Reverse Proxy - "Invalid IP address in X-Forwarded-For"

I’m trying to get a new HA installation to work with an IIS reverse proxy. I’ve spent all day on this, read countless posts but am getting a problem that I haven’t seen reported anywhere.

I’m using the VM installation running on Hyper-V (Windows Server 2019). I updated to the latest software before I started configuring anything, Home Assistant OS 5.8 and Home Assistant 2020.12.0.

In the IIS server, my web.config is:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
   <system.webServer>
      <rewrite>
         <rules>
            <rule name="ReverseProxyInboundRule1" stopProcessing="true">
               <match url="(.*)" />
               <action type="Rewrite" url="http://192.168.1.10:8123/{R:1}" />
               <serverVariables>
                  <set name="HTTP_SEC_WEBSOCKET_EXTENSIONS" value="" />
               </serverVariables>
            </rule>
         </rules>
      </rewrite>
   </system.webServer>
</configuration>

My configuration.yaml is:

http:
    use_x_forwarded_for: true
    trusted_proxies: 172.16.1.1

If I try to access HA via the proxy I get a “400: Bad Request” page.

When I check the log, I see:
‘2020-12-14 17:01:29 ERROR (MainThread) [homeassistant.components.http.forwarded] Invalid IP address in X-Forwarded-For: 192.168.2.123:63146’
The IP is the address of my workstation.

I do not understand this error message! What is “Invalid” about it? I have no issues logging in directly to the HA server from the same IP.

As a test, I deliberately tried putting in the wrong IP for the “trusted_proxies”. Then I could log in fine! However, the log brought up lots of errors, all of the format:
‘2020-12-14 16:36:52 WARNING (MainThread) [homeassistant.components.http.forwarded] Received X-Forwarded-For header from untrusted proxy 172.16.1.1, headers not processed.’
What appeared to be happening is that the HA server was ignoring the x_forwarded_for value and treating all the requests as though they were originating from the IIS server.

Does anybody have any suggestions how I can fix this?

Thanks.

1 Like

I fixed the issue myself so am posting a follow-up in case anybody experiences the same problem.

It finally dawned on me why I got the “Invalid IP” error; it was because x_forwarded_for included the port as well as the IP. HA doesn’t like this!

Application Request Routing in IIS allows you to specify the option “Include TCP port from the client IP”; once I had disabled this, my reverse proxy configuration worked. I have never had an issue with this with other software, which seems to accept the client IP with the port, but HA clearly doesn’t support this. I just need to check that changing this setting doesn’t break any of my other proxied sites.

4 Likes
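An added example (not part of the original posts and not Home Assistant's own code) showing why a strict parser rejects the `ip:port` value ARR was sending, and why the header is ignored when the connecting peer is not a trusted proxy. The function names, the `strip_port` switch and the right-to-left hop walk are assumptions made for illustration; the addresses are the ones quoted in the thread.

```python
import ipaddress


def split_host_port(entry):
    """Return the address part of an X-Forwarded-For entry, dropping any port.

    Handles "192.168.2.123:63146" and "[2001:db8::1]:443"; bare addresses,
    including unbracketed IPv6, are returned unchanged.
    """
    entry = entry.strip()
    if entry.startswith("["):                  # [IPv6]:port or [IPv6]
        host, closed, _ = entry[1:].partition("]")
        return host if closed else entry
    if entry.count(":") == 1:                  # IPv4:port
        return entry.split(":", 1)[0]
    return entry


def resolve_client_ip(peer, xff, trusted_proxies, strip_port=False):
    """Pick the client address for a request (hypothetical helper).

    peer            -- address of the TCP connection (the reverse proxy)
    xff             -- raw X-Forwarded-For header value, or None
    trusted_proxies -- addresses or CIDR ranges allowed to set the header
    Raises ValueError if a trusted proxy sends an entry that is not an IP.
    """
    nets = [ipaddress.ip_network(p) for p in trusted_proxies]

    def trusted(ip):
        return any(ip in net for net in nets)

    peer_ip = ipaddress.ip_address(peer)
    # Header from an untrusted peer is ignored: the peer itself is the client.
    if not xff or not trusted(peer_ip):
        return str(peer_ip)

    hops = []
    for raw in xff.split(","):
        value = split_host_port(raw) if strip_port else raw.strip()
        hops.append(ipaddress.ip_address(value))   # strict: "ip:port" fails

    # Walk right to left so a client-supplied leftmost entry cannot win.
    for ip in reversed(hops):
        if not trusted(ip):
            return str(ip)
    return str(hops[0])
```

With `strip_port=False` the header from the log above raises `ValueError`, which corresponds to the 400 response; disabling the ARR option removes the port at the source instead.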

Hey mate,

I seem to be having the same issue. But I can’t log in. I’m just getting:

Unable to connect to Home Assistant.

I can’t see any errors in the logs now, other than a notification similar to what you were getting.

Login attempt or request with invalid authentication from

This is my config. If you can log in, do you have anything set for your ARR proxy settings other than having it enabled?

All my other sites and services work fine, except for this.

Any help or ideas would be really helpful 🙂

Thanks!

I had this working with IIS and Hyper-V in Home Assistant Core version: core-2021.6.6.

When I upgraded to core-2021.7.x and core-2021.8.x I am getting the same error as reported above in my log files.
In my configuration file I have the following:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - x.x.x.x
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

Any clues as to how to get this working again? Until I know, I am stuck with version 6.

This fixed the problem:

I just want to thank you for figuring this out. I actually proxy double to get to my HA docker instance:

Internet => IIS (ARR forwarding :443 to :443) => Docker (with nginx forwarding :443 to :8123). I had the same issue with the port being included.

Since this setting is global in ARR, have you had any issues with other apps with this setting disabled? Thanks.