Reverse proxy error

Fabietto_Abete · July 7, 2021, 8:47pm

Hi all, till now I never adjusted settings to work well with a reverse proxy. I use proxmox and I have a ct with Nginx, registered a duckdns domain. If I try to access to HA using on my pc the duckdns url, a warning says my pc is not allowed in trusted network, so I must login with username and password and it works; if I enter with my local HA ip, in trusted network drop menu I select my user and enter without problem. Remote connection on my phone is working after reinstalling companion app, any advice is welcome, if login with user and password is simpler than configuring trusted network and proxies I can do this way without headaches.

matthewjporter · July 7, 2021, 9:52pm

I am also using cloudflare, did you add the IP’s listed in the log?

matthewjporter · July 8, 2021, 7:58am

I use Cloudflare with full proxy and encryption and the following worked for me
I used the following list of IP’s from IP Ranges | Cloudflare and then any others added into my log file

Copy to clipboard

use_x_forwarded_for: true
trusted_proxies:
#log reported ipv4
  - 162.158.159.139
  - 172.69.55.59
  - 141.101.76.195
  - 141.101.98.91
  - 141.101.99.102
  - 141.101.105.87
  - 141.101.105.99
#cloudflare ipv4
  - 103.21.244.0/22
  - 103.22.200.0/22
  - 103.31.4.0/22
  - 104.16.0.0/13
  - 104.24.0.0/14
  - 108.162.192.0/18
  - 131.0.72.0/22
  - 141.101.64.0/18
  - 162.158.0.0/15
  - 172.64.0.0/13
  - 173.245.48.0/20
  - 188.114.96.0/20
  - 190.93.240.0/20
  - 197.234.240.0/22
  - 198.41.128.0/17
#cloudflare ipv6
  - 2400:cb00::/32
  - 2606:4700::/32
  - 2803:f800::/32
  - 2405:b500::/32
  - 2405:8100::/32
  - 2a06:98c0::/29
  - 2c0f:f248::/32

agent_kith · July 8, 2021, 9:41am

Hi all,

I have cloudflare with proxy going to my HAProxy. Set all the cloudflare ranges to trusted…

And that isn’t working, I get the following errors:
too many headers for X-Forwarded-For [client_ip, cf_proxy_ip]

Disable proxy on cloudflare and everything works fine. Anybody doing double reverse proxy? How do you get it to work?

Update: Disabled forward-for in HAProxy, re-enable proxy on CF and things are working again. Just not entirely sure if the correct IP is passed through to this stage. Will have to investigate more to continue later in the week.

koying · July 8, 2021, 10:07am

This means the request has multiple X-Forwarded-For headers, which is wrong.
Assuming one is from cloudflare and another one is from HAProxy, there is something wrong in your HAProxy. It should have added itself to the already existing list of proxies in the existing header rather than creating one of its own.

EDIT: See Too many headers http 400 Error while using revers proxies · Issue #40421 · home-assistant/core · GitHub for a possible resolution

francisp · July 9, 2021, 3:07pm

Did you read the breaking changes ? Add this to the http: section in configuration.yaml

http:
  use_x_forwarded_for: true    
  trusted_proxies:
    - 127.0.0.1

egglestn · July 10, 2021, 3:47pm

Yes, Indeed I copied & pasted your code into my configuration.yaml file

# Configure a default setup of Home Assistant (frontend, api, etc)
default_config:

# Text to speech
tts:
  - platform: google_translate

group: !include groups.yaml
automation: !include automations.yaml
script: !include scripts.yaml
scene: !include scenes.yaml

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1

I am running using docker and behind Apache2 as areverse proxy.It has worked fine for around a year, but stopped working recently.
I am at a loss

egglestn · July 10, 2021, 4:42pm

I solved it!
Further reading suggested that I should also add
`

192.168.0.0 /24
`
to the list of trusted proxies and it works! I am not sure if opening the entire network might not be a security risk

GlennHA · July 10, 2021, 8:25pm

Are you running Apache2 as a docker container?
Is it running on the same machine, in the same docker network?
If you have static IPs in your network you should only have to add the IP that has your reverse proxy.
If in the same docker network then the network address of that network should work; you can easily see this network if you use Portainer.

egglestn · July 10, 2021, 9:39pm

No Apache2 is running on Ubuntu, the container is running HA.

So yes, using static IPs…but they didnt work, so i added the network and bingo…I suspect it is an order thing, but that is for a time when I want to risk breaking a system that is now working

chrmnxpnoy · July 12, 2021, 6:10am

This worked for me Thank you!!

KingRichard · July 12, 2021, 6:21am

guys, if you are running proxy from a different machine on your local then you need to add that proxy IP or you should just put 127.0.0.1

You should not have multiple IP since you will only used single proxy server.

koying · July 12, 2021, 7:08am

That’s conceptually correct, but HA is using the trusted_proxies in its own way.
See Incorrect (?) handling of X-Forwarded-For · Issue #52736 · home-assistant/core · GitHub for the discussion.

Basically:

If the immediate caller is not in the trusted list, the request is rejected
Beyond that, if the request went through a chain of proxy, the first proxy not in the trusted list is considered as the originating IP.

If you’re using, e.g. cloudflare, that could lead to a cloudflare IP being listed as the caller unless you put every single known cloudflare proxy in your trusted list.

egglestn · July 12, 2021, 8:06am

I accept and appreciate that, but it doesn’t work! I had 127.0.0.1 as my sole trusted proxy, and I got the connection refused. An examination of the logs showed the proxy request was from 192.168.0.7, so I added that…still didn’t work.
It was only when I changed the whole thing to 192.168.0.0/24 that it worked…and I am baffled (and a little concerned , since that appears to mean any machine on the network will be a trusted proxy)
I will tinker with it and see if I can get a more elegant way of doing it, but for now…it works
Cheers

koying · July 12, 2021, 8:34am

Shouldn’t be. When you added 192.168.0.7, was there a message with another IP?

egglestn · July 12, 2021, 8:51am

No the message was Still 192.168.0.7…and I have no idea why… I am going to have a play this morning… I will start by taking the whole network out & replacing with 192.168.0.7… And I will post the logs if it doesn’t work… I mean… What could possibly go wrong?

egglestn · July 12, 2021, 9:06am

Ok I Think I have sussed it
When I comment out the 192.168.0.0/24 I get a 400 error, and the logs show

2021-07-12 09:56:56 ERROR (MainThread) [homeassistant.components.http.forwarded] Received X-Forwarded-For header from an untrusted proxy 192.168.0.7

I amend the configuration.yaml to

  use_x_forwarded_for: true    
  trusted_proxies:
   - 127.0.0.1
    - 192.168.0.7
#    - 192.168.0.0/24

and it STILL breaks… But if I comment out 127.0.0.1 then it works… It seems that the order is vital (I think you may have said something to that in a previous post)
TBH this is way above my levels of competence or understanding, BUT i have a working system, and I feel it is more secure by limiting the proxies that access it.
Thanks for your help

koying · July 12, 2021, 10:28am

Your Yaml is not aligned, not sure if it’s a forum thing or your actual config.

  use_x_forwarded_for: true    
  trusted_proxies:
   - 127.0.0.1
   - 192.168.0.7

egglestn · July 12, 2021, 11:37am

It was a transcription error… the yaml is as you show

ppluti007 · July 12, 2021, 11:39am

Same error, solved with this note. Thank You