[solved] “Unable to connect to Home Assistant” from WAN - Docker HA + Docker Lets Encrypt

spencerskinner99 · June 30, 2022, 10:01pm

Hi,

Been trying to set up a reverse proxy set up for my HA instance.

I used the generic proxy-conf file from the linuxserver/swag container and then just implemented the HTTP config block in the config.yaml file

configuration.yaml

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.18.0.6 #LE Docker Network IP
    - 192.168.2.13 #Docker Machine IP
    - 172.30.33.0/24 #Apparantly keep this one?
  login_attempts_threshold: 5

LetsEncrypt Subdomain Config


server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name mydomain.ddns.net;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /ldaplogin;

        # enable for Authelia
        #include /config/nginx/authelia-location.conf;

        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app homeassistant;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }

    location ~ ^/(api|local|media)/ {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app homeassistant;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}
~

proxy.conf

## Version 2018/05/31 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/proxy.conf

client_max_body_size 10m;
client_body_buffer_size 128k;

#Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;

# Basic Proxy Config
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Ssl on;
proxy_redirect  http://  $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
#proxy_cookie_path / "/; HTTPOnly; Secure"; # enable at your own risk, may break certain apps
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 32 4k;

Error log ouput

Logger: homeassistant.components.http.ban
Source: components/http/ban.py:125
Integration: HTTP (documentation, issues)
First occurred: 22:52:30 (5 occurrences)
Last logged: 22:56:38

Login attempt or request with invalid authentication from pfSense.home.arpa (192.168.2.1). (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36)

Both the container for HA and LE exist on a the same docker network hence the IP’s in the trusted proxies. I cant seem to work out the cause of the issue.

Many Thanks
Spencer

spencerskinner99 · June 30, 2022, 11:04pm

Ok,

So it just got a little worse, now getting a 403

I changed my HA instance to use the host network so that integration auto discovery worked, it is the way its done in the docs.

version: '3'
services:
  homeassistant:
    image: homeassistant/home-assistant:stable
    hostname: homeassistant
    container_name: homeassistant 
    network_mode: host
    restart: unless-stopped
    environment:
      TZ: "Europe/London"
    volumes:
      - /Docker_Configs/homeassistant/Config:/config
    ports:
      - 8123:8123

As such I also had to change the LE Conf

# make sure that your dns has a cname set for homeassistant and that your homeassistant container is not using a base url

# As of homeassistant 2021.7.0, it is now required to define the network range your proxy resides in, this is done in Homeassitants configuration.yaml
# https://www.home-assistant.io/integrations/http/#trusted_proxies
# Example below uses the default dockernetwork ranges, you may need to update this if you dont use defaults.
#
# http:
#   use_x_forwarded_for: true
#   trusted_proxies:
#     - 172.16.0.0/12

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name mydomain.ddns.net;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /ldaplogin;

        # enable for Authelia
        #include /config/nginx/authelia-location.conf;

        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app 192.168.2.13;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass http://192.168.2.13:8123;

    }

    location ~ ^/(api|local|media)/ {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app 192.168.2.13;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass http://192.168.2.13:8123;

otherwise all the same

spencerskinner99 · July 2, 2022, 3:15pm

Ok - My bad the 403 was because i didnt disable IP banning, I’m back to the same issue with the above config

spencerskinner99 · July 2, 2022, 3:38pm

Ok solved it - Who’d have thought thoroughly reading documentation and cross checking against what LE provides by default would have been wise lol

## Version 2021/10/11
# make sure that your dns has a cname set for homeassistant and that your homeassistant container is not using a base url

# As of homeassistant 2021.7.0, it is now required to define the network range your proxy resides in, this is done in Homeassitants configuration.yaml
# https://www.home-assistant.io/integrations/http/#trusted_proxies
# Example below uses the default dockernetwork ranges, you may need to update this if you dont use defaults.
#
# http:
#   use_x_forwarded_for: true
#   trusted_proxies:
#     - 172.16.0.0/12

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name mydomain.ddns.net;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    proxy_buffering off;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /ldaplogin;

        # enable for Authelia
        #include /config/nginx/authelia-location.conf;

        proxy_pass http://192.168.2.13:8123;

        proxy_set_header        Host                   $host;
        proxy_pass_header       Authorization;                            #needed to pass HA token from AWS Alexa to HA
        proxy_set_header        Upgrade                $http_upgrade;     #needed for HA user login
        proxy_set_header        Connection             "upgrade";         #needed for HA user login
        proxy_set_header        X-Forwarded-For        $remote_addr;      #needed so that HA sees the remote IP making a connection rather that the IP for NGINX
    }

    location ~ ^/(api|local|media)/ {
        proxy_pass http://192.168.2.13:8123;

        proxy_set_header        Host                   $host;
        proxy_pass_header       Authorization;                            #needed to pass HA token from AWS Alexa to HA
        proxy_set_header        Upgrade                $http_upgrade;     #needed for HA user login
        proxy_set_header        Connection             "upgrade";         #needed for HA user login
        proxy_set_header        X-Forwarded-For        $remote_addr;      #needed so that HA sees the remote IP making a connection rather that the IP for NGINX
    }
}

Thats the modified subdomain proxy config

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.18.0.0/16
    - 192.168.2.0/24
    - 172.30.33.0/24
  login_attempts_threshold: 500
  ip_ban_enabled: false

Thats my new conig.yaml

Hope this helps some people.

This helped me -