Reverse Proxy for HA and iOS clients (authentication issue)

Hi,

I’m running an Apache HTTPD instance in a reverse proxy configuration for (among others) Home Assistant.
User authentication is done by Apache (either through username/password or SSL client certificate) and HA is configured with the trusted_networks auth provider to whitelist requests from the proxy host.

While this basically works, my iOS clients (using Safari or the HA companion app) don’t seem to include any authentication information for calls to /api/websocket or /api/webhook, resulting in a 403 error for each of those resources and in turn the HA web page being non-functional.

If I bypass authentication for /api/(websocket|webhook) with a “Require all granted” directive, the web UI works as expected, but now my HA instance would be wide open as anyone can issue API calls without authentication.

I can’t imagine being the only one having this issue.
Is there an elegant solution?

Sebastian
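
To see which requests the proxy is rejecting, and what a “Require all granted” bypass would let through, the access log can be audited for hits on the two API paths that carry no authenticated user. This is an added example, not part of the original post; it assumes Apache's standard "combined" log format and that authenticated requests populate the `%u` field (Basic auth, or client certificates with `SSLUserName` set), and the sample lines are constructed.

```python
import re
from collections import Counter

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
# Only the two paths named in the post; /api/webhook/<id> is matched by prefix.
API_RE = re.compile(r'^/api/(websocket|webhook)(/|\?|$)')

def audit(lines):
    """Count requests to the API paths that arrived without an authenticated user.

    Returns (denied, exposed), Counters keyed by (client host, path prefix):
      denied  - status 403, %u is "-"  : the symptom described in the post
      exposed - status < 400, %u is "-": requests served with no proxy-level auth
    """
    denied, exposed = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        api = API_RE.match(m['path'])
        if not api or m['user'] != '-':
            continue  # other path, or the proxy did authenticate this request
        key = (m['host'], '/api/' + api.group(1))
        status = int(m['status'])
        if status == 403:
            denied[key] += 1
        elif status < 400:  # includes 101 Switching Protocols for WebSocket
            exposed[key] += 1
    return denied, exposed

# Constructed sample lines (documentation address ranges), not real logs.
SAMPLE = [
    '198.51.100.7 - user1 [10/Mar/2021:10:00:00 +0000] "GET /lovelace HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (iPhone)"',
    '198.51.100.7 - - [10/Mar/2021:10:00:01 +0000] "GET /api/websocket HTTP/1.1" 403 199 "-" "Mozilla/5.0 (iPhone)"',
    '198.51.100.7 - - [10/Mar/2021:10:00:02 +0000] "POST /api/webhook/EXAMPLE_ID HTTP/1.1" 403 199 "-" "ExampleApp/1.0"',
    '203.0.113.50 - - [10/Mar/2021:10:05:00 +0000] "GET /api/websocket HTTP/1.1" 101 0 "-" "ExampleClient/1.0"',
    '192.0.2.10 - user2 [10/Mar/2021:10:06:00 +0000] "GET /api/websocket HTTP/1.1" 101 0 "-" "Mozilla/5.0 (X11)"',
]

if __name__ == "__main__":
    denied, exposed = audit(SAMPLE)
    print("denied without credentials:", dict(denied))
    print("served without credentials:", dict(exposed))
```
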

I have a similar issue with nginx, where it seems they are not providing authentication details with requests.

iOS clients in Safari cannot authenticate.
The login page shows but fails as “invalid authentication”. This is not an issue for the iOS app.

I see others have a similar issue when TLS 1.3 is not enabled, but this was not the cause for me.

Ok, as I did not want to expose the /api/(websocket|webhook) paths to the whole world unsecured, I now decided to set up an OpenVPN server and the respective client app on my iOS device.
This way I need to connect the VPN before trying to access my HA instance from my phone “on the road”, but at least that works.

Sebastian