OK, so I’m running HASS 2021.7.3 on a Synology NAS inside a VM with Home Assistant OS 6.1, and all was working fine up to a few hours ago.
Suddenly I went to HA App on my phone and got an error 403, double checked online on my PC via Firefox browser and I get the same 403: Forbidden error.
What on earth might have caused this all of the sudden???
Any ideas?
I can connect via VNC and all seems ok as far as I can tell, i.e. core is running, check goes ok, reverse proxy is untouched, heck no-one touched anything, it just broke on its own apparently.
Any assistance/help to diagnose this strange behavior is greatly appreciated.
Check ip_bans.yaml
This is a ‘bug’ that was fixed in a recent testflight version. Basically if you use trusted networks to auth the iOS app and then move to say a 4G network you will get banned by the app immediately. So grab the latest tsetflight version and instead of banning it nakes you re-auth and all will be well again.
I managed to order a snapshots restore from VNC via VM command line, and rolled back to my most recent full snapshot with core 2021.7.3 and all come back fine.
@DavidFW1960 thanks for the info, I will keep an eye on ip_bans.yaml if this ever happens again, I didn’t know that file.
@123 I don’t thiink it was the same because I have firefox 90 for quite some time and this problem only surfaced a few hours ago at most. Also tried Edge before posting and couldn’t get in.
I changed all components and add-ons to NOT update automatically, and will let it stay that way from now on. I suspect the update to 2021.7.4 might be to blame here.
I’ll get back if I get any news, since I have to roll-up again to the latest releases on several add-ons and core itself.
@DavidFW1960 you’ll think it’s funny, but actually the root cause included the ip_bans.yaml file after all.
I’m posting this so that if the same happens to someone else, they can understand what they have, and self punish like banging their head on the wall or something…
[shame_mode]
I recently had deleted some 30 tokens that somehow were left undeleted on my HASS install, from mobile app connections to the server.
Inadvertently I deleted one more than I should, i.e. I deleted one that was still valid and in use by one of my family members app.
Therefore his app was trying to connect over and over again, with a missing token, and the IP got banned.
The thing is the IP is the local proxy IP on my LAN, so we all got banned, including myself on my console pc.
[/shame_mode]
I discovered this when I was reading other people’s issues with the 403 error and one of them said it could connect via a WAN IP but not LAN IP, which got me thinking.
Sure enough inside the ip_bans.yaml was the server LAN address itself, which is using reverse proxy, and therefore no-one could access from inside the LAN, but I could connect via VPN from an outside IP.
There you have it, hope this stupid mistake of mine serves to help someone some day.
I’m glad you left his up. Was pulling my hair out trying to get duck-dns / remote access working. Turns out my wan address was in the blocked list so I could only connect internally.
I am glad I stumbled across this. My local router got banned and so I couldn’t connect while I was on my local internet. I had to use my phone to modify the ip_bans.yaml to get it to work.
Thanks for this,
I’d been playing with duckdns certificates but then this happened overnight. Sure enough my router IP address was in the ip_bans.yaml file in the Config directory.
I deleted the file and restarted HA and all is working again.
Cheers!
Some time later though - but the same problem. I’m on HA 2023.5.3
I tried to clear (delete) the content of the file ip-bans.yaml but it didn’t help. After hours of struggle, I found that I had to delete the file altogether.
Probably it’s content was cached somewhere (?)
I tried clearing the browser cache, and I tried different browsers, but to no avail.
Randomly happened to me today. I mean, not entirely random. I replaced my router, poorly, some shenanigans happened. Merely deleting the contents of the ip ban file fixed it after a full HA restart. A
And if you don’t have SSH or Samba configured, you can take the SD-Card out of the Raspberry pi. If you have a yellow, you can use the serial console, which is described in the documentation. (I didn’t link directly since the instructions are different for Windows than for Linux/Mac).
