[SOLVED] [HowTo] Home Assistant (VM) behind traefik (Unable to connect to Home Assistant.)

Hi all, I’m running traefik on my docker host machine (192.168.1.100), HA is running in a VM (192.168.1.101). I try to proxy from outside (smarthome.domain.de) to my HA instance. This is working so far, but I can’t login (even with the right credentials):

Unable to connect to Home Assistant.

What could be the reason that it is not completely passed through?

traefik/config/dynamic.yml

---
tls:
  options:
    default:
      minVersion: VersionTLS13
      sniStrict: true

http:
  middlewares:
    secHeaders:
      headers:
        browserXssFilter: true
        contentTypeNosniff: true
        frameDeny: true
        sslRedirect: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 31536000
        customFrameOptionsValue: SAMEORIGIN
    https-redirect:
      redirectScheme:
        scheme: https
  routers:
    home-assistant:
      service: home-assistant
      rule: "Host(`smarthome.domain.de`)"
      entryPoints:
        - https
      tls:
        certResolver: http
  services:
    home-assistant:
      loadBalancer:
        servers:
          - url: http://192.168.1.101:8123

traefik/config/traefik.yml

---
api:
  dashboard: true

entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entrypoint:
          to: https
          scheme: https
  https:
    address: ":443"

log:
  filePath: "/var/log/traefik.log"
  level: DEBUG

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /dynamic.yml
    watch: true

certificatesResolvers:
  http:
    acme:
      email: [email protected]
      storage: /acme.json
      httpChallenge:
        entrypoint: http

HA config.yaml (relevant part)

http:
  ip_ban_enabled: true
  login_attempts_threshold: 5
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.1.0/24 # Local LAN Subnet
    - 172.18.0.0/24 # Docker Subnet

It’s working now. I missed some IPs in the http config section:

http:
  ip_ban_enabled: true
  login_attempts_threshold: 5
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.1.0/24
    - 172.18.0.0/24
    - 127.0.0.1
    - ::1
    - fe80::/64
    - fe00::/64
    - fd00::/64
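The reason the extra entries matter is that Home Assistant only honours X-Forwarded-For when the peer that actually opened the TCP connection is listed in trusted_proxies; a forwarded header arriving from any other peer is rejected, and nothing after it (login, ip_ban) ever sees the request. The following Python is an added example written for this thread, not Home Assistant's own code: it models that check against the trusted_proxies list from the solved config above, so you can test which proxy addresses would be accepted before editing configuration.yaml. The peer and client addresses in the demo are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed to mirror the trusted_proxies list from the working HA config above.
TRUSTED_PROXIES = [ip_network(n) for n in (
    "192.168.1.0/24",   # LAN, where the traefik host (192.168.1.100) lives
    "172.18.0.0/24",    # docker bridge subnet used in the thread
    "127.0.0.1", "::1", # loopback, v4 and v6
    "fe80::/64", "fe00::/64", "fd00::/64",
)]


def is_trusted(addr, trusted=TRUSTED_PROXIES):
    """True if addr falls inside any trusted_proxies network."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def resolve_client_ip(peer_ip, xff_header, trusted=TRUSTED_PROXIES):
    """Model of HA's use_x_forwarded_for handling (assumption: simplified).

    Returns (http_status, client_ip). 400 means HA would refuse the request
    because X-Forwarded-For came from a peer it does not trust or is malformed.
    """
    if xff_header is None:
        # No proxy header: the TCP peer is the client, nothing to verify.
        return 200, peer_ip
    if not is_trusted(peer_ip, trusted):
        # Forwarded header from an unlisted peer: HA rejects rather than
        # letting an arbitrary host pick the address ip_ban will key on.
        return 400, None
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    if not hops or not all(is_trusted(h, trusted) or _valid(h) for h in hops):
        return 400, None
    # Walk right to left: skip every trusted proxy, the first untrusted hop
    # is the real client address.
    for hop in reversed(hops):
        if not is_trusted(hop, trusted):
            return 200, hop
    # Every hop was a trusted proxy: fall back to the left-most entry.
    return 200, hops[0]


def _valid(addr):
    try:
        ip_address(addr)
        return True
    except ValueError:
        return False


def check_proxy_peer(peer_ip, trusted=TRUSTED_PROXIES):
    """Config check: is the address traefik connects from covered?"""
    return "trusted" if is_trusted(peer_ip, trusted) else "NOT trusted (add to trusted_proxies)"


if __name__ == "__main__":
    # Constructed cases: traefik on the LAN host, traefik inside docker,
    # and a peer outside both lists.
    for peer in ("192.168.1.100", "172.18.0.5", "::1", "10.0.0.5"):
        print(peer, "->", check_proxy_peer(peer))
    print(resolve_client_ip("192.168.1.100", "203.0.113.7"))
    print(resolve_client_ip("10.0.0.5", "203.0.113.7"))
```

The right-to-left walk is what stops a client from prepending a fake address to X-Forwarded-For: only the hop immediately behind the trusted proxies is believed, so ip_ban and login_attempts_threshold act on the address the proxy actually saw.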

Many thanks for taking the time to update, your solution helped me too.


This is awesome. Got it working today. The http: in config of HA is essential.

What I am missing is getting Alexa and apple home to work. I assume there are additional ports required to get this working.

I would love to get a hint or two. Thanks.

I am trying to resolve an issue with my setup, which is similar to yours. I am running traefik in a docker container on my Unraid server, and Home Assistant is running on a VM. My Traefik access log shows every attempt returns a 502 error as seen below.

192.168.1.254 - - [13/Jul/2024:04:11:03 +0000] "GET / HTTP/2.0" 502 11 "-" "-" 155 "home-assistant@file" "http://192.168.1.190:8123" 3081ms

From traefik, it’s showing the proper domain and IP address. The IP listed there is the correct one for the VM running HA.

I copied your http: section and pasted that into my configuration.yaml for HA. The only thing that’s different that I can think of where a problem could be occurring is with TLS certificates. Here’s my traefik.yml file

global:
  checkNewVersion: true
  sendAnonymousUsage: false

serversTransport:
  insecureSkipVerify: true

entryPoints:
  # Not used in apps, but redirect everything from HTTP to HTTPS
  http:
    address: :80
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https

  # HTTPS endpoint, with domain wildcard
  https:
    address: :443
    forwardedHeaders:
    http:
      tls:
        # Generate a wildcard domain certificate
        certResolver: letsencrypt
        domains:
          - main: EXAMPLE.duckdns.org
            sans:
              - '*.EXAMPLE.duckdns.org'
      middlewares:
        - securityHeaders@file

providers:
  providersThrottleDuration: 2s

  # File provider for connecting things that are outside of docker / defining middleware
  file:
    filename: /etc/traefik/fileConfig.yml
    watch: true

  # Docker provider for connecting all apps that are inside of the docker network
  docker:
    watch: true
    network: aurelioserver    # Add Your Docker Network Name Here
    # Default host rule to containername.domain.example
    defaultRule: "Host(`{{ lower (trimPrefix `/` .Name )}}.EXAMPLE.duckdns.org`)"    # Replace with your domain
    exposedByDefault: false

# Enable traefik ui
api:
  dashboard: true
  insecure: true

# Log level INFO|DEBUG|ERROR
log:
  level: DEBUG

# Use letsencrypt to generate ssl certificates
certificatesResolvers:
  letsencrypt:
    acme:
      email: [email protected]
      storage: /etc/traefik/acme.json
      dnsChallenge:
        provider: duckdns
        # Used to make sure the dns challenge is propagated to the right DNS servers
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"

#Access Log
accessLog:
  filePath: "/etc/traefik/access.log"

#Prometheus
metrics:
  prometheus:
    addEntryPointsLabels: true
    addRoutersLabels: true
    addServicesLabels: true

Here’s my fileConfig.yml

http:

  ## MIDDLEWARES ##
  middlewares:

    # Security headers
    securityHeaders:
      headers:
        customResponseHeaders:
          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex"
          X-Forwarded-Proto: "https"
          server: ""
        customRequestHeaders:
          X-Forwarded-Proto: "https"
        sslProxyHeaders:
          X-Forwarded-Proto: "https"
        referrerPolicy: "same-origin"
        hostsProxyHeaders:
          - "X-Forwarded-Host"
        contentTypeNosniff: true
        browserXssFilter: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsSeconds: 63072000
        stsPreload: true
        customFrameOptionsValue: "SAMEORIGIN" 

    nextcloud-redirect:
        chain:
            middlewares:
                - redirect-dav
                - redirect-webfinger
                - redirect-nodeinfo
    
    redirect-dav:
        redirectRegex:
            permanent: true
            regex: "https://(.*)/.well-known/(?:card|cal)dav"
            replacement: "https://${1}/remote.php/dav"

    redirect-webfinger:
        redirectRegex:
            permanent: true
            regex: "https://(.*)/.well-known/webfinger"
            replacement: "https://${1}/index.php/.well-known/webfinger"

    redirect-nodeinfo:
        redirectRegex:
            permanent: true
            regex: "https://(.*)/.well-known/nodeinfo"
            replacement: "https://${1}/index.php/.well-known/nodeinfo"
  routers:
    home-assistant:
        service: home-assistant
        rule: "Host(`homeassistant.EXAMPLE.duckdns.org`)"
        entrypoints:
            - https
        tls:
            certResolver: letsencrypt
  services:
    home-assistant:
        loadBalancer:
            servers:
                - url: http://192.168.1.190:8123
        

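When every request to one router comes back 502, the Traefik access log already tells you whether the failure is on the backend side: the router name and the server URL it tried are the last two quoted fields. The Python below is an added example for this thread, not part of Traefik or Home Assistant, that parses the CLF-style line quoted above into its fields and summarises status codes per backend, so a run of 502s against one server URL stands out from a single transient error. The second and third log lines are constructed to show a healthy router beside the failing one; only the first is from the post.

```python
import re
from collections import defaultdict

# Traefik CLF access-log layout as seen in the post above:
# client - user [timestamp] "method path proto" status size "referer" "ua" count "router" "server-url" durationms
LOG_RE = re.compile(
    r'^(?P<client>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" '
    r'(?P<count>\d+) "(?P<router>[^"]*)" "(?P<backend>[^"]*)" (?P<duration>\d+)ms$'
)

# First line is the one quoted in the post; the other two are constructed.
SAMPLE_LINES = [
    '192.168.1.254 - - [13/Jul/2024:04:11:03 +0000] "GET / HTTP/2.0" 502 11 "-" "-" 155 "home-assistant@file" "http://192.168.1.190:8123" 3081ms',
    '192.168.1.254 - - [13/Jul/2024:04:11:09 +0000] "GET / HTTP/2.0" 502 11 "-" "-" 156 "home-assistant@file" "http://192.168.1.190:8123" 3002ms',
    '192.168.1.254 - - [13/Jul/2024:04:11:12 +0000] "GET /index.php HTTP/2.0" 200 5120 "-" "-" 157 "nextcloud@docker" "http://172.18.0.7:80" 41ms',
]


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not CLF."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["duration_ms"] = int(d.pop("duration"))
    d["size"] = 0 if d["size"] == "-" else int(d["size"])
    return d


def summarize(lines):
    """Per (router, backend): total requests, 5xx count, slowest request."""
    stats = defaultdict(lambda: {"total": 0, "5xx": 0, "max_ms": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[(rec["router"], rec["backend"])]
        s["total"] += 1
        if rec["status"] >= 500:
            s["5xx"] += 1
        s["max_ms"] = max(s["max_ms"], rec["duration_ms"])
    return dict(stats)


def failing_backends(lines):
    """Backends where every logged request ended in a 5xx: the proxy is
    reaching the router but never gets a usable answer from the server URL."""
    return sorted(
        backend
        for (router, backend), s in summarize(lines).items()
        if s["total"] > 0 and s["5xx"] == s["total"]
    )


if __name__ == "__main__":
    for key, s in summarize(SAMPLE_LINES).items():
        print(key, s)
    print("all-5xx backends:", failing_backends(SAMPLE_LINES))
```

A backend that is 502 on every request, with durations clustering around a few seconds, points at Traefik not getting a response from the server URL at all, which is a connectivity or listener question on the HA side rather than a certificate one; a mix of 200s and 502s on the same backend would suggest something intermittent instead.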
Just a question as I’m going through a similar process and stumbled upon this topic. Don’t we need to explicitly reference the middleware within the router config to actually make use of it?

Like this?

  routers:
    home-assistant:
      service: home-assistant
      rule: "Host(`smarthome.domain.de`)"
      entryPoints:
        - https
      tls:
        certResolver: http
      middlewares:
        - secHeaders