[SOLVED] Out of the blue now I get 403: Forbidden

OK, so I’m running HASS 2021.7.3 on a Synology NAS inside a VM with Home Assistant OS 6.1, and all was working fine up to a few hours ago.

Suddenly I went to HA App on my phone and got an error 403, double checked online on my PC via Firefox browser and I get the same 403: Forbidden error.

What on earth might have caused this all of a sudden???
Any ideas?

I can connect via VNC and all seems ok as far as I can tell, i.e. core is running, check goes ok, reverse proxy is untouched, heck no-one touched anything, it just broke on its own apparently.

Any assistance/help to diagnose this strange behavior is greatly appreciated.

Cheers,
-jprates

4 Likes

Check ip_bans.yaml
This is a ‘bug’ that was fixed in a recent testflight version. Basically if you use trusted networks to auth the iOS app and then move to say a 4G network you will get banned by the app immediately. So grab the latest testflight version and instead of banning it makes you re-auth and all will be well again.

22 Likes

Removed; unrelated issue. Nothing to see here …

I managed to order a snapshots restore from VNC via VM command line, and rolled back to my most recent full snapshot with core 2021.7.3 and all came back fine.

@DavidFW1960 thanks for the info, I will keep an eye on ip_bans.yaml if this ever happens again, I didn’t know that file.

@123 I don’t think it was the same because I have had Firefox 90 for quite some time and this problem only surfaced a few hours ago at most. Also tried Edge before posting and couldn’t get in.

I changed all components and add-ons to NOT update automatically, and will let it stay that way from now on. I suspect the update to 2021.7.4 might be to blame here.

I’ll get back if I get any news, since I have to roll-up again to the latest releases on several add-ons and core itself.

Thanks all.

If it’s the iOS app and you aren’t on the testflight version you can expect to see it again unless you take heed of what I said

I’m on Android, but thanks.

1 Like

@DavidFW1960 you’ll think it’s funny, but actually the root cause included the ip_bans.yaml file after all.

I’m posting this so that if the same happens to someone else, they can understand what they have, and self punish like banging their head on the wall or something…

[shame_mode]
I had recently deleted some 30 tokens that somehow were left undeleted on my HASS install, from mobile app connections to the server.
Inadvertently I deleted one more than I should have, i.e. I deleted one that was still valid and in use by one of my family members’ app.
Therefore his app was trying to connect over and over again, with a missing token, and the IP got banned.
The thing is the IP is the local proxy IP on my LAN, so we all got banned, including myself on my console pc.
[/shame_mode]

I discovered this when I was reading other people’s issues with the 403 error and one of them said it could connect via a WAN IP but not LAN IP, which got me thinking.

Sure enough inside the ip_bans.yaml was the server LAN address itself, which is using reverse proxy, and therefore no-one could access from inside the LAN, but I could connect via VPN from an outside IP.

There you have it, hope this stupid mistake of mine serves to help someone some day.

Cheers,
-jprates

16 Likes

I’m glad you left this up. Was pulling my hair out trying to get duck-dns / remote access working. Turns out my WAN address was in the blocked list so I could only connect internally.

2 Likes

I am glad I stumbled across this. My local router got banned and so I couldn’t connect while I was on my local internet. I had to use my phone to modify the ip_bans.yaml to get it to work.

2 Likes

This has been bugging me for a few weeks and didn’t dig in until today to figure out why I was getting a 403 Forbidden error! Thanks for posting this!

2 Likes

Thanks for this,
I’d been playing with duckdns certificates but then this happened overnight. Sure enough my router IP address was in the ip_bans.yaml file in the Config directory.
I deleted the file and restarted HA and all is working again.
Cheers!

1 Like

thanks a lot

1 Like

Some time later though - but the same problem. I’m on HA 2023.5.3
I tried to clear (delete) the content of the file ip-bans.yaml but it didn’t help. After hours of struggle, I found that I had to delete the file altogether.
Probably its content was cached somewhere (?)
I tried clearing the browser cache, and I tried different browsers, but to no avail.

got this recently for no apparent reason too.

deleting the IP out of ip-bans.yaml worked for me as well, but only after restarting my home assistant yellow.

1 Like

Randomly happened to me today. I mean, not entirely random. I replaced my router, poorly, some shenanigans happened. Merely deleting the contents of the ip ban file fixed it after a full HA restart. A

What’s the typical way to access the HA-Raspi, if I get 403 on all the devices?
How can I get to the mentioned yaml-file?

Do you have the Samba add-on installed, or one of the SSH add-ons?

And if you don’t have SSH or Samba configured, you can take the SD card out of the Raspberry Pi. If you have a Yellow, you can use the serial console, which is described in the documentation. (I didn’t link directly since the instructions are different for Windows than for Linux/Mac).

Today was my day to experience exactly the same lockout.
Fortunately, I was able to access the SD card and delete the offending ip_bans.yaml file.

I, too, experienced this just recently; it banned my local IP address (192.168.x.x) :man_facepalming:

One thing to note for others: you need to restart HASS in order for it to pick up manual modifications to ip_bans.yaml.
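
The check described in this thread (looking in ip_bans.yaml for a LAN, router or reverse-proxy address), as an added example that is not part of the original posts. The sample file contents and the `proxy_ips` parameter are constructed for illustration, and the layout of one address key with a `banned_at` child is assumed.

```python
import ipaddress
import re

# Constructed sample in the assumed ip_bans.yaml layout (address key, banned_at child).
SAMPLE_IP_BANS = """\
192.168.1.10:
  banned_at: '2021-07-25T21:14:03'
203.0.113.45:
  banned_at: '2021-07-26T02:40:11'
'fd00::5':
  banned_at: '2021-07-26T03:01:59'
"""

# An unindented, optionally quoted address followed by a colon.
KEY_RE = re.compile(r"""^['"]?([0-9A-Fa-f:.]+)['"]?:\s*$""")

# RFC 1918 ranges plus IPv6 unique-local: addresses a LAN client, router or proxy uses.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def banned_addresses(text):
    """Return the banned addresses, i.e. the top-level keys of the file."""
    found = []
    for line in text.splitlines():
        match = KEY_RE.match(line)
        if not match:
            continue
        try:
            found.append(ipaddress.ip_address(match.group(1)))
        except ValueError:
            pass  # top-level key that is not an IP address; ignore it
    return found


def is_lan(addr):
    """True for loopback and for addresses inside the LAN ranges above."""
    return addr.is_loopback or any(
        addr.version == net.version and addr in net for net in LAN_NETS)


def self_lockout_candidates(text, proxy_ips=()):
    """Bans that lock out local users: LAN addresses or a known proxy address."""
    proxies = {ipaddress.ip_address(p) for p in proxy_ips}
    return [str(a) for a in banned_addresses(text) if a in proxies or is_lan(a)]


if __name__ == "__main__":
    for ip in self_lockout_candidates(SAMPLE_IP_BANS):
        print("ban entry that blocks local clients:", ip)
```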