Reverse proxy error

dvoijen · June 3, 2021, 11:55am

Found it!!!
In my reverse proxy i had to delete:
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

Troon · June 3, 2021, 12:01pm

Good that you’ve solved it, although I’d be interested to understand why that’s fixed it. I still have that line in my nginx config, although that is running on a remote machine.

martymarty004 · June 3, 2021, 2:10pm

I’m also getting this new warning, but I had one question: do I need the NGINX Add-on if I just use the external URL (DuckDNS domain) and rewrite DNS requests with AdGuard? (if I’m outside my network the URL is resolved by DuckDNS to my external IP, if I’m inside it’s resolved to my local address, so I can use only one URL and one certificate)

martymarty004 · June 3, 2021, 4:44pm

For now, I just added the following lines to the configuration.yaml file to remove the warning:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.5    #The IP shown in the warning

and everything is fine now.

breakthestatic · June 3, 2021, 4:59pm

I’m running Traefik and HA in Docker. Is there any clean/portable way to add the trusted ips without hard-coding a specific Docker network ip?

tmjpugh · June 3, 2021, 6:07pm

martymarty004:

For now, I just added the following lines to the configuration.yaml file to remove the warning:

Copy to clipboard
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.5    #The IP shown in the warning
and everything is fine now.

Is that the ip of nginx in docker maybe?
You really should find out what that is

Cuttysark90 · June 3, 2021, 6:08pm

Worked for me, but I had to add as well 127.0.0.1 due to having Nginx on local.
Im running hassio on raspberry pi 4.

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.5          #IP Reverse_Proxy Nginx ADGuard
    - 127.0.0.1        #IP Reverse_Proxy Nginx

Thanks

martymarty004 · June 3, 2021, 6:30pm

I think it’s Nginx, because every time I clicked something the warning counter was going up by 1.
(just clicking refresh in the logs page was enough)

penright · June 3, 2021, 7:36pm

I am using the Nginx Proxy also.

I assume that is where this message is coming from. The IP is different than what the OS is showing. So is the Nginx running in a different VM? If I use that IP could it change in the future? In all my other vhost I had to add the remote address, but not for the HA instance. Should I be able to use 127.0.0.1 then?

baimard · June 3, 2021, 9:39pm

Just to complet all the answers, for those who are in docker context even swarm, you can configure a network :

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.0.0.0/8 # example

Bohemian · June 3, 2021, 11:31pm

I had the same issue as well with a local Nginx setup. Reverting from core core-2021.6.0 to my backup from a couple of days ago, I don’t see the error. So I suspect something was changed very recently.

Making changes to configuration.yaml similar to above solved the issue. Hassio with Nginx add-on in Proxmox.

frenck · June 3, 2021, 11:41pm

That is not a solution, and actually one of the few cases we can’t detect.
Strongly recommended NOT to delete the X-Forwarded-For, you are creating a security issue for yourself.

Topolynx · June 4, 2021, 11:44am

Hi. I’m experiencing a similar issue after the upgrade to HA Core 2021.7 (on raspbian OS).
HA reports
`Logger: homeassistant.components.http.forwarded
Source: components/http/forwarded.py:90
Integration: HTTP (documentation, issues)
First occurred: 10:51:04 (771 occurrences)
Last logged: 13:23:36

A request from a reverse proxy was received from 172.17.0.2, but your HTTP integration is not set-up for reverse proxies; This request will be blocked in Home Assistant 2021.7 unless you configure your HTTP integration to allow this header`.
Only recently (less than one month ago) I switched from a simple SSL way to secure HA to Caddy on docker (on the same machine).
Also, that message appears in concidence with the disconnection and reconnection of one of my smart plugs.
So, should I edit the configuration.yaml too?
Is it correct to add the following code?

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.17.0.2
    - 127.0.0.1

Thank you!

DavidFW1960 · June 4, 2021, 11:46am

You should only need 127.0.0.1. I use Caddy too. I also have ::1 as a trusted proxy for IPv6…

Topolynx · June 4, 2021, 11:49am

Thanks @DavidFW1960!

wauswaus · June 4, 2021, 2:16pm

Just adding 127.0.0.1 and ::1 didn’t do the trick for me. I also had to add 172.0.0.0/8

DavidFW1960 · June 4, 2021, 11:17pm

That 172.0.0.0/8 is the docker network. And also some public IP addresss so I wouldn’t do that. 172.16.0.0/12 is all internal though. You also need to have x_forwarded_for in the reverse proxy. I have been using only 127.0.0.1 and ::1 for years and it’s always worked. The other day on a dev instance I was getting the error and turned out I had not set this up in the dev instance so I added the reverse proxy 127.0.0.1 and ::1 and it just worked. No idea why you are not getting that…

not_a_coder · June 6, 2021, 1:35am

I use NGINX and a domain hosted at Cloudflare. I followed the setup posted in the blog at Securing Home Assistant with Cloudflare. All of the IPs that show up in the warning Received X-Forwarded-For header from untrusted proxy belong to Cloudflare. In order to continue with my setup is my only option to add the Cloudflare IP ranges to the http integration?

moto2000 · June 6, 2021, 3:07am

I was getting the warning too. Can confirm that adding the following to configuration.yaml resolved it:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1
    - 172.16.0.0/12
    - ::1

henry8866 · June 6, 2021, 3:27pm

I saw this in my log too. The ip is 172.18.0.2.
Running HA docker and NGINX(letsencrypt).

However seems HA is working fine without change anything, or something broke and I am not aware of it yet.