RPI - docker installed with external access HA, problem with fail2ban and external IP

Hi,
I have fail2ban-secured sites with HTTPS proxying by nginx, implemented by the docker letsencrypt image. I can't set up Home Assistant security. SSL works, external access works, however it is not the external address but the docker IP address (172.17.0.1) that goes into the HA log.
HA log - Login attempt failed, message = Login attempt or request with invalid authentication from 172.17.0.1 (172.17.0.1)

My configuration:
Device - RPI4 with portainer
Dockers:
HA - home-assistant/raspberrypi4-homeassistant
Letsencrypt include fail2ban/nginx - linuxserver/letsencrypt
Config nginx: homassistant.subdomain.conf

server {
    listen *:443 ssl http2;
    server_name domainname.duckdns.org;
    include /config/nginx/ssl.conf;
    proxy_buffering off;

    location / {
        set $upstream_app homeassistant;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass http://192.168.1.2:8123;
        proxy_set_header X-Real-IP $remote_addr;
    }

    location /api/websocket {
        set $upstream_app homeassistant;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass http://192.168.1.2:8123;

        proxy_set_header Host $host;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
    }
}

I have already tried many combinations and nothing changes. As a result, fail2ban still blocks my docker IP.
What am I doing wrong?

Home Assistant recently added a requirement in version 7.2021 that requires additional configuration when setting up a reverse proxy, for security reasons. See this post/thread: Reverse proxy error

You should be able to add this to your config.yaml to get it working:

http:
  use_x_forwarded_for: true
  trusted_proxies: 
    - 172.17.0.1

My version is “core-2021.7.4”

  1. I added to configuration.yaml:

     default_config:
     http:
       use_x_forwarded_for: true
       trusted_proxies:
         - 172.17.0.1
  2. Restart HA
  3. Still the same… HA - Notify - "Login attempt failed
     Login attempt or request with invalid authentication from 172.17.0.1 (172.17.0.1). See the log for details."

YAML is super fussy about spacing. Is it spaced and indented exactly like the post above?

Yes, exactly as you wrote the code (copy/paste):

# Configure a default setup of Home Assistant (frontend, api, etc)
default_config:
http:
  use_x_forwarded_for: true
  trusted_proxies: 
    - 172.17.0.1

Any IPs blocked in your fail2ban jail? Below is my nginx config using the Swag docker container, which was formerly called letsencrypt. Is that what you're using? Do you have the Home Assistant container or some other install? If container, did you install with host networking mode in docker?

Nginx config:

## Version 2020/05/23 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/default

# redirect all traffic to https
server {
	listen 80 default_server;
	listen [::]:80 default_server;
	server_name mydomain.duckdns.org;
	return 301 https://$host$request_uri;
}

# main server block
server {
	listen 443 ssl http2 default_server;
	listen [::]:443 ssl http2 default_server;

	root /config/www;
	index index.html index.htm index.php;

	server_name mydomain.duckdns.org;
	
	# enable subfolder method reverse proxy confs
	include /config/nginx/proxy-confs/*.subfolder.conf;

	# all ssl related config moved to ssl.conf
	include /config/nginx/ssl.conf;

	# enable for ldap auth
	#include /config/nginx/ldap.conf;

	# enable for Authelia
	#include /config/nginx/authelia-server.conf;

	# enable for geo blocking
	# See /config/nginx/geoip2.conf for more information.
	#if ($allowed_country = no) {
	#return 444;
	#}

	client_max_body_size 0;

	location / {
		try_files $uri $uri/ /index.html /index.php?$args =404;
	}

	location ~ \.php$ {
		fastcgi_split_path_info ^(.+\.php)(/.+)$;
		fastcgi_pass 127.0.0.1:9000;
		fastcgi_index index.php;
		include /etc/nginx/fastcgi_params;
	}


}


### HOMEASSISTANT ##############################################################
server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name hass.*;
    
    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app homeassistant;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass http://192.168.0.184:8123;

    }

    location /api/websocket {
        resolver 127.0.0.11 valid=30s;
        set $upstream_app homeassistant;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass http://192.168.0.184:8123;

        proxy_set_header Host $host;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
# enable subdomain method reverse proxy confs
include /config/nginx/proxy-confs/*.subdomain.conf;
# enable proxy cache for auth
proxy_cache_path cache/ keys_zone=auth_cache:10m;

If it is still not working, check out this thread for some more ideas.

I forgot that after many attempts to fix this error I changed the HA docker from HOST to Bridge with port forwarding. Now I corrected the HA docker back to HOST and changed the entry to the correct nginx IP (172.20.0.2) in the configuration.yaml file. Restarted docker and HA.
Re-attempted and unfortunately no changes. HA notifies me about an incorrect login from 172.20.0.2; fail2ban does not block because:
"[homeassist] Ignore 172.20.0.2 by ignoreself rule"

fail2ban will not block anything until a valid external IP is in the home-assistant.log. This is probably not a fail2ban problem.

For other applications the external IP normally flows correctly into the logs of those applications, and fail2ban reads the logs and blocks. The HA log has only the docker IP on a failed logon.

I agree, just suggested to look at the logs to rule out something silly.

It seems like the connection through the proxy is not even making it through correctly. Any corresponding error in the nginx log? I think you still don’t have the right nginx config. Did you try the example I posted?

I changed the letsencrypt docker (deprecated) to swag. I replaced my nginx.conf with yours and changed the domain name and HA IP address. Swag does not start due to an error:
"nginx: [emerg] "server" directive is not allowed here in /config/nginx/nginx.conf:5"

I'm using wildcard subdomains so I can specify multiple different servers. This is my compose file:

version: "2.1"
services:
  swag:
    image: linuxserver/swag
    container_name: swag
    restart: unless-stopped
    cap_add:
    - NET_ADMIN
    volumes:
    - /home/tim/docker/swag/config:/config
    - /etc/localtime:/etc/localtime:ro
    environment:
    - PGID=1000
    - PUID=1000
    - [email protected]
    - URL=yourdomain.duckdns.org
    - SUBDOMAINS=wildcard
    - VALIDATION=duckdns
    - TZ=yourtimezone
    - DUCKDNSTOKEN=yourtoken
    - MAXMINDDB_LICENSE_KEY=yourkey #this is optional for location based IP banning
    ports:
    - "80:80"
    - "443:443"
    networks:
      default:
        ipv4_address: 172.21.0.2

Can you post your docker compose?

I use Portainer to create dockers. Until this installation, HA with letsencrypt was working fine. But I have no idea why only HA does not receive these external IPs.
My SWAG config:

Env
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PS1=$(whoami)@$(hostname):$(pwd)\$
HOME=/root
TERM=xterm
DHLEVEL=2048
ONLY_SUBDOMAINS=true
AWS_CONFIG_FILE=/config/dns-conf/route53.ini
S6_BEHAVIOUR_IF_STAGE2_FAILS=2
PUID=1002 (my docker user)
PGID=100
SUBDOMAINS=list subdomains with ','
TZ=timezone
URL=duckdns.org
VALIDATION=http
DUCKDNSTOKEN=token
EMAIL=myemail

Network settings - Bridge 172.17.0.3

And my working nginx.conf

## Version 2019/12/19 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/nginx.conf
user abc;
worker_processes 4;
pid /run/nginx.pid;
include /etc/nginx/modules/*.conf;

events {
	worker_connections 768;
	# multi_accept on;
}


http {
	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 65;
	types_hash_max_size 2048;
	variables_hash_max_size 2048;
	large_client_header_buffers 4 16k;
		 server_names_hash_bucket_size 64;
		 client_max_body_size 0;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;
	access_log /config/log/nginx/access.log;
	error_log /config/log/nginx/error.log;
	gzip on;
	gzip_disable "msie6";
	include /etc/nginx/conf.d/*.conf;
	include /config/nginx/site-confs/*;
}
daemon off;

And my proxy-conf for HA

## Version 2020/12/09
# make sure that your dns has a cname set for homeassistant and that your homeassistant container is not using a base url
map $http_upgrade $connection_upgrade {
  default upgrade;
  ''      close;
}
server {
    listen *:443 ssl http2;
    server_name mydomain.duckdns.org;
    include /config/nginx/ssl.conf;
    proxy_buffering off;

    location / {
        set $upstream_app homeassistant;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass http://192.168.1.2:8123;
        proxy_set_header X-Real-IP $remote_addr;
    }

    location /api/websocket {
        set $upstream_app homeassistant;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass http://192.168.1.2:8123;

        proxy_set_header Host $host;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
    }
}


Of course, with this port forwarding and configuration folder it works fine here. I make all the settings for my applications and nginx in the "proxy-confs" folder.

I guess a victory. One more line in my proxy-conf location section adds the real IP to the log:
(…)

proxy_set_header X-Real-IP $remote_addr; - It wasn't enough
proxy_set_header X-Forwarded-For $remote_addr; - Only after this entry did it start working properly
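The two pieces of the fix above (trusted_proxies on the HA side, X-Forwarded-For on the nginx side) only work together, and the reason is easy to see in code. The following is an added example written for this thread, not Home Assistant's or fail2ban's own code: a simplified re-implementation of the "honour X-Forwarded-For only from a trusted proxy" rule, the HA log line it produces, and what a fail2ban-style filter would extract from it. The addresses (172.17.0.1 for the proxy container, 203.0.113.7 for the external client) are constructed sample values.

```python
import ipaddress
import re

# Constructed sample value: the docker bridge address of the proxy container,
# matching the http.trusted_proxies entry from this thread.
TRUSTED_PROXIES = [ipaddress.ip_network("172.17.0.1/32")]


def _is_trusted(addr, trusted):
    return any(addr in net for net in trusted)


def resolve_client_ip(remote_addr, x_forwarded_for=None, trusted=TRUSTED_PROXIES):
    """Return the address the application should log for this request.

    Simplified version of the use_x_forwarded_for / trusted_proxies rule
    (not HA's actual code): the header is trusted only when the TCP peer is
    a listed proxy; the client is the rightmost hop that is not itself a
    trusted proxy, so a client cannot spoof itself by prepending addresses.
    """
    peer = ipaddress.ip_address(remote_addr)
    if x_forwarded_for is None or not _is_trusted(peer, trusted):
        # No header (the symptom in this thread) or header from an untrusted
        # peer: fall back to the peer address itself.
        return str(peer)
    hops = [ipaddress.ip_address(h.strip()) for h in x_forwarded_for.split(",")]
    for hop in reversed(hops):
        if not _is_trusted(hop, trusted):
            return str(hop)
    return str(hops[0])


def failed_login_line(client_ip):
    """Same shape as the log line quoted at the top of the thread."""
    return f"Login attempt or request with invalid authentication from {client_ip} ({client_ip})"


# fail2ban-style failregex for that line; <HOST> in a real filter plays the role of the group.
LOG_RE = re.compile(r"invalid authentication from (?P<ip>\S+) \(")


def ban_candidate(log_line, ignore_self=("172.17.0.1",)):
    """Extract the offending IP, or None if the line does not match or the
    address is one fail2ban would skip under an ignoreself-style rule."""
    m = LOG_RE.search(log_line)
    if not m:
        return None
    ip = m.group("ip")
    return None if ip in ignore_self else ip
```

With no X-Forwarded-For header the proxy address is logged and the ban candidate is discarded, which is exactly the "Ignore ... by ignoreself rule" message seen earlier in the thread.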

Good, glad you got it working. I figured it was an nginx config issue, but since you advised that you define the settings in the proxy-confs file, versus mine which are defined in the same default file, my config wasn't going to work for you.


Practically, the problem was in nginx only… until now I do not understand why other applications without such entries, e.g. Nextcloud, don't have any of these lines and it is OK.

Home Assistant relies on websockets, versus other services that are just traditional HTTP, so additional configuration is necessary for websockets to work when using a reverse proxy. This article explains a little more about why the extra configs are needed and what they mean: How to Proxy WSS WebSockets with NGINX - Serverlab
