to this:

http:
  server_port: 8123
  base_url: https://<MY URL>
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1
    - <IP OF NGINX>

Than HA is not working anymore.

2 Likes

You only need the x_forwarded_for and trusted_proxy…

2 Likes

Why did you add the localhost IP? I got this warning as expected upon upgrade to 2021.6, and just using this in configuration.yaml solved it:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - MY_LINODE_IP_ADDR

If the proxy is on the same machine then localhost is fine…

1 Like

When i only use

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - <IP OF NGIX>

It does the same, no more access.

If it’s on the same machine try localhost

David,

127.0.0.1 is localhost…

When i change it to:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1

It starts but i get a message in the log:
A request from a reverse proxy was received from , but your HTTP integration is not set-up for reverse proxies; This request will be blocked in Home Assistant 2021.7 unless you configure your HTTP integration to allow this header.

When i enter that ip in stead of 127.0.0.1 or when i even add that ip than the site does not work.
I get: 400: Bad Request

I am aware of that but localhost also has an IPv6 equivalent so if you specify 127.0.0.1 it won’t find the other!

Good point. Try:

http:
  server_host: 0.0.0.0
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1

Found it!!!
In my reverse proxy i had to delete:
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

2 Likes

Good that you’ve solved it, although I’d be interested to understand why that’s fixed it. I still have that line in my nginx config, although that is running on a remote machine.

I’m also getting this new warning, but I had one question: do I need the NGINX Add-on if I just use the external URL (DuckDNS domain) and rewrite DNS requests with AdGuard? (if I’m outside my network the URL is resolved by DuckDNS to my external IP, if I’m inside it’s resolved to my local address, so I can use only one URL and one certificate)

For now, I just added the following lines to the configuration.yaml file to remove the warning:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.5    #The IP shown in the warning

and everything is fine now.

2 Likes

I’m running Traefik and HA in Docker. Is there any clean/portable way to add the trusted ips without hard-coding a specific Docker network ip?

1 Like

Is that the ip of nginx in docker maybe?
You really should find out what that is

Worked for me, but I had to add as well 127.0.0.1 due to having Nginx on local.
Im running hassio on raspberry pi 4.

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.5          #IP Reverse_Proxy Nginx ADGuard
    - 127.0.0.1        #IP Reverse_Proxy Nginx

Thanks

I think it’s Nginx, because every time I clicked something the warning counter was going up by 1.
(just clicking refresh in the logs page was enough)

I am using the Nginx Proxy also.
image

I assume that is where this message is coming from. The IP is different than what the OS is showing. So is the Nginx running in a different VM? If I use that IP could it change in the future? In all my other vhost I had to add the remote address, but not for the HA instance. Should I be able to use 127.0.0.1 then?

Just to complet all the answers, for those who are in docker context even swarm, you can configure a network :

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.0.0.0/8 # example
7 Likes