Hi,
I’m running an Apache HTTPD instance in a reverse proxy configuration for (among others) Home Assistant.
User authentication is done by Apache (either through username/password or SSL client certificate) and HA is configured with the trusted_networks auth provider to whitelist requests from the proxy host.
While this basically works, my iOS clients (using Safari or the HA companion app) don’t seem to include any authentication information for calls to /api/websocket
or /api/webhook
resulting in a 403 error for each of those resources and in turn the HA web page being non-functional.
If I bypass authentication for /api/(websocket|webhook)
with a “Require all granted” directive, the web UI works as expected, but now my HA instance would be wide open as anyone can issue api calls without authentication.
I can’t imagine being the only one having this issue.
Is there an elegant solution?
Sebastian