[Solved] 'http' integration not set-up for reverse proxying even though it appears set up

Does anyone have their Home Assistant Green set up so it can be reached via a Traefik 2 reverse proxy running elsewhere with already-in-use and working Cloudflare and OAuth middleware?

I think I’m super close. I’ve got this in /homeassistant/configuration.yaml (apparently it’s not under /config as I’ve been reading):

http:
  use_x_forwarded_for: true
  trusted_proxies: 
    - 192.168.4.103 # From the error log msg

With YAML you can indent the item list marker - or place it directly below the previous indentation. I actually prefer the latter so that all keys/values end up having a consistent two-space indentation, but it’s ok, both are well-formed YAML! (For an example of no indentation being the culprit, see here.)

I’ve tried it as above, and I’ve tried with .0 and CIDR notation. Either way, when I reload the YAML config and try again, I see this in /homeassistant/home-assistant.log:

2024-02-13 00:28:26.666 ERROR (MainThread) [homeassistant.components.http.forwarded] A request from a reverse proxy was received from 192.168.4.103, but your HTTP integration is not set-up for reverse proxies
. . . above error repeats every time I try to reach it via Traefik . . .

I saw this thread as well but I was figuring if the log is already showing the IP in question, adding that as trusted oughta do it. I think? Remember this is a HA Green device, and then Traefik is running in a container on another server on the same home network. And clearly it’s reaching the Green device.

Looking at the http integration docs, it seems like I’m doing the right thing, but apparently I’m falling short somewhere. Clues/thoughts, anyone?

Vital stats:

Core: 2024.2.1
Supervisor: 2024.01.1
Operating System: 11.5
Frontend: 20240207.1

FWIW here’s the relevant Traefik 2 rule. Using an IP for the HA Green for now until I get internal DNS squared away. Notice the item list markers match the previous indent level. I could have indented another two spaces; where those markers are concerned either way is parsed the same.

http:
  routers:
    homeassistant-rtr:
      rule: "Host(`home.{{env "DOMAINNAME"}}`)"
      entryPoints:
      - https
      middlewares:
      - chain-oauth
      service: homeassistant-svc
      tls:
        certResolver: dns-cloudflare
        options: tls-opts@file
  services:
    homeassistant-svc:
      loadBalancer:
        servers:
        - url: "http://192.168.4.140:8123"

UPDATE: The plot thickens. In /etc/configurator.conf I do see BASEPATH set to /homeassistant (so that explains why it isn’t /config in my case), however I also see ALLOWED_NETWORKS set to ["127.0.0.1", "172.30.32.2"] and I wonder if that’s got anything to do with it?

But I’m not going to touch that file at all, or anything else under /etc. That seems like the sort of baseline thing that would be overridden (if allowed) under configuration in the BASEPATH anyway. Just wanted to point that out in case it’s relevant.

Ahahahahaha - heh. Hehehe. I’m feeling really silly right now!

It’s not enough to reload the YAML. I had to reboot the device. Probably because this sort of thing is read and initialized closer to startup time than not.

As you were. :joy:

Thanks for reporting your solution. I was in the same situation and I couldn’t understand.