Reverse proxy error

DavidFW1960 · June 4, 2021, 11:46am

You should only need 127.0.0.1. I use Caddy too. I also have ::1 as a trusted proxy for IPv6…

Topolynx · June 4, 2021, 11:49am

Thanks @DavidFW1960!

wauswaus · June 4, 2021, 2:16pm

Just adding 127.0.0.1 and ::1 didn’t do the trick for me. I also had to add 172.0.0.0/8

DavidFW1960 · June 4, 2021, 11:17pm

That 172.0.0.0/8 is the docker network. And also some public IP addresss so I wouldn’t do that. 172.16.0.0/12 is all internal though. You also need to have x_forwarded_for in the reverse proxy. I have been using only 127.0.0.1 and ::1 for years and it’s always worked. The other day on a dev instance I was getting the error and turned out I had not set this up in the dev instance so I added the reverse proxy 127.0.0.1 and ::1 and it just worked. No idea why you are not getting that…

not_a_coder · June 6, 2021, 1:35am

I use NGINX and a domain hosted at Cloudflare. I followed the setup posted in the blog at Securing Home Assistant with Cloudflare. All of the IPs that show up in the warning Received X-Forwarded-For header from untrusted proxy belong to Cloudflare. In order to continue with my setup is my only option to add the Cloudflare IP ranges to the http integration?

moto2000 · June 6, 2021, 3:07am

I was getting the warning too. Can confirm that adding the following to configuration.yaml resolved it:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1
    - 172.16.0.0/12
    - ::1

henry8866 · June 6, 2021, 3:27pm

I saw this in my log too. The ip is 172.18.0.2.
Running HA docker and NGINX(letsencrypt).

However seems HA is working fine without change anything, or something broke and I am not aware of it yet.

mwav3 · June 6, 2021, 4:59pm

It’s a warning now but according to the documentation will error on the July release, which means it will block the proxy request totally when you upgrade again. Best to fix it now by updating the config.

Given a proxy attack could be used as a security exploit probably explains the short turnaround time of just a month between warn and error.

henry8866 · June 7, 2021, 1:41am

Thanks. I’ve added below to the configuration.yaml and warning is gone. Although I’m not fully understand it

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1
    - 172.18.0.2
    - ::1

laxarus · June 8, 2021, 12:57pm

Using only

  - 127.0.0.1
  - ::1

didn’t work for me.
I had to add the nginx docker ip 172.30.33.10
I couldn’t add the whole network for some reason though. Checking the configuration threw an error.
172.30.33.1/16

Invalid config for [http]: not a valid value @ data['http']['trusted_proxies'][2]. Got '172.30.33.1/16'. (See /config/configuration.yaml, line 78).

tmjpugh · June 8, 2021, 2:50pm

You shouldn’t add entire network

laxarus · June 8, 2021, 5:05pm

Well, 127.0.0.1 should work since I use nging proxy manager addon but it doesn’t for some reason.

tmjpugh · June 8, 2021, 8:37pm

Since addons are docker containers separate from HA I would expect localshost IPs not to work and the IP of container to work since traffic should appear to be coming from nginx container host from HA perspective

Not sure how localhost can work in cases of docker or addons?

DavidFW1960 · June 8, 2021, 9:30pm

Well it does work. I’d suggest the x_forwarded_for is misconfigured in the proxy as that is supposed to pass through the real IP address instead of the proxy.

Try 172.30.33.0/24 instead.

laxarus · June 8, 2021, 10:12pm

I use 172.16.0.0/12
it works but I am not sure about the security.

DavidFW1960 · June 8, 2021, 10:24pm

It’s an internal IP address range so should be ok but I think you don’t have proxy configured correctly.

laxarus · June 8, 2021, 10:58pm

what’s wrong with proxy?
This is the config:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1
    - ::1
    - 172.16.0.0/12

  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem
  ip_ban_enabled: true
  login_attempts_threshold: 5

DavidFW1960 · June 8, 2021, 11:11pm

that is not the proxy

henry8866 · June 8, 2021, 11:28pm

What should be the correct config? I’m using below. If I comment out 172.18.0.2, log will have warning.

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1
    - 172.18.0.2
    - ::1

This is nginx config (just copied from sample file and update the ip address).

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name xxxx.xxxx.duckdns.org;
    include /config/nginx/ssl.conf;
    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_homeassistant 192.168.x.xx;
        proxy_pass http://$upstream_homeassistant:8123;
    }

    location /api/websocket {
        resolver 127.0.0.11 valid=30s;
        set $upstream_homeassistant 192.168.x.xx;
        proxy_pass http://$upstream_homeassistant:8123;
        proxy_set_header Host $host;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

DavidFW1960 · June 8, 2021, 11:34pm

see this post

You need to have something like this in the proxy:

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

I don’t use NGINX myself - I use Caddy and it has a similar setting in there and I have no errors with this.