I use nginx as a reverse proxy to enable SSL for HA and other local homelab services (ex: https://hass.mydomain.duckdns.org). I just installed the BabyBuddy HA addon and am running into CSRF issues when submitting forms:
You are seeing this message because this site requires a CSRF cookie when submitting forms. This cookie is required for security reasons, to ensure that your browser is not being hijacked by third parties.
The BB documentation explains that I need to use the nginx Forwarded header to make it work behind my proxy. My knowledge of nginx is quite limited, and I’m struggling to figure out how to implement this. Doesn’t help that the link provided in the docs now forwards to the root documentation page for nginx, and this particular header name is hard to google (“nginx reverse proxy Forwarded example”).
I see others are having issues with BB & CSRF, though I’m unsure if nginx is involved in those. Also, I am unable to get past the above 403 error on any device. Here’s my current list of trusted domains:
Yes, I followed the documentation. As noted above, others currently seem to have issues with CSRF too, though it’s unclear whether any of them are using a reverse proxy.
This proxy-specific documentation says I need to use the nginx Forwarded header:
If Baby Buddy is configured behind a standard HTTP proxy requests will always been seen as insecure even if the exposed public connection uses HTTPS between the client and proxy.
To address this most proxies can be configured to pass a special header to Baby Buddy indicating the scheme used by the original request. X-Forwarded-Proto is a common standard header for this feature and it is currently the only header supported by Baby Buddy. To use this feature the SECURE_PROXY_SSL_HEADER environment variable to True and Baby Buddy will consider the scheme indicated by the X-Forwarded-Proto header to be the scheme used for the request.
…so I added this to the custom yaml for the addon:
SECURE_PROXY_SSL_HEADER: True
However, I’m struggling to determine where (and how) to set the Forwarded header in nginx. Does it belong as custom configuration code in the Advanced tab of my proxy host config?
Also, since BB is running as a HAOS addon, its base URL is technically a subfolder of my HA instance: http://192.168.1.200:8123/68152197_baby_buddy/ingress. Do I need to add a custom location to my nginx proxy host config to support this?
