Serving home assistant via Apache reverse proxy

Hi,

I have now been following along a bunch of tutorials on how to set up an Apache reverse proxy for HA. I have not succeeded with any config and was hoping to get some help from you, the experts, as you have got it running, as is evident from other threads. I have also tried the official setup, which has not yielded a successful outcome.

My setup is as follows:
I have Home Assistant installed on my Ubuntu server running in a Docker container. I have a reverse proxy configuration using apache2. This is all working. I can access my websites, services and Home Assistant from my local network (Home Assistant via IP and port). I can also access everything EXCEPT Home Assistant from outside the network.
I am getting the login screen and will be redirected to /lovelace where I am greeted with the message: Unable to connect to Home Assistant followed by a retry button.

My configuration looks as follows:

<VirtualHost *:443>
        ServerAdmin [email protected]
        ServerName example.com

        ProxyPreserveHost On
        ProxyRequests off
        ProxyPass / http://127.0.0.1:8123
        ProxyPassReverse / http://127.0.0.1:8123
        ProxyPass /api/websocket ws://127.0.0.1:8123/api/websocket
        ProxyPassReverse /api/websocket ws://127.0.0.1:8123/api/websocket

        RewriteEngine on
        RewriteCond %{HTTP:Upgrade} =websocket [NC]
        RewriteRule /(.*)  ws://127.0.0.1:8123/$1 [P,L]
        RewriteCond %{HTTP:Upgrade} !=websocket [NC]
        RewriteRule /(.*)  http://127.0.0.1:8123/$1 [P,L]

</VirtualHost>

I have also tried with *:80. Same result here. When checking the network tab in the browser dev tools I can see that a connection attempt is made to wss://example.com/api/websocket. The resulting status code is 400. No matter what I try, this does not change. I have changed the redirects to wss instead of ws and I have also used this config:

<VirtualHost *:80>
        # MODIFY to your host name
        ServerName        homeassistant.adamoutler.com
        # MODIFY to your email
        ServerAdmin       [email protected]
        RewriteEngine On
        # This will enable the Rewrite capabilities
        RewriteCond %{HTTPS} !=on
        # This checks to make sure the connection is not already HTTPS
        RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>

        #Declare server
        # MODIFY to your host name
        ServerName        homeassistant.adamoutler.com
        # MODIFY to your email
        ServerAdmin       [email protected]

        #fix detecting incorrect login IP by proxy server
        # MODIFY to your proxy, or delete if you aren't using a firewall
        RemoteIPInternalProxy 192.168.1.1
        RemoteIPHeader X-Forwarded-For

        #proxy server setup
        ProxyPreserveHost On
        ProxyRequests Off
        # MODIFY to your HA IP:Port
        ProxyPass /api/websocket ws://192.168.1.8:8123/api/websocket
        # MODIFY to your HA:Port
        ProxyPassReverse /api/websocket wss://192.168.1.8:8123/api/websocket
        # MODIFY to your HA IP:Port
        ProxyPass / http://192.168.1.8:8123/
        # MODIFY to your HA IP:Port
        ProxyPassReverse / http://192.168.1.8:8123/

        #fix websockets for addons and apis
        RewriteEngine On
        RewriteCond %{HTTP:Upgrade} websocket [NC]
        # MODIFY to your HA IP address
        RewriteRule ^/?(.*) "ws://192.168.1.8:8123/$1" [P,L]


        #Set security on certain areas (some redacted)
        <Location "/">
                Satisfy any
#               Include /path/to/mySecuritySettings.conf
        </Location>
        <Location "/api">
                Satisfy any
        </Location>

        #HTTPS certs
#        Include /path/to/sites-available/ssl.conf
#        Include /path/to/options-ssl-apache.conf
#        SSLProxyEngine On
#        SSLCertificateFile /path/to/my-chain.pem
#        SSLCertificateKeyFile /path/to/my-cert.pem
</VirtualHost>
</IfModule>

with no success. I of course adapted it to my server.
I have also enabled all the modules for Apache that are required but still cannot get a connection. And yes, I also restarted the server every time I made a change.

Can anyone tell me what I am missing or maybe just a tip where to look next?

Thank you for your help!
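
An added example, not part of the original post and not Apache's own tooling: a small check for two pitfalls the Apache documentation describes. ProxyPass rules are evaluated in configuration order with the first match winning, and a "#" comment is only valid at the start of a line. The sample text is constructed from the directive order in the first configuration above; the function names are hypothetical.

```python
import re

# Constructed sample: the proxy directives in the order used by the first
# configuration in the post, plus one directive carrying a trailing comment.
SAMPLE_VHOST = """\
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:8123
ProxyPassReverse / http://127.0.0.1:8123
ProxyPass /api/websocket ws://127.0.0.1:8123/api/websocket
ServerName example.com #MODIFY to your host name
"""

def lint_vhost(text):
    """Return (line_number, message) findings for two Apache pitfalls."""
    findings, seen = [], []          # seen: (path, line_number) of ProxyPass
    for num, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                 # blank line or a whole-line comment
        # '#' starts a comment only at the beginning of a line; after a
        # directive, Apache parses the text as further arguments.
        head, *rest = re.split(r"\s#", line, maxsplit=1)
        if rest:
            findings.append((num, "trailing comment on directive line"))
        parts = head.split()
        if parts[0].lower() != "proxypass" or len(parts) < 3:
            continue
        path = parts[1]
        # ProxyPass rules are checked in configuration order and the first
        # match wins, so an earlier, shorter prefix shadows this rule.
        for earlier, earlier_num in seen:
            if path != earlier and path.startswith(earlier):
                findings.append(
                    (num, f"{path} is shadowed by {earlier} on line {earlier_num}"))
                break
        seen.append((path, num))
    return findings

def longest_first(paths):
    """Order ProxyPass paths so the most specific rule is matched first."""
    return sorted(paths, key=len, reverse=True)

if __name__ == "__main__":
    for num, message in lint_vhost(SAMPLE_VHOST):
        print(f"line {num}: {message}")
```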

I'm using Autossh to connect my local HA to my VPS and use Apache to proxy everything.

Autossh Config:

hostname: xxx.xx.xxx.xxx
ssh_port: '22'
username: homeassistant
remote_forwarding:
  - '44400:localhost:8123'
local_forwarding:
  - ''
other_ssh_options: '-v'
monitor_port: '0'

vhost config:

<IfModule mod_ssl.c>
<VirtualHost *:443>
  ServerName ha.xxx.org
  ServerSignature Off
   RewriteEngine On
   RewriteCond %{HTTP:Upgrade} =websocket
   RewriteRule /(.*) ws://localhost:44400/$1 [P]
   RewriteCond %{HTTP:Upgrade} !=websocket
   RewriteRule /(.*) http://localhost:44400/$1 [P]
   ProxyPassReverse / http://localhost:44400

Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

Thank you for the hint. I cannot seem to configure it correctly though. Also I am not using hass.io but the normal home assistant in a docker container. So I installed autossh directly on my machine. However the tunnel will not establish.

Should it not be possible to do it with just apache? I mean there are so many people here saying they have it setup that way.

I have now even integrated AutoSSH but still this does not work. I would also really prefer not to use an SSH tunnel as this makes everything more complex to administrate.
Is there anyone that maybe has an idea?

Both apache and HA http settings must be correct.

I don’t use Apache, but the Apache log should show some information about what happens when you try to connect to HA.

Also, what happens in the browser when you attempt a connection?

Recently I had to go back and reconfigure my nginx and HA http settings due to X-Forwarded-For and IPs getting banned. I forgot and set nginx to forward requests to the hosting server's IP 192.169.10.12 for HA. This caused all connections to HA to be banned, as they all, good and bad, appeared to come from Docker 172.17.0.1. It occurred to me that I must set nginx to forward to the HA Docker IP 172.17.0.3 and set the nginx Docker IP as allowed_proxy in the HA http settings.

Before making the above changes, all HA connections were blocked and the web showed “cannot connect” or the HA banner with a blank page. It was the nginx log that pointed this out, since it showed the outgoing connection from the external IP to HA, but HA always showed an incoming connection ban for 172.17.0.1. After some thought I realized the connection is from outside Docker, which is wrong. I don't set 172.17.0.1 as allowed_proxy since that would allow anything sending to the server to act as a proxy, and the IP ban would never work properly.
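
The failure mode described in the post above, worked through as an added example (not from the thread, and not Home Assistant's or nginx's code): a backend that honours X-Forwarded-For only from allow-listed proxies, plus a simple per-address ban counter. 172.17.0.1 is the Docker gateway named in the post; 172.17.0.2 for the nginx container, the client addresses and the threshold of 3 are assumptions.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

def resolve_client_ip(peer, xff, trusted_proxies):
    """Address the backend should log and ban; XFF counts only via trusted peers."""
    nets = [ip_network(n) for n in trusted_proxies]
    def trusted(addr):
        try:
            return any(ip_address(addr) in n for n in nets)
        except ValueError:       # not an IP address at all
            return False
    if not xff or not trusted(peer):
        return peer              # header ignored for untrusted peers
    # Walk right to left: each trusted hop vouches for the entry before it.
    for hop in reversed([h.strip() for h in xff.split(",")]):
        if not trusted(hop):
            try:
                return str(ip_address(hop))
            except ValueError:
                return peer      # malformed entry: fall back to the peer
    return peer                  # every hop was a trusted proxy

def banned(failed_logins, trusted_proxies, threshold=3):
    """Addresses banned after `threshold` failed logins, given (peer, xff) pairs."""
    hits = Counter(resolve_client_ip(p, x, trusted_proxies) for p, x in failed_logins)
    return {ip for ip, n in hits.items() if n >= threshold}

# Constructed traffic. 172.17.0.1 (Docker gateway) is from the post;
# 172.17.0.2 for the nginx container and the client addresses are assumed.
GATEWAY, NGINX = "172.17.0.1", "172.17.0.2"
ATTACKER, USER = "203.0.113.9", "198.51.100.7"

# nginx forwards to the host IP, so HA sees the gateway as peer for everyone.
via_gateway = [(GATEWAY, ATTACKER)] * 3 + [(GATEWAY, USER)]
# nginx forwards straight to the HA container, so HA sees nginx as peer.
via_nginx = [(NGINX, ATTACKER)] * 3 + [(NGINX, USER)]
# A sender reaching HA through the gateway with a different forged header per try.
forged = [(GATEWAY, f"192.0.2.{i}") for i in range(1, 4)]

if __name__ == "__main__":
    print(banned(via_gateway, [NGINX]))       # the shared gateway address is banned
    print(banned(via_nginx, [NGINX]))         # only the failing client is banned
    print(banned(forged, [NGINX, GATEWAY]))   # trusting the gateway defeats the ban
```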

What kind of configuration would I have to do in HA? So far I have done nothing to it and it still is working locally.

When I am hitting the domain in the browser I get the login screen and can type username and password. When trying to log in after that the screen turns black and I get the HA logo in the middle of the screen saying underneath: Unable to connect to Home Assistant. Underneath that message is a button that just says: Retry. It reloads the page. When looking into the logs I can see that the websocket request (api/websocket) returns 400. In the Apache logs there is nothing. It shows the 400 response to the /api/websocket route but that's it. No error logs and nothing. I am sure the password is correct as well as the user because they work locally.
This is the error.log:

[Mon Nov 02 05:36:09.693188 2020] [proxy:error] [pid 1205828:tid 140172465256192] (111)Connection refused: AH00957: HTTP: attempt to connect to 127.0.0.1:22000 (127.0.0.1) failed
[Mon Nov 02 05:36:09.693231 2020] [proxy_http:error] [pid 1205828:tid 140172465256192] [client 80.82.68.59:36496] AH01114: HTTP: failed to make connection to backend: 127.0.0.1
[Mon Nov 02 05:36:10.930794 2020] [proxy:error] [pid 1205829:tid 140173304133376] (111)Connection refused: AH00957: HTTP: attempt to connect to 127.0.0.1:22000 (127.0.0.1) failed
[Mon Nov 02 05:36:10.930832 2020] [proxy_http:error] [pid 1205829:tid 140173304133376] [client 80.82.68.59:43748] AH01114: HTTP: failed to make connection to backend: 127.0.0.1
[Mon Nov 02 05:36:10.932587 2020] [proxy:error] [pid 1205828:tid 140172968589056] (111)Connection refused: AH00957: HTTP: attempt to connect to 127.0.0.1:22000 (127.0.0.1) failed
[Mon Nov 02 05:36:10.932605 2020] [proxy_http:error] [pid 1205828:tid 140172968589056] [client 80.82.68.59:43746] AH01114: HTTP: failed to make connection to backend: 127.0.0.1
[Mon Nov 02 13:36:41.923190 2020] [proxy:error] [pid 1205829:tid 140173018912512] (111)Connection refused: AH00957: HTTP: attempt to connect to 127.0.0.1:22000 (127.0.0.1) failed
[Mon Nov 02 13:36:41.923232 2020] [proxy_http:error] [pid 1205829:tid 140173018912512] [client 128.14.134.134:42760] AH01114: HTTP: failed to make connection to backend: 127.0.0.1
[Mon Nov 02 15:54:27.171083 2020] [proxy:error] [pid 1205829:tid 140173270562560] (111)Connection refused: AH00957: HTTP: attempt to connect to 127.0.0.1:22000 (127.0.0.1) failed
[Mon Nov 02 15:54:27.171119 2020] [proxy_http:error] [pid 1205829:tid 140173270562560] [client 180.149.125.165:13314] AH01114: HTTP: failed to make connection to backend: 127.0.0.1

I am unsure what backend this is referring to tbh.
This is the other_vhost_access.log file:

example.com:443 141.101.99.211 - - [02/Nov/2020:16:02:54 +0000] "GET / HTTP/1.1" 200 5359 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0"
example.com::443 141.101.98.134 - - [02/Nov/2020:16:02:54 +0000] "GET /hacsfiles/iconset.js HTTP/1.1" 200 5549 "https://example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0"
example.com::443 141.101.99.211 - - [02/Nov/2020:16:02:54 +0000] "GET /auth/providers HTTP/1.1" 200 4101 "https://example.com:/auth/authorize?response_type=code&redirect_uri=https%3A%2F%2Fexample.com%2F%3Fauth_callback%3D1&client_id=https%3A%2F%2Fexample.com%2F&state=eyJoYXNzVXJsIjoiaHR0cHM6Ly90aW1iby56b25lIiwiY2xpZW50SWQiOiJodHRwczovL3RpbWJvLnpvbmUvIn0%3D" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0"
example.com:443 162.158.155.22 - - [02/Nov/2020:16:02:54 +0000] "GET /service_worker.js HTTP/1.1" 304 4004 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0"
example.com:443 141.101.99.211 - - [02/Nov/2020:16:02:55 +0000] "POST /auth/login_flow HTTP/1.1" 200 4234 "https://example.com/auth/authorize?response_type=code&redirect_uri=https%3A%2F%2Fexample.com%2F%3Fauth_callback%3D1&client_id=https%3A%2F%2Fexample.com%2F&state=eyJoYXNzVXJsIjoiaHR0cHM6Ly90aW1iby56b25lIiwiY2xpZW50SWQiOiJodHRwczovL3RpbWJvLnpvbmUvIn0%3D" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0"
example.com:443 141.101.99.211 - - [02/Nov/2020:16:03:02 +0000] "POST /auth/login_flow/1b5ee79a33e7437fb46f4f449c817526 HTTP/1.1" 200 4224 "https://example.com/auth/authorize?response_type=code&redirect_uri=https%3A%2F%2Fexample.com%2F%3Fauth_callback%3D1&client_id=https%3A%2F%2Fexample.com%2F&state=eyJoYXNzVXJsIjoiaHR0cHM6Ly90aW1iby56b25lIiwiY2xpZW50SWQiOiJodHRwczovL3RpbWJvLnpvbmUvIn0%3D" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0"
example.com:443 141.101.99.211 - - [02/Nov/2020:16:03:03 +0000] "GET /?auth_callback=1&code=806692ed3b654a18a3c258d46dd4afee&state=eyJoYXNzVXJsIjoiaHR0cHM6Ly90aW1iby56b25lIiwiY2xpZW50SWQiOiJodHRwczovL3RpbWJvLnpvbmUvIn0%3D HTTP/1.1" 200 5409 "https://example.com/auth/authorize?response_type=code&redirect_uri=https%3A%2F%2Fexample.com%2F%3Fauth_callback%3D1&client_id=https%3A%2F%2Fexample.com%2F&state=eyJoYXNzVXJsIjoiaHR0cHM6Ly90aW1iby56b25lIiwiY2xpZW50SWQiOiJodHRwczovL3RpbWJvLnpvbmUvIn0%3D" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0"
example.com:443 141.101.99.211 - - [02/Nov/2020:16:03:03 +0000] "POST /auth/token HTTP/1.1" 200 4407 "https://example.com/?auth_callback=1&code=806692ed3b654a18a3c258d46dd4afee&state=eyJoYXNzVXJsIjoiaHR0cHM6Ly90aW1iby56b25lIiwiY2xpZW50SWQiOiJodHRwczovL3RpbWJvLnpvbmUvIn0%3D" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0"
example.com:443 141.101.99.237 - - [02/Nov/2020:16:03:03 +0000] "GET /api/websocket HTTP/1.1" 400 4068 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0"

I do not understand what the issue is here. The request definitely reaches the server but what happens next I am not sure. I am not too good with Apache though, so that surely does not help.
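
A triage pass over the two logs quoted above, as an added example that is not part of the original post: it groups mod_proxy AH00957 connection failures by backend address and lists WebSocket requests that were not answered with 101. The sample lines are taken from the post with the user agent abridged; the expected backend 127.0.0.1:8123 comes from the first configuration, and the function names are hypothetical.

```python
import re
from collections import Counter

# AH00957 is logged by mod_proxy when a connection to a backend fails.
BACKEND_RE = re.compile(r"AH00957: \w+: attempt to connect to (\S+:\d+) ")
# other_vhost_access.log: vhost:port client - - [time] "METHOD path proto" status
ACCESS_RE = re.compile(r'^(\S+) (\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Sample lines from the post (user agent abridged).
ERROR_LOG = [
    "[Mon Nov 02 05:36:09.693188 2020] [proxy:error] [pid 1205828:tid 140172465256192] "
    "(111)Connection refused: AH00957: HTTP: attempt to connect to 127.0.0.1:22000 (127.0.0.1) failed",
    "[Mon Nov 02 05:36:09.693231 2020] [proxy_http:error] [pid 1205828:tid 140172465256192] "
    "[client 80.82.68.59:36496] AH01114: HTTP: failed to make connection to backend: 127.0.0.1",
    "[Mon Nov 02 15:54:27.171083 2020] [proxy:error] [pid 1205829:tid 140173270562560] "
    "(111)Connection refused: AH00957: HTTP: attempt to connect to 127.0.0.1:22000 (127.0.0.1) failed",
]
ACCESS_LOG = [
    'example.com:443 141.101.99.211 - - [02/Nov/2020:16:02:54 +0000] "GET / HTTP/1.1" 200 5359 "-" "Mozilla/5.0"',
    'example.com:443 141.101.99.211 - - [02/Nov/2020:16:03:03 +0000] "POST /auth/token HTTP/1.1" 200 4407 "-" "Mozilla/5.0"',
    'example.com:443 141.101.99.237 - - [02/Nov/2020:16:03:03 +0000] "GET /api/websocket HTTP/1.1" 400 4068 "-" "Mozilla/5.0"',
]

def refused_backends(error_lines):
    """Count failed proxy connections per backend address."""
    return Counter(m.group(1) for line in error_lines if (m := BACKEND_RE.search(line)))

def unknown_backends(error_lines, expected):
    """Backends in the error log that the vhost under test never proxies to."""
    return sorted(set(refused_backends(error_lines)) - set(expected))

def failed_upgrades(access_lines, path="/api/websocket"):
    """(vhost, client, status) for WebSocket requests not answered with 101."""
    out = []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if m and m.group(4).split("?")[0] == path and m.group(5) != "101":
            out.append((m.group(1), m.group(2), int(m.group(5))))
    return out

if __name__ == "__main__":
    print(unknown_backends(ERROR_LOG, ["127.0.0.1:8123"]))  # errors for another backend
    print(failed_upgrades(ACCESS_LOG))                      # the rejected upgrade request
```

On the quoted logs this separates the two findings: every error.log entry concerns 127.0.0.1:22000 rather than the Home Assistant backend on port 8123, while the 400 on /api/websocket appears only in the access log.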

I think there is a typo in your websocket ProxyPass(Reverse):
instead of
ws://127.0.0.1:8123/api/websocket
you should have
ws://127.0.0.1:8123/api/api/websocket
(Yes, repeated \api; doesn’t seem logical, but it works for me - can’t remember where I found this info several months ago).