Settings for HA OS reverse proxy

This is a basic question, but I can’t find an answer.

I have an Unraid, PFsense with Let’s Encrypt and HAProxy. This works as I have other services running like this without any issues. I have already setup my domain for HA and setup HAproxy, etc.

I want to know what to change on HA side as all I get is “503 Service Unavailable” No server is available to handle this request.

All the instructions is mainly for DuckDNS and running the Let’sEncryp addon which I don’t use.

Solved: Nowhere is it mentioned, but you have to get your cert and key from your certificate from pfsense. Then you convert those two files using these commands:
openssl x509 -in fullchain.crt -out fullchain.pem
openssl rsa -in privkey.key -text > privkey.pem

Then copy those files to your ssl directory and add this to your configuration.yaml file.

So my configuration.yaml files looks like this:

    ssl_certificate: /ssl/fullchain.pem
    ssl_key: /ssl/privkey.pem
    use_x_forwarded_for: true
1 Like

Thank you for posting the solution; I have the exact problem that I am trying to fix for a long time. One question though: what is the IP address you put under the “trusted_proxies:”?

thank you in advance for helping.

That would really depend on how you setup your reverse proxy as there are a few ways of doing this.

For instance my pfSense runs on and normally you would use that as a trusted proxy, but I did it another way by following the two youtube vidieos posted by “SystemaD” so my proxy is as that is the ip I chose.

Hope that helps.

I also use virtual IP using instructions from “SystemaD” but no matter what IP I put under trusted_proxies in HA, I have the same warning error:

“Received X-Forwarded-For header from untrusted proxy, headers not processed; This request will be blocked in Home Assistant 2021.7 unless you configure your HTTP integration to allow this proxy to reverse your Home Assistant instance”

My question for you is what is the IP is that the virtual IP? is this the only IP you used under trusted_proxies?

BTW: my home assistant system does not work after updating to 2021.7 Core so I have to restore the system to 2021.6.X

Also had the issue after upgrading today, there’s an issue with reverse proxy. All I did to fix it was to check my home-assistant.log, which showed as an untrusted proxy so I just added my pfsense proxy to trusted_proxies and it worked after restarting.

ssl_certificate: /ssl/fullchain.pem
ssl_key: /ssl/privkey.pem
use_x_forwarded_for: true
- (this is the IP/proxy from my pfSense, not virtual)
- (this is my virtual IP as created with “SystemaD” intructions)

Double check the log file for home-assistant to make sure there are no other untrusted proxies, if there are, just add them to trusted proxies if they are relevant.

This “might” also help, I disabled Use “forwardfor” option under HAProxy/Frontend, HTTP_80 and HTTP_443. It’s right at the bottom, just unsellect it for both.

@GalacticSpines, thank you for your help. I am finally able to fix my problem. I think what happen is that I have Cloudflare as my proxy and also have HAproxy; so they are basically are double proxies and home assistant was not getting the correct client IP.

So I followed this post below to add all Cloudflare IPs under home assistant trusted_proxies and turn off pfsense HAproxy’s x-forwarded-for. That is all it take to fix my problem and now I can upgrade back to 2021.7.x

this is the link I followed: Reverse proxy error - #63 by matthewjporter

Very strange, I also use Cloudflare but don’t have any of their ip’s under trusted proxies.

Well, go figure. Glad you got it resolved.

I followed your guide and finally got this working, thank you so much! just a question, do you manually copy over the certs every 90 days?

1 Like

Thanks so much for coming back and posting the solution. This helped me. I have a similar setup with PFsense, Let’s Encrypt and HAProxy (where I get the certificates through PFsense).

I didn’t need to run the 2 openssl commands you shared. For me, this configuration worked:

ssl_certificate: /ssl/Home.crt
ssl_key: /ssl/Home.key
use_x_forwarded_for: true
  - https://ha.lan
  - https://ha

Home.crt and Home.key are the certificate files from the pfsense /conf/acme directory. is the IP address of my pfsense.

After going on a bit of a goose chase because of this thread (and I’m an idiot), I want to comment here because:

  1. I use a pfsense router (as others mention above).

  2. I setup HAProxy as described in the “SystemaD” videos (as others mention above).

  3. I have my own domain (as others mention above, kind of :).

  4. I have it working despite some of what is mentioned above.

If you have a pfsense box (mine is bare metal, but VM should work) and you have the ACME and HAProxy packages installed as “SystemaD” describes then… you’re Home Assistant isn’t working… WHY!?..

You need to:

  1. In the HAProxy frontend for Home Assistant; the default, “Use ‘forwardfor’ option” is set to checked/on and it must be set to unchecked/off (I think this is mentioned above).

  2. In the HAProxy backend for Home Assistant; the default “Health Check Method” is set to “HTTP” and this should be set to “Basic”.

(I have to say that HAProxy has NOTHING to do with Home Assistant (commonly referred to as HA).

To be clear… I have absolutely NO changes in my configuration.yaml file. I have no “http” section and no references to certificates, trusted proxies, hostnames, nothing! My best guess as to why anything in configuration.yaml worked is some sort of leftovers from a previous NGINX/LetsEncrypt/DuckDNS setup.

I’m no expert (obviously), but I can, “https:ha.mydomain.tld” both locally and “Internet” and be secured with both (some will say the public cert. makes it not “local” and I would very much like to talk to them in private in order to learn; not debate).

Edit: My bad… For proper “public” access, you will need to have “trusted proxies” filled out properly. I hope I didn’t stray too many people aray.


1 Like

I second the question below do you manually copy the certs every 90 days or so ?