Reverse proxy error

Bohemian · June 3, 2021, 11:31pm

I had the same issue as well with a local Nginx setup. Reverting from core core-2021.6.0 to my backup from a couple of days ago, I don’t see the error. So I suspect something was changed very recently.

Making changes to configuration.yaml similar to above solved the issue. Hassio with Nginx add-on in Proxmox.

frenck · June 3, 2021, 11:41pm

That is not a solution, and actually one of the few cases we can’t detect.
Strongly recommended NOT to delete the X-Forwarded-For, you are creating a security issue for yourself.

Topolynx · June 4, 2021, 11:44am

Hi. I’m experiencing a similar issue after the upgrade to HA Core 2021.7 (on raspbian OS).
HA reports
`Logger: homeassistant.components.http.forwarded
Source: components/http/forwarded.py:90
Integration: HTTP (documentation, issues)
First occurred: 10:51:04 (771 occurrences)
Last logged: 13:23:36

A request from a reverse proxy was received from 172.17.0.2, but your HTTP integration is not set-up for reverse proxies; This request will be blocked in Home Assistant 2021.7 unless you configure your HTTP integration to allow this header`.
Only recently (less than one month ago) I switched from a simple SSL way to secure HA to Caddy on docker (on the same machine).
Also, that message appears in concidence with the disconnection and reconnection of one of my smart plugs.
So, should I edit the configuration.yaml too?
Is it correct to add the following code?

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.17.0.2
    - 127.0.0.1

Thank you!

DavidFW1960 · June 4, 2021, 11:46am

You should only need 127.0.0.1. I use Caddy too. I also have ::1 as a trusted proxy for IPv6…

Topolynx · June 4, 2021, 11:49am

Thanks @DavidFW1960!

wauswaus · June 4, 2021, 2:16pm

Just adding 127.0.0.1 and ::1 didn’t do the trick for me. I also had to add 172.0.0.0/8

DavidFW1960 · June 4, 2021, 11:17pm

That 172.0.0.0/8 is the docker network. And also some public IP addresss so I wouldn’t do that. 172.16.0.0/12 is all internal though. You also need to have x_forwarded_for in the reverse proxy. I have been using only 127.0.0.1 and ::1 for years and it’s always worked. The other day on a dev instance I was getting the error and turned out I had not set this up in the dev instance so I added the reverse proxy 127.0.0.1 and ::1 and it just worked. No idea why you are not getting that…

not_a_coder · June 6, 2021, 1:35am

I use NGINX and a domain hosted at Cloudflare. I followed the setup posted in the blog at Securing Home Assistant with Cloudflare. All of the IPs that show up in the warning Received X-Forwarded-For header from untrusted proxy belong to Cloudflare. In order to continue with my setup is my only option to add the Cloudflare IP ranges to the http integration?

moto2000 · June 6, 2021, 3:07am

I was getting the warning too. Can confirm that adding the following to configuration.yaml resolved it:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1
    - 172.16.0.0/12
    - ::1

henry8866 · June 6, 2021, 3:27pm

I saw this in my log too. The ip is 172.18.0.2.
Running HA docker and NGINX(letsencrypt).

However seems HA is working fine without change anything, or something broke and I am not aware of it yet.

mwav3 · June 6, 2021, 4:59pm

It’s a warning now but according to the documentation will error on the July release, which means it will block the proxy request totally when you upgrade again. Best to fix it now by updating the config.

Given a proxy attack could be used as a security exploit probably explains the short turnaround time of just a month between warn and error.

henry8866 · June 7, 2021, 1:41am

Thanks. I’ve added below to the configuration.yaml and warning is gone. Although I’m not fully understand it

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1
    - 172.18.0.2
    - ::1

laxarus · June 8, 2021, 12:57pm

Using only

  - 127.0.0.1
  - ::1

didn’t work for me.
I had to add the nginx docker ip 172.30.33.10
I couldn’t add the whole network for some reason though. Checking the configuration threw an error.
172.30.33.1/16

Invalid config for [http]: not a valid value @ data['http']['trusted_proxies'][2]. Got '172.30.33.1/16'. (See /config/configuration.yaml, line 78).

tmjpugh · June 8, 2021, 2:50pm

You shouldn’t add entire network

laxarus · June 8, 2021, 5:05pm

Well, 127.0.0.1 should work since I use nging proxy manager addon but it doesn’t for some reason.

tmjpugh · June 8, 2021, 8:37pm

Since addons are docker containers separate from HA I would expect localshost IPs not to work and the IP of container to work since traffic should appear to be coming from nginx container host from HA perspective

Not sure how localhost can work in cases of docker or addons?

DavidFW1960 · June 8, 2021, 9:30pm

Well it does work. I’d suggest the x_forwarded_for is misconfigured in the proxy as that is supposed to pass through the real IP address instead of the proxy.

Try 172.30.33.0/24 instead.

laxarus · June 8, 2021, 10:12pm

I use 172.16.0.0/12
it works but I am not sure about the security.

DavidFW1960 · June 8, 2021, 10:24pm

It’s an internal IP address range so should be ok but I think you don’t have proxy configured correctly.

laxarus · June 8, 2021, 10:58pm

what’s wrong with proxy?
This is the config:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1
    - ::1
    - 172.16.0.0/12

  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem
  ip_ban_enabled: true
  login_attempts_threshold: 5