You should only need 127.0.0.1. I use Caddy too. I also have ::1 as a trusted proxy for IPv6…
Just adding 127.0.0.1 and ::1 didn’t do the trick for me. I also had to add 172.0.0.0/8
That 172.0.0.0/8 is the docker network. And also some public IP addresss so I wouldn’t do that. 172.16.0.0/12 is all internal though. You also need to have x_forwarded_for in the reverse proxy. I have been using only 127.0.0.1 and ::1 for years and it’s always worked. The other day on a dev instance I was getting the error and turned out I had not set this up in the dev instance so I added the reverse proxy 127.0.0.1 and ::1 and it just worked. No idea why you are not getting that…
I use NGINX and a domain hosted at Cloudflare. I followed the setup posted in the blog at Securing Home Assistant with Cloudflare. All of the IPs that show up in the warning Received X-Forwarded-For header from untrusted proxy
belong to Cloudflare. In order to continue with my setup is my only option to add the Cloudflare IP ranges to the http integration?
I was getting the warning too. Can confirm that adding the following to configuration.yaml resolved it:
http:
use_x_forwarded_for: true
trusted_proxies:
- 127.0.0.1
- 172.16.0.0/12
- ::1
I saw this in my log too. The ip is 172.18.0.2.
Running HA docker and NGINX(letsencrypt).
However seems HA is working fine without change anything, or something broke and I am not aware of it yet.
It’s a warning now but according to the documentation will error on the July release, which means it will block the proxy request totally when you upgrade again. Best to fix it now by updating the config.
Given a proxy attack could be used as a security exploit probably explains the short turnaround time of just a month between warn and error.
Thanks. I’ve added below to the configuration.yaml and warning is gone. Although I’m not fully understand it
http:
use_x_forwarded_for: true
trusted_proxies:
- 127.0.0.1
- 172.18.0.2
- ::1
Using only
- 127.0.0.1
- ::1
didn’t work for me.
I had to add the nginx docker ip 172.30.33.10
I couldn’t add the whole network for some reason though. Checking the configuration threw an error.
172.30.33.1/16
Invalid config for [http]: not a valid value @ data['http']['trusted_proxies'][2]. Got '172.30.33.1/16'. (See /config/configuration.yaml, line 78).
You shouldn’t add entire network
Well, 127.0.0.1 should work since I use nging proxy manager addon but it doesn’t for some reason.
Since addons are docker containers separate from HA I would expect localshost IPs not to work and the IP of container to work since traffic should appear to be coming from nginx container host from HA perspective
Not sure how localhost can work in cases of docker or addons?
Well it does work. I’d suggest the x_forwarded_for is misconfigured in the proxy as that is supposed to pass through the real IP address instead of the proxy.
Try 172.30.33.0/24 instead.
I use 172.16.0.0/12
it works but I am not sure about the security.
It’s an internal IP address range so should be ok but I think you don’t have proxy configured correctly.
what’s wrong with proxy?
This is the config:
http:
use_x_forwarded_for: true
trusted_proxies:
- 127.0.0.1
- ::1
- 172.16.0.0/12
ssl_certificate: /ssl/fullchain.pem
ssl_key: /ssl/privkey.pem
ip_ban_enabled: true
login_attempts_threshold: 5
that is not the proxy
What should be the correct config? I’m using below. If I comment out 172.18.0.2, log will have warning.
http:
use_x_forwarded_for: true
trusted_proxies:
- 127.0.0.1
- 172.18.0.2
- ::1
This is nginx config (just copied from sample file and update the ip address).
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name xxxx.xxxx.duckdns.org;
include /config/nginx/ssl.conf;
client_max_body_size 0;
location / {
include /config/nginx/proxy.conf;
resolver 127.0.0.11 valid=30s;
set $upstream_homeassistant 192.168.x.xx;
proxy_pass http://$upstream_homeassistant:8123;
}
location /api/websocket {
resolver 127.0.0.11 valid=30s;
set $upstream_homeassistant 192.168.x.xx;
proxy_pass http://$upstream_homeassistant:8123;
proxy_set_header Host $host;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
see this post
You need to have something like this in the proxy:
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
I don’t use NGINX myself - I use Caddy and it has a similar setting in there and I have no errors with this.