I have now been following along a bunch of tutorials on how to set up an Apache reverse proxy for HA. I have not succeeded with any config and was hoping to get some help from you, the experts, as you have got it running, as is evident from other threads. I have also tried the official setup, which has not yielded a successful outcome.
My setup is as follows:
I have Home Assistant installed on my Ubuntu server running in a Docker container. I have a reverse proxy configuration using apache2. This is all working. I can access my websites, services and Home Assistant from my local network (Home Assistant via IP and port). I can also access everything EXCEPT Home Assistant from outside the network.
I am getting the login screen and will be redirected to /lovelace where I am greeted with the message: Unable to connect to Home Assistant followed by a retry button.
I have also tried with *:80. Same result here. When checking the network tab in the browser dev tools I can see that a connection attempt is made to wss://example.com/api/websocket. The resulting status code is 400. No matter what I try, this does not change. I have changed the redirects to wss instead of ws and I have also used this config:
<VirtualHost *:80>
    #MODIFY to your host name
    ServerName homeassistant.adamoutler.com
    #MODIFY to your email
    ServerAdmin [email protected]
    RewriteEngine On
    # This will enable the Rewrite capabilities
    RewriteCond %{HTTPS} !=on
    # This checks to make sure the connection is not already HTTPS
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
    #Declare server
    #MODIFY to your host name
    ServerName homeassistant.adamoutler.com
    #MODIFY to your email
    ServerAdmin [email protected]
    #fix detecting incorrect login IP by proxy server
    #MODIFY to your proxy, or delete if you aren't using a firewall
    RemoteIPInternalProxy 192.168.1.1
    RemoteIPHeader X-Forwarded-For
    #proxy server setup
    ProxyPreserveHost On
    ProxyRequests Off
    #MODIFY the four lines below to your HA IP:Port
    ProxyPass /api/websocket ws://192.168.1.8:8123/api/websocket
    ProxyPassReverse /api/websocket wss://192.168.1.8:8123/api/websocket
    ProxyPass / http://192.168.1.8:8123/
    ProxyPassReverse / http://192.168.1.8:8123/
    #fix websockets for addons and apis
    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} websocket [NC]
    #MODIFY to your HA IP address
    RewriteRule ^/?(.*) "ws://192.168.1.8:8123/$1" [P,L]
    #Set security on certain areas (some redacted)
    <Location "/">
        Satisfy any
        # Include /path/to/mySecuritySettings.conf
    </Location>
    <Location "/api">
        Satisfy any
    </Location>
    #HTTPS certs
    # Include /path/to/sites-available/ssl.conf
    # Include /path/to/options-ssl-apache.conf
    # SSLProxyEngine On
    # SSLCertificateFile /path/to/my-chain.pem
    # SSLCertificateKeyFile /path/to/my-cert.pem
</VirtualHost>
</IfModule>
with no success. I of course adapted it to my server.
I have also enabled all the modules for Apache that are required but still cannot get a connection. And yes, I also restarted the server every time I made a change.
Can anyone tell me what I am missing or maybe just a tip where to look next?
Thank you for the hint. I cannot seem to configure it correctly though. Also I am not using hass.io but the normal home assistant in a docker container. So I installed autossh directly on my machine. However the tunnel will not establish.
Should it not be possible to do it with just apache? I mean there are so many people here saying they have it setup that way.
I have now even integrated AutoSSH but still this does not work. I would also really prefer not to use an SSH tunnel as this makes everything more complex to administrate.
Is there anyone that maybe has an idea?
I don’t use Apache, but the Apache log should show some information about what happens when you try to connect to HA.
Also, what happens in the browser when you attempt a connection?
Recently I had to go back and reconfigure my nginx and HA http settings due to x-forward_for and IPs getting banned. I forgot and set nginx to forward requests to the hosting server's IP 192.169.10.12 for HA. This caused all connections to HA to be banned as they all, good and bad, appeared to come from docker 172.17.0.1. It occurred to me that I must set nginx to forward to the HA docker IP 172.17.0.3 and set the nginx docker IP as allowed_proxy in the HA http setting.
Before making the above changes, all HA connections were blocked and the web showed “cannot connect” or the HA banner with a blank page. It was the nginx log that pointed this out, since it showed the outgoing connection from the external IP to HA, but HA always showed an incoming connection ban for 172.17.0.1. After some thought I realized the connection is from outside docker, which is wrong. I don't set 172.17.0.1 as allowed_proxy since that would allow anything sending to the server to act as a proxy, and the IP ban would never work properly.
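The trust decision described in the post above, as an added example that is not part of the original thread and is not Home Assistant's or nginx's own code: a simplified model of how a backend picks the client address from X-Forwarded-For. The proxy container address 172.17.0.2 and the client addresses are assumptions chosen for illustration.

```python
import ipaddress

def resolve_client_ip(peer_ip, xff_header, trusted_proxies):
    """Return the address a backend should log, rate-limit or ban.

    peer_ip: source address of the TCP connection reaching the backend.
    xff_header: raw X-Forwarded-For value, or None.
    trusted_proxies: IPs/CIDRs allowed to supply X-Forwarded-For.
    """
    trusted = [ipaddress.ip_network(p) for p in trusted_proxies]

    def is_trusted(ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in trusted)

    # A header sent by an untrusted peer is ignored: the peer is the client.
    if not xff_header or not is_trusted(peer_ip):
        return peer_ip
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    # Walk right to left; the first hop that is not a trusted proxy is the client.
    for hop in reversed(hops):
        try:
            if not is_trusted(hop):
                return hop
        except ValueError:
            return peer_ip  # malformed entry: fall back to the peer address
    return peer_ip

def scenarios():
    """Constructed cases. 172.17.0.1 is the Docker gateway from the post;
    172.17.0.2 as the proxy container address is an assumption."""
    return {
        # Only the proxy container is trusted and the request came through it.
        "via trusted proxy": resolve_client_ip(
            "172.17.0.2", "198.51.100.7", ["172.17.0.2"]),
        # Traffic arrives from the gateway: header ignored, so every client
        # looks like 172.17.0.1 and one ban blocks all of them.
        "via gateway, gateway untrusted": resolve_client_ip(
            "172.17.0.1", "203.0.113.9", ["172.17.0.2"]),
        # Gateway trusted: whatever the sender wrote in the header is believed,
        # so bans are applied to an address the sender chose.
        "via gateway, gateway trusted": resolve_client_ip(
            "172.17.0.1", "203.0.113.9", ["172.17.0.1"]),
    }

if __name__ == "__main__":
    for name, ip in scenarios().items():
        print(f"{name}: {ip}")
```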
What kind of configuration would I have to do in HA? So far I have done nothing to it and it still is working locally.
When I am hitting the domain in the browser I get the login screen and can type username and password. When trying to log in after that, the screen turns black and I get the HA logo in the middle of the screen saying underneath: Unable to connect to Home Assistant. Underneath that message is a button that just says: Retry. It reloads the page. When looking into the logs I can see that the websocket request (api/websocket) returns 400. In the Apache logs there is nothing. It shows the 400 response to the /api/websocket route but that's it. No error logs and nothing. I am sure the password is correct, as well as the user, because they work locally.
This is the error.log:
[Mon Nov 02 05:36:09.693188 2020] [proxy:error] [pid 1205828:tid 140172465256192] (111)Connection refused: AH00957: HTTP: attempt to connect to 127.0.0.1:22000 (127.0.0.1) failed
[Mon Nov 02 05:36:09.693231 2020] [proxy_http:error] [pid 1205828:tid 140172465256192] [client 80.82.68.59:36496] AH01114: HTTP: failed to make connection to backend: 127.0.0.1
[Mon Nov 02 05:36:10.930794 2020] [proxy:error] [pid 1205829:tid 140173304133376] (111)Connection refused: AH00957: HTTP: attempt to connect to 127.0.0.1:22000 (127.0.0.1) failed
[Mon Nov 02 05:36:10.930832 2020] [proxy_http:error] [pid 1205829:tid 140173304133376] [client 80.82.68.59:43748] AH01114: HTTP: failed to make connection to backend: 127.0.0.1
[Mon Nov 02 05:36:10.932587 2020] [proxy:error] [pid 1205828:tid 140172968589056] (111)Connection refused: AH00957: HTTP: attempt to connect to 127.0.0.1:22000 (127.0.0.1) failed
[Mon Nov 02 05:36:10.932605 2020] [proxy_http:error] [pid 1205828:tid 140172968589056] [client 80.82.68.59:43746] AH01114: HTTP: failed to make connection to backend: 127.0.0.1
[Mon Nov 02 13:36:41.923190 2020] [proxy:error] [pid 1205829:tid 140173018912512] (111)Connection refused: AH00957: HTTP: attempt to connect to 127.0.0.1:22000 (127.0.0.1) failed
[Mon Nov 02 13:36:41.923232 2020] [proxy_http:error] [pid 1205829:tid 140173018912512] [client 128.14.134.134:42760] AH01114: HTTP: failed to make connection to backend: 127.0.0.1
[Mon Nov 02 15:54:27.171083 2020] [proxy:error] [pid 1205829:tid 140173270562560] (111)Connection refused: AH00957: HTTP: attempt to connect to 127.0.0.1:22000 (127.0.0.1) failed
[Mon Nov 02 15:54:27.171119 2020] [proxy_http:error] [pid 1205829:tid 140173270562560] [client 180.149.125.165:13314] AH01114: HTTP: failed to make connection to backend: 127.0.0.1
I am unsure what backend this is referring to, tbh.
This is the other_vhost_access.log file:
example.com:443 141.101.99.211 - - [02/Nov/2020:16:02:54 +0000] "GET / HTTP/1.1" 200 5359 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0"
example.com::443 141.101.98.134 - - [02/Nov/2020:16:02:54 +0000] "GET /hacsfiles/iconset.js HTTP/1.1" 200 5549 "https://example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0"
example.com::443 141.101.99.211 - - [02/Nov/2020:16:02:54 +0000] "GET /auth/providers HTTP/1.1" 200 4101 "https://example.com:/auth/authorize?response_type=code&redirect_uri=https%3A%2F%2Fexample.com%2F%3Fauth_callback%3D1&client_id=https%3A%2F%2Fexample.com%2F&state=eyJoYXNzVXJsIjoiaHR0cHM6Ly90aW1iby56b25lIiwiY2xpZW50SWQiOiJodHRwczovL3RpbWJvLnpvbmUvIn0%3D" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0"
example.com:443 162.158.155.22 - - [02/Nov/2020:16:02:54 +0000] "GET /service_worker.js HTTP/1.1" 304 4004 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0"
example.com:443 141.101.99.211 - - [02/Nov/2020:16:02:55 +0000] "POST /auth/login_flow HTTP/1.1" 200 4234 "https://example.com/auth/authorize?response_type=code&redirect_uri=https%3A%2F%2Fexample.com%2F%3Fauth_callback%3D1&client_id=https%3A%2F%2Fexample.com%2F&state=eyJoYXNzVXJsIjoiaHR0cHM6Ly90aW1iby56b25lIiwiY2xpZW50SWQiOiJodHRwczovL3RpbWJvLnpvbmUvIn0%3D" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0"
example.com:443 141.101.99.211 - - [02/Nov/2020:16:03:02 +0000] "POST /auth/login_flow/1b5ee79a33e7437fb46f4f449c817526 HTTP/1.1" 200 4224 "https://example.com/auth/authorize?response_type=code&redirect_uri=https%3A%2F%2Fexample.com%2F%3Fauth_callback%3D1&client_id=https%3A%2F%2Fexample.com%2F&state=eyJoYXNzVXJsIjoiaHR0cHM6Ly90aW1iby56b25lIiwiY2xpZW50SWQiOiJodHRwczovL3RpbWJvLnpvbmUvIn0%3D" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0"
example.com:443 141.101.99.211 - - [02/Nov/2020:16:03:03 +0000] "GET /?auth_callback=1&code=806692ed3b654a18a3c258d46dd4afee&state=eyJoYXNzVXJsIjoiaHR0cHM6Ly90aW1iby56b25lIiwiY2xpZW50SWQiOiJodHRwczovL3RpbWJvLnpvbmUvIn0%3D HTTP/1.1" 200 5409 "https://example.com/auth/authorize?response_type=code&redirect_uri=https%3A%2F%2Fexample.com%2F%3Fauth_callback%3D1&client_id=https%3A%2F%2Fexample.com%2F&state=eyJoYXNzVXJsIjoiaHR0cHM6Ly90aW1iby56b25lIiwiY2xpZW50SWQiOiJodHRwczovL3RpbWJvLnpvbmUvIn0%3D" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0"
example.com:443 141.101.99.211 - - [02/Nov/2020:16:03:03 +0000] "POST /auth/token HTTP/1.1" 200 4407 "https://example.com/?auth_callback=1&code=806692ed3b654a18a3c258d46dd4afee&state=eyJoYXNzVXJsIjoiaHR0cHM6Ly90aW1iby56b25lIiwiY2xpZW50SWQiOiJodHRwczovL3RpbWJvLnpvbmUvIn0%3D" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0"
example.com:443 141.101.99.237 - - [02/Nov/2020:16:03:03 +0000] "GET /api/websocket HTTP/1.1" 400 4068 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0"
I do not understand what the issue is here. The request definitely reaches the server, but what happens next I am not sure. I am not too good with Apache though, so that surely does not help.
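An added example, not part of the original post: a small triage script for the two log formats quoted above. It groups refused proxy connections by backend and lists WebSocket requests that were not answered with 101 Switching Protocols; the sample lines are constructed in the format of the logs above, and 127.0.0.1:8123 as the expected Home Assistant backend is an assumption.

```python
import re
from collections import Counter

# Constructed sample lines in the format of the logs quoted above.
ERROR_LOG = """\
[Mon Nov 02 05:36:09.693188 2020] [proxy:error] [pid 1:tid 1] (111)Connection refused: AH00957: HTTP: attempt to connect to 127.0.0.1:22000 (127.0.0.1) failed
[Mon Nov 02 05:36:09.693231 2020] [proxy_http:error] [pid 1:tid 1] [client 203.0.113.5:36496] AH01114: HTTP: failed to make connection to backend: 127.0.0.1
[Mon Nov 02 13:36:41.923190 2020] [proxy:error] [pid 2:tid 2] (111)Connection refused: AH00957: HTTP: attempt to connect to 127.0.0.1:22000 (127.0.0.1) failed
"""
ACCESS_LOG = """\
example.com:443 198.51.100.7 - - [02/Nov/2020:16:03:03 +0000] "POST /auth/token HTTP/1.1" 200 4407 "-" "Mozilla/5.0"
example.com:443 198.51.100.7 - - [02/Nov/2020:16:03:03 +0000] "GET /api/websocket HTTP/1.1" 400 4068 "-" "Mozilla/5.0"
"""

# AH00957 names the host:port that mod_proxy could not reach.
BACKEND_RE = re.compile(r"AH00957: \w+: attempt to connect to (\S+:\d+) ")
# other_vhosts_access.log layout: vhost:port client - - [time] "METHOD path proto" status ...
ACCESS_RE = re.compile(
    r'^(\S+) (\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def refused_backends(error_log):
    """Count refused proxy connections per backend host:port."""
    return Counter(m.group(1) for m in BACKEND_RE.finditer(error_log))

def unexpected_backends(error_log, expected="127.0.0.1:8123"):
    """Backends in the error log other than the one this vhost should use.
    Entries here come from some other proxy rule, not from this vhost."""
    return sorted(b for b in refused_backends(error_log) if b != expected)

def failed_upgrades(access_log, path="/api/websocket"):
    """(vhost, client, status) for WebSocket requests not answered with 101."""
    failures = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        vhost, client, _method, target, status = m.groups()
        if target.split("?")[0] == path and status != "101":
            failures.append((vhost, client, int(status)))
    return failures

if __name__ == "__main__":
    print("refused backends:", dict(refused_backends(ERROR_LOG)))
    print("not the expected backend:", unexpected_backends(ERROR_LOG))
    print("failed WebSocket upgrades:", failed_upgrades(ACCESS_LOG))
```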
I think there is a typo in your websocket ProxyPass(Reverse):
instead of ws://127.0.0.1:8123/api/websocket
you should have ws://127.0.0.1:8123/api/api/websocket
(Yes, repeated \api; doesn’t seem logical, but it works for me - can’t remember where I found this info several months ago).